if (hasLowBound && hasUpBound) {
      int cmp = comparator.compare(lowEnd, upEnd);
      if (cmp > 0 || (cmp == 0 && lowType == OPEN && upType == OPEN)) {
        // force allowed empty range
        lowEnd = upEnd;
        lowType = OPEN;
        upType = CLOSED;
      }
    }

    return new GeneralRange<>(comparator, hasLowBound, lowEnd, lowType, hasUpBound, upEnd, upType);
  }

  @Override

    @PathSensitive(PathSensitivity.NONE)
    public abstract RegularFileProperty getBaseCssFile();

    /**
     * Key-value pairs that are replaced in the generated HTML.
     *
     * This uses Ant style replacement tokens.
     */
    @Input
    public abstract MapProperty<String, String> getReplacementTokens();

    @Inject
    protected abstract FileSystemOperations getFs();

    @TaskAction
    public void transform() {

                  "--sync-interval-cap=30s",
                  "--probe-interval=5s",
                  "--keepalive-time=60s",
                  "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token",
                  "--agent-identifiers=ipv4=$(HOST_IP)"
                  ]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:

	if err != nil {
		return nil, err
	}

	// Verify if the authToken already contains
	// <Key> <Token> like format, if this is
	// already present we can blindly use the
	// authToken as is instead of adding 'Bearer'
	tokens := strings.Fields(target.args.AuthToken)
	switch len(tokens) {
	case 2:
		req.Header.Set("Authorization", target.args.AuthToken)
	case 1:

	// still override
	Aud []string `json:"aud"`

	// Exp is not currently used - we don't use the token for authn, just to determine k8s settings
	Exp int `json:"exp"`

	// Issuer - configured by K8S admin for projected tokens. Will be used to verify all tokens.
	Iss string `json:"iss"`

	Sub string `json:"sub"`
}

func (j JwtAuthenticator) AuthenticatorType() string {

		},
	},
}

func mainHandler(w http.ResponseWriter, r *http.Request) {
	token := r.FormValue("token")
	if token == "" {
		writeErrorResponse(w, errors.New("token parameter not given"))
		return
	}

	rsp, ok := tokens[token]
	if !ok {
		w.WriteHeader(http.StatusForbidden)
		return
	}

	fmt.Printf("Allowed for token: %s user: %s\n", token, rsp.User)

	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(rsp)

    print('body: ' + id_token_response.text)

    # we can now use the id_token as much as we want to access protected resources.
    tokens = json.loads(id_token_response.text)
    id_token = tokens['id_token']

    response = sts_client.assume_role_with_web_identity(
        RoleArn='arn:aws:iam::123456789012:user/svc-internal-api',
        RoleSessionName='test',

	{token.LAND, "&&", operator},
	{token.LOR, "||", operator},
	{token.ARROW, "<-", operator},
	{token.INC, "++", operator},
	{token.DEC, "--", operator},

	{token.EQL, "==", operator},
	{token.LSS, "<", operator},
	{token.GTR, ">", operator},
	{token.ASSIGN, "=", operator},
	{token.NOT, "!", operator},

	{token.NEQ, "!=", operator},
	{token.LEQ, "<=", operator},
	{token.GEQ, ">=", operator},

apiVersion: release-notes/v2
kind: feature
area: security
issue:
  - 49913
releaseNotes:
- |

            },
            "call_credentials": [{
            {{ if .sts }}
              "sts_service": {
                "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token",
                "subject_token_path": "./var/run/secrets/tokens/istio-token",
                "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
                "scope": "https://www.googleapis.com/auth/cloud-platform"
              }