writeErrorResponse(r.Context(), w, apiErr, r.URL)
		}
		return
	}

	// Verify if KMS is reachable if its configured
	if GlobalKMS != nil {
		ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
		defer cancel()

		if _, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{AssociatedData: kms.Context{"healthcheck": ""}}); err != nil {
			switch r.Method {
			case http.MethodHead:

func (b *BucketSSEConfig) Algo() Algorithm {
	for _, rule := range b.Rules {
		return rule.DefaultEncryptionAction.Algorithm
	}
	return ""
}

// KeyID returns the KMS key ID specified by the SSE configuration.
// If the SSE configuration does not specify SSE-KMS it returns an
// empty key ID.
func (b *BucketSSEConfig) KeyID() string {
	for _, rule := range b.Rules {

		return
	}

	// Return error if KMS is not initialized
	if GlobalKMS == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
		return
	}
	kmsKey := encConfig.KeyID()
	if kmsKey != "" {
		kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
		_, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{Name: kmsKey, AssociatedData: kmsContext})

	}

	KMS, err := kms.Connect(GlobalContext, &kms.ConnectionOptions{
		CADir: globalCertsCADir.Get(),
	})
	if err != nil {
		logger.Fatal(err, "Failed to connect to KMS")
	}

	if _, err = KMS.GenerateKey(GlobalContext, &kms.GenerateKeyRequest{}); errors.Is(err, kms.ErrKeyNotFound) {
		err = KMS.CreateKey(GlobalContext, &kms.CreateKeyRequest{Name: KMS.DefaultKey})
	}

	errKMSNotConfigured               = errors.New("KMS not configured for a server side encrypted objects")
	errKMSKeyNotFound                 = errors.New("Unknown KMS key ID")
	errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS")
	// Additional MinIO errors for SSE-C requests.

	logger.LogIf(ctx, "kms", err, errKind...)
}

// KMSLogger permits access to kms module specific logging
type KMSLogger struct{}

// LogOnceIf is the implementation of LogOnceIf, accessible using the Logger interface
func (l KMSLogger) LogOnceIf(ctx context.Context, err error, id string, errKind ...any) {
	logger.LogOnceIf(ctx, "kms", err, id, errKind...)
}

	ErrIncompatibleEncryptionWithCompression = Errorf("Server side encryption specified with SSE-C with compression not allowed")

	// ErrInvalidEncryptionKeyID returns error when KMS key id contains invalid characters
	ErrInvalidEncryptionKeyID = Errorf("KMS KeyID contains unsupported characters")
)

var (
	errMissingInternalIV            = Errorf("The object metadata is missing the internal encryption IV")

//
// S3 specifies three types of server-side-encryption - SSE-C, SSE-S3
// and SSE-KMS - with different semantics w.r.t. ETags.
// In case of SSE-S3, the ETag of an object is computed the same as
// for single resp. multipart plaintext objects. In particular,
// the ETag of a singlepart SSE-S3 object is its content MD5.
//
// In case of SSE-C and SSE-KMS, the ETag of an object is computed

// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package kms

import (
	"os"
	"testing"
)

func TestIsPresent(t *testing.T) {
	for i, test := range isPresentTests {
		os.Clearenv()
		for k, v := range test.Env {
			t.Setenv(k, v)
		}

iam-assets/policies.json {"consoleAdmin":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["admin:*"]},{"Effect":"Allow","Action":["kms:*"]},{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]},diagnostics":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["admin:TopLocksInfo","admin:BandwidthMonitor","admin:ConsoleLog","admin:OBDInfo","admin:Profiling","admin:Prometheus","admin:ServerInfo","admin:ServerTrace"],"Resource":["arn:aws:s3:::*"]}]},rea...