bootstrapTrace("rootCredentials", func() {
		cred := loadRootCredentials()
		if !cred.IsValid() && (env.Get(api.EnvAPIRootAccess, config.EnableOn) == config.EnableOff) {
			// Generate KMS based credentials if root access is disabled
			// and no ENV is set.
			cred = autoGenerateRootCredentials()
		}

		if !cred.IsValid() {
			cred = auth.DefaultCredentials
		}

		var err error

	s3Err = authenticateRequest(ctx, r, action)
	reqInfo := logger.GetReqInfo(ctx)
	if reqInfo == nil {
		return cred, owner, ErrAccessDenied
	}

	cred = reqInfo.Cred
	owner = reqInfo.Owner
	if s3Err != ErrNone {
		return cred, owner, s3Err
	}

	return cred, owner, authorizeRequest(ctx, r, action)
}

		writeErrorResponseJSON(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	cred, _, s3Err := validateAdminSignature(ctx, r, "")
	if s3Err != ErrNone {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
		return
	}
	password := cred.SecretKey

	reqBytes, err := madmin.DecryptData(password, io.LimitReader(r.Body, r.ContentLength))
	if err != nil {

	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	if globalIAMSys.GetUsersSysType() == MinIOUsersSysType && targetUser != cred.AccessKey {

	values.Set(peerRESTEnableSha256, strconv.FormatBool(opts.enableSha256))
	values.Set(peerRESTEnableMultipart, strconv.FormatBool(opts.enableMultipart))
	values.Set(peerRESTAccessKey, opts.creds.AccessKey)

	respBody, err := client.callWithContext(context.Background(), peerRESTMethodSpeedTest, values, nil, -1)
	if err != nil {
		return SpeedTestResult{}, err
	}
	defer xhttp.DrainBody(respBody)

	// 	if err != nil {
	// 		return "", fmt.Errorf("Error reading body: %v", err)
	// 	}
	// 	fmt.Printf("bodyBuf (for LDAP login page): %s\n", string(bodyBuf))
	// }

	// Fill the login form with our test creds:
	// fmt.Printf("login form url: %s\n", lastReq.URL.String())
	formData := url.Values{}
	formData.Set("login", username)
	formData.Set("password", password)

		concurrency:     concurrent,
		duration:        duration,
		storageClass:    storageClass,
		bucketName:      bucketName,
		enableSha256:    enableSha256,
		enableMultipart: enableMultipart,
		creds:           u.Credentials,
	})
	if err != nil {
		result.Error = err.Error()
	}

	done(nil)
	peersLogIf(r.Context(), gob.NewEncoder(w).Encode(result))
}

	}

	tests := []struct {
		edata   []byte
		cred    auth.Credentials
		success bool
	}{
		{edata1, cred1, true},
		{edata2, cred2, true},
		{data, cred1, false},
	}

	for _, test := range tests {
		t.Run("", func(t *testing.T) {
			ddata, err := madmin.DecryptData(test.cred.String(), bytes.NewReader(test.edata))
			if err != nil && test.success {
				t.Errorf("Expected success, saw failure %v", err)
			}

		apiRouter.ServeHTTP(rec, req)
		// Assert the response code with the expected status.
		if rec.Code != testCase.expectedRespStatus {
			if testCase.copySourceSame {
				// encryption will rotate creds, so fail only for non-encryption scenario.
				if GlobalKMS == nil {
					t.Errorf("Test %d: %s:  Expected the response status to be `%d`, but instead found `%d`", i, instanceType, testCase.expectedRespStatus, rec.Code)

package main

// This programs mocks user interaction against Dex IDP and generates STS
// credentials. It is for MinIO testing purposes only.
//
// Run like:
//
// $ MINIO_ENDPOINT=http://localhost:9000 go run gen-oidc-sts-cred.go

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"os"

	cr "github.com/minio/minio-go/v7/pkg/credentials"
	cmd "github.com/minio/minio/cmd"
)

func main() {
	ctx := context.Background()