// limitations under the License.

package analyzers

import (
	"istio.io/istio/pkg/config/analysis"
	"istio.io/istio/pkg/config/analysis/analyzers/annotations"
	"istio.io/istio/pkg/config/analysis/analyzers/authz"
	"istio.io/istio/pkg/config/analysis/analyzers/deployment"
	"istio.io/istio/pkg/config/analysis/analyzers/deprecation"
	"istio.io/istio/pkg/config/analysis/analyzers/destinationrule"

		AuthzPolicies: yamlPolicy(t, basePath+input),
		Mesh:          mc,
	}
	p.ServiceIndex.HostnameAndNamespace = map[host.Name]map[string]*model.Service{
		"my-custom-ext-authz.foo.svc.cluster.local": {
			"foo": &model.Service{
				Hostname: "my-custom-ext-authz.foo.svc.cluster.local",
			},
		},
	}
	return p
}

func node(version *model.IstioVersion) *model.Proxy {
	return &model.Proxy{

	}

	// Handle large OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz
	type opaResultAllow struct {
		Result struct {
			Allow bool `json:"allow"`
		} `json:"result"`
	}

	// Handle simpler OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz/allow
	type opaResult struct {
		Result bool `json:"result"`
	}

	"k8s.io/klog/v2"
)

type dispatcher struct {
	matcher generic.PolicyMatcher
	authz   authorizer.Authorizer
}

var _ generic.Dispatcher[PolicyHook] = &dispatcher{}

func NewDispatcher(
	authorizer authorizer.Authorizer,
	matcher generic.PolicyMatcher,
) generic.Dispatcher[PolicyHook] {
	return &dispatcher{
		matcher: matcher,
		authz:   authorizer,
	}
}

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
)

const (
	checkHeader       = "x-ext-authz"
	allowedValue      = "allow"
	resultHeader      = "x-ext-authz-check-result"
	receivedHeader    = "x-ext-authz-check-received"
	overrideHeader    = "x-ext-authz-additional-header-override"
	overrideGRPCValue = "grpc-additional-header-override-value"
	resultAllowed     = "allowed"

  # Test images
- name: app
  dockerfile: pkg/test/echo/docker/Dockerfile.app
  files:
  - tests/testdata/certs
  targets:
  - ${TARGET_OUT_LINUX}/client
  - ${TARGET_OUT_LINUX}/server

# Sample authz server
- name: ext-authz
  dockerfile: samples/extauthz/docker/Dockerfile
  targets:
    - ${TARGET_OUT_LINUX}/extauthz

# TODO(https://github.com/istio/istio/issues/38224)
- name: app_sidecar_rockylinux_9

  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-ingress
spec:
  selector:
    matchLabels:
      istio: {{.GatewayIstioLabel | default "ingressgateway"}}
  rules:
  - to:
    - operation:
        hosts:
{{- range $svc := .Services }}

        imagePullPolicy: {{ $.ImagePullPolicy }}
        securityContext: # to allow core dumps
          readOnlyRootFilesystem: false
{{- end }}
{{- if $.IncludeExtAuthz }}
      - name: ext-authz
        image: {{ $.ImageHub }}/ext-authz:{{ $.ImageTag }}
        imagePullPolicy: {{ $.ImagePullPolicy }}
        ports:
        - containerPort: 8000
        - containerPort: 9000
{{- end }}

kind: DestinationRule
metadata:
  name: default
  namespace: {{ .To.NamespaceName }}
spec:
  host: "*.{{ .To.NamespaceName }}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

---
# This authz policy denies access to the service if the request was not mTLS, since
# mTLS is required in order to match source principals.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:

	var f v1.FailurePolicyType
	if v.failPolicy == nil {
		f = v1.Fail
	} else {
		f = *v.failPolicy
	}
	if v.celMatcher != nil {
		matchResults := v.celMatcher.Match(ctx, versionedAttr, versionedParams, authz)
		if matchResults.Error != nil {
			return ValidateResult{
				Decisions: []PolicyDecision{