Bump github.com/mattermost/mattermost-server/v6 from 6.1.0 to 6.3.0 (#1686)

Bumps [github.com/mattermost/mattermost-server/v6](https://github.com/mattermost/mattermost-server) from 6.1.0 to 6.3.0. - [Release notes](https://github.com/mattermost/mattermost-server/releases) - [Changelog](https://github.com/mattermost/mattermost-server/blob/master/CHANGELOG.md) - [Commits](https://github.com/mattermost/mattermost-server/compare/v6.1.0...v6.3.0) --- updated-dependencies: - dependency-name: github.com/mattermost/mattermost-server/v6 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-04 13:37:44 +00:00 · 2022-01-18 20:24:14 +01:00
parent fecca57507
commit aad60c882e
250 changed files with 43143 additions and 11479 deletions
--- a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
@ -112,7 +112,7 @@ func (m *IAM) Retrieve() (Value, error) {

 				return &WebIdentityToken{Token: string(token)}, nil
 			},
-			roleARN:         os.Getenv("AWS_ROLE_ARN"),
+			RoleARN:         os.Getenv("AWS_ROLE_ARN"),
 			roleSessionName: os.Getenv("AWS_ROLE_SESSION_NAME"),
 		}

--- a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts-tls-identity.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts-tls-identity.go
@ -0,0 +1,192 @@
+// MinIO Go Library for Amazon S3 Compatible Cloud Storage
+// Copyright 2021 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package credentials
+
+import (
+	"crypto/tls"
+	"encoding/xml"
+	"errors"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+)
+
+// CertificateIdentityOption is an optional AssumeRoleWithCertificate
+// parameter - e.g. a custom HTTP transport configuration or S3 credental
+// livetime.
+type CertificateIdentityOption func(*STSCertificateIdentity)
+
+// CertificateIdentityWithTransport returns a CertificateIdentityOption that
+// customizes the STSCertificateIdentity with the given http.RoundTripper.
+func CertificateIdentityWithTransport(t http.RoundTripper) CertificateIdentityOption {
+	return CertificateIdentityOption(func(i *STSCertificateIdentity) { i.Client.Transport = t })
+}
+
+// CertificateIdentityWithExpiry returns a CertificateIdentityOption that
+// customizes the STSCertificateIdentity with the given livetime.
+//
+// Fetched S3 credentials will have the given livetime if the STS server
+// allows such credentials.
+func CertificateIdentityWithExpiry(livetime time.Duration) CertificateIdentityOption {
+	return CertificateIdentityOption(func(i *STSCertificateIdentity) { i.S3CredentialLivetime = livetime })
+}
+
+// A STSCertificateIdentity retrieves S3 credentials from the MinIO STS API and
+// rotates those credentials once they expire.
+type STSCertificateIdentity struct {
+	Expiry
+
+	// STSEndpoint is the base URL endpoint of the STS API.
+	// For example, https://minio.local:9000
+	STSEndpoint string
+
+	// S3CredentialLivetime is the duration temp. S3 access
+	// credentials should be valid.
+	//
+	// It represents the access credential livetime requested
+	// by the client. The STS server may choose to issue
+	// temp. S3 credentials that have a different - usually
+	// shorter - livetime.
+	//
+	// The default livetime is one hour.
+	S3CredentialLivetime time.Duration
+
+	// Client is the HTTP client used to authenticate and fetch
+	// S3 credentials.
+	//
+	// A custom TLS client configuration can be specified by
+	// using a custom http.Transport:
+	//   Client: http.Client {
+	//       Transport: &http.Transport{
+	//           TLSClientConfig: &tls.Config{},
+	//       },
+	//   }
+	Client http.Client
+}
+
+var _ Provider = (*STSWebIdentity)(nil) // compiler check
+
+// NewSTSCertificateIdentity returns a STSCertificateIdentity that authenticates
+// to the given STS endpoint with the given TLS certificate and retrieves and
+// rotates S3 credentials.
+func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, options ...CertificateIdentityOption) (*Credentials, error) {
+	if endpoint == "" {
+		return nil, errors.New("STS endpoint cannot be empty")
+	}
+	if _, err := url.Parse(endpoint); err != nil {
+		return nil, err
+	}
+	var identity = &STSCertificateIdentity{
+		STSEndpoint: endpoint,
+		Client: http.Client{
+			Transport: &http.Transport{
+				Proxy: http.ProxyFromEnvironment,
+				DialContext: (&net.Dialer{
+					Timeout:   30 * time.Second,
+					KeepAlive: 30 * time.Second,
+				}).DialContext,
+				ForceAttemptHTTP2:     true,
+				MaxIdleConns:          100,
+				IdleConnTimeout:       90 * time.Second,
+				TLSHandshakeTimeout:   10 * time.Second,
+				ExpectContinueTimeout: 5 * time.Second,
+				TLSClientConfig: &tls.Config{
+					Certificates: []tls.Certificate{certificate},
+				},
+			},
+		},
+	}
+	for _, option := range options {
+		option(identity)
+	}
+	return New(identity), nil
+}
+
+// Retrieve fetches a new set of S3 credentials from the configured
+// STS API endpoint.
+func (i *STSCertificateIdentity) Retrieve() (Value, error) {
+	endpointURL, err := url.Parse(i.STSEndpoint)
+	if err != nil {
+		return Value{}, err
+	}
+	var livetime = i.S3CredentialLivetime
+	if livetime == 0 {
+		livetime = 1 * time.Hour
+	}
+
+	queryValues := url.Values{}
+	queryValues.Set("Action", "AssumeRoleWithCertificate")
+	queryValues.Set("Version", STSVersion)
+	endpointURL.RawQuery = queryValues.Encode()
+
+	req, err := http.NewRequest(http.MethodPost, endpointURL.String(), nil)
+	if err != nil {
+		return Value{}, err
+	}
+	req.Form.Add("DurationSeconds", strconv.FormatUint(uint64(livetime.Seconds()), 10))
+
+	resp, err := i.Client.Do(req)
+	if err != nil {
+		return Value{}, err
+	}
+	if resp.Body != nil {
+		defer resp.Body.Close()
+	}
+	if resp.StatusCode != http.StatusOK {
+		return Value{}, errors.New(resp.Status)
+	}
+
+	const MaxSize = 10 * 1 << 20
+	var body io.Reader = resp.Body
+	if resp.ContentLength > 0 && resp.ContentLength < MaxSize {
+		body = io.LimitReader(body, resp.ContentLength)
+	} else {
+		body = io.LimitReader(body, MaxSize)
+	}
+
+	var response assumeRoleWithCertificateResponse
+	if err = xml.NewDecoder(body).Decode(&response); err != nil {
+		return Value{}, err
+	}
+	i.SetExpiration(response.Result.Credentials.Expiration, DefaultExpiryWindow)
+	return Value{
+		AccessKeyID:     response.Result.Credentials.AccessKey,
+		SecretAccessKey: response.Result.Credentials.SecretKey,
+		SessionToken:    response.Result.Credentials.SessionToken,
+		SignerType:      SignatureDefault,
+	}, nil
+}
+
+// Expiration returns the expiration time of the current S3 credentials.
+func (i *STSCertificateIdentity) Expiration() time.Time { return i.expiration }
+
+type assumeRoleWithCertificateResponse struct {
+	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithCertificateResponse" json:"-"`
+	Result  struct {
+		Credentials struct {
+			AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+			SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+			Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+			SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+		} `xml:"Credentials" json:"credentials,omitempty"`
+	} `xml:"AssumeRoleWithCertificateResult"`
+	ResponseMetadata struct {
+		RequestID string `xml:"RequestId,omitempty"`
+	} `xml:"ResponseMetadata,omitempty"`
+}
--- a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go
@ -124,7 +124,7 @@ func stripPassword(err error) error {
 // LDAP Identity with a specified session policy. The `policy` parameter must be
 // a JSON string specifying the policy document.
 //
-// DEPRECATED: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
+// Deprecated: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
 func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error) {
 	return New(&LDAPIdentity{
 		Client:       &http.Client{Transport: http.DefaultTransport},
--- a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go
@ -78,9 +78,9 @@ type STSWebIdentity struct {
 	// This is a customer provided function and is mandatory.
 	GetWebIDTokenExpiry func() (*WebIdentityToken, error)

-	// roleARN is the Amazon Resource Name (ARN) of the role that the caller is
+	// RoleARN is the Amazon Resource Name (ARN) of the role that the caller is
 	// assuming.
-	roleARN string
+	RoleARN string

 	// roleSessionName is the identifier for the assumed role session.
 	roleSessionName string
@ -164,7 +164,7 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 // Retrieve retrieves credentials from the MinIO service.
 // Error will be returned if the request fails.
 func (m *STSWebIdentity) Retrieve() (Value, error) {
-	a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.roleARN, m.roleSessionName, m.GetWebIDTokenExpiry)
+	a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.RoleARN, m.roleSessionName, m.GetWebIDTokenExpiry)
 	if err != nil {
 		return Value{}, err
 	}
--- a/vendor/github.com/minio/minio-go/v7/pkg/lifecycle/lifecycle.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/lifecycle/lifecycle.go
@ -21,9 +21,12 @@ package lifecycle
 import (
 	"encoding/json"
 	"encoding/xml"
+	"errors"
 	"time"
 )

+var errMissingStorageClass = errors.New("storage-class cannot be empty")
+
 // AbortIncompleteMultipartUpload structure, not supported yet on MinIO
 type AbortIncompleteMultipartUpload struct {
 	XMLName             xml.Name       `xml:"AbortIncompleteMultipartUpload,omitempty"  json:"-"`
@ -50,13 +53,14 @@ func (n AbortIncompleteMultipartUpload) MarshalXML(e *xml.Encoder, start xml.Sta
 // (or suspended) to request server delete noncurrent object versions at a
 // specific period in the object's lifetime.
 type NoncurrentVersionExpiration struct {
-	XMLName        xml.Name       `xml:"NoncurrentVersionExpiration" json:"-"`
-	NoncurrentDays ExpirationDays `xml:"NoncurrentDays,omitempty"`
+	XMLName               xml.Name       `xml:"NoncurrentVersionExpiration" json:"-"`
+	NoncurrentDays        ExpirationDays `xml:"NoncurrentDays,omitempty"`
+	MaxNoncurrentVersions int            `xml:"MaxNoncurrentVersions,omitempty"`
 }

 // MarshalXML if non-current days not set to non zero value
 func (n NoncurrentVersionExpiration) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
-	if n.IsDaysNull() {
+	if n.isNull() {
 		return nil
 	}
 	type noncurrentVersionExpirationWrapper NoncurrentVersionExpiration
@ -68,13 +72,17 @@ func (n NoncurrentVersionExpiration) IsDaysNull() bool {
 	return n.NoncurrentDays == ExpirationDays(0)
 }

+func (n NoncurrentVersionExpiration) isNull() bool {
+	return n.IsDaysNull() && n.MaxNoncurrentVersions == 0
+}
+
 // NoncurrentVersionTransition structure, set this action to request server to
 // transition noncurrent object versions to different set storage classes
 // at a specific period in the object's lifetime.
 type NoncurrentVersionTransition struct {
 	XMLName        xml.Name       `xml:"NoncurrentVersionTransition,omitempty"  json:"-"`
 	StorageClass   string         `xml:"StorageClass,omitempty" json:"StorageClass,omitempty"`
-	NoncurrentDays ExpirationDays `xml:"NoncurrentDays,omitempty" json:"NoncurrentDays,omitempty"`
+	NoncurrentDays ExpirationDays `xml:"NoncurrentDays" json:"NoncurrentDays"`
 }

 // IsDaysNull returns true if days field is null
@ -87,10 +95,30 @@ func (n NoncurrentVersionTransition) IsStorageClassEmpty() bool {
 	return n.StorageClass == ""
 }

+func (n NoncurrentVersionTransition) isNull() bool {
+	return n.StorageClass == ""
+}
+
+// UnmarshalJSON implements NoncurrentVersionTransition JSONify
+func (n *NoncurrentVersionTransition) UnmarshalJSON(b []byte) error {
+	type noncurrentVersionTransition NoncurrentVersionTransition
+	var nt noncurrentVersionTransition
+	err := json.Unmarshal(b, &nt)
+	if err != nil {
+		return err
+	}
+
+	if nt.StorageClass == "" {
+		return errMissingStorageClass
+	}
+	*n = NoncurrentVersionTransition(nt)
+	return nil
+}
+
 // MarshalXML is extended to leave out
 // <NoncurrentVersionTransition></NoncurrentVersionTransition> tags
 func (n NoncurrentVersionTransition) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
-	if n.IsDaysNull() || n.IsStorageClassEmpty() {
+	if n.isNull() {
 		return nil
 	}
 	type noncurrentVersionTransitionWrapper NoncurrentVersionTransition
@ -114,25 +142,44 @@ type Transition struct {
 	XMLName      xml.Name       `xml:"Transition" json:"-"`
 	Date         ExpirationDate `xml:"Date,omitempty" json:"Date,omitempty"`
 	StorageClass string         `xml:"StorageClass,omitempty" json:"StorageClass,omitempty"`
-	Days         ExpirationDays `xml:"Days,omitempty" json:"Days,omitempty"`
+	Days         ExpirationDays `xml:"Days" json:"Days"`
+}
+
+// UnmarshalJSON returns an error if storage-class is empty.
+func (t *Transition) UnmarshalJSON(b []byte) error {
+	type transition Transition
+	var tr transition
+	err := json.Unmarshal(b, &tr)
+	if err != nil {
+		return err
+	}
+
+	if tr.StorageClass == "" {
+		return errMissingStorageClass
+	}
+	*t = Transition(tr)
+	return nil
 }

 // MarshalJSON customizes json encoding by omitting empty values
 func (t Transition) MarshalJSON() ([]byte, error) {
+	if t.IsNull() {
+		return nil, nil
+	}
 	type transition struct {
 		Date         *ExpirationDate `json:"Date,omitempty"`
 		StorageClass string          `json:"StorageClass,omitempty"`
-		Days         *ExpirationDays `json:"Days,omitempty"`
+		Days         *ExpirationDays `json:"Days"`
 	}

 	newt := transition{
 		StorageClass: t.StorageClass,
 	}
-	if !t.IsDaysNull() {
-		newt.Days = &t.Days
-	}
+
 	if !t.IsDateNull() {
 		newt.Date = &t.Date
+	} else {
+		newt.Days = &t.Days
 	}
 	return json.Marshal(newt)
 }
@ -147,9 +194,9 @@ func (t Transition) IsDateNull() bool {
 	return t.Date.Time.IsZero()
 }

-// IsNull returns true if both date and days fields are null
+// IsNull returns true if no storage-class is set.
 func (t Transition) IsNull() bool {
-	return t.IsDaysNull() && t.IsDateNull()
+	return t.StorageClass == ""
 }

 // MarshalXML is transition is non null
@ -364,10 +411,10 @@ func (r Rule) MarshalJSON() ([]byte, error) {
 	if !r.Transition.IsNull() {
 		newr.Transition = &r.Transition
 	}
-	if !r.NoncurrentVersionExpiration.IsDaysNull() {
+	if !r.NoncurrentVersionExpiration.isNull() {
 		newr.NoncurrentVersionExpiration = &r.NoncurrentVersionExpiration
 	}
-	if !r.NoncurrentVersionTransition.IsDaysNull() {
+	if !r.NoncurrentVersionTransition.isNull() {
 		newr.NoncurrentVersionTransition = &r.NoncurrentVersionTransition
 	}

--- a/vendor/github.com/minio/minio-go/v7/pkg/replication/replication.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/replication/replication.go
@ -103,15 +103,21 @@ func (c *Config) AddRule(opts Options) error {
 	if err != nil {
 		return err
 	}
+	var compatSw bool // true if RoleArn is used with new mc client and older minio version prior to multisite
 	if opts.RoleArn != "" {
 		tokens := strings.Split(opts.RoleArn, ":")
 		if len(tokens) != 6 {
 			return fmt.Errorf("invalid format for replication Role Arn: %v", opts.RoleArn)
 		}
-		if !strings.HasPrefix(opts.RoleArn, "arn:aws:iam") {
+		switch {
+		case strings.HasPrefix(opts.RoleArn, "arn:minio:replication") && len(c.Rules) == 0:
+			c.Role = opts.RoleArn
+			compatSw = true
+		case strings.HasPrefix(opts.RoleArn, "arn:aws:iam"):
+			c.Role = opts.RoleArn
+		default:
 			return fmt.Errorf("RoleArn invalid for AWS replication configuration: %v", opts.RoleArn)
 		}
-		c.Role = opts.RoleArn
 	}

 	var status Status
@ -151,7 +157,11 @@ func (c *Config) AddRule(opts Options) error {
 	destBucket := opts.DestBucket
 	// ref https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html
 	if btokens := strings.Split(destBucket, ":"); len(btokens) != 6 {
-		return fmt.Errorf("destination bucket needs to be in Arn format")
+		if len(btokens) == 1 && compatSw {
+			destBucket = fmt.Sprintf("arn:aws:s3:::%s", destBucket)
+		} else {
+			return fmt.Errorf("destination bucket needs to be in Arn format")
+		}
 	}
 	dmStatus := Disabled
 	if opts.ReplicateDeleteMarkers != "" {
@ -228,7 +238,7 @@ func (c *Config) AddRule(opts Options) error {
 		return err
 	}
 	// if replication config uses RoleArn, migrate this to the destination element as target ARN for remote bucket for MinIO configuration
-	if c.Role != "" && !strings.HasPrefix(c.Role, "arn:aws:iam") {
+	if c.Role != "" && !strings.HasPrefix(c.Role, "arn:aws:iam") && !compatSw {
 		for i := range c.Rules {
 			c.Rules[i].Destination.Bucket = c.Role
 		}
@ -254,7 +264,7 @@ func (c *Config) EditRule(opts Options) error {
 		return fmt.Errorf("rule ID missing")
 	}
 	// if replication config uses RoleArn, migrate this to the destination element as target ARN for remote bucket for non AWS.
-	if c.Role != "" && !strings.HasPrefix(c.Role, "arn:aws:iam") {
+	if c.Role != "" && !strings.HasPrefix(c.Role, "arn:aws:iam") && len(c.Rules) > 1 {
 		for i := range c.Rules {
 			c.Rules[i].Destination.Bucket = c.Role
 		}
@ -484,10 +494,7 @@ func (r Rule) validateStatus() error {
 }

 func (r Rule) validateFilter() error {
-	if err := r.Filter.Validate(); err != nil {
-		return err
-	}
-	return nil
+	return r.Filter.Validate()
 }

 // Prefix - a rule can either have prefix under <filter></filter> or under
@ -712,9 +719,12 @@ type Metrics struct {
 	FailedCount uint64 `json:"failedReplicationCount"`
 }

+// ResyncTargetsInfo provides replication target information to resync replicated data.
 type ResyncTargetsInfo struct {
 	Targets []ResyncTarget `json:"target,omitempty"`
 }
+
+// ResyncTarget provides the replica resources and resetID to initiate resync replication.
 type ResyncTarget struct {
 	Arn     string `json:"arn"`
 	ResetID string `json:"resetid"`
--- a/vendor/github.com/minio/minio-go/v7/pkg/s3utils/utils.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/s3utils/utils.go
@ -171,6 +171,7 @@ func IsAmazonFIPSGovCloudEndpoint(endpointURL url.URL) bool {
 		return false
 	}
 	return endpointURL.Host == "s3-fips-us-gov-west-1.amazonaws.com" ||
+		endpointURL.Host == "s3-fips.us-gov-west-1.amazonaws.com" ||
 		endpointURL.Host == "s3-fips.dualstack.us-gov-west-1.amazonaws.com"
 }

@ -211,7 +212,7 @@ func IsGoogleEndpoint(endpointURL url.URL) bool {

 // Expects ascii encoded strings - from output of urlEncodePath
 func percentEncodeSlash(s string) string {
-	return strings.Replace(s, "/", "%2F", -1)
+	return strings.ReplaceAll(s, "/", "%2F")
 }

 // QueryEncode - encodes query values in their URL encoded form. In
--- a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v2.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v2.go
@ -233,16 +233,7 @@ func writeCanonicalizedHeaders(buf *bytes.Buffer, req http.Request) {
 			if idx > 0 {
 				buf.WriteByte(',')
 			}
-			if strings.Contains(v, "\n") {
-				// TODO: "Unfold" long headers that
-				// span multiple lines (as allowed by
-				// RFC 2616, section 4.2) by replacing
-				// the folding white-space (including
-				// new-line) by a single space.
-				buf.WriteString(v)
-			} else {
-				buf.WriteString(v)
-			}
+			buf.WriteString(v)
 		}
 		buf.WriteByte('\n')
 	}
--- a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v4.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v4.go
@ -42,22 +42,22 @@ const (
 	ServiceTypeSTS = "sts"
 )

-///
-/// Excerpts from @lsegal -
-/// https://github.com/aws/aws-sdk-js/issues/659#issuecomment-120477258.
-///
-///  User-Agent:
-///
-///      This is ignored from signing because signing this causes
-///      problems with generating pre-signed URLs (that are executed
-///      by other agents) or when customers pass requests through
-///      proxies, which may modify the user-agent.
-///
-///
-///  Authorization:
-///
-///      Is skipped for obvious reasons
-///
+//
+// Excerpts from @lsegal -
+// https:/github.com/aws/aws-sdk-js/issues/659#issuecomment-120477258.
+//
+//  User-Agent:
+//
+//      This is ignored from signing because signing this causes
+//      problems with generating pre-signed URLs (that are executed
+//      by other agents) or when customers pass requests through
+//      proxies, which may modify the user-agent.
+//
+//
+//  Authorization:
+//
+//      Is skipped for obvious reasons
+//
 var v4IgnoredHeaders = map[string]bool{
 	"Authorization": true,
 	"User-Agent":    true,
@ -118,7 +118,9 @@ func getCanonicalHeaders(req http.Request, ignoredHeaders map[string]bool) strin
 		headers = append(headers, strings.ToLower(k))
 		vals[strings.ToLower(k)] = vv
 	}
-	headers = append(headers, "host")
+	if !headerExists("host", headers) {
+		headers = append(headers, "host")
+	}
 	sort.Strings(headers)

 	var buf bytes.Buffer
@ -130,7 +132,7 @@ func getCanonicalHeaders(req http.Request, ignoredHeaders map[string]bool) strin
 		switch {
 		case k == "host":
 			buf.WriteString(getHostAddr(&req))
-			fallthrough
+			buf.WriteByte('\n')
 		default:
 			for idx, v := range vals[k] {
 				if idx > 0 {
@ -144,6 +146,15 @@ func getCanonicalHeaders(req http.Request, ignoredHeaders map[string]bool) strin
 	return buf.String()
 }

+func headerExists(key string, headers []string) bool {
+	for _, k := range headers {
+		if k == key {
+			return true
+		}
+	}
+	return false
+}
+
 // getSignedHeaders generate all signed request headers.
 // i.e lexically sorted, semicolon-separated list of lowercase
 // request header names.
@ -155,7 +166,9 @@ func getSignedHeaders(req http.Request, ignoredHeaders map[string]bool) string {
 		}
 		headers = append(headers, strings.ToLower(k))
 	}
-	headers = append(headers, "host")
+	if !headerExists("host", headers) {
+		headers = append(headers, "host")
+	}
 	sort.Strings(headers)
 	return strings.Join(headers, ";")
 }
@ -170,7 +183,7 @@ func getSignedHeaders(req http.Request, ignoredHeaders map[string]bool) string {
 //  <SignedHeaders>\n
 //  <HashedPayload>
 func getCanonicalRequest(req http.Request, ignoredHeaders map[string]bool, hashedPayload string) string {
-	req.URL.RawQuery = strings.Replace(req.URL.Query().Encode(), "+", "%20", -1)
+	req.URL.RawQuery = strings.ReplaceAll(req.URL.Query().Encode(), "+", "%20")
 	canonicalRequest := strings.Join([]string{
 		req.Method,
 		s3utils.EncodePath(req.URL.Path),
@ -186,7 +199,7 @@ func getCanonicalRequest(req http.Request, ignoredHeaders map[string]bool, hashe
 func getStringToSignV4(t time.Time, location, canonicalRequest, serviceType string) string {
 	stringToSign := signV4Algorithm + "\n" + t.Format(iso8601DateFormat) + "\n"
 	stringToSign = stringToSign + getScope(location, t, serviceType) + "\n"
-	stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest)))
+	stringToSign += hex.EncodeToString(sum256([]byte(canonicalRequest)))
 	return stringToSign
 }

--- a/vendor/github.com/minio/minio-go/v7/pkg/signer/utils.go
+++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/utils.go
@ -44,6 +44,10 @@ func sumHMAC(key []byte, data []byte) []byte {

 // getHostAddr returns host header if available, otherwise returns host from URL
 func getHostAddr(req *http.Request) string {
+	host := req.Header.Get("host")
+	if host != "" && req.Host != host {
+		return host
+	}
 	if req.Host != "" {
 		return req.Host
 	}