apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "default"
spec:
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy

	_PPC_FEATURE2_SCV  = 0x00100000
)

func doinit() {
	// HWCAP2 feature bits
	PPC64.IsPOWER8 = isSet(hwCap2, _PPC_FEATURE2_ARCH_2_07)
	PPC64.IsPOWER9 = isSet(hwCap2, _PPC_FEATURE2_ARCH_3_00)
	PPC64.HasDARN = isSet(hwCap2, _PPC_FEATURE2_DARN)
	PPC64.HasSCV = isSet(hwCap2, _PPC_FEATURE2_SCV)
}

func isSet(hwc uint, value uint) bool {
	return hwc&value != 0

	groups := "<none>"
	if len(ev.User.Username) > 0 {
		username = ev.User.Username
		if len(ev.User.Groups) > 0 {
			groups = auditStringSlice(ev.User.Groups)
		}
	}
	asuser := "<self>"
	asgroups := "<lookup>"
	if ev.ImpersonatedUser != nil {
		asuser = ev.ImpersonatedUser.Username
		if ev.ImpersonatedUser.Groups != nil {
			asgroups = auditStringSlice(ev.ImpersonatedUser.Groups)
		}
	}

	namespace := "<none>"

      }
    }

  /** Returns true if the certificate was signed by [issuer]. */
  @Throws(SignatureException::class)
  fun checkSignature(issuer: PublicKey): Boolean {
    val signedData = CertificateAdapters.tbsCertificate.toDer(tbsCertificate)

    return Signature.getInstance(tbsCertificate.signatureAlgorithmName).run {
      initVerify(issuer)
      update(signedData.toByteArray())

	// CPU features
	hwcap2_DARN = 0x00200000
	hwcap2_SCV  = 0x00100000
)

func osinit() {
	PPC64.IsPOWER8 = isSet(HWCap2, hwcap2_ARCH_2_07)
	PPC64.IsPOWER9 = isSet(HWCap2, hwcap2_ARCH_3_00)
	PPC64.IsPOWER10 = isSet(HWCap2, hwcap2_ARCH_3_1)
	PPC64.HasDARN = isSet(HWCap2, hwcap2_DARN)
	PPC64.HasSCV = isSet(HWCap2, hwcap2_SCV)

}

// Issuer provides the configuration for an external provider's specific settings.
type Issuer struct {
	// url points to the issuer URL in a format https://url or https://url/path.
	// This must match the "iss" claim in the presented JWT, and the issuer returned from discovery.
	// Same value as the --oidc-issuer-url flag.

metadata:
  name: default
spec:
  jwtRules:
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---

# The following policy enables authorization on workload:
# - Allow request principal test-issuer******@****.***/sub-1 to access path /token1

// K8S is created with --service-account-issuer, service-account-signing-key-file and service-account-api-audiences
// which enable OIDC.
func NewJwtAuthenticator(jwtRule *v1beta1.JWTRule, meshWatcher mesh.Watcher) (*JwtAuthenticator, error) {
	issuer := jwtRule.GetIssuer()
	jwksURL := jwtRule.GetJwksUri()
	// The key of a JWT issuer may change, so the key may need to be updated.

// generator.
func (g *portGenerator) SetUsed(port int) *portGenerator {
	g.used[port] = struct{}{}
	return g
}

// IsUsed indicates if the given port has already been used.
func (g *portGenerator) IsUsed(port int) bool {
	_, ok := g.used[port]
	return ok
}

// Next assigns the next port for the given protocol.
func (g *portGenerator) Next(protocol protocol.Instance) int {

	_, ebx7, _, _ := cpuid(7, 0)
	X86.HasBMI1 = isSet(ebx7, cpuid_BMI1)
	X86.HasAVX2 = isSet(ebx7, cpuid_AVX2) && osSupportsAVX
	X86.HasBMI2 = isSet(ebx7, cpuid_BMI2)
	X86.HasERMS = isSet(ebx7, cpuid_ERMS)
	X86.HasADX = isSet(ebx7, cpuid_ADX)
	X86.HasSHA = isSet(ebx7, cpuid_SHA)

	X86.HasAVX512F = isSet(ebx7, cpuid_AVX512F) && osSupportsAVX512
	if X86.HasAVX512F {
		X86.HasAVX512BW = isSet(ebx7, cpuid_AVX512BW)