if !testCase.Insecure {
			req.TLS = &tls.ConnectionState{PeerCertificates: testCase.Certs}
		}

		authCall := false
		auth := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
			authCall = true
			return &authenticator.Response{User: &user.DefaultInfo{Name: "innerauth"}}, true, nil
		})

		a := NewVerifier(testCase.Opts, auth, testCase.AllowedCNs)

	"istio.io/istio/pkg/security"
)

const (
	XfccAuthenticatorType = "XfccAuthenticator"
)

// XfccAuthenticator extracts identities from Xfcc header.
type XfccAuthenticator struct{}

var _ security.Authenticator = &XfccAuthenticator{}

func (xff XfccAuthenticator) AuthenticatorType() string {
	return XfccAuthenticatorType
}

// Authenticate extracts identities from Xfcc Header.

	kcb := util.NewKeyCertBundleFromPem(nil, nil, certChainBytes, rootCertBytes)

	mockCa := &mockca.FakeCA{
		SignedCert:    signedCert,
		KeyCertBundle: kcb,
	}
	server, err := ca.New(mockCa, 1, []security.Authenticator{auth}, nil)
	if err != nil {
		return 0
	}
	csrString, err := f.GetString()
	if err != nil {
		return 0
	}
	request := &pb.IstioCertificateRequest{Csr: csrString}
	ctx := context.Background()

	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/apimachinery/pkg/util/validation/field"
	"k8s.io/apiserver/pkg/audit"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/serviceaccount"
	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/apiserver/pkg/registry/rest"
	utilfeature "k8s.io/apiserver/pkg/util/feature"

   * This avoids sending potentially sensitive data like HTTP cookies to the proxy unencrypted.
   *
   * In order to support preemptive authentication we pass a fake "Auth Failed" response to the
   * authenticator. This gives the authenticator the option to customize the CONNECT request. It can
   * decline to do so by returning null, in which case OkHttp will use it as-is.
   */
  @Throws(IOException::class)

    static final String NTLM_AUTH_METHOD = 'NTLM'

    // There is absolutely no doubt that no one should ever on a map like that
    // and that a proper implementation of an NTLM authenticator shouldn't do this
    // but those are test fixtures and I couldn't find a better way to do this
    // without deeper understanding of the Jetty APIs. Feel free to provide an
    // alternate solution

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package authenticator

import (
	"context"
	"errors"
	"fmt"
	"reflect"
	"testing"

	"github.com/google/go-cmp/cmp"
	"k8s.io/apiserver/pkg/authentication/user"
)

func TestAuthenticate(t *testing.T) {

	claims.SetExpiry(UTCNow().Add(defaultJWTExpiry))
	claims.SetAccessKey(accessKey)
	token := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
	return token.SignedString([]byte(secretKey))
}

// Tests web request authenticator.
func TestWebRequestAuthenticate(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	obj, fsDir, err := prepareFS(ctx)
	if err != nil {
		t.Fatal(err)
	}

}

func (f *FakeAuthenticator) Set(token string, identity string) *FakeAuthenticator {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.AllowedToken = token
	f.AllowedCert = identity
	return f
}

var _ Authenticator = &FakeAuthenticator{}

func checkToken(ctx context.Context, expected string) error {
	if expected == "" {
		return fmt.Errorf("jwt authentication not allowed")
	}
	targetJWT, err := ExtractBearerToken(ctx)

	kubeClient kubernetes.Interface
	// Primary cluster ID
	clusterID cluster.ID

	// remote cluster kubeClient getter
	remoteKubeClientGetter RemoteKubeClientGetter
}

var _ security.Authenticator = &KubeJWTAuthenticator{}

// NewKubeJWTAuthenticator creates a new kubeJWTAuthenticator.
func NewKubeJWTAuthenticator(
	meshHolder mesh.Holder,
	client kubernetes.Interface,
	clusterID cluster.ID,