googleapis · BrennaEpp · Jun 27, 2023 · Jun 15, 2023 · Jun 15, 2023 · Jun 21, 2023
@@ -173,6 +173,9 @@ func (b *BucketHandle) Update(ctx context.Context, uattrs BucketAttrsToUpdate) (
 // [Overview of access control]: https://cloud.google.com/storage/docs/accesscontrol#signed_urls_query_string_authentication
 // [automatic detection of credentials]: https://pkg.go.dev/cloud.google.com/go/storage#hdr-Credential_requirements_for_signing
 func (b *BucketHandle) SignedURL(object string, opts *SignedURLOptions) (string, error) {
+	// Extract the correct endpoint from the readhost set on the client
+	opts.endpoint = b.c.readHost
+
 	if opts.GoogleAccessID != "" && (opts.SignBytes != nil || len(opts.PrivateKey) > 0) {
 		return SignedURL(b.name, object, opts)
 	}
@@ -215,6 +218,9 @@ func (b *BucketHandle) SignedURL(object string, opts *SignedURLOptions) (string,
 //
 // [automatic detection of credentials]: https://pkg.go.dev/cloud.google.com/go/storage#hdr-Credential_requirements_for_signing
 func (b *BucketHandle) GenerateSignedPostPolicyV4(object string, opts *PostPolicyV4Options) (*PostPolicyV4, error) {
+	// Extract the correct endpoint from the readhost set on the client
+	opts.endpoint = b.c.readHost
+
 	if opts.GoogleAccessID != "" && (opts.SignRawBytes != nil || opts.SignBytes != nil || len(opts.PrivateKey) > 0) {
 		return GenerateSignedPostPolicyV4(b.name, object, opts)
 	}

@@ -15,6 +15,7 @@
 package storage
 
 import (
+	"context"
 	"fmt"
 	"testing"
 	"time"
@@ -25,6 +26,7 @@ import (
 	gax "github.com/googleapis/gax-go/v2"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/googleapi"
+	"google.golang.org/api/option"
 	raw "google.golang.org/api/storage/v1"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -1210,3 +1212,301 @@ func TestDetectDefaultGoogleAccessID(t *testing.T) {
 		})
 	}
 }
+
+// TestBucketSignedURL_Endpoint_Emulator_Host tests that Bucket.SignedURl
+// respects the host set in STORAGE_EMULATOR_HOST and/or in option.WithEndpoint
+func TestBucketSignedURL_Endpoint_Emulator_Host(t *testing.T) {
+	expires, _ := time.Parse(time.RFC3339, "2002-10-02T10:00:00-05:00")
+	bucketName := "bucket-name"
+	objectName := "obj-name"
+
+	localhost9000 := "localhost:9000"
+	localhost6000Https := "https://localhost:6000"
+
+	tests := []struct {
+		desc         string
+		emulatorHost string
+		endpoint     *string
+		now          time.Time
+		opts         *SignedURLOptions
+		// Note for future implementors: X-Goog-Signature generated by having
+		// the client run through its algorithm with pre-defined input and copy
+		// pasting the output. These tests are not great for testing whether
+		// the right signature is calculated - instead we rely on the backend
+		// and integration tests for that.
+		want string
+	}{
+		{
+			desc:         "SignURLV4 creates link to resources in emulator",
+			emulatorHost: localhost9000,
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Insecure:       true,
+			},
+			want: "http://localhost:9000/" + bucketName + "/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=2ff5ff0e5f336c4f2e4a44b93673ea22c6f94153da070206077328ce9f33b51d668549454668e6a784fe99110e506d504d7199015e34b22f8faa3e5eee294a71d8729e55debe7d24fbc336193e217373124ec69db19d447c8b649b6ca0734a76cebe33e9ccacbe462cdf2dacb30809846a81f1f48c654eed45ddd26eb787947760d82fb5098d34e3aaa6d4a0b0b8b444a12436d1456b96bcd8a2acc5b74a948a42216a1f842802a0d41391fe9acc97744eb1a848f596d3284f95a56f134cd6b78387efbd514ae7d2b98e62241cf6466e7493822184e0bd192dee62dad2d1449bc9c8fed2e84ddfa26996a0c5a9238cf675bb4ffec05cdcec07cc57d272357fd2" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:     "SignURLV4 - endpoint",
+			endpoint: &localhost9000,
+			now:      expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Insecure:       true,
+			},
+			want: "http://localhost:9000/" + bucketName + "/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=2ff5ff0e5f336c4f2e4a44b93673ea22c6f94153da070206077328ce9f33b51d668549454668e6a784fe99110e506d504d7199015e34b22f8faa3e5eee294a71d8729e55debe7d24fbc336193e217373124ec69db19d447c8b649b6ca0734a76cebe33e9ccacbe462cdf2dacb30809846a81f1f48c654eed45ddd26eb787947760d82fb5098d34e3aaa6d4a0b0b8b444a12436d1456b96bcd8a2acc5b74a948a42216a1f842802a0d41391fe9acc97744eb1a848f596d3284f95a56f134cd6b78387efbd514ae7d2b98e62241cf6466e7493822184e0bd192dee62dad2d1449bc9c8fed2e84ddfa26996a0c5a9238cf675bb4ffec05cdcec07cc57d272357fd2" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "SignURLV4 - endpoint takes precedence over emulator",
+			endpoint:     &localhost9000,
+			emulatorHost: "localhost:8000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Insecure:       true,
+			},
+			want: "http://localhost:9000/" + bucketName + "/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=2ff5ff0e5f336c4f2e4a44b93673ea22c6f94153da070206077328ce9f33b51d668549454668e6a784fe99110e506d504d7199015e34b22f8faa3e5eee294a71d8729e55debe7d24fbc336193e217373124ec69db19d447c8b649b6ca0734a76cebe33e9ccacbe462cdf2dacb30809846a81f1f48c654eed45ddd26eb787947760d82fb5098d34e3aaa6d4a0b0b8b444a12436d1456b96bcd8a2acc5b74a948a42216a1f842802a0d41391fe9acc97744eb1a848f596d3284f95a56f134cd6b78387efbd514ae7d2b98e62241cf6466e7493822184e0bd192dee62dad2d1449bc9c8fed2e84ddfa26996a0c5a9238cf675bb4ffec05cdcec07cc57d272357fd2" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "SigningSchemeV2 - emulator",
+			emulatorHost: "localhost:8000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV2,
+			},
+			want: "https://localhost:8000/" + bucketName + "/" + objectName +
+				"?Expires=1033570800" +
+				"&GoogleAccessId=xxx%40clientid" +
+				"&Signature=oRi3y2tBTmoDto7FezNx4AjC0RXA6fpJjTBa0hINeVroZ%2ByOeRU8MRwJbKg1IkBbV0IjtlPaGwv5YoUH16UYdipBjCXOS%2B1qgRWyzl8AnzvU%2BfwSXSlCk9zPtHHoBkFT7G4cZQOdDTLRrSG%2FmRJ3K09KEHYg%2Fc6R5Dd92inD1tLE2tiFMyHFs5uQHRMsepY4wrWiIQ4u53tPvk%2Fwiq1%2B9yL6x3QGblhdWwjX0BTVBOxexyKTlwczJW0XlWX8wpcTFfzQnJZuujbhanf2g9MGzSmkv3ylyuQdHMJDYp4Bzq%2FmnkNUg0Vp6iEvh9tyVdRNkwXeg3D8qn%2BFSOxcF%2B9vJw%3D%3D",
+		},
+		{
+			desc:         "SigningSchemeV2 - endpoint",
+			emulatorHost: "localhost:8000",
+			endpoint:     &localhost9000,
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV2,
+			},
+			want: "https://localhost:9000/" + bucketName + "/" + objectName +
+				"?Expires=1033570800" +
+				"&GoogleAccessId=xxx%40clientid" +
+				"&Signature=oRi3y2tBTmoDto7FezNx4AjC0RXA6fpJjTBa0hINeVroZ%2ByOeRU8MRwJbKg1IkBbV0IjtlPaGwv5YoUH16UYdipBjCXOS%2B1qgRWyzl8AnzvU%2BfwSXSlCk9zPtHHoBkFT7G4cZQOdDTLRrSG%2FmRJ3K09KEHYg%2Fc6R5Dd92inD1tLE2tiFMyHFs5uQHRMsepY4wrWiIQ4u53tPvk%2Fwiq1%2B9yL6x3QGblhdWwjX0BTVBOxexyKTlwczJW0XlWX8wpcTFfzQnJZuujbhanf2g9MGzSmkv3ylyuQdHMJDYp4Bzq%2FmnkNUg0Vp6iEvh9tyVdRNkwXeg3D8qn%2BFSOxcF%2B9vJw%3D%3D",
+		},
+		{
+			desc:         "VirtualHostedStyle - emulator",
+			emulatorHost: "localhost:8000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Style:          VirtualHostedStyle(),
+				Insecure:       true,
+			},
+			want: "http://" + bucketName + ".localhost:8000/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=9163ad1bfb8ca4c70aff3bc6ee5b2895d8fc6946f28ade641824c40efed922ec1f42c100ab98192f6db955620bf35f660fa6da0974a35d5599d56583f4dd8f9f8441b8dd70ebb3557a742db5d619e9c950b8b397da76317aeee4409c25dd8ac1af0454d331d49b6c3fc4b6118ddcf570154f3455d616c737e0b5891de7758dea438f734e1124e78ebc7bad657d68f9003f282e14f8c5dceb97f441efad70ff2f76eab89537b05bdf0fbb50d87c34e7583028979b87793d9bc1902f44d6e4b4c4564bc457b430584881b8ee4e8995fcca4e6050c4c28609c5d0026a3a4b2fc0121dcb11833c872e5bf9f154f8be582a65ad6f52b5bd2cf052f23fadd293f8362e" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "VirtualHostedStyle - endpoint",
+			emulatorHost: "localhost:8000",
+			endpoint:     &localhost9000,
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Style:          VirtualHostedStyle(),
+				Insecure:       true,
+			},
+			want: "http://" + bucketName + ".localhost:9000/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=59577491e93738f05f2442166c787fdf6f5ad70619cd87d7ac2590b78f31c01cd3cef1948fd9150de756a834de0e7cf843d82b36f744fe8cf3c095fbb35205f8db17ddaa72925a7aae9179ebf811519ab04a9e778cc1a388fa961869f01f0ab6b70e8c4e39730752f8874d29809db15209a062df90c42b536237d371f1397916008a97db70c9cd011965f843e8ddbaf2d20aed4a213e71938aeb5c88411bdf40444ae6b07f34ee2fa91825c32f136a7e7411d33dda3d34260d61694a50f5a13d1187490d1a9301aaef745ec78db7620beb4501fd76bf54d989d227ca29d01e76c50fbb3cf796e1987c18c732a14f1c4c36fa630514f6edf029546a129136d28c" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "BucketBoundHostname - emulator",
+			emulatorHost: "localhost:8000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Style:          BucketBoundHostname("myhost"),
+			},
+			want: "https://" + "myhost/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=15fe19f6c61bcbdbd6473c32f2bec29caa8a5fa3b2ce32cfb5329a71edaa0d4e5ffe6469f32ed4c23ca2fbed3882fdf1ed107c6a98c2c4995dda6036c64bae51e6cb542c353618f483832aa1f3ef85342ddadd69c13ad4c69fd3f573ea5cf325a58056e3d5a37005217662af63b49fef8688de3c5c7a2f7b43651a030edd0813eb7f7713989a4c29a8add65133ce652895fea9de7dbc6248ee11b4d7c6c1e152df87700100e896e544ba8eeea96584078f56e699665140b750e90550b9b79633f4e7c8409efa807be5670d6e987eeee04a4180be9b9e30bb8557597beaf390a3805cc602c87a3e34800f8bc01449c3dd10ac2f2263e55e55b91e445052548d5e" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:     "BucketBoundHostname - endpoint",
+			endpoint: &localhost9000,
+			now:      expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Style:          BucketBoundHostname("myhost"),
+			},
+			want: "https://" + "myhost/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=15fe19f6c61bcbdbd6473c32f2bec29caa8a5fa3b2ce32cfb5329a71edaa0d4e5ffe6469f32ed4c23ca2fbed3882fdf1ed107c6a98c2c4995dda6036c64bae51e6cb542c353618f483832aa1f3ef85342ddadd69c13ad4c69fd3f573ea5cf325a58056e3d5a37005217662af63b49fef8688de3c5c7a2f7b43651a030edd0813eb7f7713989a4c29a8add65133ce652895fea9de7dbc6248ee11b4d7c6c1e152df87700100e896e544ba8eeea96584078f56e699665140b750e90550b9b79633f4e7c8409efa807be5670d6e987eeee04a4180be9b9e30bb8557597beaf390a3805cc602c87a3e34800f8bc01449c3dd10ac2f2263e55e55b91e445052548d5e" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "emulator host specifies scheme",
+			emulatorHost: "https://localhost:6000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Insecure:       true,
+			},
+			want: "http://localhost:6000/" + bucketName + "/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=1bdbbc7e8db59e51ae2e6593fb326d9b1aa49a0905c6b94ee5bcb3be9e329656c07564a14e209275c95065f752695bd394d09afadb6874c0c0121799482f6f496593a87cdce48afd3c125b18054730273727075845e0b7d64e90503ffb20e6b02d2609bb596b081ce994ab4aafa35ee0a53350a994329e73a0125bb0edc955792f942ea8a9df5f5e87adcda4be5005dfb0d44915dee708815ac1d023c760379a22bc3d43983a672cf06c664b81bf1b724525bc1d0b2a89649c5ca396abf817ff5543f113933eb9f009fc655508656bf0d4017b2f5412028d144ef782c7b64162471c3a518053bf488ad382db3b3806316d903fa94d8b247b910aea4aa109cc55" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:     "endpoint specifies scheme",
+			endpoint: &localhost6000Https,
+			now:      expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV4,
+				Insecure:       true,
+			},
+			want: "http://localhost:6000/" + bucketName + "/" + objectName +
+				"?X-Goog-Algorithm=GOOG4-RSA-SHA256" +
+				"&X-Goog-Credential=xxx%40clientid%2F20021001%2Fauto%2Fstorage%2Fgoog4_request" +
+				"&X-Goog-Date=20021001T100000Z&X-Goog-Expires=86400" +
+				"&X-Goog-Signature=1bdbbc7e8db59e51ae2e6593fb326d9b1aa49a0905c6b94ee5bcb3be9e329656c07564a14e209275c95065f752695bd394d09afadb6874c0c0121799482f6f496593a87cdce48afd3c125b18054730273727075845e0b7d64e90503ffb20e6b02d2609bb596b081ce994ab4aafa35ee0a53350a994329e73a0125bb0edc955792f942ea8a9df5f5e87adcda4be5005dfb0d44915dee708815ac1d023c760379a22bc3d43983a672cf06c664b81bf1b724525bc1d0b2a89649c5ca396abf817ff5543f113933eb9f009fc655508656bf0d4017b2f5412028d144ef782c7b64162471c3a518053bf488ad382db3b3806316d903fa94d8b247b910aea4aa109cc55" +
+				"&X-Goog-SignedHeaders=host",
+		},
+		{
+			desc:         "emulator host specifies scheme using SigningSchemeV2",
+			emulatorHost: "https://localhost:8000",
+			now:          expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV2,
+			},
+			want: "https://localhost:8000/" + bucketName + "/" + objectName +
+				"?Expires=1033570800" +
+				"&GoogleAccessId=xxx%40clientid" +
+				"&Signature=oRi3y2tBTmoDto7FezNx4AjC0RXA6fpJjTBa0hINeVroZ%2ByOeRU8MRwJbKg1IkBbV0IjtlPaGwv5YoUH16UYdipBjCXOS%2B1qgRWyzl8AnzvU%2BfwSXSlCk9zPtHHoBkFT7G4cZQOdDTLRrSG%2FmRJ3K09KEHYg%2Fc6R5Dd92inD1tLE2tiFMyHFs5uQHRMsepY4wrWiIQ4u53tPvk%2Fwiq1%2B9yL6x3QGblhdWwjX0BTVBOxexyKTlwczJW0XlWX8wpcTFfzQnJZuujbhanf2g9MGzSmkv3ylyuQdHMJDYp4Bzq%2FmnkNUg0Vp6iEvh9tyVdRNkwXeg3D8qn%2BFSOxcF%2B9vJw%3D%3D",
+		},
+		{
+			desc:     "endpoint specifies scheme using SigningSchemeV2",
+			endpoint: &localhost6000Https,
+			now:      expires.Add(-24 * time.Hour),
+			opts: &SignedURLOptions{
+				GoogleAccessID: "xxx@clientid",
+				PrivateKey:     dummyKey("rsa"),
+				Method:         "POST",
+				Expires:        expires,
+				Scheme:         SigningSchemeV2,
+			},
+			want: "https://localhost:6000/" + bucketName + "/" + objectName +
+				"?Expires=1033570800" +
+				"&GoogleAccessId=xxx%40clientid" +
+				"&Signature=oRi3y2tBTmoDto7FezNx4AjC0RXA6fpJjTBa0hINeVroZ%2ByOeRU8MRwJbKg1IkBbV0IjtlPaGwv5YoUH16UYdipBjCXOS%2B1qgRWyzl8AnzvU%2BfwSXSlCk9zPtHHoBkFT7G4cZQOdDTLRrSG%2FmRJ3K09KEHYg%2Fc6R5Dd92inD1tLE2tiFMyHFs5uQHRMsepY4wrWiIQ4u53tPvk%2Fwiq1%2B9yL6x3QGblhdWwjX0BTVBOxexyKTlwczJW0XlWX8wpcTFfzQnJZuujbhanf2g9MGzSmkv3ylyuQdHMJDYp4Bzq%2FmnkNUg0Vp6iEvh9tyVdRNkwXeg3D8qn%2BFSOxcF%2B9vJw%3D%3D",
+		},
+	}
+	oldUTCNow := utcNow
+	defer func() {
+		utcNow = oldUTCNow
+	}()
+
+	for _, test := range tests {
+		t.Run(test.desc, func(s *testing.T) {
+			utcNow = func() time.Time {
+				return test.now
+			}
+
+			t.Setenv("STORAGE_EMULATOR_HOST", test.emulatorHost)
+
+			var opts []option.ClientOption
+			if test.endpoint != nil {
+				opts = append(opts, option.WithEndpoint(*test.endpoint))
+			}
+			c, err := NewClient(context.Background(), opts...)
+			if err != nil {
+				t.Fatalf("NewClient: %v", err)
+			}
+
+			got, err := c.Bucket(bucketName).SignedURL(objectName, test.opts)
+			if err != nil {
+				s.Fatal(err)
+			}
+
+			if got != test.want {
+				s.Fatalf("bucket.SidnedURL:\n\tgot:\t%v\n\twant:\t%v", got, test.want)
+			}
+		})
+	}
+}
@@ -4750,11 +4750,9 @@ func TestIntegration_SignedURL_WithCreds(t *testing.T) {
 			t.Fatalf("problem with the signed URL: %v", err)
 		}
 	}, option.WithCredentials(creds))
-
 }
 
 func TestIntegration_SignedURL_DefaultSignBytes(t *testing.T) {
-
 	ctx := context.Background()
 
 	// Create another client to test the sign byte function as well

@@ -114,6 +114,7 @@ type PostPolicyV4Options struct {
 	Conditions []PostPolicyV4Condition
 
 	shouldHashSignBytes bool
+	endpoint            string
 }
 
 func (opts *PostPolicyV4Options) clone() *PostPolicyV4Options {
@@ -128,6 +129,7 @@ func (opts *PostPolicyV4Options) clone() *PostPolicyV4Options {
 		Fields:              opts.Fields,
 		Conditions:          opts.Conditions,
 		shouldHashSignBytes: opts.shouldHashSignBytes,
+		endpoint:            opts.endpoint,
 	}
 }
 
@@ -370,7 +372,7 @@ func GenerateSignedPostPolicyV4(bucket, object string, opts *PostPolicyV4Options
 	u := &url.URL{
 		Path:    path,
 		RawPath: pathEncodeV4(path),
-		Host:    opts.Style.host(bucket),
+		Host:    opts.Style.host(opts.endpoint, bucket),
 		Scheme:  scheme,
 	}
 

@@ -40,6 +40,7 @@ func TestPostPolicyV4OptionsClone(t *testing.T) {
 		Fields:              &PolicyV4Fields{ACL: "test-acl"},
 		Conditions:          []PostPolicyV4Condition{},
 		shouldHashSignBytes: true,
+		endpoint:            "localhost:9000",
 	}
 
 	// Check that all fields are set to a non-zero value, so we can check that