[chore]: Bump github.com/minio/minio-go/v7 from 7.0.81 to 7.0.84 (#3728)

Bumps [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) from 7.0.81 to 7.0.84.
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](https://github.com/minio/minio-go/compare/v7.0.81...v7.0.84)

---
updated-dependencies:
- dependency-name: github.com/minio/minio-go/v7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

vendor/github.com/minio/minio-go/v7/pkg/credentials/assume_role.go

@@ -76,7 +76,8 @@ type AssumeRoleResult struct {
 type STSAssumeRole struct {
 	Expiry
 
-	// Required http Client to use when connecting to MinIO STS service.
+	// Optional http Client to use when connecting to MinIO STS service
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// STS endpoint to fetch STS credentials.
@@ -108,16 +109,10 @@ type STSAssumeRoleOptions struct {
 // NewSTSAssumeRole returns a pointer to a new
 // Credentials object wrapping the STSAssumeRole.
 func NewSTSAssumeRole(stsEndpoint string, opts STSAssumeRoleOptions) (*Credentials, error) {
-	if stsEndpoint == "" {
-		return nil, errors.New("STS endpoint cannot be empty")
-	}
 	if opts.AccessKey == "" || opts.SecretKey == "" {
 		return nil, errors.New("AssumeRole credentials access/secretkey is mandatory")
 	}
 	return New(&STSAssumeRole{
-		Client: &http.Client{
-			Transport: http.DefaultTransport,
-		},
 		STSEndpoint: stsEndpoint,
 		Options:     opts,
 	}), nil
@@ -222,10 +217,30 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 	return a, nil
 }
 
-// Retrieve retrieves credentials from the MinIO service.
-// Error will be returned if the request fails.
-func (m *STSAssumeRole) Retrieve() (Value, error) {
-	a, err := getAssumeRoleCredentials(m.Client, m.STSEndpoint, m.Options)
+// RetrieveWithCredContext retrieves credentials from the MinIO service.
+// Error will be returned if the request fails, optional cred context.
+func (m *STSAssumeRole) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	client := m.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	stsEndpoint := m.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	a, err := getAssumeRoleCredentials(client, stsEndpoint, m.Options)
 	if err != nil {
 		return Value{}, err
 	}
@@ -241,3 +256,9 @@ func (m *STSAssumeRole) Retrieve() (Value, error) {
 		SignerType:      SignatureV4,
 	}, nil
 }
+
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSAssumeRole) Retrieve() (Value, error) {
+	return m.RetrieveWithCredContext(nil)
+}

vendor/github.com/minio/minio-go/v7/pkg/credentials/chain.go

@@ -55,6 +55,24 @@ func NewChainCredentials(providers []Provider) *Credentials {
 	})
 }
 
+// RetrieveWithCredContext is like Retrieve with CredContext
+func (c *Chain) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	for _, p := range c.Providers {
+		creds, _ := p.RetrieveWithCredContext(cc)
+		// Always prioritize non-anonymous providers, if any.
+		if creds.AccessKeyID == "" && creds.SecretAccessKey == "" {
+			continue
+		}
+		c.curr = p
+		return creds, nil
+	}
+	// At this point we have exhausted all the providers and
+	// are left without any credentials return anonymous.
+	return Value{
+		SignerType: SignatureAnonymous,
+	}, nil
+}
+
 // Retrieve returns the credentials value, returns no credentials(anonymous)
 // if no credentials provider returned any value.
 //

vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.go

@@ -18,6 +18,7 @@
 package credentials
 
 import (
+	"net/http"
 	"sync"
 	"time"
 )
@@ -30,6 +31,10 @@ const (
 	defaultExpiryWindow = 0.8
 )
 
+// defaultCredContext is used when the credential context doesn't
+// actually matter or the default context is suitable.
+var defaultCredContext = &CredContext{Client: http.DefaultClient}
+
 // A Value is the S3 credentials value for individual credential fields.
 type Value struct {
 	// S3 Access key ID
@@ -52,8 +57,17 @@ type Value struct {
 // Value. A provider is required to manage its own Expired state, and what to
 // be expired means.
 type Provider interface {
+	// RetrieveWithCredContext returns nil if it successfully retrieved the
+	// value. Error is returned if the value were not obtainable, or empty.
+	// optionally takes CredContext for additional context to retrieve credentials.
+	RetrieveWithCredContext(cc *CredContext) (Value, error)
+
 	// Retrieve returns nil if it successfully retrieved the value.
 	// Error is returned if the value were not obtainable, or empty.
+	//
+	// Deprecated: Retrieve() exists for historical compatibility and should not
+	// be used. To get new credentials use the RetrieveWithCredContext function
+	// to ensure the proper context (i.e. HTTP client) will be used.
 	Retrieve() (Value, error)
 
 	// IsExpired returns if the credentials are no longer valid, and need
@@ -61,6 +75,18 @@ type Provider interface {
 	IsExpired() bool
 }
 
+// CredContext is passed to the Retrieve function of a provider to provide
+// some additional context to retrieve credentials.
+type CredContext struct {
+	// Client specifies the HTTP client that should be used if an HTTP
+	// request is to be made to fetch the credentials.
+	Client *http.Client
+
+	// Endpoint specifies the MinIO endpoint that will be used if no
+	// explicit endpoint is provided.
+	Endpoint string
+}
+
 // A Expiry provides shared expiration logic to be used by credentials
 // providers to implement expiry functionality.
 //
@@ -146,16 +172,36 @@ func New(provider Provider) *Credentials {
 //
 // If Credentials.Expire() was called the credentials Value will be force
 // expired, and the next call to Get() will cause them to be refreshed.
+//
+// Deprecated: Get() exists for historical compatibility and should not be
+// used. To get new credentials use the Credentials.GetWithContext function
+// to ensure the proper context (i.e. HTTP client) will be used.
 func (c *Credentials) Get() (Value, error) {
+	return c.GetWithContext(nil)
+}
+
+// GetWithContext returns the credentials value, or error if the
+// credentials Value failed to be retrieved.
+//
+// Will return the cached credentials Value if it has not expired. If the
+// credentials Value has expired the Provider's Retrieve() will be called
+// to refresh the credentials.
+//
+// If Credentials.Expire() was called the credentials Value will be force
+// expired, and the next call to Get() will cause them to be refreshed.
+func (c *Credentials) GetWithContext(cc *CredContext) (Value, error) {
 	if c == nil {
 		return Value{}, nil
 	}
+	if cc == nil {
+		cc = defaultCredContext
+	}
 
 	c.Lock()
 	defer c.Unlock()
 
 	if c.isExpired() {
-		creds, err := c.provider.Retrieve()
+		creds, err := c.provider.RetrieveWithCredContext(cc)
 		if err != nil {
 			return Value{}, err
 		}

vendor/github.com/minio/minio-go/v7/pkg/credentials/env_aws.go

@@ -37,8 +37,7 @@ func NewEnvAWS() *Credentials {
 	return New(&EnvAWS{})
 }
 
-// Retrieve retrieves the keys from the environment.
-func (e *EnvAWS) Retrieve() (Value, error) {
+func (e *EnvAWS) retrieve() (Value, error) {
 	e.retrieved = false
 
 	id := os.Getenv("AWS_ACCESS_KEY_ID")
@@ -65,6 +64,16 @@ func (e *EnvAWS) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve retrieves the keys from the environment.
+func (e *EnvAWS) Retrieve() (Value, error) {
+	return e.retrieve()
+}
+
+// RetrieveWithCredContext is like Retrieve (no-op input of Cred Context)
+func (e *EnvAWS) RetrieveWithCredContext(_ *CredContext) (Value, error) {
+	return e.retrieve()
+}
+
 // IsExpired returns if the credentials have been retrieved.
 func (e *EnvAWS) IsExpired() bool {
 	return !e.retrieved

vendor/github.com/minio/minio-go/v7/pkg/credentials/env_minio.go

@@ -38,8 +38,7 @@ func NewEnvMinio() *Credentials {
 	return New(&EnvMinio{})
 }
 
-// Retrieve retrieves the keys from the environment.
-func (e *EnvMinio) Retrieve() (Value, error) {
+func (e *EnvMinio) retrieve() (Value, error) {
 	e.retrieved = false
 
 	id := os.Getenv("MINIO_ROOT_USER")
@@ -62,6 +61,16 @@ func (e *EnvMinio) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve retrieves the keys from the environment.
+func (e *EnvMinio) Retrieve() (Value, error) {
+	return e.retrieve()
+}
+
+// RetrieveWithCredContext is like Retrieve() (no-op input cred context)
+func (e *EnvMinio) RetrieveWithCredContext(_ *CredContext) (Value, error) {
+	return e.retrieve()
+}
+
 // IsExpired returns if the credentials have been retrieved.
 func (e *EnvMinio) IsExpired() bool {
 	return !e.retrieved

vendor/github.com/minio/minio-go/v7/pkg/credentials/file_aws_credentials.go

@@ -71,9 +71,7 @@ func NewFileAWSCredentials(filename, profile string) *Credentials {
 	})
 }
 
-// Retrieve reads and extracts the shared credentials from the current
-// users home directory.
-func (p *FileAWSCredentials) Retrieve() (Value, error) {
+func (p *FileAWSCredentials) retrieve() (Value, error) {
 	if p.Filename == "" {
 		p.Filename = os.Getenv("AWS_SHARED_CREDENTIALS_FILE")
 		if p.Filename == "" {
@@ -142,6 +140,17 @@ func (p *FileAWSCredentials) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileAWSCredentials) Retrieve() (Value, error) {
+	return p.retrieve()
+}
+
+// RetrieveWithCredContext is like Retrieve(), cred context is no-op for File credentials
+func (p *FileAWSCredentials) RetrieveWithCredContext(_ *CredContext) (Value, error) {
+	return p.retrieve()
+}
+
 // loadProfiles loads from the file pointed to by shared credentials filename for profile.
 // The credentials retrieved from the profile will be returned or error. Error will be
 // returned if it fails to read from the file, or the data is invalid.

vendor/github.com/minio/minio-go/v7/pkg/credentials/file_minio_client.go

@@ -56,9 +56,7 @@ func NewFileMinioClient(filename, alias string) *Credentials {
 	})
 }
 
-// Retrieve reads and extracts the shared credentials from the current
-// users home directory.
-func (p *FileMinioClient) Retrieve() (Value, error) {
+func (p *FileMinioClient) retrieve() (Value, error) {
 	if p.Filename == "" {
 		if value, ok := os.LookupEnv("MINIO_SHARED_CREDENTIALS_FILE"); ok {
 			p.Filename = value
@@ -96,6 +94,17 @@ func (p *FileMinioClient) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileMinioClient) Retrieve() (Value, error) {
+	return p.retrieve()
+}
+
+// RetrieveWithCredContext - is like Retrieve()
+func (p *FileMinioClient) RetrieveWithCredContext(_ *CredContext) (Value, error) {
+	return p.retrieve()
+}
+
 // IsExpired returns if the shared credentials have expired.
 func (p *FileMinioClient) IsExpired() bool {
 	return !p.retrieved

vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go

@@ -49,7 +49,8 @@ const DefaultExpiryWindow = -1
 type IAM struct {
 	Expiry
 
-	// Required http Client to use when connecting to IAM metadata service.
+	// Optional http Client to use when connecting to IAM metadata service
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// Custom endpoint to fetch IAM role credentials.
@@ -90,17 +91,16 @@ const (
 // NewIAM returns a pointer to a new Credentials object wrapping the IAM.
 func NewIAM(endpoint string) *Credentials {
 	return New(&IAM{
-		Client: &http.Client{
-			Transport: http.DefaultTransport,
-		},
 		Endpoint: endpoint,
 	})
 }
 
-// Retrieve retrieves credentials from the EC2 service.
-// Error will be returned if the request fails, or unable to extract
-// the desired
-func (m *IAM) Retrieve() (Value, error) {
+// RetrieveWithCredContext is like Retrieve with Cred Context
+func (m *IAM) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
 	token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
 	if token == "" {
 		token = m.Container.AuthorizationToken
@@ -144,7 +144,16 @@ func (m *IAM) Retrieve() (Value, error) {
 	var roleCreds ec2RoleCredRespBody
 	var err error
 
+	client := m.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
 	endpoint := m.Endpoint
+
 	switch {
 	case identityFile != "":
 		if len(endpoint) == 0 {
@@ -160,7 +169,7 @@ func (m *IAM) Retrieve() (Value, error) {
 		}
 
 		creds := &STSWebIdentity{
-			Client:      m.Client,
+			Client:      client,
 			STSEndpoint: endpoint,
 			GetWebIDTokenExpiry: func() (*WebIdentityToken, error) {
 				token, err := os.ReadFile(identityFile)
@@ -174,7 +183,7 @@ func (m *IAM) Retrieve() (Value, error) {
 			roleSessionName: roleSessionName,
 		}
 
-		stsWebIdentityCreds, err := creds.Retrieve()
+		stsWebIdentityCreds, err := creds.RetrieveWithCredContext(cc)
 		if err == nil {
 			m.SetExpiration(creds.Expiration(), DefaultExpiryWindow)
 		}
@@ -185,11 +194,11 @@ func (m *IAM) Retrieve() (Value, error) {
 			endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI)
 		}
 
-		roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+		roleCreds, err = getEcsTaskCredentials(client, endpoint, token)
 
 	case tokenFile != "" && fullURI != "":
 		endpoint = fullURI
-		roleCreds, err = getEKSPodIdentityCredentials(m.Client, endpoint, tokenFile)
+		roleCreds, err = getEKSPodIdentityCredentials(client, endpoint, tokenFile)
 
 	case fullURI != "":
 		if len(endpoint) == 0 {
@@ -203,10 +212,10 @@ func (m *IAM) Retrieve() (Value, error) {
 			}
 		}
 
-		roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+		roleCreds, err = getEcsTaskCredentials(client, endpoint, token)
 
 	default:
-		roleCreds, err = getCredentials(m.Client, endpoint)
+		roleCreds, err = getCredentials(client, endpoint)
 	}
 
 	if err != nil {
@@ -224,6 +233,13 @@ func (m *IAM) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve retrieves credentials from the EC2 service.
+// Error will be returned if the request fails, or unable to extract
+// the desired
+func (m *IAM) Retrieve() (Value, error) {
+	return m.RetrieveWithCredContext(nil)
+}
+
 // A ec2RoleCredRespBody provides the shape for unmarshaling credential
 // request responses.
 type ec2RoleCredRespBody struct {

vendor/github.com/minio/minio-go/v7/pkg/credentials/static.go

@@ -59,6 +59,11 @@ func (s *Static) Retrieve() (Value, error) {
 	return s.Value, nil
 }
 
+// RetrieveWithCredContext returns the static credentials.
+func (s *Static) RetrieveWithCredContext(_ *CredContext) (Value, error) {
+	return s.Retrieve()
+}
+
 // IsExpired returns if the credentials are expired.
 //
 // For Static, the credentials never expired.

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_client_grants.go

@@ -72,7 +72,8 @@ type ClientGrantsToken struct {
 type STSClientGrants struct {
 	Expiry
 
-	// Required http Client to use when connecting to MinIO STS service.
+	// Optional http Client to use when connecting to MinIO STS service.
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// MinIO endpoint to fetch STS credentials.
@@ -90,16 +91,10 @@ type STSClientGrants struct {
 // NewSTSClientGrants returns a pointer to a new
 // Credentials object wrapping the STSClientGrants.
 func NewSTSClientGrants(stsEndpoint string, getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)) (*Credentials, error) {
-	if stsEndpoint == "" {
-		return nil, errors.New("STS endpoint cannot be empty")
-	}
 	if getClientGrantsTokenExpiry == nil {
 		return nil, errors.New("Client grants access token and expiry retrieval function should be defined")
 	}
 	return New(&STSClientGrants{
-		Client: &http.Client{
-			Transport: http.DefaultTransport,
-		},
 		STSEndpoint:                stsEndpoint,
 		GetClientGrantsTokenExpiry: getClientGrantsTokenExpiry,
 	}), nil
@@ -162,10 +157,29 @@ func getClientGrantsCredentials(clnt *http.Client, endpoint string,
 	return a, nil
 }
 
-// Retrieve retrieves credentials from the MinIO service.
-// Error will be returned if the request fails.
-func (m *STSClientGrants) Retrieve() (Value, error) {
-	a, err := getClientGrantsCredentials(m.Client, m.STSEndpoint, m.GetClientGrantsTokenExpiry)
+// RetrieveWithCredContext is like Retrieve() with cred context
+func (m *STSClientGrants) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	client := m.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	stsEndpoint := m.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	a, err := getClientGrantsCredentials(client, stsEndpoint, m.GetClientGrantsTokenExpiry)
 	if err != nil {
 		return Value{}, err
 	}
@@ -181,3 +195,9 @@ func (m *STSClientGrants) Retrieve() (Value, error) {
 		SignerType:      SignatureV4,
 	}, nil
 }
+
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSClientGrants) Retrieve() (Value, error) {
+	return m.RetrieveWithCredContext(nil)
+}

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_custom_identity.go

@@ -53,6 +53,8 @@ type AssumeRoleWithCustomTokenResponse struct {
 type CustomTokenIdentity struct {
 	Expiry
 
+	// Optional http Client to use when connecting to MinIO STS service.
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// MinIO server STS endpoint to fetch STS credentials.
@@ -69,9 +71,21 @@ type CustomTokenIdentity struct {
 	RequestedExpiry time.Duration
 }
 
-// Retrieve - to satisfy Provider interface; fetches credentials from MinIO.
-func (c *CustomTokenIdentity) Retrieve() (value Value, err error) {
-	u, err := url.Parse(c.STSEndpoint)
+// RetrieveWithCredContext with Retrieve optionally cred context
+func (c *CustomTokenIdentity) RetrieveWithCredContext(cc *CredContext) (value Value, err error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	stsEndpoint := c.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	u, err := url.Parse(stsEndpoint)
 	if err != nil {
 		return value, err
 	}
@@ -92,7 +106,15 @@ func (c *CustomTokenIdentity) Retrieve() (value Value, err error) {
 		return value, err
 	}
 
-	resp, err := c.Client.Do(req)
+	client := c.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return value, err
 	}
@@ -118,11 +140,15 @@ func (c *CustomTokenIdentity) Retrieve() (value Value, err error) {
 	}, nil
 }
 
+// Retrieve - to satisfy Provider interface; fetches credentials from MinIO.
+func (c *CustomTokenIdentity) Retrieve() (value Value, err error) {
+	return c.RetrieveWithCredContext(nil)
+}
+
 // NewCustomTokenCredentials - returns credentials using the
 // AssumeRoleWithCustomToken STS API.
 func NewCustomTokenCredentials(stsEndpoint, token, roleArn string, optFuncs ...CustomTokenOpt) (*Credentials, error) {
 	c := CustomTokenIdentity{
-		Client:      &http.Client{Transport: http.DefaultTransport},
 		STSEndpoint: stsEndpoint,
 		Token:       token,
 		RoleArn:     roleArn,

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go

@@ -20,6 +20,7 @@ package credentials
 import (
 	"bytes"
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -55,7 +56,8 @@ type LDAPIdentityResult struct {
 type LDAPIdentity struct {
 	Expiry
 
-	// Required http Client to use when connecting to MinIO STS service.
+	// Optional http Client to use when connecting to MinIO STS service.
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// Exported STS endpoint to fetch STS credentials.
@@ -77,7 +79,6 @@ type LDAPIdentity struct {
 // Identity.
 func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string, optFuncs ...LDAPIdentityOpt) (*Credentials, error) {
 	l := LDAPIdentity{
-		Client:       &http.Client{Transport: http.DefaultTransport},
 		STSEndpoint:  stsEndpoint,
 		LDAPUsername: ldapUsername,
 		LDAPPassword: ldapPassword,
@@ -113,7 +114,6 @@ func LDAPIdentityExpiryOpt(d time.Duration) LDAPIdentityOpt {
 // Deprecated: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
 func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error) {
 	return New(&LDAPIdentity{
-		Client:       &http.Client{Transport: http.DefaultTransport},
 		STSEndpoint:  stsEndpoint,
 		LDAPUsername: ldapUsername,
 		LDAPPassword: ldapPassword,
@@ -121,10 +121,22 @@ func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, p
 	}), nil
 }
 
-// Retrieve gets the credential by calling the MinIO STS API for
+// RetrieveWithCredContext gets the credential by calling the MinIO STS API for
 // LDAP on the configured stsEndpoint.
-func (k *LDAPIdentity) Retrieve() (value Value, err error) {
-	u, err := url.Parse(k.STSEndpoint)
+func (k *LDAPIdentity) RetrieveWithCredContext(cc *CredContext) (value Value, err error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	stsEndpoint := k.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	u, err := url.Parse(stsEndpoint)
 	if err != nil {
 		return value, err
 	}
@@ -148,7 +160,15 @@ func (k *LDAPIdentity) Retrieve() (value Value, err error) {
 
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
-	resp, err := k.Client.Do(req)
+	client := k.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return value, err
 	}
@@ -188,3 +208,9 @@ func (k *LDAPIdentity) Retrieve() (value Value, err error) {
 		SignerType:      SignatureV4,
 	}, nil
 }
+
+// Retrieve gets the credential by calling the MinIO STS API for
+// LDAP on the configured stsEndpoint.
+func (k *LDAPIdentity) Retrieve() (value Value, err error) {
+	return k.RetrieveWithCredContext(defaultCredContext)
+}

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_tls_identity.go

@@ -20,8 +20,8 @@ import (
 	"crypto/tls"
 	"encoding/xml"
 	"errors"
+	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -36,7 +36,12 @@ type CertificateIdentityOption func(*STSCertificateIdentity)
 // CertificateIdentityWithTransport returns a CertificateIdentityOption that
 // customizes the STSCertificateIdentity with the given http.RoundTripper.
 func CertificateIdentityWithTransport(t http.RoundTripper) CertificateIdentityOption {
-	return CertificateIdentityOption(func(i *STSCertificateIdentity) { i.Client.Transport = t })
+	return CertificateIdentityOption(func(i *STSCertificateIdentity) {
+		if i.Client == nil {
+			i.Client = &http.Client{}
+		}
+		i.Client.Transport = t
+	})
 }
 
 // CertificateIdentityWithExpiry returns a CertificateIdentityOption that
@@ -53,6 +58,10 @@ func CertificateIdentityWithExpiry(livetime time.Duration) CertificateIdentityOp
 type STSCertificateIdentity struct {
 	Expiry
 
+	// Optional http Client to use when connecting to MinIO STS service.
+	// (overrides default client in CredContext)
+	Client *http.Client
+
 	// STSEndpoint is the base URL endpoint of the STS API.
 	// For example, https://minio.local:9000
 	STSEndpoint string
@@ -68,50 +77,18 @@ type STSCertificateIdentity struct {
 	// The default livetime is one hour.
 	S3CredentialLivetime time.Duration
 
-	// Client is the HTTP client used to authenticate and fetch
-	// S3 credentials.
-	//
-	// A custom TLS client configuration can be specified by
-	// using a custom http.Transport:
-	//   Client: http.Client {
-	//       Transport: &http.Transport{
-	//           TLSClientConfig: &tls.Config{},
-	//       },
-	//   }
-	Client http.Client
+	// Certificate is the client certificate that is used for
+	// STS authentication.
+	Certificate tls.Certificate
 }
 
-var _ Provider = (*STSWebIdentity)(nil) // compiler check
-
 // NewSTSCertificateIdentity returns a STSCertificateIdentity that authenticates
 // to the given STS endpoint with the given TLS certificate and retrieves and
 // rotates S3 credentials.
 func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, options ...CertificateIdentityOption) (*Credentials, error) {
-	if endpoint == "" {
-		return nil, errors.New("STS endpoint cannot be empty")
-	}
-	if _, err := url.Parse(endpoint); err != nil {
-		return nil, err
-	}
 	identity := &STSCertificateIdentity{
 		STSEndpoint: endpoint,
-		Client: http.Client{
-			Transport: &http.Transport{
-				Proxy: http.ProxyFromEnvironment,
-				DialContext: (&net.Dialer{
-					Timeout:   30 * time.Second,
-					KeepAlive: 30 * time.Second,
-				}).DialContext,
-				ForceAttemptHTTP2:     true,
-				MaxIdleConns:          100,
-				IdleConnTimeout:       90 * time.Second,
-				TLSHandshakeTimeout:   10 * time.Second,
-				ExpectContinueTimeout: 5 * time.Second,
-				TLSClientConfig: &tls.Config{
-					Certificates: []tls.Certificate{certificate},
-				},
-			},
-		},
+		Certificate: certificate,
 	}
 	for _, option := range options {
 		option(identity)
@@ -119,10 +96,21 @@ func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, opt
 	return New(identity), nil
 }
 
-// Retrieve fetches a new set of S3 credentials from the configured
-// STS API endpoint.
-func (i *STSCertificateIdentity) Retrieve() (Value, error) {
-	endpointURL, err := url.Parse(i.STSEndpoint)
+// RetrieveWithCredContext is Retrieve with cred context
+func (i *STSCertificateIdentity) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	stsEndpoint := i.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	endpointURL, err := url.Parse(stsEndpoint)
 	if err != nil {
 		return Value{}, err
 	}
@@ -145,7 +133,28 @@ func (i *STSCertificateIdentity) Retrieve() (Value, error) {
 	}
 	req.Form.Add("DurationSeconds", strconv.FormatUint(uint64(livetime.Seconds()), 10))
 
-	resp, err := i.Client.Do(req)
+	client := i.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	tr, ok := client.Transport.(*http.Transport)
+	if !ok {
+		return Value{}, fmt.Errorf("CredContext should contain an http.Transport value")
+	}
+
+	// Clone the HTTP transport (patch the TLS client certificate)
+	trCopy := tr.Clone()
+	trCopy.TLSClientConfig.Certificates = []tls.Certificate{i.Certificate}
+
+	// Clone the HTTP client (patch the HTTP transport)
+	clientCopy := *client
+	clientCopy.Transport = trCopy
+
+	resp, err := clientCopy.Do(req)
 	if err != nil {
 		return Value{}, err
 	}
@@ -193,6 +202,11 @@ func (i *STSCertificateIdentity) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve fetches a new set of S3 credentials from the configured STS API endpoint.
+func (i *STSCertificateIdentity) Retrieve() (Value, error) {
+	return i.RetrieveWithCredContext(defaultCredContext)
+}
+
 // Expiration returns the expiration time of the current S3 credentials.
 func (i *STSCertificateIdentity) Expiration() time.Time { return i.expiration }
 

vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go

@@ -69,7 +69,8 @@ type WebIdentityToken struct {
 type STSWebIdentity struct {
 	Expiry
 
-	// Required http Client to use when connecting to MinIO STS service.
+	// Optional http Client to use when connecting to MinIO STS service.
+	// (overrides default client in CredContext)
 	Client *http.Client
 
 	// Exported STS endpoint to fetch STS credentials.
@@ -97,16 +98,10 @@ type STSWebIdentity struct {
 // NewSTSWebIdentity returns a pointer to a new
 // Credentials object wrapping the STSWebIdentity.
 func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error), opts ...func(*STSWebIdentity)) (*Credentials, error) {
-	if stsEndpoint == "" {
-		return nil, errors.New("STS endpoint cannot be empty")
-	}
 	if getWebIDTokenExpiry == nil {
 		return nil, errors.New("Web ID token and expiry retrieval function should be defined")
 	}
 	i := &STSWebIdentity{
-		Client: &http.Client{
-			Transport: http.DefaultTransport,
-		},
 		STSEndpoint:         stsEndpoint,
 		GetWebIDTokenExpiry: getWebIDTokenExpiry,
 	}
@@ -162,6 +157,10 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 		// Usually set when server is using extended userInfo endpoint.
 		v.Set("WebIdentityAccessToken", idToken.AccessToken)
 	}
+	if idToken.RefreshToken != "" {
+		// Usually set when server is using extended userInfo endpoint.
+		v.Set("WebIdentityRefreshToken", idToken.RefreshToken)
+	}
 	if idToken.Expiry > 0 {
 		v.Set("DurationSeconds", fmt.Sprintf("%d", idToken.Expiry))
 	}
@@ -215,10 +214,29 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 	return a, nil
 }
 
-// Retrieve retrieves credentials from the MinIO service.
-// Error will be returned if the request fails.
-func (m *STSWebIdentity) Retrieve() (Value, error) {
-	a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.RoleARN, m.roleSessionName, m.Policy, m.GetWebIDTokenExpiry)
+// RetrieveWithCredContext is like Retrieve with optional cred context.
+func (m *STSWebIdentity) RetrieveWithCredContext(cc *CredContext) (Value, error) {
+	if cc == nil {
+		cc = defaultCredContext
+	}
+
+	client := m.Client
+	if client == nil {
+		client = cc.Client
+	}
+	if client == nil {
+		client = defaultCredContext.Client
+	}
+
+	stsEndpoint := m.STSEndpoint
+	if stsEndpoint == "" {
+		stsEndpoint = cc.Endpoint
+	}
+	if stsEndpoint == "" {
+		return Value{}, errors.New("STS endpoint unknown")
+	}
+
+	a, err := getWebIdentityCredentials(client, stsEndpoint, m.RoleARN, m.roleSessionName, m.Policy, m.GetWebIDTokenExpiry)
 	if err != nil {
 		return Value{}, err
 	}
@@ -235,6 +253,12 @@ func (m *STSWebIdentity) Retrieve() (Value, error) {
 	}, nil
 }
 
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSWebIdentity) Retrieve() (Value, error) {
+	return m.RetrieveWithCredContext(nil)
+}
+
 // Expiration returns the expiration time of the credentials
 func (m *STSWebIdentity) Expiration() time.Time {
 	return m.expiration

vendor/github.com/minio/minio-go/v7/pkg/s3utils/utils.go

@@ -118,53 +118,53 @@ func GetRegionFromURL(endpointURL url.URL) string {
 	if endpointURL == sentinelURL {
 		return ""
 	}
-	if endpointURL.Host == "s3-external-1.amazonaws.com" {
+	if endpointURL.Hostname() == "s3-external-1.amazonaws.com" {
 		return ""
 	}
 
 	// if elb's are used we cannot calculate which region it may be, just return empty.
-	if elbAmazonRegex.MatchString(endpointURL.Host) || elbAmazonCnRegex.MatchString(endpointURL.Host) {
+	if elbAmazonRegex.MatchString(endpointURL.Hostname()) || elbAmazonCnRegex.MatchString(endpointURL.Hostname()) {
 		return ""
 	}
 
 	// We check for FIPS dualstack matching first to avoid the non-greedy
 	// regex for FIPS non-dualstack matching a dualstack URL
-	parts := amazonS3HostFIPSDualStack.FindStringSubmatch(endpointURL.Host)
+	parts := amazonS3HostFIPSDualStack.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3HostFIPS.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3HostFIPS.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3HostDualStack.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3HostDualStack.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3HostHyphen.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3HostHyphen.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3ChinaHost.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3ChinaHost.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3ChinaHostDualStack.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3ChinaHostDualStack.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3HostDot.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3HostDot.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}
 
-	parts = amazonS3HostPrivateLink.FindStringSubmatch(endpointURL.Host)
+	parts = amazonS3HostPrivateLink.FindStringSubmatch(endpointURL.Hostname())
 	if len(parts) > 1 {
 		return parts[1]
 	}