path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 0.002s
  statPrefix: tcp.

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 600s
  statusOnError:
    code: Forbidden

type Plugin struct {
	*admission.Handler
	authz authorizer.Authorizer
}

// SetAuthorizer sets the authorizer.
func (p *Plugin) SetAuthorizer(authz authorizer.Authorizer) {
	p.authz = authz
}

// ValidateInitialization ensures an authorizer is set.
func (p *Plugin) ValidateInitialization() error {
	if p.authz == nil {
		return fmt.Errorf("%s requires an authorizer", PluginName)
	}

	echo1NS    namespace.Instance
	echo2NS    namespace.Instance
	externalNS namespace.Instance
	serverNS   namespace.Instance

	// Servers
	apps             deployment.TwoNamespaceView
	authzServer      authz.Server
	localAuthzServer authz.Server
	jwtServer        jwt.Server

	i istio.Instance
)

func TestMain(m *testing.M) {
	framework.
		NewSuite(m).
		Setup(istio.Setup(&i, func(c resource.Context, cfg *istio.Config) {

			fromAndTo := to.Instances().Append(from)

			config.New(t).
				Source(config.File("testdata/authz/mtls.yaml.tmpl")).
				Source(config.File("testdata/authz/deny-global.yaml.tmpl").WithParams(param.Params{
					param.Namespace.String(): istio.ClaimSystemNamespaceOrFail(t, t),
				})).
				Source(config.File("testdata/authz/deny-principal.yaml.tmpl").WithParams(
					param.Params{
						"Denied": denied,
					})).

func NewPlugin() *Plugin {
	return &Plugin{
		Handler: admission.NewHandler(admission.Create, admission.Update),
	}
}

// SetAuthorizer sets the plugin's authorizer.
func (p *Plugin) SetAuthorizer(authz authorizer.Authorizer) {
	p.authz = authz
}

// InspectFeatureGates implements WantsFeatures.
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
	p.enabled = featureGates.Enabled(features.ClusterTrustBundle)

    path:
    - key: istio_ext_authz_shadow_effective_policy_id
    value:
      stringMatch:
        prefix: istio-ext-authz
  grpcService:
    envoyGrpc:
      authority: my-custom-ext-authz.foo.svc.cluster.local
      clusterName: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
    timeout: 600s
  statusOnError:
    code: Forbidden

          prefix: x-prefix-
        - ignoreCase: true
          suffix: -suffix
    pathPrefix: /check
    serverUri:
      cluster: outbound|9000||my-custom-ext-authz.foo.svc.cluster.local
      timeout: 10s
      uri: http://my-custom-ext-authz.foo.svc.cluster.local
  statusOnError:
    code: Forbidden
  transportApiVersion: V3
  withRequestBody:
    allowPartialMessage: true
    maxRequestBytes: 2048

	"google.golang.org/protobuf/types/known/wrapperspb"

	networking "istio.io/api/networking/v1alpha3"
	"istio.io/istio/pilot/pkg/model"
	authzmatcher "istio.io/istio/pilot/pkg/security/authz/matcher"
	authz "istio.io/istio/pilot/pkg/security/authz/model"
	"istio.io/istio/pkg/config/labels"
	"istio.io/istio/pkg/util/sets"
)

func TestIsCatchAllRoute(t *testing.T) {
	cases := []struct {
		name  string
		route *route.Route

		}
	}, err
}

// BuildAuthz creates an authorizer compatible with the kubelet's needs
func BuildAuthz(client authorizationclient.AuthorizationV1Interface, authz kubeletconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
	switch authz.Mode {
	case kubeletconfig.KubeletAuthorizationModeAlwaysAllow:
		return authorizerfactory.NewAlwaysAllowAuthorizer(), nil

	case kubeletconfig.KubeletAuthorizationModeWebhook: