"k8s.io/klog/v2"
)

type dispatcher struct {
	matcher generic.PolicyMatcher
	authz   authorizer.Authorizer
}

var _ generic.Dispatcher[PolicyHook] = &dispatcher{}

func NewDispatcher(
	authorizer authorizer.Authorizer,
	matcher generic.PolicyMatcher,
) generic.Dispatcher[PolicyHook] {
	return &dispatcher{
		matcher: matcher,
		authz:   authorizer,
	}
}

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
)

const (
	checkHeader       = "x-ext-authz"
	allowedValue      = "allow"
	resultHeader      = "x-ext-authz-check-result"
	receivedHeader    = "x-ext-authz-check-received"
	overrideHeader    = "x-ext-authz-additional-header-override"
	overrideGRPCValue = "grpc-additional-header-override-value"
	resultAllowed     = "allowed"

	authnBuilder := lb.authnBuilder
	if svc != nil {
		authnBuilder = authn.NewBuilderForService(lb.push, lb.node, svc)
		authzBuilder = authz.NewBuilderForService(authz.Local, lb.push, lb.node, true, svc)
		authzCustomBuilder = authz.NewBuilderForService(authz.Custom, lb.push, lb.node, true, svc)
	}

	// TODO: consider dedicated listener class for waypoint filters
	cls := istionetworking.ListenerClassSidecarInbound

		}
	}
}

// TestNotRestRoutesHaveAuth checks that special non-routes are behind authz/authn.
func TestNotRestRoutesHaveAuth(t *testing.T) {
	config, _ := setUp(t)

	authz := mockAuthorizer{}

	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix")
	config.Authorization.Authorizer = &authz

	config.EnableIndex = true
	config.EnableProfiling = true

	kubeVersion := fakeVersion()

	meshconfig "istio.io/api/mesh/v1alpha1"
	"istio.io/istio/pilot/pkg/model"
	authzmodel "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pkg/config/validation/agent"
	"istio.io/istio/pkg/maps"
	"istio.io/istio/pkg/wellknown"
)

const (
	extAuthzMatchPrefix   = "istio-ext-authz"
	badCustomActionSuffix = `-deny-due-to-bad-CUSTOM-action`
)

var supportedStatus = func() []int {
	var supported []int

						opts.Check = check.Status(http.StatusForbidden)
					},
				},
			}))

			t.NewSubTest("no-authn-authz").Run(newTest("", []testCase{
				{
					name: "no-authn-authz",
					customizeCall: func(t framework.TestContext, from echo.Instance, opts *echo.CallOptions) {
						opts.HTTP.Path = "/no-authn-authz"
						opts.Check = check.And(
							check.OK(),
							check.ReachedTargetClusters(t))
					},
				},

				"[1, 2, 3].indexOf(2) == 1",      // lists
				"'abc'.contains('bc')",           //strings
				"isURL('http://example.com')",    // urls
				"'a 1 b 2'.find('[0-9]') == '1'", // regex
			},
		},
		{
			name: "authz disabled",
			typeVersionCombinations: []envTypeAndVersion{
				{version.MajorMinor(1, 26), NewExpressions},
				// always enabled for StoredExpressions
			},

    server: https://authz.example.com
  name: foobar
users:
- name: a cluster
  user:
    client-certificate: {{ .Cert }}
    client-key: {{ .Key }}
`,
			wantErr: true,
		},
		{
			msg: "multiple clusters with no context",
			configTmpl: `
clusters:
- cluster:
    certificate-authority: {{ .CA }}
    server: https://authz.example.com
  name: foobar
- cluster:

func setGlobalAuthNPlugin(authn *idplugin.AuthNPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthNPlugin = authn
	globalAuthPluginMutex.Unlock()
}

func setGlobalAuthZPlugin(authz *polplugin.AuthZPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthZPlugin = authz
	globalAuthPluginMutex.Unlock()
}

				istioLabel = labelOverride
			}
			t.ConfigIstio().File(apps.Namespace.Name(), "testdata/authz-a.yaml").ApplyOrFail(t)
			t.ConfigIstio().EvalFile(i.Settings().SystemNamespace, map[string]any{
				"GatewayIstioLabel": istioLabel,
			}, "testdata/authz-b.yaml").ApplyOrFail(t)

			gwPod, err := i.IngressFor(t.Clusters().Default()).PodID(0)
			if err != nil {