
Results 1 - 10 of 10 for trustDomainAliases (0.38 sec)

  1. tests/fuzz/aggregate_controller_fuzzer.go

    	"istio.io/istio/pilot/pkg/serviceregistry/aggregate"
    )
    
    // meshHolder is the package-level fuzzMeshConfigHolder instance; where it is
    // populated and consumed is not visible in this excerpt.
    var meshHolder fuzzMeshConfigHolder
    
    // fuzzMeshConfigHolder carries the only mesh setting this fuzzer varies:
    // the list of trust domain aliases.
    type fuzzMeshConfigHolder struct {
    	// trustDomainAliases is copied verbatim into MeshConfig.TrustDomainAliases by Mesh.
    	trustDomainAliases []string
    }
    
    // Mesh returns a freshly allocated MeshConfig whose TrustDomainAliases field is
    // the holder's alias list; every other field keeps its zero value.
    func (mh fuzzMeshConfigHolder) Mesh() *meshconfig.MeshConfig {
    	cfg := new(meshconfig.MeshConfig)
    	cfg.TrustDomainAliases = mh.trustDomainAliases
    	return cfg
    }
    
    // FuzzAggregateController implements a fuzzer
    // that targets the add and delete registry apis
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Aug 07 18:40:05 UTC 2023
    - 2.7K bytes
    - Viewed (0)
  2. pilot/pkg/networking/plugin/authn/util_test.go

    		meshConfig *meshconfig.MeshConfig
    		want       []string
    	}{
    		{
    			name: "No duplicated trust domain in mesh config",
    			meshConfig: &meshconfig.MeshConfig{
    				TrustDomain:        "cluster.local",
    				TrustDomainAliases: []string{"alias-1.domain", "some-other-alias-1.domain", "alias-2.domain"},
    			},
    			want: []string{"cluster.local", "alias-1.domain", "some-other-alias-1.domain", "alias-2.domain"},
    		},
    		{
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 24 16:11:07 UTC 2023
    - 2.8K bytes
    - Viewed (0)
  3. pilot/pkg/security/authn/utils/utils.go

    	"AES128-GCM-SHA256",
    }
    
    // BuildInboundTLS returns the TLS context corresponding to the mTLS mode.
    func BuildInboundTLS(mTLSMode model.MutualTLSMode, node *model.Proxy,
    	protocol networking.ListenerProtocol, trustDomainAliases []string, minTLSVersion tls.TlsParameters_TlsProtocol,
    	mc *meshconfig.MeshConfig,
    ) *tls.DownstreamTlsContext {
    	if mTLSMode == model.MTLSDisable || mTLSMode == model.MTLSUnknown {
    		return nil
    	}
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 23 00:16:21 UTC 2024
    - 3.8K bytes
    - Viewed (0)
  4. pilot/pkg/security/trustdomain/bundle.go

    	// For example, if we have
    	// trustDomain: td1, trustDomainAliases: ["td2", "td3"]
    	// Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`,
    	// or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.
    	TrustDomains []string
    }
    
    // NewBundle returns a new trust domain bundle.
    func NewBundle(trustDomain string, trustDomainAliases []string) Bundle {
    	return Bundle{
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Oct 23 15:48:01 UTC 2023
    - 7.5K bytes
    - Viewed (0)
  5. tests/integration/security/ca_custom_root/trust_domain_alias_secure_naming_test.go

    // 5. DestinationRule with tls ISTIO_MUTUAL mode, because Istio auto mTLS will let the client send plaintext to naked servers by default.
    // 6. MeshConfig.TrustDomainAliases contains one of the trust domains, "server-naked-foo".
    //
    // Expectation:
    // When "server-naked-foo" is in the list of MeshConfig.TrustDomainAliases, client requests to
    // "server-naked-foo" succeed, and requests to "server-naked-bar" fail.
    func TestTrustDomainAliasSecureNaming(t *testing.T) {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Apr 08 22:02:59 UTC 2024
    - 3.7K bytes
    - Viewed (0)
  6. pilot/pkg/networking/plugin/authn/util.go

    )
    
    // TrustDomainsForValidation collects the trust domains to validate against
    // for the given mesh config.
    //
    // The candidates are, in order: the mesh's own TrustDomain, every entry of
    // TrustDomainAliases, and the trust domains listed on each CA certificate in
    // the mesh config. The combined list is passed through dedupTrustDomains
    // before being returned.
    //
    // When features.SkipValidateTrustDomain is set, nil is returned and none of
    // the above is consulted.
    // NOTE(review): a nil result presumably means callers perform no trust-domain
    // check on peer identities at all — confirm at the call sites. Each alias and
    // each CA-certificate trust domain also widens the accepted set, so these
    // config fields deserve the same review as the primary trust domain.
    //
    // meshConfig must be non-nil: its TrustDomain and TrustDomainAliases fields
    // are read directly.
    func TrustDomainsForValidation(meshConfig *meshconfig.MeshConfig) []string {
    	if features.SkipValidateTrustDomain {
    		return nil
    	}
    
    	aliases := meshConfig.TrustDomainAliases
    	domains := make([]string, 0, 1+len(aliases))
    	// The primary trust domain always comes first, followed by its aliases.
    	domains = append(domains, meshConfig.TrustDomain)
    	domains = append(domains, aliases...)
    	for _, ca := range meshConfig.GetCaCertificates() {
    		domains = append(domains, ca.GetTrustDomains()...)
    	}
    	return dedupTrustDomains(domains)
    }
    
    func dedupTrustDomains(tds []string) []string {
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Feb 24 16:11:07 UTC 2023
    - 1.3K bytes
    - Viewed (0)
  7. pilot/pkg/networking/plugin/authz/authorization.go

    }
    
    func NewBuilderForService(actionType ActionType, push *model.PushContext, proxy *model.Proxy, useFilterState bool, svc *model.Service) *Builder {
    	tdBundle := trustdomain.NewBundle(push.Mesh.TrustDomain, push.Mesh.TrustDomainAliases)
    	option := builder.Option{
    		IsCustomBuilder: actionType == Custom,
    		UseFilterState:  useFilterState,
    		UseExtendedJwt:  proxy.SupportsEnvoyExtendedJwt(),
    	}
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Apr 17 22:20:44 UTC 2024
    - 2.7K bytes
    - Viewed (0)
  8. pilot/pkg/security/authn/factory.go

    type PolicyApplier interface {
    	// InboundMTLSSettings returns inbound mTLS settings for a given workload port
    	InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings
    
    	// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
    	// It may return nil, if no JWT validation is needed.
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Apr 17 22:20:44 UTC 2024
    - 3K bytes
    - Viewed (0)
  9. tests/integration/security/external_ca/main_test.go

    	cfgYaml := tmpl.MustEvaluate(`
    values:
      pilot:
        env:
          EXTERNAL_CA: ISTIOD_RA_KUBERNETES_API
      meshConfig:
        defaultConfig:
          proxyMetadata:
            ISTIO_META_CERT_SIGNER: signer1
        trustDomainAliases: [some-other, trust-domain-foo]
        caCertificates:
        - pem: |
    {{.rootcert1 | indent 8}}
          certSigners:
          - {{.signer1}}
        - pem: |
    {{.rootcert2 | indent 8}}
          certSigners:
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed Mar 22 14:18:21 UTC 2023
    - 4.7K bytes
    - Viewed (0)
  10. tests/integration/security/ca_custom_root/main_test.go

    	cfgYaml := tmpl.MustEvaluate(`
    values:
      pilot:
        env:
          ISTIO_MULTIROOT_MESH: true
      meshConfig:
        defaultConfig:
          proxyMetadata:
            PROXY_CONFIG_XDS_AGENT: "true"
        trustDomainAliases: [some-other, trust-domain-foo]
        caCertificates:
        - pem: |
    {{.pem | indent 8}}
    `, map[string]string{"pem": rootPEM})
    	cfg.ControlPlaneValues = cfgYaml
    }
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu May 02 21:29:40 UTC 2024
    - 9.2K bytes
    - Viewed (0)