"[1, 2, 3].indexOf(2) == 1",      // lists
				"'abc'.contains('bc')",           //strings
				"isURL('http://example.com')",    // urls
				"'a 1 b 2'.find('[0-9]') == '1'", // regex
			},
		},
		{
			name: "authz disabled",
			typeVersionCombinations: []envTypeAndVersion{
				{version.MajorMinor(1, 26), NewExpressions},
				// always enabled for StoredExpressions
			},

func setGlobalAuthNPlugin(authn *idplugin.AuthNPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthNPlugin = authn
	globalAuthPluginMutex.Unlock()
}

func setGlobalAuthZPlugin(authz *polplugin.AuthZPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthZPlugin = authz
	globalAuthPluginMutex.Unlock()
}

    server: https://authz.example.com
  name: foobar
users:
- name: a cluster
  user:
    client-certificate: {{ .Cert }}
    client-key: {{ .Key }}
`,
			wantErr: true,
		},
		{
			msg: "multiple clusters with no context",
			configTmpl: `
clusters:
- cluster:
    certificate-authority: {{ .CA }}
    server: https://authz.example.com
  name: foobar
- cluster:

// limitations under the License.

package model

import (
	"fmt"
	"strconv"
	"strings"

	matcherpb "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

	"istio.io/istio/pilot/pkg/security/authz/matcher"
	"istio.io/istio/pilot/pkg/xds/filters"
)

// convertToPort converts a port string to a uint32.
func convertToPort(v string) (uint32, error) {
	p, err := strconv.ParseUint(v, 10, 32)

  // take place.
  // Groups are OR-ed.
  repeated Group groups = 5;
}

message Group {
  // Rules are OR-ed (e.g. ANY rule can match)
  // This is a generic form of the authz policy's to, from and when
  repeated Rules rules = 1;
}

message Rules {
  // The logical behavior between the matches (if there are more than one)
//  MatchBehavior match_behavior = 1;

	Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult

				istioLabel = labelOverride
			}
			t.ConfigIstio().File(apps.Namespace.Name(), "testdata/authz-a.yaml").ApplyOrFail(t)
			t.ConfigIstio().EvalFile(i.Settings().SystemNamespace, map[string]any{
				"GatewayIstioLabel": istioLabel,
			}, "testdata/authz-b.yaml").ApplyOrFail(t)

			gwPod, err := i.IngressFor(t.Clusters().Default()).PodID(0)
			if err != nil {

			return append(allErrors, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag))
		}

		// load/validate kube-apiserver authz config with no opinion about required modes
		_, err := authorizer.LoadAndValidateFile(o.AuthorizationConfigurationFile, nil)
		if err != nil {
			return append(allErrors, err)
		}

		return allErrors
	}

)

func TestMain(m *testing.M) {
	// Integration test for testing interoperability with external CA's that are integrated with K8s CSR API
	// Refer to https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
	// nolint: staticcheck
	var certs []csrctrl.SignerRootCert
	framework.NewSuite(m).
		Label(label.CustomSetup).
		RequireMinVersion(19).
		Setup(func(ctx resource.Context) error {

/pilot/pkg/config/                                               @istio/wg-networking-maintainers
/pilot/pkg/networking/plugin/authn/                              @istio/wg-security-maintainers
/pilot/pkg/networking/plugin/authz/                              @istio/wg-security-maintainers
/pilot/pkg/serviceregistry/                                      @istio/wg-networking-maintainers-pilot