Note: `Full` only refers to whether a `PushContext` recomputation is needed. Even within a `Full` push, we keep track of which configuration updates triggered this, so we could have "Full update of Config X" or "Full update of all configs".

import java.io.IOException
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.KeyManager
import javax.net.ssl.SSLHandshakeException
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.TrustManager
import kotlin.test.assertFailsWith
import mockwebserver3.MockResponse
import mockwebserver3.MockWebServer

pkg net/http, const StatusInsufficientStorage ideal-int
pkg net/http, const StatusLocked = 423
pkg net/http, const StatusLocked ideal-int
pkg net/http, const StatusLoopDetected = 508
pkg net/http, const StatusLoopDetected ideal-int
pkg net/http, const StatusMultiStatus = 207
pkg net/http, const StatusMultiStatus ideal-int
pkg net/http, const StatusNotExtended = 510
pkg net/http, const StatusNotExtended ideal-int

But I'll show you how to improve that next. 🤓

## Custom Operation IDs and Better Method Names

You can **modify** the way these operation IDs are **generated** to make them simpler and have **simpler method names** in the clients.

As discussed in [HBONE](#hbone), this is based on the destination IP.
Additionally, we enforce the peer has a valid mesh identity (but do not assert _which_ identity, yet).

Next, we terminate the CONNECT.
From the [headers](#headers), we know the target destination.
If the target destination has a waypoint, we enforce that the request is coming from that waypoint. Otherwise, the request is rejected.

randomly generated secret key per object also known as, Object Encryption Key ([OEK](#oek)). Neither the client-provided SSE-C key nor the KMS-managed key is directly used to en/decrypt an object. Instead, the OEK is stored as part of the object metadata next to the object in an encrypted form. To en/decrypt the OEK another secret key is needed also known as, Key Encryption Key ([KEK](#kek)).

The MinIO server runs a key-derivation algorithm to generate the KEK using a pseudo-random function ([PRF](#prf)):...

explicitly asked for it. This behavior can be controlled by the
[`multipathtcp` setting](/pkg/net#Dialer.SetMultipathTCP).

There is no plan to remove any of these settings.

### Go 1.20

Go 1.20 introduced support for rejecting insecure paths in tar and zip archives,
controlled by the [`tarinsecurepath` setting](/pkg/archive/tar/#Reader.Next)
and the [`zipinsecurepath` setting](/pkg/archive/zip/#NewReader).

But it's signed. So, when you receive a token that you emitted, you can verify that you actually emitted it.

That way, you can create a token with an expiration of, let's say, 1 week. And then when the user comes back the next day with the token, you know that user is still logged in to your system.

  // Specifies how to treat concurrent executions of a Job.
  // Valid values are:
  //
  // - "Allow" (default): allows CronJobs to run concurrently;
  // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
  // - "Replace": cancels currently running job and replaces it with a new one
  // +optional
  optional string concurrencyPolicy = 3;

    taskFaker.runNextTask()
    assertThat(log).containsExactly("red:starting@0")
    assertThat(taskFaker.executeCallCount).isEqualTo(2)

    // Next the blue task starts.
    taskFaker.runNextTask()
    assertThat(log).containsExactly(
      "red:starting@0",
      "blue:starting@0",
    )
    assertThat(taskFaker.executeCallCount).isEqualTo(2)