# See the OWNERS docs at https://go.k8s.io/owners

# approval on api packages bubbles to api-approvers
reviewers:
  - sig-auth-audit-approvers
  - sig-auth-audit-reviewers
labels:

	"net/http"
	"time"

	"k8s.io/klog/v2"

	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apiserver/pkg/audit"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
	"k8s.io/apiserver/pkg/endpoints/request"
)

const (
	// Annotation key names set in advanced audit
	decisionAnnotationKey = "authorization.k8s.io/decision"
	reasonAnnotationKey   = "authorization.k8s.io/reason"

	if err != nil {
		t.Fatalf("failed creating test service account: %v", err)
	}

	// create an audit context to allow recording audit information
	ctx = audit.WithAuditContext(ctx)
	_, err = storage.Token.Create(ctx, serviceAccount.Name, &authenticationapi.TokenRequest{
		ObjectMeta: metav1.ObjectMeta{
			Name:      serviceAccount.Name,

const (
	// AuditAnnotationActionPublish indicates that the audit annotation should be
	// published with the audit event.
	AuditAnnotationActionPublish PolicyAuditAnnotationAction = "publish"
	// AuditAnnotationActionError indicates that the valueExpression resulted
	// in an error.
	AuditAnnotationActionError PolicyAuditAnnotationAction = "error"
	// AuditAnnotationActionExclude indicates that the audit annotation should be excluded

See the License for the specific language governing permissions and
limitations under the License.
*/

package audit

import (
	"fmt"
	"strings"

	"k8s.io/apimachinery/pkg/util/errors"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
)

// Union returns an audit Backend which logs events to a set of backends. The returned
// Sink implementation blocks in turn for each call to ProcessEvents.

limitations under the License.
*/

package filters

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	"k8s.io/apiserver/pkg/audit/policy"
)

func TestFailedAuthnAudit(t *testing.T) {
	sink := &fakeAuditSink{}
	fakeRuleEvaluator := policy.NewFakePolicyRuleEvaluator(auditinternal.LevelRequestResponse, nil)

	// By default, an annotation gets logged into audit event if the request's audit level is greater or
	// equal to Metadata.
	AddAnnotation(key, value string) error

	// AddAnnotationWithLevel sets annotation according to key-value pair with additional intended audit level.
	// An Annotation gets logged into audit event if the request's audit level is greater or equal to the
	// intended audit level.

		}
		recorder := &recorder{}
		ctx = warning.WithWarningRecorder(ctx, recorder)

		ctx = audit.WithAuditContext(ctx)
		ac := audit.AuditContextFrom(ctx)
		// since this is shared work between multiple requests, we have no way of knowing if any
		// particular request supports audit annotations.  thus we always attempt to record them.
		ac.Event.Level = auditinternal.LevelMetadata

type RecommendedOptions struct {
	Etcd           *EtcdOptions
	SecureServing  *SecureServingOptionsWithLoopback
	Authentication *DelegatingAuthenticationOptions
	Authorization  *DelegatingAuthorizationOptions
	Audit          *AuditOptions
	Features       *FeatureOptions
	CoreAPI        *CoreAPIOptions

	// FeatureGate is a way to plumb feature gate through if you have them.
	FeatureGate featuregate.FeatureGate

	"testing"

	"github.com/stretchr/testify/assert"
	batch "k8s.io/api/batch/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/serializer"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	"k8s.io/apiserver/pkg/audit"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

func TestGetAuthorizerAttributes(t *testing.T) {
	testcases := map[string]struct {
		Verb               string
		Path               string