refreshInterval      time.Duration
	lockRetryMinInterval time.Duration
}

// Granted - represents a structure of a granted lock.
type Granted struct {
	index   int
	lockUID string // Locked if set with UID string, unlocked if empty
}

func (g *Granted) isLocked() bool {
	return isLocked(g.lockUID)
}

func isLocked(uid string) bool {
	return len(uid) > 0
}

	}

	defer rc.Close()

	if err = setObjectHeaders(w, fileObjInfo, nil, opts); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}
	// s3zip does not allow ranges
	w.Header().Del(xhttp.AcceptRanges)

	setHeadGetRespHeaders(w, r.Form)

	httpWriter := xioutil.WriteOnClose(w)

	// Write object content to response body

	sts.AssumeRoleWithSSO(w, r)
}

// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
//
//	$ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
	sts.AssumeRoleWithSSO(w, r)

		Code:           "ExpiredToken",
		Description:    "The client grants that was passed is expired or is not valid. Get a new client grants token from the identity provider and then retry the request.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSInvalidClientGrantsToken: {
		Code:           "InvalidClientGrantsToken",
		Description:    "The client grants token that was passed could not be validated by MinIO.",

	// The intended audience (also known as client ID) of the web identity token.
	// This is traditionally the client identifier issued to the application that
	// requested the client grants.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//

package cmd

import (
	"context"
	"errors"
	"fmt"
	"io"
	"strings"

	"github.com/minio/madmin-go/v3"
	xhttp "github.com/minio/minio/internal/http"
)

// WarmBackendGetOpts is used to express byte ranges within an object. The zero
// value represents the entire byte range of an object.
type WarmBackendGetOpts struct {
	startOffset int64
	length      int64
}

query results are printed to the console, organized by workload name.

All metrics returned are from server-side reports. This means that latencies
and error rates are from the perspective of the service itself and not of an
individual client (or aggregate set of clients). Rates and latencies are
calculated over a time interval of 1 minute.
`,
		Example: `  # Retrieve workload metrics for productpage-v1 workload

	if _, reply = l.lockMap[args.Resources[0]]; !reply {
		l.lockMap[args.Resources[0]] = WriteLock // No locks held on the given name, so claim write lock
	}
	reply = !reply // Negate *reply to return true when lock is granted or false otherwise
	return reply, nil
}

func (l *lockServer) Unlock(args *LockArgs) (reply bool, err error) {
	if d := atomic.LoadInt64(&l.responseDelay); d != 0 {
		time.Sleep(time.Duration(d))
	}

	AmzFwdStatus                   = "x-amz-fwd-status"
	AmzFwdErrorCode                = "x-amz-fwd-error-code"
	AmzFwdErrorMessage             = "x-amz-fwd-error-message"
	AmzFwdHeaderAcceptRanges       = "x-amz-fwd-header-accept-ranges"
	AmzFwdHeaderCacheControl       = "x-amz-fwd-header-Cache-Control"
	AmzFwdHeaderContentDisposition = "x-amz-fwd-header-Content-Disposition"
	AmzFwdHeaderContentEncoding    = "x-amz-fwd-header-Content-Encoding"

	return filterPolicies(cache, policyName, bucketName)
}

// GetBucketUsers - returns users (not STS or service accounts) that have access
// to the bucket. User is included even if a group policy that grants access to
// the bucket is disabled.
func (store *IAMStoreSys) GetBucketUsers(bucket string) (map[string]madmin.UserInfo, error) {
	if bucket == "" {
		return nil, errInvalidArgument
	}