Upgrading minio-go library to 6.0.0 (#8651)

* Upgrading minio-go library to 6.0.0

* Removing unnecesary Gopkg constraint

7 files changed, 216 insertions, 1291 deletions

diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go b/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go
deleted file mode 100644
index b0f2d6e08..000000000
--- a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2017 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package encrypt
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"io"
-)
-
-// Crypt mode - encryption or decryption
-type cryptMode int
-
-const (
-	encryptMode cryptMode = iota
-	decryptMode
-)
-
-// CBCSecureMaterials encrypts/decrypts data using AES CBC algorithm
-type CBCSecureMaterials struct {
-
-	// Data stream to encrypt/decrypt
-	stream io.Reader
-
-	// Last internal error
-	err error
-
-	// End of file reached
-	eof bool
-
-	// Holds initial data
-	srcBuf *bytes.Buffer
-
-	// Holds transformed data (encrypted or decrypted)
-	dstBuf *bytes.Buffer
-
-	// Encryption algorithm
-	encryptionKey Key
-
-	// Key to encrypts/decrypts data
-	contentKey []byte
-
-	// Encrypted form of contentKey
-	cryptedKey []byte
-
-	// Initialization vector
-	iv []byte
-
-	// matDesc - currently unused
-	matDesc []byte
-
-	// Indicate if we are going to encrypt or decrypt
-	cryptMode cryptMode
-
-	// Helper that encrypts/decrypts data
-	blockMode cipher.BlockMode
-}
-
-// NewCBCSecureMaterials builds new CBC crypter module with
-// the specified encryption key (symmetric or asymmetric)
-func NewCBCSecureMaterials(key Key) (*CBCSecureMaterials, error) {
-	if key == nil {
-		return nil, errors.New("Unable to recognize empty encryption properties")
-	}
-	return &CBCSecureMaterials{
-		srcBuf:        bytes.NewBuffer([]byte{}),
-		dstBuf:        bytes.NewBuffer([]byte{}),
-		encryptionKey: key,
-		matDesc:       []byte("{}"),
-	}, nil
-
-}
-
-// Close implements closes the internal stream.
-func (s *CBCSecureMaterials) Close() error {
-	closer, ok := s.stream.(io.Closer)
-	if ok {
-		return closer.Close()
-	}
-	return nil
-}
-
-// SetupEncryptMode - tells CBC that we are going to encrypt data
-func (s *CBCSecureMaterials) SetupEncryptMode(stream io.Reader) error {
-	// Set mode to encrypt
-	s.cryptMode = encryptMode
-
-	// Set underlying reader
-	s.stream = stream
-
-	s.eof = false
-	s.srcBuf.Reset()
-	s.dstBuf.Reset()
-
-	var err error
-
-	// Generate random content key
-	s.contentKey = make([]byte, aes.BlockSize*2)
-	if _, err := rand.Read(s.contentKey); err != nil {
-		return err
-	}
-	// Encrypt content key
-	s.cryptedKey, err = s.encryptionKey.Encrypt(s.contentKey)
-	if err != nil {
-		return err
-	}
-	// Generate random IV
-	s.iv = make([]byte, aes.BlockSize)
-	if _, err = rand.Read(s.iv); err != nil {
-		return err
-	}
-	// New cipher
-	encryptContentBlock, err := aes.NewCipher(s.contentKey)
-	if err != nil {
-		return err
-	}
-
-	s.blockMode = cipher.NewCBCEncrypter(encryptContentBlock, s.iv)
-
-	return nil
-}
-
-// SetupDecryptMode - tells CBC that we are going to decrypt data
-func (s *CBCSecureMaterials) SetupDecryptMode(stream io.Reader, iv string, key string) error {
-	// Set mode to decrypt
-	s.cryptMode = decryptMode
-
-	// Set underlying reader
-	s.stream = stream
-
-	// Reset
-	s.eof = false
-	s.srcBuf.Reset()
-	s.dstBuf.Reset()
-
-	var err error
-
-	// Get IV
-	s.iv, err = base64.StdEncoding.DecodeString(iv)
-	if err != nil {
-		return err
-	}
-
-	// Get encrypted content key
-	s.cryptedKey, err = base64.StdEncoding.DecodeString(key)
-	if err != nil {
-		return err
-	}
-
-	// Decrypt content key
-	s.contentKey, err = s.encryptionKey.Decrypt(s.cryptedKey)
-	if err != nil {
-		return err
-	}
-
-	// New cipher
-	decryptContentBlock, err := aes.NewCipher(s.contentKey)
-	if err != nil {
-		return err
-	}
-
-	s.blockMode = cipher.NewCBCDecrypter(decryptContentBlock, s.iv)
-	return nil
-}
-
-// GetIV - return randomly generated IV (per S3 object), base64 encoded.
-func (s *CBCSecureMaterials) GetIV() string {
-	return base64.StdEncoding.EncodeToString(s.iv)
-}
-
-// GetKey - return content encrypting key (cek) in encrypted form, base64 encoded.
-func (s *CBCSecureMaterials) GetKey() string {
-	return base64.StdEncoding.EncodeToString(s.cryptedKey)
-}
-
-// GetDesc - user provided encryption material description in JSON (UTF8) format.
-func (s *CBCSecureMaterials) GetDesc() string {
-	return string(s.matDesc)
-}
-
-// Fill buf with encrypted/decrypted data
-func (s *CBCSecureMaterials) Read(buf []byte) (n int, err error) {
-	// Always fill buf from bufChunk at the end of this function
-	defer func() {
-		if s.err != nil {
-			n, err = 0, s.err
-		} else {
-			n, err = s.dstBuf.Read(buf)
-		}
-	}()
-
-	// Return
-	if s.eof {
-		return
-	}
-
-	// Fill dest buffer if its length is less than buf
-	for !s.eof && s.dstBuf.Len() < len(buf) {
-
-		srcPart := make([]byte, aes.BlockSize)
-		dstPart := make([]byte, aes.BlockSize)
-
-		// Fill src buffer
-		for s.srcBuf.Len() < aes.BlockSize*2 {
-			_, err = io.CopyN(s.srcBuf, s.stream, aes.BlockSize)
-			if err != nil {
-				break
-			}
-		}
-
-		// Quit immediately for errors other than io.EOF
-		if err != nil && err != io.EOF {
-			s.err = err
-			return
-		}
-
-		// Mark current encrypting/decrypting as finished
-		s.eof = (err == io.EOF)
-
-		if s.eof && s.cryptMode == encryptMode {
-			if srcPart, err = pkcs5Pad(s.srcBuf.Bytes(), aes.BlockSize); err != nil {
-				s.err = err
-				return
-			}
-		} else {
-			_, _ = s.srcBuf.Read(srcPart)
-		}
-
-		// Crypt srcPart content
-		for len(srcPart) > 0 {
-
-			// Crypt current part
-			s.blockMode.CryptBlocks(dstPart, srcPart[:aes.BlockSize])
-
-			// Unpad when this is the last part and we are decrypting
-			if s.eof && s.cryptMode == decryptMode {
-				dstPart, err = pkcs5Unpad(dstPart, aes.BlockSize)
-				if err != nil {
-					s.err = err
-					return
-				}
-			}
-
-			// Send crypted data to dstBuf
-			if _, wErr := s.dstBuf.Write(dstPart); wErr != nil {
-				s.err = wErr
-				return
-			}
-			// Move to the next part
-			srcPart = srcPart[aes.BlockSize:]
-		}
-	}
-	return
-}
-
-// Unpad a set of bytes following PKCS5 algorithm
-func pkcs5Unpad(buf []byte, blockSize int) ([]byte, error) {
-	len := len(buf)
-	if len == 0 {
-		return nil, errors.New("buffer is empty")
-	}
-	pad := int(buf[len-1])
-	if pad > len || pad > blockSize {
-		return nil, errors.New("invalid padding size")
-	}
-	return buf[:len-pad], nil
-}
-
-// Pad a set of bytes following PKCS5 algorithm
-func pkcs5Pad(buf []byte, blockSize int) ([]byte, error) {
-	len := len(buf)
-	pad := blockSize - (len % blockSize)
-	padText := bytes.Repeat([]byte{byte(pad)}, pad)
-	return append(buf, padText...), nil
-}
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go b/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go
deleted file mode 100644
index 482922ab7..000000000
--- a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2017 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// Package encrypt implements a generic interface to encrypt any stream of data.
-// currently this package implements two types of encryption
-// - Symmetric encryption using AES.
-// - Asymmetric encrytion using RSA.
-package encrypt
-
-import "io"
-
-// Materials - provides generic interface to encrypt any stream of data.
-type Materials interface {
-
-	// Closes the wrapped stream properly, initiated by the caller.
-	Close() error
-
-	// Returns encrypted/decrypted data, io.Reader compatible.
-	Read(b []byte) (int, error)
-
-	// Get randomly generated IV, base64 encoded.
-	GetIV() (iv string)
-
-	// Get content encrypting key (cek) in encrypted form, base64 encoded.
-	GetKey() (key string)
-
-	// Get user provided encryption material description in
-	// JSON (UTF8) format. This is not used, kept for future.
-	GetDesc() (desc string)
-
-	// Setup encrypt mode, further calls of Read() function
-	// will return the encrypted form of data streamed
-	// by the passed reader
-	SetupEncryptMode(stream io.Reader) error
-
-	// Setup decrypted mode, further calls of Read() function
-	// will return the decrypted form of data streamed
-	// by the passed reader
-	SetupDecryptMode(stream io.Reader, iv string, key string) error
-}
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go b/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go
deleted file mode 100644
index 0ed95f5ff..000000000
--- a/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2017 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package encrypt
-
-import (
-	"crypto/aes"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"errors"
-)
-
-// Key - generic interface to encrypt/decrypt a key.
-// We use it to encrypt/decrypt content key which is the key
-// that encrypt/decrypt object data.
-type Key interface {
-	// Encrypt data using to the set encryption key
-	Encrypt([]byte) ([]byte, error)
-	// Decrypt data using to the set encryption key
-	Decrypt([]byte) ([]byte, error)
-}
-
-// SymmetricKey - encrypts data with a symmetric master key
-type SymmetricKey struct {
-	masterKey []byte
-}
-
-// Encrypt passed bytes
-func (s *SymmetricKey) Encrypt(plain []byte) ([]byte, error) {
-	// Initialize an AES encryptor using a master key
-	keyBlock, err := aes.NewCipher(s.masterKey)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	// Pad the key before encryption
-	plain, _ = pkcs5Pad(plain, aes.BlockSize)
-
-	encKey := []byte{}
-	encPart := make([]byte, aes.BlockSize)
-
-	// Encrypt the passed key by block
-	for {
-		if len(plain) < aes.BlockSize {
-			break
-		}
-		// Encrypt the passed key
-		keyBlock.Encrypt(encPart, plain[:aes.BlockSize])
-		// Add the encrypted block to the total encrypted key
-		encKey = append(encKey, encPart...)
-		// Pass to the next plain block
-		plain = plain[aes.BlockSize:]
-	}
-	return encKey, nil
-}
-
-// Decrypt passed bytes
-func (s *SymmetricKey) Decrypt(cipher []byte) ([]byte, error) {
-	// Initialize AES decrypter
-	keyBlock, err := aes.NewCipher(s.masterKey)
-	if err != nil {
-		return nil, err
-	}
-
-	var plain []byte
-	plainPart := make([]byte, aes.BlockSize)
-
-	// Decrypt the encrypted data block by block
-	for {
-		if len(cipher) < aes.BlockSize {
-			break
-		}
-		keyBlock.Decrypt(plainPart, cipher[:aes.BlockSize])
-		// Add the decrypted block to the total result
-		plain = append(plain, plainPart...)
-		// Pass to the next cipher block
-		cipher = cipher[aes.BlockSize:]
-	}
-
-	// Unpad the resulted plain data
-	plain, err = pkcs5Unpad(plain, aes.BlockSize)
-	if err != nil {
-		return nil, err
-	}
-
-	return plain, nil
-}
-
-// NewSymmetricKey generates a new encrypt/decrypt crypto using
-// an AES master key password
-func NewSymmetricKey(b []byte) *SymmetricKey {
-	return &SymmetricKey{masterKey: b}
-}
-
-// AsymmetricKey - struct which encrypts/decrypts data
-// using RSA public/private certificates
-type AsymmetricKey struct {
-	publicKey  *rsa.PublicKey
-	privateKey *rsa.PrivateKey
-}
-
-// Encrypt data using public key
-func (a *AsymmetricKey) Encrypt(plain []byte) ([]byte, error) {
-	cipher, err := rsa.EncryptPKCS1v15(rand.Reader, a.publicKey, plain)
-	if err != nil {
-		return nil, err
-	}
-	return cipher, nil
-}
-
-// Decrypt data using public key
-func (a *AsymmetricKey) Decrypt(cipher []byte) ([]byte, error) {
-	cipher, err := rsa.DecryptPKCS1v15(rand.Reader, a.privateKey, cipher)
-	if err != nil {
-		return nil, err
-	}
-	return cipher, nil
-}
-
-// NewAsymmetricKey - generates a crypto module able to encrypt/decrypt
-// data using a pair for private and public key
-func NewAsymmetricKey(privData []byte, pubData []byte) (*AsymmetricKey, error) {
-	// Parse private key from passed data
-	priv, err := x509.ParsePKCS8PrivateKey(privData)
-	if err != nil {
-		return nil, err
-	}
-	privKey, ok := priv.(*rsa.PrivateKey)
-	if !ok {
-		return nil, errors.New("not a valid private key")
-	}
-
-	// Parse public key from passed data
-	pub, err := x509.ParsePKIXPublicKey(pubData)
-	if err != nil {
-		return nil, err
-	}
-
-	pubKey, ok := pub.(*rsa.PublicKey)
-	if !ok {
-		return nil, errors.New("not a valid public key")
-	}
-
-	// Associate the private key with the passed public key
-	privKey.PublicKey = *pubKey
-
-	return &AsymmetricKey{
-		publicKey:  pubKey,
-		privateKey: privKey,
-	}, nil
-}
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go b/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go
new file mode 100644
index 000000000..2d3c70f00
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go
@@ -0,0 +1,195 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package encrypt
+
+import (
+	"crypto/md5"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"golang.org/x/crypto/argon2"
+)
+
+const (
+	// sseGenericHeader is the AWS SSE header used for SSE-S3 and SSE-KMS.
+	sseGenericHeader = "X-Amz-Server-Side-Encryption"
+
+	// sseKmsKeyID is the AWS SSE-KMS key id.
+	sseKmsKeyID = sseGenericHeader + "-Aws-Kms-Key-Id"
+	// sseEncryptionContext is the AWS SSE-KMS Encryption Context data.
+	sseEncryptionContext = sseGenericHeader + "-Encryption-Context"
+
+	// sseCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key.
+	sseCustomerAlgorithm = sseGenericHeader + "-Customer-Algorithm"
+	// sseCustomerKey is the AWS SSE-C encryption key HTTP header key.
+	sseCustomerKey = sseGenericHeader + "-Customer-Key"
+	// sseCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key.
+	sseCustomerKeyMD5 = sseGenericHeader + "-Customer-Key-MD5"
+
+	// sseCopyCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key for CopyObject API.
+	sseCopyCustomerAlgorithm = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm"
+	// sseCopyCustomerKey is the AWS SSE-C encryption key HTTP header key for CopyObject API.
+	sseCopyCustomerKey = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key"
+	// sseCopyCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key for CopyObject API.
+	sseCopyCustomerKeyMD5 = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-MD5"
+)
+
+// PBKDF creates a SSE-C key from the provided password and salt.
+// PBKDF is a password-based key derivation function
+// which can be used to derive a high-entropy cryptographic
+// key from a low-entropy password and a salt.
+type PBKDF func(password, salt []byte) ServerSide
+
+// DefaultPBKDF is the default PBKDF. It uses Argon2id with the
+// recommended parameters from the RFC draft (1 pass, 64 MB memory, 4 threads).
+var DefaultPBKDF PBKDF = func(password, salt []byte) ServerSide {
+	sse := ssec{}
+	copy(sse[:], argon2.IDKey(password, salt, 1, 64*1024, 4, 32))
+	return sse
+}
+
+// Type is the server-side-encryption method. It represents one of
+// the following encryption methods:
+//  - SSE-C: server-side-encryption with customer provided keys
+//  - KMS:   server-side-encryption with managed keys
+//  - S3:    server-side-encryption using S3 storage encryption
+type Type string
+
+const (
+	// SSEC represents server-side-encryption with customer provided keys
+	SSEC Type = "SSE-C"
+	// KMS represents server-side-encryption with managed keys
+	KMS Type = "KMS"
+	// S3 represents server-side-encryption using S3 storage encryption
+	S3 Type = "S3"
+)
+
+// ServerSide is a form of S3 server-side-encryption.
+type ServerSide interface {
+	// Type returns the server-side-encryption method.
+	Type() Type
+
+	// Marshal adds encryption headers to the provided HTTP headers.
+	// It marks an HTTP request as server-side-encryption request
+	// and inserts the required data into the headers.
+	Marshal(h http.Header)
+}
+
+// NewSSE returns a server-side-encryption using S3 storage encryption.
+// Using SSE-S3 the server will encrypt the object with server-managed keys.
+func NewSSE() ServerSide { return s3{} }
+
+// NewSSEKMS returns a new server-side-encryption using SSE-KMS and the provided Key Id and context.
+func NewSSEKMS(keyID string, context interface{}) (ServerSide, error) {
+	if context == nil {
+		return kms{key: keyID, hasContext: false}, nil
+	}
+	serializedContext, err := json.Marshal(context)
+	if err != nil {
+		return nil, err
+	}
+	return kms{key: keyID, context: serializedContext, hasContext: true}, nil
+}
+
+// NewSSEC returns a new server-side-encryption using SSE-C and the provided key.
+// The key must be 32 bytes long.
+func NewSSEC(key []byte) (ServerSide, error) {
+	if len(key) != 32 {
+		return nil, errors.New("encrypt: SSE-C key must be 256 bit long")
+	}
+	sse := ssec{}
+	copy(sse[:], key)
+	return sse, nil
+}
+
+// SSE transforms a SSE-C copy encryption into a SSE-C encryption.
+// It is the inverse of SSECopy(...).
+//
+// If the provided sse is no SSE-C copy encryption SSE returns
+// sse unmodified.
+func SSE(sse ServerSide) ServerSide {
+	if sse == nil || sse.Type() != SSEC {
+		return sse
+	}
+	if sse, ok := sse.(ssecCopy); ok {
+		return ssec(sse)
+	}
+	return sse
+}
+
+// SSECopy transforms a SSE-C encryption into a SSE-C copy
+// encryption. This is required for SSE-C key rotation or a SSE-C
+// copy where the source and the destination should be encrypted.
+//
+// If the provided sse is no SSE-C encryption SSECopy returns
+// sse unmodified.
+func SSECopy(sse ServerSide) ServerSide {
+	if sse == nil || sse.Type() != SSEC {
+		return sse
+	}
+	if sse, ok := sse.(ssec); ok {
+		return ssecCopy(sse)
+	}
+	return sse
+}
+
+type ssec [32]byte
+
+func (s ssec) Type() Type { return SSEC }
+
+func (s ssec) Marshal(h http.Header) {
+	keyMD5 := md5.Sum(s[:])
+	h.Set(sseCustomerAlgorithm, "AES256")
+	h.Set(sseCustomerKey, base64.StdEncoding.EncodeToString(s[:]))
+	h.Set(sseCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))
+}
+
+type ssecCopy [32]byte
+
+func (s ssecCopy) Type() Type { return SSEC }
+
+func (s ssecCopy) Marshal(h http.Header) {
+	keyMD5 := md5.Sum(s[:])
+	h.Set(sseCopyCustomerAlgorithm, "AES256")
+	h.Set(sseCopyCustomerKey, base64.StdEncoding.EncodeToString(s[:]))
+	h.Set(sseCopyCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))
+}
+
+type s3 struct{}
+
+func (s s3) Type() Type { return S3 }
+
+func (s s3) Marshal(h http.Header) { h.Set(sseGenericHeader, "AES256") }
+
+type kms struct {
+	key        string
+	context    []byte
+	hasContext bool
+}
+
+func (s kms) Type() Type { return KMS }
+
+func (s kms) Marshal(h http.Header) {
+	h.Set(sseGenericHeader, "aws:kms")
+	h.Set(sseKmsKeyID, s.key)
+	if s.hasContext {
+		h.Set(sseEncryptionContext, base64.StdEncoding.EncodeToString(s.context))
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go
deleted file mode 100644
index 737b810ac..000000000
--- a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2015-2017 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package policy
-
-import "github.com/minio/minio-go/pkg/set"
-
-// ConditionKeyMap - map of policy condition key and value.
-type ConditionKeyMap map[string]set.StringSet
-
-// Add - adds key and value.  The value is appended If key already exists.
-func (ckm ConditionKeyMap) Add(key string, value set.StringSet) {
-	if v, ok := ckm[key]; ok {
-		ckm[key] = v.Union(value)
-	} else {
-		ckm[key] = set.CopyStringSet(value)
-	}
-}
-
-// Remove - removes value of given key.  If key has empty after removal, the key is also removed.
-func (ckm ConditionKeyMap) Remove(key string, value set.StringSet) {
-	if v, ok := ckm[key]; ok {
-		if value != nil {
-			ckm[key] = v.Difference(value)
-		}
-
-		if ckm[key].IsEmpty() {
-			delete(ckm, key)
-		}
-	}
-}
-
-// RemoveKey - removes key and its value.
-func (ckm ConditionKeyMap) RemoveKey(key string) {
-	if _, ok := ckm[key]; ok {
-		delete(ckm, key)
-	}
-}
-
-// CopyConditionKeyMap - returns new copy of given ConditionKeyMap.
-func CopyConditionKeyMap(condKeyMap ConditionKeyMap) ConditionKeyMap {
-	out := make(ConditionKeyMap)
-
-	for k, v := range condKeyMap {
-		out[k] = set.CopyStringSet(v)
-	}
-
-	return out
-}
-
-// mergeConditionKeyMap - returns a new ConditionKeyMap which contains merged key/value of given two ConditionKeyMap.
-func mergeConditionKeyMap(condKeyMap1 ConditionKeyMap, condKeyMap2 ConditionKeyMap) ConditionKeyMap {
-	out := CopyConditionKeyMap(condKeyMap1)
-
-	for k, v := range condKeyMap2 {
-		if ev, ok := out[k]; ok {
-			out[k] = ev.Union(v)
-		} else {
-			out[k] = set.CopyStringSet(v)
-		}
-	}
-
-	return out
-}
-
-// ConditionMap - map of condition and conditional values.
-type ConditionMap map[string]ConditionKeyMap
-
-// Add - adds condition key and condition value.  The value is appended if key already exists.
-func (cond ConditionMap) Add(condKey string, condKeyMap ConditionKeyMap) {
-	if v, ok := cond[condKey]; ok {
-		cond[condKey] = mergeConditionKeyMap(v, condKeyMap)
-	} else {
-		cond[condKey] = CopyConditionKeyMap(condKeyMap)
-	}
-}
-
-// Remove - removes condition key and its value.
-func (cond ConditionMap) Remove(condKey string) {
-	if _, ok := cond[condKey]; ok {
-		delete(cond, condKey)
-	}
-}
-
-// mergeConditionMap - returns new ConditionMap which contains merged key/value of two ConditionMap.
-func mergeConditionMap(condMap1 ConditionMap, condMap2 ConditionMap) ConditionMap {
-	out := make(ConditionMap)
-
-	for k, v := range condMap1 {
-		out[k] = CopyConditionKeyMap(v)
-	}
-
-	for k, v := range condMap2 {
-		if ev, ok := out[k]; ok {
-			out[k] = mergeConditionKeyMap(ev, v)
-		} else {
-			out[k] = CopyConditionKeyMap(v)
-		}
-	}
-
-	return out
-}
diff --git a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go
deleted file mode 100644
index 9dda99efc..000000000
--- a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go
+++ /dev/null
@@ -1,635 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage
- * Copyright 2015-2017 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package policy
-
-import (
-	"reflect"
-	"strings"
-
-	"github.com/minio/minio-go/pkg/set"
-)
-
-// BucketPolicy - Bucket level policy.
-type BucketPolicy string
-
-// Different types of Policies currently supported for buckets.
-const (
-	BucketPolicyNone      BucketPolicy = "none"
-	BucketPolicyReadOnly               = "readonly"
-	BucketPolicyReadWrite              = "readwrite"
-	BucketPolicyWriteOnly              = "writeonly"
-)
-
-// IsValidBucketPolicy - returns true if policy is valid and supported, false otherwise.
-func (p BucketPolicy) IsValidBucketPolicy() bool {
-	switch p {
-	case BucketPolicyNone, BucketPolicyReadOnly, BucketPolicyReadWrite, BucketPolicyWriteOnly:
-		return true
-	}
-	return false
-}
-
-// Resource prefix for all aws resources.
-const awsResourcePrefix = "arn:aws:s3:::"
-
-// Common bucket actions for both read and write policies.
-var commonBucketActions = set.CreateStringSet("s3:GetBucketLocation")
-
-// Read only bucket actions.
-var readOnlyBucketActions = set.CreateStringSet("s3:ListBucket")
-
-// Write only bucket actions.
-var writeOnlyBucketActions = set.CreateStringSet("s3:ListBucketMultipartUploads")
-
-// Read only object actions.
-var readOnlyObjectActions = set.CreateStringSet("s3:GetObject")
-
-// Write only object actions.
-var writeOnlyObjectActions = set.CreateStringSet("s3:AbortMultipartUpload", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:PutObject")
-
-// Read and write object actions.
-var readWriteObjectActions = readOnlyObjectActions.Union(writeOnlyObjectActions)
-
-// All valid bucket and object actions.
-var validActions = commonBucketActions.
-	Union(readOnlyBucketActions).
-	Union(writeOnlyBucketActions).
-	Union(readOnlyObjectActions).
-	Union(writeOnlyObjectActions)
-
-var startsWithFunc = func(resource string, resourcePrefix string) bool {
-	return strings.HasPrefix(resource, resourcePrefix)
-}
-
-// User - canonical users list.
-type User struct {
-	AWS           set.StringSet `json:"AWS,omitempty"`
-	CanonicalUser set.StringSet `json:"CanonicalUser,omitempty"`
-}
-
-// Statement - minio policy statement
-type Statement struct {
-	Actions    set.StringSet `json:"Action"`
-	Conditions ConditionMap  `json:"Condition,omitempty"`
-	Effect     string
-	Principal  User          `json:"Principal"`
-	Resources  set.StringSet `json:"Resource"`
-	Sid        string
-}
-
-// BucketAccessPolicy - minio policy collection
-type BucketAccessPolicy struct {
-	Version    string      // date in YYYY-MM-DD format
-	Statements []Statement `json:"Statement"`
-}
-
-// isValidStatement - returns whether given statement is valid to process for given bucket name.
-func isValidStatement(statement Statement, bucketName string) bool {
-	if statement.Actions.Intersection(validActions).IsEmpty() {
-		return false
-	}
-
-	if statement.Effect != "Allow" {
-		return false
-	}
-
-	if statement.Principal.AWS == nil || !statement.Principal.AWS.Contains("*") {
-		return false
-	}
-
-	bucketResource := awsResourcePrefix + bucketName
-	if statement.Resources.Contains(bucketResource) {
-		return true
-	}
-
-	if statement.Resources.FuncMatch(startsWithFunc, bucketResource+"/").IsEmpty() {
-		return false
-	}
-
-	return true
-}
-
-// Returns new statements with bucket actions for given policy.
-func newBucketStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
-	statements = []Statement{}
-	if policy == BucketPolicyNone || bucketName == "" {
-		return statements
-	}
-
-	bucketResource := set.CreateStringSet(awsResourcePrefix + bucketName)
-
-	statement := Statement{
-		Actions:   commonBucketActions,
-		Effect:    "Allow",
-		Principal: User{AWS: set.CreateStringSet("*")},
-		Resources: bucketResource,
-		Sid:       "",
-	}
-	statements = append(statements, statement)
-
-	if policy == BucketPolicyReadOnly || policy == BucketPolicyReadWrite {
-		statement = Statement{
-			Actions:   readOnlyBucketActions,
-			Effect:    "Allow",
-			Principal: User{AWS: set.CreateStringSet("*")},
-			Resources: bucketResource,
-			Sid:       "",
-		}
-		if prefix != "" {
-			condKeyMap := make(ConditionKeyMap)
-			condKeyMap.Add("s3:prefix", set.CreateStringSet(prefix))
-			condMap := make(ConditionMap)
-			condMap.Add("StringEquals", condKeyMap)
-			statement.Conditions = condMap
-		}
-		statements = append(statements, statement)
-	}
-
-	if policy == BucketPolicyWriteOnly || policy == BucketPolicyReadWrite {
-		statement = Statement{
-			Actions:   writeOnlyBucketActions,
-			Effect:    "Allow",
-			Principal: User{AWS: set.CreateStringSet("*")},
-			Resources: bucketResource,
-			Sid:       "",
-		}
-		statements = append(statements, statement)
-	}
-
-	return statements
-}
-
-// Returns new statements contains object actions for given policy.
-func newObjectStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
-	statements = []Statement{}
-	if policy == BucketPolicyNone || bucketName == "" {
-		return statements
-	}
-
-	statement := Statement{
-		Effect:    "Allow",
-		Principal: User{AWS: set.CreateStringSet("*")},
-		Resources: set.CreateStringSet(awsResourcePrefix + bucketName + "/" + prefix + "*"),
-		Sid:       "",
-	}
-
-	if policy == BucketPolicyReadOnly {
-		statement.Actions = readOnlyObjectActions
-	} else if policy == BucketPolicyWriteOnly {
-		statement.Actions = writeOnlyObjectActions
-	} else if policy == BucketPolicyReadWrite {
-		statement.Actions = readWriteObjectActions
-	}
-
-	statements = append(statements, statement)
-	return statements
-}
-
-// Returns new statements for given policy, bucket and prefix.
-func newStatements(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
-	statements = []Statement{}
-	ns := newBucketStatement(policy, bucketName, prefix)
-	statements = append(statements, ns...)
-
-	ns = newObjectStatement(policy, bucketName, prefix)
-	statements = append(statements, ns...)
-
-	return statements
-}
-
-// Returns whether given bucket statements are used by other than given prefix statements.
-func getInUsePolicy(statements []Statement, bucketName string, prefix string) (readOnlyInUse, writeOnlyInUse bool) {
-	resourcePrefix := awsResourcePrefix + bucketName + "/"
-	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
-
-	for _, s := range statements {
-		if !s.Resources.Contains(objectResource) && !s.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() {
-			if s.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) {
-				readOnlyInUse = true
-			}
-
-			if s.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) {
-				writeOnlyInUse = true
-			}
-		}
-		if readOnlyInUse && writeOnlyInUse {
-			break
-		}
-	}
-
-	return readOnlyInUse, writeOnlyInUse
-}
-
-// Removes object actions in given statement.
-func removeObjectActions(statement Statement, objectResource string) Statement {
-	if statement.Conditions == nil {
-		if len(statement.Resources) > 1 {
-			statement.Resources.Remove(objectResource)
-		} else {
-			statement.Actions = statement.Actions.Difference(readOnlyObjectActions)
-			statement.Actions = statement.Actions.Difference(writeOnlyObjectActions)
-		}
-	}
-
-	return statement
-}
-
-// Removes bucket actions for given policy in given statement.
-func removeBucketActions(statement Statement, prefix string, bucketResource string, readOnlyInUse, writeOnlyInUse bool) Statement {
-	removeReadOnly := func() {
-		if !statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) {
-			return
-		}
-
-		if statement.Conditions == nil {
-			statement.Actions = statement.Actions.Difference(readOnlyBucketActions)
-			return
-		}
-
-		if prefix != "" {
-			stringEqualsValue := statement.Conditions["StringEquals"]
-			values := set.NewStringSet()
-			if stringEqualsValue != nil {
-				values = stringEqualsValue["s3:prefix"]
-				if values == nil {
-					values = set.NewStringSet()
-				}
-			}
-
-			values.Remove(prefix)
-
-			if stringEqualsValue != nil {
-				if values.IsEmpty() {
-					delete(stringEqualsValue, "s3:prefix")
-				}
-				if len(stringEqualsValue) == 0 {
-					delete(statement.Conditions, "StringEquals")
-				}
-			}
-
-			if len(statement.Conditions) == 0 {
-				statement.Conditions = nil
-				statement.Actions = statement.Actions.Difference(readOnlyBucketActions)
-			}
-		}
-	}
-
-	removeWriteOnly := func() {
-		if statement.Conditions == nil {
-			statement.Actions = statement.Actions.Difference(writeOnlyBucketActions)
-		}
-	}
-
-	if len(statement.Resources) > 1 {
-		statement.Resources.Remove(bucketResource)
-	} else {
-		if !readOnlyInUse {
-			removeReadOnly()
-		}
-
-		if !writeOnlyInUse {
-			removeWriteOnly()
-		}
-	}
-
-	return statement
-}
-
-// Returns statements containing removed actions/statements for given
-// policy, bucket name and prefix.
-func removeStatements(statements []Statement, bucketName string, prefix string) []Statement {
-	bucketResource := awsResourcePrefix + bucketName
-	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
-	readOnlyInUse, writeOnlyInUse := getInUsePolicy(statements, bucketName, prefix)
-
-	out := []Statement{}
-	readOnlyBucketStatements := []Statement{}
-	s3PrefixValues := set.NewStringSet()
-
-	for _, statement := range statements {
-		if !isValidStatement(statement, bucketName) {
-			out = append(out, statement)
-			continue
-		}
-
-		if statement.Resources.Contains(bucketResource) {
-			if statement.Conditions != nil {
-				statement = removeBucketActions(statement, prefix, bucketResource, false, false)
-			} else {
-				statement = removeBucketActions(statement, prefix, bucketResource, readOnlyInUse, writeOnlyInUse)
-			}
-		} else if statement.Resources.Contains(objectResource) {
-			statement = removeObjectActions(statement, objectResource)
-		}
-
-		if !statement.Actions.IsEmpty() {
-			if statement.Resources.Contains(bucketResource) &&
-				statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) &&
-				statement.Effect == "Allow" &&
-				statement.Principal.AWS.Contains("*") {
-
-				if statement.Conditions != nil {
-					stringEqualsValue := statement.Conditions["StringEquals"]
-					values := set.NewStringSet()
-					if stringEqualsValue != nil {
-						values = stringEqualsValue["s3:prefix"]
-						if values == nil {
-							values = set.NewStringSet()
-						}
-					}
-					s3PrefixValues = s3PrefixValues.Union(values.ApplyFunc(func(v string) string {
-						return bucketResource + "/" + v + "*"
-					}))
-				} else if !s3PrefixValues.IsEmpty() {
-					readOnlyBucketStatements = append(readOnlyBucketStatements, statement)
-					continue
-				}
-			}
-			out = append(out, statement)
-		}
-	}
-
-	skipBucketStatement := true
-	resourcePrefix := awsResourcePrefix + bucketName + "/"
-	for _, statement := range out {
-		if !statement.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() &&
-			s3PrefixValues.Intersection(statement.Resources).IsEmpty() {
-			skipBucketStatement = false
-			break
-		}
-	}
-
-	for _, statement := range readOnlyBucketStatements {
-		if skipBucketStatement &&
-			statement.Resources.Contains(bucketResource) &&
-			statement.Effect == "Allow" &&
-			statement.Principal.AWS.Contains("*") &&
-			statement.Conditions == nil {
-			continue
-		}
-
-		out = append(out, statement)
-	}
-
-	if len(out) == 1 {
-		statement := out[0]
-		if statement.Resources.Contains(bucketResource) &&
-			statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) &&
-			statement.Effect == "Allow" &&
-			statement.Principal.AWS.Contains("*") &&
-			statement.Conditions == nil {
-			out = []Statement{}
-		}
-	}
-
-	return out
-}
-
-//  Appends given statement into statement list to have unique statements.
-//  - If statement already exists in statement list, it ignores.
-//  - If statement exists with different conditions, they are merged.
-//  - Else the statement is appended to statement list.
-func appendStatement(statements []Statement, statement Statement) []Statement {
-	for i, s := range statements {
-		if s.Actions.Equals(statement.Actions) &&
-			s.Effect == statement.Effect &&
-			s.Principal.AWS.Equals(statement.Principal.AWS) &&
-			reflect.DeepEqual(s.Conditions, statement.Conditions) {
-			statements[i].Resources = s.Resources.Union(statement.Resources)
-			return statements
-		} else if s.Resources.Equals(statement.Resources) &&
-			s.Effect == statement.Effect &&
-			s.Principal.AWS.Equals(statement.Principal.AWS) &&
-			reflect.DeepEqual(s.Conditions, statement.Conditions) {
-			statements[i].Actions = s.Actions.Union(statement.Actions)
-			return statements
-		}
-
-		if s.Resources.Intersection(statement.Resources).Equals(statement.Resources) &&
-			s.Actions.Intersection(statement.Actions).Equals(statement.Actions) &&
-			s.Effect == statement.Effect &&
-			s.Principal.AWS.Intersection(statement.Principal.AWS).Equals(statement.Principal.AWS) {
-			if reflect.DeepEqual(s.Conditions, statement.Conditions) {
-				return statements
-			}
-			if s.Conditions != nil && statement.Conditions != nil {
-				if s.Resources.Equals(statement.Resources) {
-					statements[i].Conditions = mergeConditionMap(s.Conditions, statement.Conditions)
-					return statements
-				}
-			}
-		}
-	}
-
-	if !(statement.Actions.IsEmpty() && statement.Resources.IsEmpty()) {
-		return append(statements, statement)
-	}
-
-	return statements
-}
-
-// Appends two statement lists.
-func appendStatements(statements []Statement, appendStatements []Statement) []Statement {
-	for _, s := range appendStatements {
-		statements = appendStatement(statements, s)
-	}
-
-	return statements
-}
-
-// Returns policy of given bucket statement.
-func getBucketPolicy(statement Statement, prefix string) (commonFound, readOnly, writeOnly bool) {
-	if !(statement.Effect == "Allow" && statement.Principal.AWS.Contains("*")) {
-		return commonFound, readOnly, writeOnly
-	}
-
-	if statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) &&
-		statement.Conditions == nil {
-		commonFound = true
-	}
-
-	if statement.Actions.Intersection(writeOnlyBucketActions).Equals(writeOnlyBucketActions) &&
-		statement.Conditions == nil {
-		writeOnly = true
-	}
-
-	if statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) {
-		if prefix != "" && statement.Conditions != nil {
-			if stringEqualsValue, ok := statement.Conditions["StringEquals"]; ok {
-				if s3PrefixValues, ok := stringEqualsValue["s3:prefix"]; ok {
-					if s3PrefixValues.Contains(prefix) {
-						readOnly = true
-					}
-				}
-			} else if stringNotEqualsValue, ok := statement.Conditions["StringNotEquals"]; ok {
-				if s3PrefixValues, ok := stringNotEqualsValue["s3:prefix"]; ok {
-					if !s3PrefixValues.Contains(prefix) {
-						readOnly = true
-					}
-				}
-			}
-		} else if prefix == "" && statement.Conditions == nil {
-			readOnly = true
-		} else if prefix != "" && statement.Conditions == nil {
-			readOnly = true
-		}
-	}
-
-	return commonFound, readOnly, writeOnly
-}
-
-// Returns policy of given object statement.
-func getObjectPolicy(statement Statement) (readOnly bool, writeOnly bool) {
-	if statement.Effect == "Allow" &&
-		statement.Principal.AWS.Contains("*") &&
-		statement.Conditions == nil {
-		if statement.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) {
-			readOnly = true
-		}
-		if statement.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) {
-			writeOnly = true
-		}
-	}
-
-	return readOnly, writeOnly
-}
-
-// GetPolicy - Returns policy of given bucket name, prefix in given statements.
-func GetPolicy(statements []Statement, bucketName string, prefix string) BucketPolicy {
-	bucketResource := awsResourcePrefix + bucketName
-	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
-
-	bucketCommonFound := false
-	bucketReadOnly := false
-	bucketWriteOnly := false
-	matchedResource := ""
-	objReadOnly := false
-	objWriteOnly := false
-
-	for _, s := range statements {
-		matchedObjResources := set.NewStringSet()
-		if s.Resources.Contains(objectResource) {
-			matchedObjResources.Add(objectResource)
-		} else {
-			matchedObjResources = s.Resources.FuncMatch(resourceMatch, objectResource)
-		}
-
-		if !matchedObjResources.IsEmpty() {
-			readOnly, writeOnly := getObjectPolicy(s)
-			for resource := range matchedObjResources {
-				if len(matchedResource) < len(resource) {
-					objReadOnly = readOnly
-					objWriteOnly = writeOnly
-					matchedResource = resource
-				} else if len(matchedResource) == len(resource) {
-					objReadOnly = objReadOnly || readOnly
-					objWriteOnly = objWriteOnly || writeOnly
-					matchedResource = resource
-				}
-			}
-		} else if s.Resources.Contains(bucketResource) {
-			commonFound, readOnly, writeOnly := getBucketPolicy(s, prefix)
-			bucketCommonFound = bucketCommonFound || commonFound
-			bucketReadOnly = bucketReadOnly || readOnly
-			bucketWriteOnly = bucketWriteOnly || writeOnly
-		}
-	}
-
-	policy := BucketPolicyNone
-	if bucketCommonFound {
-		if bucketReadOnly && bucketWriteOnly && objReadOnly && objWriteOnly {
-			policy = BucketPolicyReadWrite
-		} else if bucketReadOnly && objReadOnly {
-			policy = BucketPolicyReadOnly
-		} else if bucketWriteOnly && objWriteOnly {
-			policy = BucketPolicyWriteOnly
-		}
-	}
-
-	return policy
-}
-
-// GetPolicies - returns a map of policies rules of given bucket name, prefix in given statements.
-func GetPolicies(statements []Statement, bucketName string) map[string]BucketPolicy {
-	policyRules := map[string]BucketPolicy{}
-	objResources := set.NewStringSet()
-	// Search all resources related to objects policy
-	for _, s := range statements {
-		for r := range s.Resources {
-			if strings.HasPrefix(r, awsResourcePrefix+bucketName+"/") {
-				objResources.Add(r)
-			}
-		}
-	}
-	// Pretend that policy resource as an actual object and fetch its policy
-	for r := range objResources {
-		// Put trailing * if exists in asterisk
-		asterisk := ""
-		if strings.HasSuffix(r, "*") {
-			r = r[:len(r)-1]
-			asterisk = "*"
-		}
-		objectPath := r[len(awsResourcePrefix+bucketName)+1:]
-		p := GetPolicy(statements, bucketName, objectPath)
-		policyRules[bucketName+"/"+objectPath+asterisk] = p
-	}
-	return policyRules
-}
-
-// SetPolicy - Returns new statements containing policy of given bucket name and prefix are appended.
-func SetPolicy(statements []Statement, policy BucketPolicy, bucketName string, prefix string) []Statement {
-	out := removeStatements(statements, bucketName, prefix)
-	// fmt.Println("out = ")
-	// printstatement(out)
-	ns := newStatements(policy, bucketName, prefix)
-	// fmt.Println("ns = ")
-	// printstatement(ns)
-
-	rv := appendStatements(out, ns)
-	// fmt.Println("rv = ")
-	// printstatement(rv)
-
-	return rv
-}
-
-// Match function matches wild cards in 'pattern' for resource.
-func resourceMatch(pattern, resource string) bool {
-	if pattern == "" {
-		return resource == pattern
-	}
-	if pattern == "*" {
-		return true
-	}
-	parts := strings.Split(pattern, "*")
-	if len(parts) == 1 {
-		return resource == pattern
-	}
-	tGlob := strings.HasSuffix(pattern, "*")
-	end := len(parts) - 1
-	if !strings.HasPrefix(resource, parts[0]) {
-		return false
-	}
-	for i := 1; i < end; i++ {
-		if !strings.Contains(resource, parts[i]) {
-			return false
-		}
-		idx := strings.Index(resource, parts[i]) + len(parts[i])
-		resource = resource[idx:]
-	}
-	return tGlob || strings.HasSuffix(resource, parts[end])
-}
diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go
index 0b90c41f6..b4070938e 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go
@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"path/filepath"
 	"sort"
 	"strconv"
 	"strings"
@@ -40,21 +39,17 @@ const (
 )
 
 // Encode input URL path to URL encoded path.
-func encodeURL2Path(req *http.Request) (path string) {
-	reqHost := getHostAddr(req)
-	// Encode URL path.
-	if isS3, _ := filepath.Match("*.s3*.amazonaws.com", reqHost); isS3 {
-		bucketName := reqHost[:strings.LastIndex(reqHost, ".s3")]
-		path = "/" + bucketName
-		path += req.URL.Path
-		path = s3utils.EncodePath(path)
-		return
-	}
-	if strings.HasSuffix(reqHost, ".storage.googleapis.com") {
-		path = "/" + strings.TrimSuffix(reqHost, ".storage.googleapis.com")
-		path += req.URL.Path
-		path = s3utils.EncodePath(path)
-		return
+func encodeURL2Path(req *http.Request, virtualHost bool) (path string) {
+	if virtualHost {
+		reqHost := getHostAddr(req)
+		dotPos := strings.Index(reqHost, ".")
+		if dotPos > -1 {
+			bucketName := reqHost[:dotPos]
+			path = "/" + bucketName
+			path += req.URL.Path
+			path = s3utils.EncodePath(path)
+			return
+		}
 	}
 	path = s3utils.EncodePath(req.URL.Path)
 	return
@@ -62,7 +57,7 @@ func encodeURL2Path(req *http.Request) (path string) {
 
 // PreSignV2 - presign the request in following style.
 // https://${S3_BUCKET}.s3.amazonaws.com/${S3_OBJECT}?AWSAccessKeyId=${S3_ACCESS_KEY}&Expires=${TIMESTAMP}&Signature=${SIGNATURE}.
-func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64) *http.Request {
+func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64, virtualHost bool) *http.Request {
 	// Presign is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req
@@ -78,7 +73,7 @@ func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires in
 	}
 
 	// Get presigned string to sign.
-	stringToSign := preStringToSignV2(req)
+	stringToSign := preStringToSignV2(req, virtualHost)
 	hm := hmac.New(sha1.New, []byte(secretAccessKey))
 	hm.Write([]byte(stringToSign))
 
@@ -132,7 +127,7 @@ func PostPresignSignatureV2(policyBase64, secretAccessKey string) string {
 // CanonicalizedProtocolHeaders = <described below>
 
 // SignV2 sign the request before Do() (AWS Signature Version 2).
-func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request {
+func SignV2(req http.Request, accessKeyID, secretAccessKey string, virtualHost bool) *http.Request {
 	// Signature calculation is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req
@@ -147,7 +142,7 @@ func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request
 	}
 
 	// Calculate HMAC for secretAccessKey.
-	stringToSign := stringToSignV2(req)
+	stringToSign := stringToSignV2(req, virtualHost)
 	hm := hmac.New(sha1.New, []byte(secretAccessKey))
 	hm.Write([]byte(stringToSign))
 
@@ -172,14 +167,14 @@ func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request
 //	 Expires + "\n" +
 //	 CanonicalizedProtocolHeaders +
 //	 CanonicalizedResource;
-func preStringToSignV2(req http.Request) string {
+func preStringToSignV2(req http.Request, virtualHost bool) string {
 	buf := new(bytes.Buffer)
 	// Write standard headers.
 	writePreSignV2Headers(buf, req)
 	// Write canonicalized protocol headers if any.
 	writeCanonicalizedHeaders(buf, req)
 	// Write canonicalized Query resources if any.
-	writeCanonicalizedResource(buf, req)
+	writeCanonicalizedResource(buf, req, virtualHost)
 	return buf.String()
 }
 
@@ -199,14 +194,14 @@ func writePreSignV2Headers(buf *bytes.Buffer, req http.Request) {
 //	 Date + "\n" +
 //	 CanonicalizedProtocolHeaders +
 //	 CanonicalizedResource;
-func stringToSignV2(req http.Request) string {
+func stringToSignV2(req http.Request, virtualHost bool) string {
 	buf := new(bytes.Buffer)
 	// Write standard headers.
 	writeSignV2Headers(buf, req)
 	// Write canonicalized protocol headers if any.
 	writeCanonicalizedHeaders(buf, req)
 	// Write canonicalized Query resources if any.
-	writeCanonicalizedResource(buf, req)
+	writeCanonicalizedResource(buf, req, virtualHost)
 	return buf.String()
 }
 
@@ -288,11 +283,11 @@ var resourceList = []string{
 // CanonicalizedResource = [ "/" + Bucket ] +
 // 	  <HTTP-Request-URI, from the protocol name up to the query string> +
 // 	  [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
-func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request) {
+func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request, virtualHost bool) {
 	// Save request URL.
 	requestURL := req.URL
 	// Get encoded URL path.
-	buf.WriteString(encodeURL2Path(&req))
+	buf.WriteString(encodeURL2Path(&req, virtualHost))
 	if requestURL.RawQuery != "" {
 		var n int
 		vals, _ := url.ParseQuery(requestURL.RawQuery)