// limitations under the License.

package analyzers

import (
	"istio.io/istio/pkg/config/analysis"
	"istio.io/istio/pkg/config/analysis/analyzers/annotations"
	"istio.io/istio/pkg/config/analysis/analyzers/authz"
	"istio.io/istio/pkg/config/analysis/analyzers/deployment"
	"istio.io/istio/pkg/config/analysis/analyzers/deprecation"
	"istio.io/istio/pkg/config/analysis/analyzers/destinationrule"

		AuthzPolicies: yamlPolicy(t, basePath+input),
		Mesh:          mc,
	}
	p.ServiceIndex.HostnameAndNamespace = map[host.Name]map[string]*model.Service{
		"my-custom-ext-authz.foo.svc.cluster.local": {
			"foo": &model.Service{
				Hostname: "my-custom-ext-authz.foo.svc.cluster.local",
			},
		},
	}
	return p
}

func node(version *model.IstioVersion) *model.Proxy {
	return &model.Proxy{

	}

	// Handle large OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz
	type opaResultAllow struct {
		Result struct {
			Allow bool `json:"allow"`
		} `json:"result"`
	}

	// Handle simpler OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz/allow
	type opaResult struct {
		Result bool `json:"result"`
	}

  # Test images
- name: app
  dockerfile: pkg/test/echo/docker/Dockerfile.app
  files:
  - tests/testdata/certs
  targets:
  - ${TARGET_OUT_LINUX}/client
  - ${TARGET_OUT_LINUX}/server

# Sample authz server
- name: ext-authz
  dockerfile: samples/extauthz/docker/Dockerfile
  targets:
    - ${TARGET_OUT_LINUX}/extauthz

# TODO(https://github.com/istio/istio/issues/38224)
- name: app_sidecar_rockylinux_9

        imagePullPolicy: {{ $.ImagePullPolicy }}
        securityContext: # to allow core dumps
          readOnlyRootFilesystem: false
{{- end }}
{{- if $.IncludeExtAuthz }}
      - name: ext-authz
        image: {{ $.ImageHub }}/ext-authz:{{ $.ImageTag }}
        imagePullPolicy: {{ $.ImagePullPolicy }}
        ports:
        - containerPort: 8000
        - containerPort: 9000
{{- end }}

  - issuer: "******@****.***"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz-gateway-{{ .To.ServiceName }}
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  rules:
  - from:
    - source:

	authnBuilder := lb.authnBuilder
	if svc != nil {
		authnBuilder = authn.NewBuilderForService(lb.push, lb.node, svc)
		authzBuilder = authz.NewBuilderForService(authz.Local, lb.push, lb.node, true, svc)
		authzCustomBuilder = authz.NewBuilderForService(authz.Custom, lb.push, lb.node, true, svc)
	}

	// TODO: consider dedicated listener class for waypoint filters
	cls := istionetworking.ListenerClassSidecarInbound

		}
	}
}

// TestNotRestRoutesHaveAuth checks that special non-routes are behind authz/authn.
func TestNotRestRoutesHaveAuth(t *testing.T) {
	config, _ := setUp(t)

	authz := mockAuthorizer{}

	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix")
	config.Authorization.Authorizer = &authz

	config.EnableIndex = true
	config.EnableProfiling = true

	kubeVersion := fakeVersion()

	}

	// Handle large OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz
	type opaResultAllow struct {
		Result struct {
			Allow bool `json:"allow"`
		} `json:"result"`
	}

	// Handle simpler OPA responses when OPA URL is of
	// form http://localhost:8181/v1/data/httpapi/authz/allow
	type opaResult struct {
		Result bool `json:"result"`
	}

	meshconfig "istio.io/api/mesh/v1alpha1"
	"istio.io/istio/pilot/pkg/model"
	authzmodel "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pkg/config/validation/agent"
	"istio.io/istio/pkg/maps"
	"istio.io/istio/pkg/wellknown"
)

const (
	extAuthzMatchPrefix   = "istio-ext-authz"
	badCustomActionSuffix = `-deny-due-to-bad-CUSTOM-action`
)

var supportedStatus = func() []int {
	var supported []int