}

		healingLogIf(ctx, tracker.update(ctx))
		close(quitting)
	}()

	var retErr error

	// Heal all buckets with all objects
	for _, bucket := range healBuckets {
		if tracker.isHealed(bucket) {
			continue
		}

		var forwardTo string
		// If we resume to the same bucket, forward to last known item.
		b := tracker.getBucket()
		if b == bucket {
			forwardTo = tracker.getObject()

	return h.disk.Delete(ctx, minioMetaBucket,
		pathJoin(bucketMetaPrefix, healingTrackerFilename),
		DeleteOptions{
			Recursive: false,
			Immediate: false,
		},
	)
}

func (h *healingTracker) isHealed(bucket string) bool {
	h.mu.RLock()
	defer h.mu.RUnlock()
	for _, v := range h.HealedBuckets {
		if v == bucket {
			return true
		}
	}
	return false
}

}

func TestIsETagSealed(t *testing.T) {
	for i, test := range isETagSealedTests {
		etag, err := hex.DecodeString(test.ETag)
		if err != nil {
			t.Errorf("Test %d: failed to decode etag: %s", i, err)
		}
		if sealed := IsETagSealed(etag); sealed != test.IsSealed {
			t.Errorf("Test %d: got %v - want %v", i, sealed, test.IsSealed)
		}
	}
}

var removeInternalEntriesTests = []struct {

        final SystemHelper helper1 = new SystemHelper() {
            @Override
            public long getCurrentTimeAsLong() {
                return systemHelper.eolTime + 1000L;
            }
        };
        helper1.eolTime = systemHelper.eolTime;
        assertTrue(helper1.isEoled());
        final SystemHelper helper2 = new SystemHelper() {

        final boolean eoled = isEoled();
        runtime.registerData("eoled", eoled);
        if (eoled) {
            final String eolLink = fessConfig.getOnlineHelpEol();
            runtime.registerData("eolLink", getHelpUrl(eolLink));
        }
    }

    protected boolean isEoled() {
        return getCurrentTimeAsLong() > eolTime;
    }

	// Add more supported headers here.
}

// mapping of internal headers to allowed replication headers
var validSSEReplicationHeaders = map[string]string{
	"X-Minio-Internal-Server-Side-Encryption-Sealed-Key":     "X-Minio-Replication-Server-Side-Encryption-Sealed-Key",
	"X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm": "X-Minio-Replication-Server-Side-Encryption-Seal-Algorithm",

- Seal/Unmount one/some master keys. That will lock all SSE-S3 encrypted objects protected by these master keys. All these objects can not be decrypted as long as the key(s) are sealed.

 *  New: Log the total time of the HTTP call in `HttpLoggingInterceptor`.

 *  New: `OkHttpClient.Builder` now has APIs that use `kotlin.time.Duration`.

 *  New: `mockwebserver3.SocketPolicy` is now a sealed interface. This is one of several
    backwards-incompatible API changes that may impact early adopters of this alpha API.

 *  New: `mockwebserver3.Stream` for duplex streams.

func (o *ObjectInfo) compressionIndexDecrypt(input []byte, h http.Header) ([]byte, error) {
	return o.metadataDecrypter(h)("compression-index", input)
}

// SealMD5CurrFn seals md5sum with object encryption key and returns sealed
// md5sum
type SealMD5CurrFn func([]byte) []byte

// PutObjReader is a type that wraps sio.EncryptReader and
// underlying hash.Reader in a struct
type PutObjReader struct {

		}

		_, sourceReplReq := r.Header[xhttp.MinIOSourceReplicationRequest]
		ssecRepHeaders := []string{
			"X-Minio-Replication-Server-Side-Encryption-Seal-Algorithm",
			"X-Minio-Replication-Server-Side-Encryption-Sealed-Key",
			"X-Minio-Replication-Server-Side-Encryption-Iv",
		}
		ssecRep := false
		for _, header := range ssecRepHeaders {
			if val := r.Header.Get(header); val != "" {
				ssecRep = true
				break
			}