// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package authz

import (
	"bytes"
	"reflect"
	"testing"

	envoy_admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
	"google.golang.org/protobuf/types/known/anypb"

        - mountPath: /etc/istio-custom-bootstrap
          name: custom-bootstrap-volume
        {{- end }}
        {{- end }}
{{- if $.IncludeExtAuthz }}
      - name: ext-authz
        image: {{ $.ImageHub }}/ext-authz:{{ $.ImageTag }}
        imagePullPolicy: {{ $.ImagePullPolicy }}
        ports:
        - containerPort: 8000
        - containerPort: 9000
{{- end }}
      volumes:
      - emptyDir: {}

				"[1, 2, 3].indexOf(2) == 1",      // lists
				"'abc'.contains('bc')",           //strings
				"isURL('http://example.com')",    // urls
				"'a 1 b 2'.find('[0-9]') == '1'", // regex
			},
		},
		{
			name: "authz disabled",
			typeVersionCombinations: []envTypeAndVersion{
				{version.MajorMinor(1, 26), NewExpressions},
				// always enabled for StoredExpressions
			},

		"Enable block profiling, if profiling is enabled")
	fs.StringVar(&o.DebugSocketPath, "debug-socket-path", o.DebugSocketPath,
		"Use an unprotected (no authn/authz) unix-domain socket for profiling with the given path")
	fs.BoolVar(&o.EnablePriorityAndFairness, "enable-priority-and-fairness", o.EnablePriorityAndFairness, ""+

    server: https://authz.example.com
  name: foobar
users:
- name: a cluster
  user:
    client-certificate: {{ .Cert }}
    client-key: {{ .Key }}
`,
			wantErr: true,
		},
		{
			msg: "multiple clusters with no context",
			configTmpl: `
clusters:
- cluster:
    certificate-authority: {{ .CA }}
    server: https://authz.example.com
  name: foobar
- cluster:

func setGlobalAuthNPlugin(authn *idplugin.AuthNPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthNPlugin = authn
	globalAuthPluginMutex.Unlock()
}

func setGlobalAuthZPlugin(authz *polplugin.AuthZPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthZPlugin = authz
	globalAuthPluginMutex.Unlock()
}

/pilot/pkg/config/                                               @istio/wg-networking-maintainers
/pilot/pkg/networking/plugin/authn/                              @istio/wg-security-maintainers
/pilot/pkg/networking/plugin/authz/                              @istio/wg-security-maintainers
/pilot/pkg/serviceregistry/                                      @istio/wg-networking-maintainers-pilot

    # Create the ABAC file if it doesn't exist yet, or if we have a KUBE_USER set (to ensure the right user is given permissions)
    if [[ -n "${KUBE_USER:-}" || ! -e /etc/srv/kubernetes/abac-authz-policy.jsonl ]]; then
      local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
      if [[ -n "${KUBE_USER:-}" ]]; then
        sed -i -e "s/{{kube_user}}/${KUBE_USER}/g" "${abac_policy_json}"
      else

		TrafficDirection:                 core.TrafficDirection_INBOUND,
		ContinueOnListenerFiltersTimeout: true,
	}

	// Flush authz cache since we need filter state for the principal.
	oldBuilder := lb.authzBuilder
	lb.authzBuilder = authz.NewBuilder(authz.Local, lb.push, lb.node, true)
	inboundChainConfigs := lb.buildInboundChainConfigs()
	for _, cc := range inboundChainConfigs {
		cc.hbone = true

		Ads: &core.AggregatedConfigSource{},
	},
	ResourceApiVersion: core.ApiVersion_V3,
	// we block proxy init until WasmPlugins are loaded because they might be
	// critical for security (e.g. authn/authz)
	InitialFetchTimeout: &durationpb.Duration{Seconds: 0},
}

// PopAppendHTTP takes a list of filters and a set of WASM plugins, keyed by phase. It will remove all