)

type meshAuthCredentials struct {
	k8sCreds credentials.PerRPCCredentials
	gcpCreds credentials.PerRPCCredentials
	project  string
}

func (c *meshAuthCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	ret := map[string]string{
		"x-goog-user-project": c.project,
	}
	if err := updateAuthHdrs(ctx, uri, "k8s", c.k8sCreds, ret, "x-mesh-authorization"); err != nil {
		return nil, err
	}

	}

	// Return the nicely colored and formatted update message.
	return colorizeUpdateMessage(downloadURL, newerThan)
}

// colorizeUpdateMessage - inspired from Yeoman project npm package https://github.com/yeoman/update-notifier
func colorizeUpdateMessage(updateString string, newerThan string) string {
	msgLine1Fmt := " You are running an older version of MinIO released %s "
	msgLine2Fmt := " Update: %s "

		return err
	}

	reason := googleAPIErr.Errors[0].Reason
	message := googleAPIErr.Errors[0].Message

	switch reason {
	case "required":
		// Anonymous users does not have storage.xyz access to project 123.
		fallthrough
	case "keyInvalid":
		fallthrough
	case "forbidden":
		err = PrefixAccessDenied{
			Bucket: bucket,
			Object: object,
		}
	case "invalid":
		err = BucketNameInvalid{

                        "projecta",
                        "projectb"
                    ]
                }
            }
        }
    ]
}`

	policyProjectsMap = map[string]string{
		// grants access to bucket `projecta` if user is in group `projecta`
		"projecta": policyProjectA,

		// grants access to bucket `projectb` if user is in group `projectb`

func setRequestLimitMiddleware(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tc, ok := r.Context().Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt)

		// Reject unsupported reserved metadata first before validation.
		if containsReservedMetadata(r.Header) {
			if ok {
				tc.FuncName = "handler.ValidRequest"
				tc.ResponseRecorder.LogErrBody = true
			}

// - errOnly entries are to be traced, not status code 2xx, 3xx.
// - madmin.TraceInfo type is asked by opts
func shouldTrace(trcInfo madmin.TraceInfo, opts madmin.ServiceTraceOpts) (shouldTrace bool) {
	// Reject all unwanted types.
	want := opts.TraceTypes()
	if !want.Contains(trcInfo.TraceType) {
		return false
	}

	isHTTP := trcInfo.TraceType.Overlaps(madmin.TraceInternal|madmin.TraceS3) && trcInfo.HTTP != nil

	ret := &xdsAddr{host: u.Host}
	if !strings.HasSuffix(ret.host, ":443") {
		ret.host += ":443"
	}
	const projSeg = "/projects/"
	i := strings.Index(u.Path, projSeg)
	if i == -1 {
		return nil, fmt.Errorf("webhook URL %s doesn't contain the projects segment", u)
	}
	i += len(projSeg)
	j := strings.IndexByte(u.Path[i:], '/')
	if j == -1 {
		return nil, fmt.Errorf("webhook URL %s is malformed", u)
	}

func exponentialBackoffWait(r *rand.Rand, unit, cap time.Duration) func(uint) time.Duration {
	if unit > time.Hour {
		// Protect against integer overflow
		panic("unit cannot exceed one hour")
	}
	return func(attempt uint) time.Duration {
		if attempt > 16 {
			// Protect against integer overflow
			attempt = 16
		}
		// sleep = random_between(unit, min(cap, base * 2 ** attempt))

			return nil
		case objectlock.RetGovernance:
			// In governance mode, users can't overwrite or delete an object
			// version or alter its lock settings unless they have special
			// permissions. With governance mode, you protect objects against
			// being deleted by most users, but you can still grant some users
			// permission to alter the retention settings or delete the object

	cache := store.lock()
	defer store.unlock()

	accessKey := cred.AccessKey
	parentUser := cred.ParentUser

	// Found newly requested service account, to be an existing account -
	// reject such operation (updates to the service account are handled in
	// a different API).
	if su, found := cache.iamUsersMap[accessKey]; found {
		scred := su.Credentials
		if scred.ParentUser != parentUser {