"k8s.io/apiserver/pkg/apis/audit"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

var (
	tim = &user.DefaultInfo{
		Name:   "******@****.***",
		Groups: []string{"humans", "developers"},
	}
	attrs = map[string]authorizer.Attributes{
		"namespaced": &authorizer.AttributesRecord{
			User:            tim,
			Verb:            "get",
			Namespace:       "default",

		if err != nil {
			return nil, -1, err
		}
	}

	if inputs.Authorizer != nil {
		authorizerVal = library.NewAuthorizerVal(versionedAttr.GetUserInfo(), inputs.Authorizer)
		requestResourceAuthorizerVal = library.NewResourceAuthorizerVal(versionedAttr.GetUserInfo(), inputs.Authorizer, versionedAttr)
	}

	requestVal, err := convertObjectToUnstructured(request)
	if err != nil {

	Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult

	t := time.Now()
	evalResults, _, err := m.filter.ForInput(ctx, versionedAttr, celplugin.CreateAdmissionRequest(versionedAttr.Attributes, metav1.GroupVersionResource(versionedAttr.GetResource()), metav1.GroupVersionKind(versionedAttr.VersionedKind)), celplugin.OptionalVariableBindings{
		VersionedParams: versionedParams,
		Authorizer:      authz,

	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
	Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that

	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
	Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that

	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
)

const PostStartHookName = "rbac/bootstrap-roles"

type RESTStorageProvider struct {
	Authorizer authorizer.Authorizer
}

var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}

	celconfig "k8s.io/apiserver/pkg/apis/cel"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	"k8s.io/apiserver/pkg/warning"
	"k8s.io/klog/v2"
)

type dispatcher struct {
	matcher generic.PolicyMatcher
	authz   authorizer.Authorizer
}

var _ generic.Dispatcher[PolicyHook] = &dispatcher{}

func NewDispatcher(
	authorizer authorizer.Authorizer,
	matcher generic.PolicyMatcher,
) generic.Dispatcher[PolicyHook] {

// +structType=atomic
message Subject {
  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
  optional string kind = 1;

  // APIGroup holds the API group of the referenced subject.
  // Defaults to "" for ServiceAccount subjects.

// or a value for non-objects such as user and group names.
message Subject {
  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
  optional string kind = 1;

  // APIGroup holds the API group of the referenced subject.
  // Defaults to "" for ServiceAccount subjects.