// in Using IAM.
	//
	// Arn is a required field
	Arn string

	// A unique identifier that contains the role ID and the role session name of
	// the role that is being assumed. The role ID is generated by AWS when the
	// role is created.
	//
	// AssumedRoleId is a required field
	AssumedRoleID string `xml:"AssumeRoleId"`
	// contains filtered or unexported fields
}

	}

	oidcToken, err := cmd.MockOpenIDTestUserInteraction(ctx, appParams, "******@****.***", "dillon")
	if err != nil {
		log.Fatalf("Failed to generate OIDC token: %v", err)
	}

	roleARN := os.Getenv("ROLE_ARN")
	webID := cr.STSWebIdentity{
		Client:      &http.Client{},
		STSEndpoint: endpoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token: oidcToken,
			}, nil

	} else {
		c.iamUsersMap[key] = u
	}
	c.updatedAt = time.Now()
	return nil
}

// IAMStorageAPI defines an interface for the IAM persistence layer
type IAMStorageAPI interface {
	// The role of the read-write lock is to prevent go routines from
	// concurrently reading and writing the IAM storage. The (r)lock()
	// functions return the iamCache. The cache can be safely written to
	// only when returned by `lock()`.

guangwu <******@****.***> 1712938195 +0800

	return escaper + strings.ReplaceAll(string(v), escaper, escaper+escaper) + escaper
}

func TestExplainSQL(t *testing.T) {
	type role string
	type password []byte
	type intType int
	type floatType float64
	var (
		tt                 = now.MustParse("2020-02-23 11:10:10")
		myrole             = role("admin")
		pwd                = password("pass")
		jsVal              = []byte(`{"Name":"test","Val":"test"}`)

		if !ok {
			return nil, fmt.Errorf("Invalid kid value %v", jwtToken.Header["kid"])
		}
		return r.pubKeys.get(kid), nil
	}

	pCfg, ok := r.arnProviderCfgsMap[arn]
	if !ok {
		return fmt.Errorf("Role %s does not exist", arn)
	}

	jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
	if err != nil {
		// Re-populate the public key in-case the JWKS
		// pubkeys are refreshed

		}

		// Check if claim name is the non-default value and role policy is set.
		if p.ClaimName != policy.PolicyName && p.RolePolicy != "" {
			// In the unlikely event that the user specifies
			// `policy.PolicyName` as the claim name explicitly and sets
			// a role policy, this check is thwarted, but we will be using
			// the role policy anyway.

				// Print a warning that some policies mapped to a role are not defined.
				errMsg := fmt.Errorf(
					"The policies \"%s\" mapped to role ARN %s are not defined - this role may not work as expected.",
					unknownPoliciesSet.ToSlice(), arn.String())
				authZLogIf(ctx, errMsg, logger.WarningKind)
			}
		}
		sys.rolesMap[arn] = rolePolicies
	}
}

// Prints IAM role ARNs.
func (sys *IAMSys) printIAMRoles() {

func mustGetClusterRole(g *WithT, objs *ObjectSet, name string) *object.K8sObject {
	obj := objs.kind(name2.ClusterRoleStr).nameEquals(name)
	g.Expect(obj).Should(Not(BeNil()))
	return obj
}

// mustGetRole returns the role with the given name or fails if it's not found in objs.
func mustGetRole(g *WithT, objs *ObjectSet, name string) *object.K8sObject {
	obj := objs.kind(name2.RoleStr).nameEquals(name)
	g.Expect(obj).Should(Not(BeNil()))

	cr "github.com/minio/minio-go/v7/pkg/credentials"
)

var (
	// LDAP integrated Minio endpoint
	stsEndpoint string

	// token to use with AssumeRoleWithCustomToken
	token string

	// Role ARN to use
	roleArn string

	// Display credentials flag
	displayCreds bool

	// Credential expiry duration
	expiryDuration time.Duration

	// Bucket to list
	bucketToList string
)