From 962f2da86d78d08082ea62602f8b5f6768ebf7e1 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Wed, 14 Oct 2020 18:16:20 +0900
Subject: [PATCH 1/5] Fix query params type
---
 minio/credentials/providers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/minio/credentials/providers.py b/minio/credentials/providers.py
index 28b17e375..e3c591097 100644
--- a/minio/credentials/providers.py
+++ b/minio/credentials/providers.py
@@ -563,7 +563,7 @@ def retrieve(self):
 jwt = self._jwt_provider_func()
- query_params = {"Version", "2011-06-15"}
+ query_params = {"Version": "2011-06-15"}
 duration_seconds = self._get_duration_seconds(
 int(jwt.get("expires_in", "0")),
 )
From e3d9bbfa9ba28590c510d2fc5a1133c008c581e3 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Wed, 14 Oct 2020 23:10:43 +0900
Subject: [PATCH 2/5] Add session token to a presigned URL
---
 minio/signer.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/minio/signer.py b/minio/signer.py
index 7777b1107..33b26d134 100644
--- a/minio/signer.py
+++ b/minio/signer.py
@@ -244,7 +244,7 @@ def sign_v4_sts(
 def _get_presign_canonical_request_hash( # pylint: disable=invalid-name
- method, url, access_key, scope, date, expires,
+ method, url, access_key, scope, date, expires, token
 ):
 """Get canonical request hash for presign request."""
@@ -263,6 +263,8 @@ def _get_presign_canonical_request_hash( # pylint: disable=invalid-name
 expires,
 signed_headers,
 )
+ if token is not None:
+ query += "&X-Amz-Security-Token={0}".format(token)
 parts = list(url)
 parts[3] = query
 url = SplitResult(*parts)
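Review bot: The new `X-Amz-Security-Token` parameter is appended to `query` after the parameter built from `signed_headers` (presumably `X-Amz-SignedHeaders`), but SigV4 canonicalization requires query parameters sorted by name and `X-Amz-Security-Token` sorts before `X-Amz-SignedHeaders`, so the canonical request hash computed here is likely to differ from the one the server reconstructs from the URL and the presigned URL would fail with a signature mismatch. The token value is also interpolated raw; STS session tokens contain `/`, `+` and `=`, which must be percent-encoded the same way as the other parameters (the following patch in the series quotes it). The signature hunk above makes `token` a required positional parameter while leaving the docstring unchanged; I would extend it to `"""Get canonical request hash for presign request; token, when not None, is added as X-Amz-Security-Token."""`. The query assembly that precedes these lines is outside the hunk, so the placement of the appended parameter is inferred from the visible `format(...)` arguments.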
@@ -304,9 +306,13 @@ def presign_v4(
 ):
 """Do signature V4 of given presign request."""
+ session_token = None
+ if hasattr(credentials, "session_token"):
+ session_token = credentials.session_token
+
 scope = _get_scope(date, region, "s3")
 canonical_request_hash, url = _get_presign_canonical_request_hash(
- method, url, credentials.access_key, scope, date, expires,
+ method, url, credentials.access_key, scope, date, expires, session_token,
 )
 string_to_sign = _get_string_to_sign(date, scope, canonical_request_hash)
 signing_key = _get_signing_key(credentials.secret_key, date, region, "s3")
From 7eb2e06c31f30bd85bd67c13c3c37cc983d22e07 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Wed, 14 Oct 2020 23:31:20 +0900
Subject: [PATCH 3/5] Quote a token
---
 minio/signer.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/minio/signer.py b/minio/signer.py
index 33b26d134..bb5bdb192 100644
--- a/minio/signer.py
+++ b/minio/signer.py
@@ -30,7 +30,7 @@ import hmac
 import re
 from collections import OrderedDict
-from urllib.parse import SplitResult
+from urllib.parse import SplitResult, quote
 from .helpers import queryencode, sha256_hash
@@ -264,7 +264,7 @@ def _get_presign_canonical_request_hash( # pylint: disable=invalid-name
 signed_headers,
 )
 if token is not None:
- query += "&X-Amz-Security-Token={0}".format(token)
+ query += "&X-Amz-Security-Token={0}".format(quote(token, safe=''))
 parts = list(url)
 parts[3] = query
 url = SplitResult(*parts)
From abafeb968bf53916f59c47a3550de95713f12a39 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Wed, 14 Oct 2020 23:38:13 +0900
Subject: [PATCH 4/5] Fix a lint issue
---
 minio/signer.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/minio/signer.py b/minio/signer.py
index bb5bdb192..8143862d9 100644
--- a/minio/signer.py
+++ b/minio/signer.py
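Review bot: `quote(token, safe='')` brings a second encoder into a function whose other query values go through the project's `queryencode` helper (still imported on the context line of the `@@ -30` hunk above), so any future divergence between the two — `~`, non-ASCII handling, or a changed `safe` set — would surface only as a signature mismatch on tokens that happen to contain the affected character. Using the project helper keeps the canonical query string uniformly encoded and avoids the new `urllib.parse.quote` import: `query += "&X-Amz-Security-Token={0}".format(queryencode(token))`. I cannot see `queryencode`'s body from this hunk, so whether it is equivalent to `quote(..., safe='')` today should be confirmed before switching. The enclosing `_get_presign_canonical_request_hash` starts before this hunk, and the ordering of the appended parameter within the canonical query is unchanged by this patch.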
@@ -312,7 +312,8 @@ def presign_v4(
 scope = _get_scope(date, region, "s3")
 canonical_request_hash, url = _get_presign_canonical_request_hash(
- method, url, credentials.access_key, scope, date, expires, session_token,
+ method, url, credentials.access_key,
+ scope, date, expires, session_token,
 )
 string_to_sign = _get_string_to_sign(date, scope, canonical_request_hash)
 signing_key = _get_signing_key(credentials.secret_key, date, region, "s3")
From 70b417a7f0fee6572122a0e57c2cc8b2f3776712 Mon Sep 17 00:00:00 2001
From: Daisuke Taniwaki
Date: Thu, 15 Oct 2020 01:08:16 +0900
Subject: [PATCH 5/5] Fix for review feedback
---
 minio/api.py | 7 +++++--
 minio/signer.py | 13 +++----------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/minio/api.py b/minio/api.py
index b4d91870d..3bc4a5e3a 100644
--- a/minio/api.py
+++ b/minio/api.py
@@ -1601,6 +1601,9 @@ def presigned_url(self, method,
 query_params = extra_query_params or {}
 query_params.update({"versionId": version_id} if version_id else {})
 query_params.update(response_headers or {})
+ creds = self._provider.retrieve() if self._provider else None
+ if creds and creds.session_token:
+ query_params["X-Amz-Security-Token"] = creds.session_token
 url = self._base_url.build(
 method,
 region,
@@ -1609,12 +1612,12 @@ def presigned_url(self, method,
 query_params=query_params,
 )
- if self._provider:
+ if creds:
 url = presign_v4(
 method,
 url,
 region,
- self._provider.retrieve(),
+ creds,
 request_date or datetime.utcnow(),
 int(expires.total_seconds()),
 )
diff --git a/minio/signer.py b/minio/signer.py
index 8143862d9..7777b1107 100644
--- a/minio/signer.py
+++ b/minio/signer.py
@@ -30,7 +30,7 @@ import hmac
 import re
 from collections import OrderedDict
-from urllib.parse import SplitResult, quote
+from urllib.parse import SplitResult
 from .helpers import queryencode, sha256_hash
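Review bot: `query_params` aliases the caller's dict when `extra_query_params` is given (`query_params = extra_query_params or {}` on the first context line), so the new `query_params["X-Amz-Security-Token"] = creds.session_token` writes a live credential into an object the caller owns and may reuse, serialize or log after the call; copying first, `query_params = dict(extra_query_params or {})`, keeps the token confined to this request. Placing the token in `query_params` before `self._base_url.build(...)` is the right way to get it sorted and percent-encoded together with the other parameters, but `build`'s encoding is not visible here and should be confirmed, since session tokens contain `/`, `+` and `=`. A one-line comment on the new block would help the next reader, e.g. `# temporary (STS) credentials must carry their session token as a signed query parameter`. Fetching `creds` once and reusing it in the `presign_v4` call in the next hunk also ensures the token in the URL and the secret used to sign it come from the same credential set. `presigned_url` starts before this hunk and continues past it.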
@@ -244,7 +244,7 @@ def sign_v4_sts(
 def _get_presign_canonical_request_hash( # pylint: disable=invalid-name
- method, url, access_key, scope, date, expires, token
+ method, url, access_key, scope, date, expires,
 ):
 """Get canonical request hash for presign request."""
@@ -263,8 +263,6 @@ def _get_presign_canonical_request_hash( # pylint: disable=invalid-name
 expires,
 signed_headers,
 )
- if token is not None:
- query += "&X-Amz-Security-Token={0}".format(quote(token, safe=''))
 parts = list(url)
 parts[3] = query
 url = SplitResult(*parts)
@@ -306,14 +304,9 @@ def presign_v4(
 ):
 """Do signature V4 of given presign request."""
- session_token = None
- if hasattr(credentials, "session_token"):
- session_token = credentials.session_token
-
 scope = _get_scope(date, region, "s3")
 canonical_request_hash, url = _get_presign_canonical_request_hash(
- method, url, credentials.access_key,
- scope, date, expires, session_token,
+ method, url, credentials.access_key, scope, date, expires,
 )
 string_to_sign = _get_string_to_sign(date, scope, canonical_request_hash)
 signing_key = _get_signing_key(credentials.secret_key, date, region, "s3")