matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

	authzpb "istio.io/api/security/v1beta1"
	"istio.io/istio/pilot/pkg/security/trustdomain"
	"istio.io/istio/pkg/util/protomarshal"
)

func TestModel_MigrateTrustDomain(t *testing.T) {
	cases := []struct {
		name     string
		tdBundle trustdomain.Bundle
		rule     *authzpb.Rule
		want     []string
		notWant  []string
	}{
		{

// limitations under the License.

package model

import (
	"fmt"
	"strings"

	rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"

	authzpb "istio.io/api/security/v1beta1"
	"istio.io/istio/pilot/pkg/security/trustdomain"
)

const (
	RBACTCPFilterStatPrefix           = "tcp."
	RBACShadowEngineResult            = "shadow_engine_result"

//
// Examples:
//
//	authorizer.group('').resource('pods').namespace('default').check('create').error()
func Authz() cel.EnvOption {
	return cel.Lib(authzLib)
}

var authzLib = &authz{}

type authz struct{}

func (*authz) LibraryName() string {
	return "k8s.authz"
}

var authzLibraryDecls = map[string][]cel.FunctionOpt{
	"path": {

		Example: `  # Check AuthorizationPolicy applied to pod httpbin-88ddbcfdd-nt5jb:
  istioctl x authz check httpbin-88ddbcfdd-nt5jb

  # Check AuthorizationPolicy applied to one pod under a deployment
  istioctl x authz check deployment/productpage-v1

  # Check AuthorizationPolicy from Envoy config dump file:
  istioctl x authz check -f httpbin_config_dump.json`,
		Args: func(cmd *cobra.Command, args []string) error {

)

func TestAuthorizationPolicies_ListAuthorizationPolicies(t *testing.T) {
	policy := &authpb.AuthorizationPolicy{
		Rules: []*authpb.Rule{
			{
				From: []*authpb.Rule_From{
					{
						Source: &authpb.Source{
							Principals: []string{"sleep"},
						},
					},
				},
				To: []*authpb.Rule_To{
					{
						Operation: &authpb.Operation{
							Methods: []string{"GET"},
						},
					},
				},
			},

releaseNotes:
- |
  Improved the experimental [External Authorization](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) feature with new capabilities:
  - **Added** the `timeout` field to configure the timeout (default is 10m) between the ext_authz filter and the external service.

# Example configurations for deploying ext-authz server separately in the mesh.

apiVersion: v1
kind: Service
metadata:
  name: ext-authz
  labels:
    app: ext-authz
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 8000
  - name: grpc
    port: 9000
    targetPort: 9000
  selector:
    app: ext-authz
---
apiVersion: apps/v1
kind: Deployment
metadata:

#   limitations under the License.

# Example configurations for deploying ext-authz server locally with the application container in the same pod.

# Define the service entry for the local ext-authz service on port 8000.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext-authz-http
spec:
  hosts:
  - "ext-authz-http.local"
  endpoints:
  - address: "127.0.0.1"
  ports:
  - name: http

releaseNotes:
  - |
    **Fixed** a copule of issues in the ext-authz filter affecting the behavior of the gRPC check response API. Please
    see the [Envoy release note](https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.20.0#bug-fixes) for more

apiVersion: release-notes/v2
kind: feature
area: security
issue:
- https://github.com/istio/api/pull/1933
docs:
- '[usage] https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/'
- '[design] https://docs.google.com/document/d/1xQdZsEgJ3Ld2qebfT3EJkg2COTtCR1TqBVojmnvI78g'
releaseNotes:
- |