// If set to a different value - use the value defined by istiod.yaml. Env variable can
	// still override
	Aud []string `json:"aud"`

	// Exp is not currently used - we don't use the token for authn, just to determine k8s settings
	Exp int `json:"exp"`

	// Issuer - configured by K8S admin for projected tokens. Will be used to verify all tokens.
	Iss string `json:"iss"`

	Sub string `json:"sub"`
}

		}
		for p := range expectedset.Difference(pathset) {
			t.Errorf(" Expected %v path which we did not get", p)
		}
	})
}

func TestAuthenticationAuditAnnotationsDefaultChain(t *testing.T) {
	authn := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
		// confirm that we can set an audit annotation in a handler before WithAudit

		want                          string
		wantCELMapper                 bool
		wantUsesEmailVerifiedClaim    bool
	}{
		{
			name:                          "claim and expression are empty, structured authn feature enabled",
			in:                            []api.ClaimValidationRule{{}},
			structuredAuthnFeatureEnabled: true,

		httpFilters := []string{
			xdsfilters.MxFilterName,
			// Ext auth makes 2 filters
			wellknown.HTTPRoleBasedAccessControl,
			wellknown.HTTPExternalAuthorization,
			"extenstions.istio.io/wasmplugin/istio-system.wasm-authn",
			"extenstions.istio.io/wasmplugin/istio-system.wasm-authz",
			wellknown.HTTPRoleBasedAccessControl,
			"extenstions.istio.io/wasmplugin/istio-system.wasm-stats",

)

var baseTimestamp = time.Date(2020, 2, 2, 2, 2, 2, 0, time.UTC)

func TestGetPoliciesForWorkload(t *testing.T) {
	policies := getTestAuthenticationPolicies(createTestConfigs(true /* with mesh peer authn */), t)

	cases := []struct {
		name                   string
		workloadNamespace      string
		workloadLabels         labels.Instance
		wantRequestAuthn       []*config.Config
		wantPeerAuthn          []*config.Config

	return (*na).authenticateImpersonation(caller, requestedIdentityString)
}

// ClusterNodeAuthorizer is a component that implements a subset of Kubernetes Node Authorization
// (https://kubernetes.io/docs/reference/access-authn-authz/node/) for Istio CA within one cluster.
// Specifically, it validates that a node proxy which requests certificates for workloads on its
// own node is requesting valid identities which run on that node (rather than arbitrary ones).

		return ErrSTSAccessDenied
	}
}

func checkAssumeRoleAuth(ctx context.Context, r *http.Request) (auth.Credentials, APIErrorCode) {
	if !isRequestSignatureV4(r) {
		return auth.Credentials{}, ErrAccessDenied
	}

	s3Err := isReqAuthenticated(ctx, r, globalSite.Region(), serviceSTS)
	if s3Err != ErrNone {
		return auth.Credentials{}, s3Err
	}

	user, _, s3Err := getReqAccessKeyV4(r, globalSite.Region(), serviceSTS)

	logger.LogIf(ctx, "admin", err, errKind...)
}

func authNLogIf(ctx context.Context, err error, errKind ...interface{}) {
	logger.LogIf(ctx, "authN", err, errKind...)
}

func authZLogIf(ctx context.Context, err error, errKind ...interface{}) {
	logger.LogIf(ctx, "authZ", err, errKind...)
}

func peersLogIf(ctx context.Context, err error, errKind ...interface{}) {
	if !errors.Is(err, grid.ErrDisconnected) {

		Run(func(t framework.TestContext) {
			crd.DeployGatewayAPIOrSkip(t)
			config.New(t).
				Source(config.File("testdata/authz/gateway-api.yaml.tmpl").WithParams(param.Params{
					param.Namespace.String(): apps.Namespace,
				})).
				Source(config.File("testdata/authz/gateway-authz.yaml.tmpl").WithParams(param.Params{
					param.Namespace.String(): apps.Namespace,
					"Services":               apps.A.Append(apps.B).Services(),

									},
								},
							},
						},
					},
					ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{
						CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{
							DefaultValidationContext: &auth.CertificateValidationContext{},
							ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{
								Name: "ROOTCA",
								SdsConfig: &core.ConfigSource{