)

const (
	httpName = "ext-authz-http"
	grpcName = "ext-authz-grpc"
	httpPort = 8000
	grpcPort = 9000

	providerTemplate = `
extensionProviders:
- name: "{{ .httpName }}"
  envoyExtAuthzHttp:
    service: "{{ .fqdn }}"
    port: {{ .httpPort }}
    headersToUpstreamOnAllow: ["x-ext-authz-*"]
    headersToDownstreamOnDeny: ["x-ext-authz-*"]
    includeRequestHeadersInCheck: ["x-ext-authz"]

    patch:
      operation: ADD
      filterClass: AUTHZ # This filter will run *after* the Istio authz filter.
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          grpc_service:
            envoy_grpc:
              cluster_name: acme-ext-authz
            initial_metadata:
            - key: foo

      
      * Metadata Exchange
      * CUSTOM Authz
      * WASM Authn
      * Authn
      * WASM Authz
      * Authz
      * WASM Stats
      * Stats
      * WASM unspecified
      
      This changes the following areas:
      * Inbound TCP filters now place Metadata Exchange before Authn.

// See the License for the specific language governing permissions and
// limitations under the License.

package authz

const (
	XExtAuthz                         = "X-Ext-Authz"
	XExtAuthzAllow                    = "allow"
	XExtAuthzCheckReceived            = "X-Ext-Authz-Check-Received"
	XExtAuthzAdditionalHeaderOverride = "X-Ext-Authz-Additional-Header-Override"
	GRPCAdditionalHeaderOverrideValue = "grpc-additional-header-override-value"

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 0.002s
  statusOnError:
    code: Forbidden
  transportApiVersion: V3
  withRequestBody:

)

var (
	// Namespaces
	echo1NS  namespace.Instance
	serverNS namespace.Instance

	// Servers
	apps             deployment.SingleNamespaceView
	authzServer      authz.Server
	localAuthzServer authz.Server
	jwtServer        jwt.Server

	i istio.Instance
)

func TestMain(m *testing.M) {
	framework.
		NewSuite(m).
		Label(label.CustomSetup).

  shadowRules:
    action: DENY
    policies:
      istio-ext-authz-ns[foo]-policy[httpbin-deny]-rule[0]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      istio-ext-authz-ns[foo]-policy[httpbin-deny]-rule[1]:
        permissions:
        - andRules:
            rules:

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 0.002s
  statusOnError:
    code: Forbidden
  transportApiVersion: V3
  withRequestBody:

// See the License for the specific language governing permissions and
// limitations under the License.

package authz

import (
	"istio.io/istio/pkg/test/framework"
	"istio.io/istio/pkg/test/framework/components/namespace"
	"istio.io/istio/pkg/test/framework/resource"
)

// Server for custom authz.
type Server interface {
	Namespace() namespace.Instance

	// Providers returns the list of Provider instances.

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 0.002s
  statPrefix: tcp.