2. export MC_HOST_{{ template "minio.fullname" . }}_local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }}

    return current_user


client = TestClient(app)


def test_security_api_key():
    response = client.get("/users/me", headers={"key": "secret"})
    assert response.status_code == 200, response.text
    assert response.json() == {"username": "secret"}


def test_security_api_key_no_key():
    response = client.get("/users/me")
    assert response.status_code == 401, response.text

    return current_user


client = TestClient(app)


def test_security_api_key():
    response = client.get("/users/me", headers={"key": "secret"})
    assert response.status_code == 200, response.text
    assert response.json() == {"username": "secret"}


def test_security_api_key_no_key():
    response = client.get("/users/me")
    assert response.status_code == 401, response.text

	set -e   # fail if we can't read the keys.
	ACCESS=$(cat /config/rootUser)
	SECRET=$(cat /config/rootPassword)
	set +e # The connections to minio are allowed to fail.
	echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT"
	MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET"
	$MC_COMMAND
	STATUS=$?
	until [ $STATUS = 0 ]; do
		ATTEMPTS=$(expr $ATTEMPTS + 1)

        "/items/", headers={"X-Token": "fake-super-secret-token", "X-Key": "invalid"}
    )
    assert response.status_code == 400, response.text
    assert response.json() == {"detail": "X-Key header invalid"}


def test_get_valid_headers(client: TestClient):
    response = client.get(
        "/items/",
        headers={
            "X-Token": "fake-super-secret-token",
            "X-Key": "fake-super-secret-key",

      new SecretKeySpec("secret key".getBytes(UTF_8), "HmacMD5");
  private static final SecretKey SHA1_KEY =
      new SecretKeySpec("secret key".getBytes(UTF_8), "HmacSHA1");
  private static final SecretKey SHA256_KEY =
      new SecretKeySpec("secret key".getBytes(UTF_8), "HmacSHA256");
  private static final SecretKey SHA512_KEY =
      new SecretKeySpec("secret key".getBytes(UTF_8), "HmacSHA512");

##### Cluster

```yaml
scrape_configs:
- job_name: minio-job
  bearer_token: <secret>
  metrics_path: /minio/v2/metrics/cluster
  scheme: http
  static_configs:
  - targets: ['localhost:9000']
```

##### Bucket centric

```yaml
- job_name: minio-job-bucket
  bearer_token: <secret>
  metrics_path: /minio/v2/metrics/bucket
  scheme: http
  static_configs:
  - targets: ['localhost:9000']

app = FastAPI()


async def verify_token(x_token: Annotated[str, Header()]):
    if x_token != "fake-super-secret-token":
        raise HTTPException(status_code=400, detail="X-Token header invalid")


async def verify_key(x_key: Annotated[str, Header()]):
    if x_key != "fake-super-secret-key":
        raise HTTPException(status_code=400, detail="X-Key header invalid")
    return x_key

    void testHandlePasswordOnly() throws Exception {
        JAASAuthenticator auth = new JAASAuthenticator("DOM", "user", "secret");
        PasswordCallback pc = new PasswordCallback("pass:", false);
        auth.handle(new Callback[] { pc });
        assertEquals("secret", new String(pc.getPassword()));
    }

    @Test
    @DisplayName("handle: empty user/domain edge yields '@' and null password")

        ArgumentCaptor<String> shareCap = ArgumentCaptor.forClass(String.class);
        ArgumentCaptor<String> svcCap = ArgumentCaptor.forClass(String.class);
        verify(session).getSmbTree(shareCap.capture(), svcCap.capture());
        assertEquals(share, shareCap.getValue());
        assertEquals(svc, svcCap.getValue());
    }

    // Edge/invalid inputs: null or empty share/service cause IllegalArgumentException (mocked)