{ObjectOpts{Name: "xyz/c3test", UserTags: "k1=v1", VersionID: "vid", OpType: DeleteReplicationType}, cfgs[2], true},                     // 21. matches rule 1 - DeleteReplication allowed by rule for permanent delete of version

	"github.com/minio/madmin-go/v3"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/mux"
	"github.com/minio/pkg/v3/policy"
)

const (
	// As per AWS S3 specification, 20KiB policy JSON data is allowed.
	maxBucketPolicySize = 20 * humanize.KiByte

	// Policy configuration file.
	bucketPolicyConfig = "policy.json"
)

// PutBucketPolicyHandler - This HTTP handler stores given bucket policy configuration as per

   * saving space.
   */
  @VisibleForTesting static final double MAX_LOAD_FACTOR = 1.2;

  /**
   * Maximum allowed false positive probability of detecting a hash flooding attack given random
   * input.
   */
  @VisibleForTesting static final double HASH_FLOODING_FPP = 0.001;

  /**
   * Maximum allowed length of a hash table bucket before falling back to a j.u.HashMap based
   * implementation. Experimentally determined.
   */

# map: {
#     [classification-name] = list:{
#         ; map:{
#             ; topComment=[comment]; codeType=[String(default) or Number or Boolean]}
#             ; undefinedHandlingType=[EXCEPTION or LOGGING(default) or ALLOWED]
#             ; isUseDocumentOnly=[true or false(default)]
#             ; isSuppressAutoDeploy=[true or false(default)]
#             ; groupingMap = map:{
#                 ; [group-name] = map:{

	MOVQ (AX), M0  // 0f6f00
	MOVQ M0, 8(SP) // 0f7f442408
	MOVQ 8(SP), M0 // 0f6f442408
	MOVQ M0, (AX)  // 0f7f00
	MOVQ M0, (BX)  // 0f7f03
	// On non-64bit arch, Go asm allowed uint32 offsets instead of int32.
	// These tests check that property for backwards-compatibility.
	MOVL 2147483648(AX), AX  // 8b8000000080
	MOVL -2147483648(AX), AX // 8b8000000080
	ADDL 2147483648(AX), AX  // 038000000080

	actionValue := m["action"].(string)

	// Allow user `minio` to perform any action.
	var res Result
	if accountValue == "minio" {
		res.Result = true
	} else {
		// All other users may not perform any `s3:Put*` operations.
		res.Result = true
		if strings.HasPrefix(actionValue, "s3:Put") {
			res.Result = false
		}
	}
	fmt.Printf("account: %v | action: %v | allowed: %v\n", accountValue, actionValue, res.Result)

 * more ACEs are evaluated until all desired access bits (combined)
 * are "allowed". If all of the desired access bits are not "allowed"
 * the then same process is repeated for inherited ACEs.
 * <p>
 * For example, if user <tt>WNET\alice</tt> tries to open a file
 * with desired access bits <tt>0x00000003</tt> (<tt>FILE_READ_DATA |
 * FILE_WRITE_DATA</tt>) and the target file has the following security
 * descriptor ACEs:
 * <pre>

    writer.close();

    assertThrows(IOException.class, () -> writer.write(" Greg"));

    assertThrows(IOException.class, () -> writer.flush());

    // close()ing already closed writer is allowed
    writer.close();
  }

For example, if the client tries to send the form fields:

* `username`: `Rick`
* `password`: `Portal Gun`
* `extra`: `Mr. Poopybutthole`

They will receive an error response telling them that the field `extra` is not allowed:

```json
{
    "detail": [
        {
            "type": "extra_forbidden",
            "loc": ["body", "extra"],
            "msg": "Extra inputs are not permitted",

		return nil
	}
	return &Opa{
		args:   args,
		client: &http.Client{Transport: args.Transport},
	}
}

// IsAllowed - checks given policy args is allowed to continue the REST API.
func (o *Opa) IsAllowed(args policy.Args) (bool, error) {
	if o == nil {
		return false, nil
	}

	// OPA input
	body := make(map[string]interface{})
	body["input"] = args