ensure authenticated request bodies for Admin-API (#5984)

This commit adds a check to the server's admin-API such that it only
accepts Admin-API requests with authenticated bodies. Further this
commit updates the `madmin` package to always add the
`X-Amz-Content-Sha256` header.

This change improves the Admin-API security since the server does not
accept unauthenticated request bodies anymore.

After this commit `mc` must be updated to the new `madmin` API, because requests sent by the old client over TLS connections will now fail.
Andreas Auernhammer
2018-05-30 23:49:03 +02:00
committed by kannappanr
parent 5282639f3c
commit 9fb94e6aa8
6 changed files with 17 additions and 67 deletions


@@ -18,10 +18,8 @@
package madmin
import (
"bytes"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
@@ -194,23 +192,18 @@ func (adm *AdminClient) Heal(bucket, prefix string, healOpts HealOpts,
// execute POST request to heal api
queryVals := make(url.Values)
var contentBody io.Reader
if clientToken != "" {
queryVals.Set("clientToken", clientToken)
body = []byte{}
} else {
// Set a body only if clientToken is not given
contentBody = bytes.NewReader(body)
}
if forceStart {
queryVals.Set("forceStart", "true")
}
resp, err := adm.executeMethod("POST", requestData{
relPath: path,
contentBody: contentBody,
contentSHA256Bytes: sum256(body),
queryValues: queryVals,
relPath: path,
content: body,
queryValues: queryVals,
})
defer closeResponse(resp)
if err != nil {