newConfig("authz-3", "bar", auditPolicy),
				newConfig("authz-4", "bar", auditPolicy),
			},
			wantDeny: []AuthorizationPolicy{
				{
					Name:      "authz-2",
					Namespace: "bar",
					Spec:      denyPolicy,
				},
			},
			wantAllow: []AuthorizationPolicy{
				{
					Name:      "authz-1",
					Namespace: "bar",
					Spec:      policy,
				},
			},

	"google.golang.org/protobuf/types/known/wrapperspb"

	networking "istio.io/api/networking/v1alpha3"
	"istio.io/istio/pilot/pkg/model"
	authzmatcher "istio.io/istio/pilot/pkg/security/authz/matcher"
	authz "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pkg/config/labels"
	"istio.io/istio/pkg/util/sets"
)

func TestIsCatchAllRoute(t *testing.T) {
	cases := []struct {
		name  string
		route *route.Route

	authnBuilder *authn.Builder
	// authzBuilder provides access to authz configuration for the given proxy.
	authzBuilder *authz.Builder
	// authzCustomBuilder provides access to CUSTOM authz configuration for the given proxy.
	authzCustomBuilder *authz.Builder
}

// enabledInspector captures if for a given listener, listener filter inspectors are added
type enabledInspector struct {

	authzBuilder := lb.authzBuilder
	if policySvc != nil {
		useFilterState := lb.node.Type == model.Waypoint
		authzBuilder = authz.NewBuilderForService(authz.Local, lb.push, lb.node, useFilterState, policySvc)
		authzCustomBuilder = authz.NewBuilderForService(authz.Custom, lb.push, lb.node, useFilterState, policySvc)
	}

	var filters []*listener.Filter

	experimentalCmd.AddCommand(injector.Cmd(ctx))

	rootCmd.AddCommand(mesh.NewVerifyCommand(ctx))
	rootCmd.AddCommand(mesh.UninstallCmd(ctx))

	experimentalCmd.AddCommand(authz.AuthZ(ctx))
	rootCmd.AddCommand(seeExperimentalCmd("authz"))
	experimentalCmd.AddCommand(metrics.Cmd(ctx))
	experimentalCmd.AddCommand(describe.Cmd(ctx))
	experimentalCmd.AddCommand(wait.Cmd(ctx))
	experimentalCmd.AddCommand(config.Cmd())

		AuthzPolicies: yamlPolicy(t, basePath+input),
		Mesh:          mc,
	}
	p.ServiceIndex.HostnameAndNamespace = map[host.Name]map[string]*model.Service{
		"my-custom-ext-authz.foo.svc.cluster.local": {
			"foo": &model.Service{
				Hostname: "my-custom-ext-authz.foo.svc.cluster.local",
			},
		},
	}
	return p
}

func node(version *model.IstioVersion) *model.Proxy {
	return &model.Proxy{

	authnBuilder := lb.authnBuilder
	if svc != nil {
		authnBuilder = authn.NewBuilderForService(lb.push, lb.node, svc)
		authzBuilder = authz.NewBuilderForService(authz.Local, lb.push, lb.node, true, svc)
		authzCustomBuilder = authz.NewBuilderForService(authz.Custom, lb.push, lb.node, true, svc)
	}

	// TODO: consider dedicated listener class for waypoint filters
	cls := istionetworking.ListenerClassSidecarInbound

		}
	}
}

// TestNotRestRoutesHaveAuth checks that special non-routes are behind authz/authn.
func TestNotRestRoutesHaveAuth(t *testing.T) {
	config, _ := setUp(t)

	authz := mockAuthorizer{}

	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix")
	config.Authorization.Authorizer = &authz

	config.EnableIndex = true
	config.EnableProfiling = true

	kubeVersion := fakeVersion()

	meshconfig "istio.io/api/mesh/v1alpha1"
	"istio.io/istio/pilot/pkg/model"
	authzmodel "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pkg/config/validation/agent"
	"istio.io/istio/pkg/maps"
	"istio.io/istio/pkg/wellknown"
)

const (
	extAuthzMatchPrefix   = "istio-ext-authz"
	badCustomActionSuffix = `-deny-due-to-bad-CUSTOM-action`
)

var supportedStatus = func() []int {
	var supported []int

				"[1, 2, 3].indexOf(2) == 1",      // lists
				"'abc'.contains('bc')",           //strings
				"isURL('http://example.com')",    // urls
				"'a 1 b 2'.find('[0-9]') == '1'", // regex
			},
		},
		{
			name: "authz disabled",
			typeVersionCombinations: []envTypeAndVersion{
				{version.MajorMinor(1, 26), NewExpressions},
				// always enabled for StoredExpressions
			},