}

	var users2 []User
	DB.Preload("Account", clause.Eq{Column: "number", Value: users[0].Account.Number}).Find(&users2, "id IN ?", userIDs)
	sort.Slice(users2, func(i, j int) bool {
		return users2[i].ID < users2[j].ID
	})

	for idx, user := range users2[1:2] {
		if user.Account.Number != "" {
			t.Errorf("No account should found for user %v but got %v", idx+2, user.Account.Number)
		}
	}

		// For STS policy map, we need to merge the new cache with the existing
		// cache because the periodic IAM reload is partial. The periodic load
		// here is to account for STS policy mapping changes that should apply
		// for service accounts derived from such STS accounts (i.e. LDAP STS
		// accounts).
		newCache.iamSTSPolicyMap.Range(func(k string, v MappedPolicy) bool {
			cache.iamSTSPolicyMap.Store(k, v)
			return true
		})

package arn

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ARN structure:
//
// arn:partition:service:region:account-id:resource-type/resource-id
//
// In this implementation, account-id is empty.
//
// Reference: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

const (
	arnPrefixArn        = "arn"
	arnPartitionMinio   = "minio"

}

// GetNonEligibleUserDistNames - find user accounts (DNs) that are no longer
// present in the LDAP server or do not meet filter criteria anymore
func (l *Config) GetNonEligibleUserDistNames(userDistNames []string) ([]string, error) {
	conn, err := l.LDAP.Connect()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	// Bind to the lookup user account
	if err = l.LDAP.LookupBind(conn); err != nil {

	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	// Check if we are creating svc account for request sender.
	isSvcAccForRequestor := false

	addExpirationToCondValues(updateReq.NewExpiration, condValues)

	// Permission checks:
	//
	// 1. Any type of account (i.e. access keys (previously/still called service
	// accounts), STS accounts, internal IDP accounts, etc) with the
	// policy.UpdateServiceAccountAdminAction permission can update any service
	// account.
	//
	// 2. We would like to let a user update their own access keys, however it

	// created before a certain (TBD) future date.
	//
	// 2. do not allow empty statement policies for service accounts.
	if subPolicy.Version == "" && subPolicy.Statements == nil && subPolicy.ID == "" {
		hasSessionPolicy = false
		return
	}

	// As the session policy exists, even if the parent is the root account, it
	// must be restricted by it. So, we set `.IsOwner` to false here

		if _, ok := cache.iamUsersMap[svcParent]; !ok {
			// If a service account's parent user is not in iamUsersMap, the
			// parent is an STS account. Such accounts may have a policy mapped
			// on the parent user, so we load them. This is not needed for the
			// initial server startup, however, it is needed for the case where
			// the STS account's policy mapping (for example in LDAP mode) may

    operator.istio.io/component: "EgressGateways"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
  name: {{ $gateway.name }}-service-account

apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: {{ $gateway.name }}-service-account
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}