// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package once

import (
	"context"
	"sync"
	"sync/atomic"
)

// Inspired from Golang sync.Once but it is only marked
// initialized when the provided function returns nil.

// Init represents the structure.
type Init struct {
	done uint32
	m    sync.Mutex
}

// Do is similar to sync.Once.Do - makes one successful

	var config BucketSSEConfig
	err := xml.NewDecoder(r).Decode(&config)
	if err != nil {
		return nil, err
	}

	// Validates server-side encryption config rules
	// Only one rule is allowed on AWS S3
	if len(config.Rules) != 1 {
		return nil, errors.New("only one server-side encryption rule is allowed at a time")
	}

	for _, rule := range config.Rules {
		switch rule.DefaultEncryptionAction.Algorithm {
		case AES256:

| *Required* | *No*     |

### RoleArn

The role ARN to use. This must be specified if and only if the web identity provider is configured with a role policy.

| Params     | Value    |
| :--        | :--      |
| *Type*     | *String* |
| *Required* | *No*     |

### Version

	ErrInvalidDataSource: {
		Code:           "InvalidDataSource",
		Description:    "Invalid data source type. Only CSV and JSON are supported at this time.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrInvalidExpressionType: {
		Code:           "InvalidExpressionType",
		Description:    "The ExpressionType is invalid. Only SQL expressions are supported at this time.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrBusy: {

      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason

	"github.com/minio/mux"
	"github.com/minio/pkg/v2/policy"
)

// Data types used for returning dummy access control
// policy XML, these variables shouldn't be used elsewhere
// they are only defined to be used in this file alone.
type grantee struct {
	XMLNS       string `xml:"xmlns:xsi,attr"`
	XMLXSI      string `xml:"xsi:type,attr"`
	Type        string `xml:"Type"`
	ID          string `xml:"ID,omitempty"`

	flag.StringVar(&minioUsername, "u", "", "MinIO Username")
	flag.StringVar(&minioPassword, "p", "", "MinIO Password")
	flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
	flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")
	flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to username)")

}

// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
func isRequestSignStreamingV4(r *http.Request) bool {
	return r.Header.Get(xhttp.AmzContentSha256) == streamingContentSHA256 &&
		r.Method == http.MethodPut
}

// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
func isRequestSignStreamingTrailerV4(r *http.Request) bool {

	case emptySHA256:
		// some broken clients set empty-sha256
		// with > 0 content-length in the body,
		// we should skip such clients and allow
		// blindly such insecure clients only if
		// S3 strict compatibility is disabled.

		// We return true only in situations when
		// deployment has asked MinIO to allow for
		// such broken clients and content-length > 0.
		return r.ContentLength > 0 && !globalServerCtxt.StrictS3Compat
	}

                                                                └─────────┘
```

In a given setup, there are `n` MinIO instances talking to `m` KES servers but only `1` central KMS. The most simple setup consists of `1` MinIO server or cluster talking to `1` KMS via `1` KES server.