)

const (
	ClientCertAuthenticatorType = "ClientCertAuthenticator"
)

// ClientCertAuthenticator extracts identities from client certificate.
type ClientCertAuthenticator struct{}

var _ security.Authenticator = &ClientCertAuthenticator{}

func (cca *ClientCertAuthenticator) AuthenticatorType() string {
	return ClientCertAuthenticatorType
}

// Authenticate extracts identities from presented client certificates. This

	"net/http"
	"os"
	goruntime "runtime"

	"github.com/spf13/cobra"

	utilerrors "k8s.io/apimachinery/pkg/util/errors"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
	apirequest "k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/apiserver/pkg/server"

	"fmt"
	"reflect"
	"strings"
	"testing"

	jose "gopkg.in/square/go-jose.v2"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	clientset "k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/fake"
	typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
	v1listers "k8s.io/client-go/listers/core/v1"
	"k8s.io/client-go/tools/cache"

		if !testCase.Insecure {
			req.TLS = &tls.ConnectionState{PeerCertificates: testCase.Certs}
		}

		authCall := false
		auth := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
			authCall = true
			return &authenticator.Response{User: &user.DefaultInfo{Name: "innerauth"}}, true, nil
		})

		a := NewVerifier(testCase.Opts, auth, testCase.AllowedCNs)

	"istio.io/istio/pkg/security"
)

const (
	XfccAuthenticatorType = "XfccAuthenticator"
)

// XfccAuthenticator extracts identities from Xfcc header.
type XfccAuthenticator struct{}

var _ security.Authenticator = &XfccAuthenticator{}

func (xff XfccAuthenticator) AuthenticatorType() string {
	return XfccAuthenticatorType
}

// Authenticate extracts identities from Xfcc Header.

	kcb := util.NewKeyCertBundleFromPem(nil, nil, certChainBytes, rootCertBytes)

	mockCa := &mockca.FakeCA{
		SignedCert:    signedCert,
		KeyCertBundle: kcb,
	}
	server, err := ca.New(mockCa, 1, []security.Authenticator{auth}, nil)
	if err != nil {
		return 0
	}
	csrString, err := f.GetString()
	if err != nil {
		return 0
	}
	request := &pb.IstioCertificateRequest{Csr: csrString}
	ctx := context.Background()

   serverSocketFactory
 * **MultipartBody.Part**: body, headers
 * **MultipartBody.**: boundary, parts, size, type
 * **OkHttpClient**: authenticator, cache, callTimeoutMillis, certificatePinner,
   connectTimeoutMillis, connectionPool, connectionSpecs, cookieJar, dispatcher, dns,
   eventListenerFactory, followRedirects, followSslRedirects, hostnameVerifier, interceptors,

	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/apimachinery/pkg/util/validation/field"
	"k8s.io/apiserver/pkg/audit"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/serviceaccount"
	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/apiserver/pkg/registry/rest"
	utilfeature "k8s.io/apiserver/pkg/util/feature"

   * This avoids sending potentially sensitive data like HTTP cookies to the proxy unencrypted.
   *
   * In order to support preemptive authentication we pass a fake "Auth Failed" response to the
   * authenticator. This gives the authenticator the option to customize the CONNECT request. It can
   * decline to do so by returning null, in which case OkHttp will use it as-is.
   */
  @Throws(IOException::class)

    static final String NTLM_AUTH_METHOD = 'NTLM'

    // There is absolutely no doubt that no one should ever on a map like that
    // and that a proper implementation of an NTLM authenticator shouldn't do this
    // but those are test fixtures and I couldn't find a better way to do this
    // without deeper understanding of the Jetty APIs. Feel free to provide an
    // alternate solution