return globalAuthZPlugin
}

func setGlobalAuthNPlugin(authn *idplugin.AuthNPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthNPlugin = authn
	globalAuthPluginMutex.Unlock()
}

func setGlobalAuthZPlugin(authz *polplugin.AuthZPlugin) {
	globalAuthPluginMutex.Lock()
	globalAuthZPlugin = authz
	globalAuthPluginMutex.Unlock()
}

	req := AuthContext{GrpcContext: ctx}
	for _, authn := range am.Authenticators {
		u, err := authn.Authenticate(req)
		if u != nil && len(u.Identities) > 0 && err == nil {
			securityLog.Debugf("Authentication successful through auth source %v", u.AuthSource)
			return u
		}
		am.authFailMsgs = append(am.authFailMsgs, fmt.Sprintf("Authenticator %s: %v", authn.AuthenticatorType(), err))
	}
	return nil
}

func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler {
	requestInfoResolver := &apirequest.RequestInfoFactory{}
	failedHandler := genericapifilters.Unauthorized(scheme.Codecs)

	handler = genericapifilters.WithAuthorization(handler, authz, scheme.Codecs)
	handler = genericapifilters.WithAuthentication(handler, authn, failedHandler, nil, nil)

}

func startDefaultServer(t servertesting.Logger, flags ...string) (func(), servertesting.TestServer, error) {
	// create kubeconfig which will not actually be used. But authz/authn needs it to startup.
	fakeKubeConfig, err := os.CreateTemp("", "kubeconfig")
	if err != nil {
		return nil, servertesting.TestServer{}, err
	}
	fakeKubeConfig.WriteString(`
apiVersion: v1
kind: Config
clusters:

		TrafficDirection:                 core.TrafficDirection_INBOUND,
		ContinueOnListenerFiltersTimeout: true,
	}

	// Flush authz cache since we need filter state for the principal.
	oldBuilder := lb.authzBuilder
	lb.authzBuilder = authz.NewBuilder(authz.Local, lb.push, lb.node, true)
	inboundChainConfigs := lb.buildInboundChainConfigs()
	for _, cc := range inboundChainConfigs {
		cc.hbone = true

	AlpnFilterName = "istio.alpn"

	MxFilterName = "istio.metadata_exchange"

	// AuthnFilterName is the name for the Istio AuthN filter. This should be the same
	// as the name defined in
	// https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30
	AuthnFilterName = "istio_authn"

	// EnvoyJwtFilterName is the name of the Envoy JWT filter.

	// If set to a different value - use the value defined by istiod.yaml. Env variable can
	// still override
	Aud []string `json:"aud"`

	// Exp is not currently used - we don't use the token for authn, just to determine k8s settings
	Exp int `json:"exp"`

	// Issuer - configured by K8S admin for projected tokens. Will be used to verify all tokens.
	Iss string `json:"iss"`

	Sub string `json:"sub"`
}

		}
		for p := range expectedset.Difference(pathset) {
			t.Errorf(" Expected %v path which we did not get", p)
		}
	})
}

func TestAuthenticationAuditAnnotationsDefaultChain(t *testing.T) {
	authn := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
		// confirm that we can set an audit annotation in a handler before WithAudit

		want                          string
		wantCELMapper                 bool
		wantUsesEmailVerifiedClaim    bool
	}{
		{
			name:                          "claim and expression are empty, structured authn feature enabled",
			in:                            []api.ClaimValidationRule{{}},
			structuredAuthnFeatureEnabled: true,

		httpFilters := []string{
			xdsfilters.MxFilterName,
			// Ext auth makes 2 filters
			wellknown.HTTPRoleBasedAccessControl,
			wellknown.HTTPExternalAuthorization,
			"extenstions.istio.io/wasmplugin/istio-system.wasm-authn",
			"extenstions.istio.io/wasmplugin/istio-system.wasm-authz",
			wellknown.HTTPRoleBasedAccessControl,
			"extenstions.istio.io/wasmplugin/istio-system.wasm-stats",