// expect to fail with `ErrUnsignedHeaders` because couldn't find some header
	_, errCode = extractSignedHeaders(signedHeaders, r)
	if errCode != ErrUnsignedHeaders {
		t.Fatalf("Expected the APIErrorCode to %d, but got %d", ErrUnsignedHeaders, errCode)
	}
	// set headers value through Get parameter
	inputQuery.Add("x-amz-server-side-encryption", xhttp.AmzEncryptionAES)

    /**
     * Share flag indicating that hash generation V2 is enabled for this share.
     */
    public static final int SMB2_SHAREFLAG_ENABLE_HASH_V2 = 0x4000;
    /**
     * Share flag indicating that encryption is required for this share.
     */
    public static final int SMB2_SHAREFLAG_ENCRYPT_DATA = 0x8000;
    /**
     * Share capability indicating DFS support.
     */

import org.mockito.MockedStatic;

class PacTest {

    private Map<Integer, KerberosKey> keys;

    @BeforeEach
    void setUp() {
        keys = new HashMap<>();
        // Use ARCFOUR-HMAC encryption type (23) which matches KERB_CHECKSUM_HMAC_MD5
        KerberosKey serverKey = new KerberosKey(new KerberosPrincipal("******@****.***"), "serverKey1234567".getBytes(),
                PacSignature.ETYPE_ARCFOUR_HMAC, 1);

        SmbTransport.ServerData serverData = transport.new ServerData();
        serverData.security = 0; // Set to 0 or appropriate value for SECURITY_SHARE
        serverData.encryptionKey = new byte[8]; // Initialize with empty encryption key

        // Configure the mock transport with the server data
        transport.server = serverData;

        smbtStatic = mockStatic(SmbTransport.class);

    /** Whether SMB3 encryption is enabled */
    protected boolean encryptionEnabled = false;
    /** Whether SMB3 compression is enabled */
    protected boolean compressionEnabled = false;
    /** Preferred encryption ciphers in order of preference */
    protected String preferredCiphers = "AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM";
    /** Whether AES-256 encryption is enabled */

- `@Secured` annotation with role array (`"admin-user"`, `"admin-user-view"`)
- Role-based query filtering via `RoleQueryHelper`
- Authentication: Local (UserService), LDAP, OIDC, SAML, SPNEGO, Entra ID
- Security features: AES encryption, SHA256 digest, LDAP injection prevention, password policy, rate limiting

## Naming Conventions

| Element | Convention | Example |
|---------|------------|---------|

- Veeam requires TLS connections to the object storage.  This can be configured per <https://docs.min.io/community/minio-object-store/operations/network-encryption.html>
- The S3 bucket, Access Key and Secret Key have to be created before and outside of Veeam.

        verify(mockDelegate).getGuestUsername();
        verify(mockDelegate).getGuestPassword();
        verify(mockDelegate).isAllowGuestFallback();
    }

    @Test
    @DisplayName("Encryption and security configuration should delegate correctly")
    void testEncryptionSecurityDelegation() {
        // Given
        when(mockDelegate.isEncryptionEnabled()).thenReturn(true);

	}
	var nonce [32]byte
	if _, err := io.ReadFull(random, nonce[:]); err != nil {
		logger.CriticalIf(context.Background(), errOutOfEntropy)
	}

	const Context = "object-encryption-key generation"
	mac := hmac.New(sha256.New, extKey)
	mac.Write([]byte(Context))
	mac.Write(nonce[:])
	mac.Sum(key[:0])
	return key
}

// GenerateIV generates a new random 256 bit IV from the provided source

        assertEquals(invertibleCryptographer, provider.providePrimaryInvertibleCryptographer());
        assertEquals(md5, provider.providePrimaryOneWayCryptographer());
    }

    // Test encryption and decryption functionality
    @Test
    public void test_invertibleCryptography() {
        // Test that invertible cryptography works correctly