ensure authenticated request bodies for Admin-API (#5984)

This commit adds a check to the server's admin-API such that it only accepts Admin-API requests with authenticated bodies. Further this commit updates the `madmin` package to always add the `X-Amz-Content-Sha256` header. This change improves the Admin-API security since the server does not accept unauthenticated request bodies anymore. After this commit `mc` must be updated to the new `madmin` api because requests over TLS connections will fail.
2025-11-11 06:20:14 -05:00 · 2018-05-30 23:49:03 +02:00
parent 5282639f3c
commit 9fb94e6aa8
6 changed files with 17 additions and 67 deletions
--- a/pkg/madmin/service-commands.go
+++ b/pkg/madmin/service-commands.go
@@ -18,7 +18,6 @@
 package madmin

 import (
-	"bytes"
 	"encoding/json"
 	"io/ioutil"
 	"net/http"
@@ -87,9 +86,8 @@ func (adm *AdminClient) ServiceSendAction(action ServiceActionValue) error {

 	// Request API to Restart server
 	resp, err := adm.executeMethod("POST", requestData{
-		relPath:            "/v1/service",
-		contentBody:        bytes.NewReader(body),
-		contentSHA256Bytes: sum256(body),
+		relPath: "/v1/service",
+		content: body,
 	})
 	defer closeResponse(resp)
 	if err != nil {