"istio.io/istio/pkg/test/util/assert"
	"istio.io/istio/pkg/test/util/retry"
	ingressutil "istio.io/istio/tests/integration/security/sds_ingress/util"
)

func TestGateway(t *testing.T) {
	framework.
		NewTest(t).
		Run(func(t framework.TestContext) {
			crd.DeployGatewayAPIOrSkip(t)

			t.NewSubTest("unmanaged").Run(UnmanagedGatewayTest)
			t.NewSubTest("managed").Run(ManagedGatewayTest)

		Setup(common.InstallMCSCRDs).
		Setup(istio.Setup(&i, enableMCSServiceDiscovery)).
		Setup(common.DeployEchosFunc("mcs", &echos)).
		Run()
}

func TestClusterLocal(t *testing.T) {
	framework.NewTest(t).
		RequireIstioVersion("1.11").
		Run(func(t framework.TestContext) {
			serviceA = match.ServiceName(echo.NamespacedName{Name: common.ServiceA, Namespace: echos.Namespace})

		} else {
			t.Logf("no potential policy bypass requests found")
		}

	default:
		t.Fatalf("unknown fuzzer %s", fuzzer)
	}
}

func TestFuzzAuthorization(t *testing.T) {
	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			ns := "fuzz-authz"
			namespace.ClaimOrFail(t, t, ns)

			t.ConfigIstio().YAML(ns, authzDenyPolicy).ApplyOrFail(t)
			t.Logf("authorization policy applied")

// It uses CredentialName set in DestinationRule API to fetch secrets from k8s API server
func TestSimpleTlsOrigination(t *testing.T) {
	// nolint: staticcheck
	framework.NewTest(t).
		RequiresSingleNetwork(). // https://github.com/istio/istio/issues/37134
		Run(func(t framework.TestContext) {
			var (
				credName        = "tls-credential-cacert"
				fakeCredName    = "fake-tls-credential-cacert"

		name string

		mediaType  string
		out        []byte
		outErrs    []error
		req        *http.Request
		statusCode int
		object     runtime.Object

		wantCode    int
		wantHeaders http.Header
	}
	newTest := func() test {
		return test{
			name:      "compress on gzip",
			out:       largePayload,
			mediaType: "application/json",
			req: &http.Request{
				Header: http.Header{
					"Accept-Encoding": []string{"gzip"},

        given:
        createPassingFailingTest()
        fails("check")
        when:
        renameTests()
        fails("check")
        then:
        testResult.assertTestClassesExecuted('SomeTest', 'NewTest')
    }

    @ToBeFixedForConfigurationCache(bottomSpecs = "XCTestTestFrameworkIntegrationTest")
    def "honors test case filter from --tests flag"() {
        given:
        createPassingFailingTest()

		t.Skip("IngressClass not supported")
	}
}

// TestIngress tests that we can route using standard Kubernetes Ingress objects.
func TestIngress(t *testing.T) {
	framework.
		NewTest(t).
		Run(func(t framework.TestContext) {
			skipIfIngressClassUnsupported(t)
			// Set up secret contain some TLS certs for *.example.com

// It uses CredentialName set in DestinationRule API to fetch secrets from k8s API server.
func TestSidecarMutualTlsOrigination(t *testing.T) {
	// nolint: staticcheck
	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			var (
				credNameGeneric  = "mtls-credential-generic"
				fakeCredName     = "fake-mtls-credential"
				credWithCRL      = "mtls-credential-generic-valid-crl"

	"istio.io/istio/pkg/test/framework/components/echo/match"
)

// TestPassThroughFilterChain tests the authN and authZ policy on the pass through filter chain.
func TestPassThroughFilterChain(t *testing.T) {
	framework.
		NewTest(t).
		Run(func(t framework.TestContext) {
			type expect struct {
				port echo.Port
				// Plaintext will be sent from Naked pods.
				plaintextSucceeds bool
				// MTLS will be sent from all pods other than Naked.

	},
	{
		configDir: "gateway/tls/istio-mutual",
	},
	{
		configDir: "gateway/tls/passthrough",
	},
}

func TestTunnelingOutboundTraffic(t *testing.T) {
	framework.
		NewTest(t).
		RequireIstioVersion("1.15.0").
		Run(func(ctx framework.TestContext) {
			meshNs := apps.A.NamespaceName()
			externalNs := apps.External.Namespace.Name()

			applyForwardProxyConfigMaps(ctx, externalNs)