1.
2.
3.
4.

## Context
<!--- How has this issue affected you? What are you trying to accomplish? -->
<!--- Providing context helps us come up with a solution that is most useful in the real world -->

## Regression
<!-- Is this issue a regression? (Yes / No) -->

```sh
aws s3api put-object --bucket testbucket --key lockme --object-lock-mode GOVERNANCE --object-lock-retain-until-date "2019-11-20"  --body /etc/issue
```

See <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html> for AWS S3 spec on object locking and permissions required for object retention and governance bypass overrides.

Date:   Sat Jun 15 11:27:17 2019 -0700

    [security] Match ${aws:username} exactly instead of prefix match (#7791)

    This PR fixes a security issue where an IAM user based
    on his policy is granted more privileges than restricted
    by the users IAM policy.

    This is due to an issue of prefix based Matcher() function
    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.
```

// errUnexpected - unexpected error, requires manual intervention.
var errUnexpected = StorageErr("unexpected error, please report this issue at https://github.com/minio/minio/issues")

// errCorruptedFormat - corrupted format.
var errCorruptedFormat = StorageErr("corrupted format")

// errCorruptedBackend - corrupted backend.

      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise

		}
		if err == nil {
			if etag != test.ETag {
				t.Fatalf("Test %d: ETag mismatch: got %s - want %s", i, etag, test.ETag)
			}
		}
	}
}

// Tests for issue reproduced when getting the right encrypted
// offset of the object.
func TestGetDecryptedRange_Issue50(t *testing.T) {
	rs, err := parseRequestRangeSpec("bytes=594870256-594870263")
	if err != nil {
		t.Fatal(err)

//
// Any change here should be discussed by opening an issue at
// https://github.com/minio/minio/issues.
func getUserAgent(mode string) string {
	userAgentParts := []string{}
	// Helper function to concisely append a pair of strings to a
	// the user-agent slice.

	// can do nothing (such a JSON could be generated by an external application
	// as the policy for the service account). Inheriting the parent policy in
	// such a case, is a security issue. Ideally, we should not allow such
	// behavior, but for compatibility with the Console, we currently allow it.
	//
	// TODO:
	//
	// 1. fix console behavior and allow this inheritance for service accounts

func shouldCheckForDangling(err error, errs []error, bucket string) bool {
	// Avoid data in .minio.sys for now
	if bucket == minioMetaBucket {
		return false
	}
	switch {
	// Check if we have a read quorum issue
	case errors.Is(err, errErasureReadQuorum):
		return true
	// Check if the object is inexistent in most disks but not all of them
	case errors.Is(err, errFileNotFound) || errors.Is(err, errFileVersionNotFound):

	derrs := make([]error, len(poolIndices))
	dobjects := make([]ObjectInfo, len(poolIndices))

	// Delete concurrently in all server pools that reported no error or read quorum error
	// where the read quorum issue is from metadata inconsistency.
	var wg sync.WaitGroup
	for idx, pe := range poolIndices {
		if v, ok := pe.Err.(InsufficientReadQuorum); ok && v.Type != RQInconsistentMeta {
			derrs[idx] = InsufficientWriteQuorum{}