: CiliumHttpIntegrationTest(fmt::format(

            fmt::runtime(TestEnvironment::substitute(cilium_proxy_config_fmt, GetParam())),

            "true")) {}

  CiliumIntegrationTest(const std::string& config) : CiliumHttpIntegrationTest(config) {}

  std::string testPolicyFmt() override {

    return TestEnvironment::substitute(HEADER_ACTION_POLICY_fmt, GetParam());

  }

  std::vector<std::pair<std::string, std::string>> testSecrets() override {

    return std::vector<std::pair<std::string, std::string>>{

        {"bearer-token", SECRET_TOKEN_CONFIG},

    };

  }

  void initialize() override {

    accessLogServer_.clear();

    if (!initialized_) {

      HttpIntegrationTest::initialize();

      initialized_ = true;

    }

  }

  void denied(Http::TestRequestHeaderMapImpl&& headers) {

    initialize();

    codec_client_ = makeHttpConnection(lookupPort("http"));

    auto response = codec_client_->makeHeaderOnlyRequest(headers);

    ASSERT_TRUE(response->waitForEndStream());

    absl::optional<std::string> maybe_x_request_id;

    EXPECT_TRUE(expectAccessLogDeniedTo([&maybe_x_request_id](const ::cilium::LogEntry& entry) {

      maybe_x_request_id = getHeader(entry.http().headers(), "x-request-id");

      return entry.http().status() == 0;

    }));

    ASSERT_TRUE(maybe_x_request_id.has_value());

    absl::optional<std::string> maybe_x_request_id_resp;

    EXPECT_TRUE(

        expectAccessLogResponseTo([&maybe_x_request_id_resp](const ::cilium::LogEntry& entry) {

          maybe_x_request_id_resp = getHeader(entry.http().headers(), "x-request-id");

          return entry.http().status() == 403;

        }));

    ASSERT_TRUE(maybe_x_request_id_resp.has_value());

    EXPECT_EQ(maybe_x_request_id.value(), maybe_x_request_id_resp.value());

    EXPECT_TRUE(response->complete());

    EXPECT_EQ("403", response->headers().getStatusValue());

    cleanupUpstreamAndDownstream();

  }

  void deniedL3(Http::TestRequestHeaderMapImpl&& headers) {

    initialize();

    codec_client_ = makeHttpConnection(lookupPort("http"));

    auto response = codec_client_->makeHeaderOnlyRequest(headers);

    ASSERT_TRUE(codec_client_->waitForDisconnect());

    absl::optional<std::string> maybe_x_request_id;

    EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry&) { return true; }));

    cleanupUpstreamAndDownstream();

  }

  void accepted(Http::TestRequestHeaderMapImpl&& headers) {

    initialize();

    codec_client_ = makeHttpConnection(lookupPort("http"));

    auto response = sendRequestAndWaitForResponse(headers, 0, default_response_headers_, 0);

    absl::optional<std::string> maybe_x_request_id;

    EXPECT_TRUE(expectAccessLogRequestTo([&maybe_x_request_id](const ::cilium::LogEntry& entry) {

      maybe_x_request_id = getHeader(entry.http().headers(), "x-request-id");

      return entry.http().status() == 0;

    }));

    ASSERT_TRUE(maybe_x_request_id.has_value());

    absl::optional<std::string> maybe_x_request_id_resp;

    EXPECT_TRUE(

        expectAccessLogResponseTo([&maybe_x_request_id_resp](const ::cilium::LogEntry& entry) {

          maybe_x_request_id_resp = getHeader(entry.http().headers(), "x-request-id");

          return entry.http().status() == 200;

        }));

    ASSERT_TRUE(maybe_x_request_id_resp.has_value());

    EXPECT_EQ(maybe_x_request_id.value(), maybe_x_request_id_resp.value());

    EXPECT_TRUE(response->complete());

    EXPECT_EQ("200", response->headers().getStatusValue());

    EXPECT_TRUE(upstream_request_->complete());

    EXPECT_EQ(0, upstream_request_->bodyLength());

    cleanupUpstreamAndDownstream();

  }

      : CiliumHttpIntegrationTest(fmt::format(

            fmt::runtime(TestEnvironment::substitute(cilium_proxy_config_fmt, GetParam())),

            "true")) {}

  void invalidHostMap(const std::string& config, const char* exmsg) {

    std::string path = TestEnvironment::writeStringToFileForTest("host_map_fail.yaml", config);

    envoy::service::discovery::v3::DiscoveryResponse message;

    ThreadLocal::InstanceImpl tls;

    Cilium::PolicyHostDecoder host_decoder;

    THROW_IF_NOT_OK(MessageUtil::loadFromFile(

        path, message, ProtobufMessage::getNullValidationVisitor(), *api_.get()));

    Envoy::Cilium::PolicyHostMap hmap(tls);

    const auto decoded_resources =

        THROW_OR_RETURN_VALUE(Config::DecodedResourcesWrapper::create(

                                  host_decoder, message.resources(), message.version_info()),

                              std::unique_ptr<Config::DecodedResourcesWrapper>);

    EXPECT_THROW_WITH_MESSAGE(

        EXPECT_TRUE(hmap.onConfigUpdate(decoded_resources->refvec_, message.version_info()).ok()),

        EnvoyException, exmsg);

    tls.shutdownGlobalThreading();

  }

TEST_P(HostMapTest, HostMapValid) {

  std::string config = R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 173

  host_addresses: [ "192.168.0.1", "f00d::1" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 1

  host_addresses: [ "127.0.0.1/32", "::1/128" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.0/8", "beef::/63" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 12

  host_addresses: [ "0.0.0.0/0", "::/0" ]

)EOF";

  std::string path = TestEnvironment::writeStringToFileForTest("host_map_success.yaml", config);

  envoy::service::discovery::v3::DiscoveryResponse message;

  ThreadLocal::InstanceImpl tls;

  Cilium::PolicyHostDecoder host_decoder;

  THROW_IF_NOT_OK(MessageUtil::loadFromFile(

      path, message, ProtobufMessage::getNullValidationVisitor(), *api_.get()));

  auto hmap = std::make_shared<Envoy::Cilium::PolicyHostMap>(tls);

  const auto decoded_resources =

      THROW_OR_RETURN_VALUE(Config::DecodedResourcesWrapper::create(

                                host_decoder, message.resources(), message.version_info()),

                            std::unique_ptr<Config::DecodedResourcesWrapper>);

  EXPECT_TRUE(hmap->onConfigUpdate(decoded_resources->refvec_, message.version_info()).ok());

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("192.168.0.1").ip()), 173);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("192.168.0.0").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("192.168.0.2").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("127.0.0.1").ip()), 1);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("127.0.0.2").ip()), 11);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("126.0.0.2").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv4Instance("128.0.0.0").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("::1").ip()), 1);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("::").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("f00d::1").ip()), 173);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("f00d::").ip()), 12);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("beef::1.2.3.4").ip()), 11);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("beef:0:0:1::").ip()), 11);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("beef:0:0:1::42").ip()), 11);

  EXPECT_EQ(hmap->resolve(Network::Address::Ipv6Instance("beef:0:0:2::").ip()), 12);

  tls.shutdownGlobalThreading();

}

TEST_P(HostMapTest, HostMapInvalidNonCIDRBits) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.1/32", "127.0.0.1/31" ]

)EOF",

                   "NetworkPolicyHosts: Non-prefix bits set in '127.0.0.1/31'");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidPrefixLengths) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(

        R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.1", "127.0.0.0/8", "127.0.0.1/33" ]

)EOF",

        "NetworkPolicyHosts: Invalid prefix length in '127.0.0.1/33'");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidPrefixLengths2) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(

        R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.1", "127.0.0.0/8", "127.0.0.1/32a" ]

)EOF",

        "NetworkPolicyHosts: Invalid prefix length in '127.0.0.1/32a'");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidPrefixLengths3) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(

        R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.1", "127.0.0.0/8", "127.0.0.1/ 32" ]

)EOF",

        "NetworkPolicyHosts: Invalid prefix length in '127.0.0.1/ 32'");

  } else {

}

TEST_P(HostMapTest, HostMapDuplicateEntry) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.0/16", "127.0.0.1/32", "127.0.0.1" ]

)EOF",

                   "NetworkPolicyHosts: Duplicate host entry '127.0.0.1' for "

                   "policy 11, already mapped to 11");

  } else {

}

TEST_P(HostMapTest, HostMapDuplicateEntry2) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.0/16", "127.0.0.1/32" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 12

  host_addresses: [ "127.0.0.0/8", "127.0.0.1" ]

)EOF",

                   "NetworkPolicyHosts: Duplicate host entry '127.0.0.1' for "

                   "policy 12, already mapped to 11");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidAddress) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(

        R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.0/16", "127.0.0.1/32", "255.256.0.0" ]

)EOF",

        "NetworkPolicyHosts: Invalid host entry '255.256.0.0' for policy 11");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidAddress2) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(

        R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "127.0.0.0/16", "127.0.0.1/32", "255.255.0.0 " ]

)EOF",

        "NetworkPolicyHosts: Invalid host entry '255.255.0.0 ' for policy 11");

  } else {

}

TEST_P(HostMapTest, HostMapInvalidDefaults) {

  if (GetParam() == Network::Address::IpVersion::v4) {

    invalidHostMap(R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 11

  host_addresses: [ "0.0.0.0/0", "128.0.0.0/0" ]

)EOF",

                   "NetworkPolicyHosts: Non-prefix bits set in '128.0.0.0/0'");

  } else {

}

TEST_P(CiliumIntegrationTest, DeniedPathPrefix) {

  denied({{":method", "GET"}, {":path", "/prefix"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, AllowedPathPrefix) {

  accepted({{":method", "GET"},

            {":path", "/allowed"},

            {":authority", "host"},

            {"bearer-token", "d4ef0f5011f163ac"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    return http.missing_headers_size() == 1 && hasHeader(missing, "header42") &&

           http.rejected_headers_size() == 0 && !hasHeader(http.headers(), "header42");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedPathPrefixWrongHeader) {

  accepted({{":method", "GET"},

            {":path", "/allowed"},

            {":authority", "host"},

            {"bearer-token", "wrong-value"},

            {"x-envoy-original-dst-host", "1.1.1.1:9999"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& rejected = http.rejected_headers();

    const auto& missing = http.missing_headers();

    return http.rejected_headers_size() == 1 && hasHeader(rejected, "bearer-token", "[redacted]") &&

           http.missing_headers_size() == 2 && hasHeader(missing, "header42") &&

           hasHeader(missing, "bearer-token", "[redacted]") &&

           hasHeader(http.headers(), "bearer-token", "d4ef0f5011f163ac") &&

           !hasHeader(http.headers(), "header42");

  }));

}

TEST_P(CiliumIntegrationTest, MultipleRequests) {

  accepted({{":method", "GET"},

            {":path", "/allowed"},

            {":authority", "host"},

            {"bearer-token", "d4ef0f5011f163ac"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    return http.missing_headers_size() == 1 && hasHeader(missing, "header42") &&

           http.rejected_headers_size() == 0 && !hasHeader(http.headers(), "header42");

  }));

  accepted({{":method", "GET"},

            {":path", "/allowed"},

            {":authority", "host"},

            {"bearer-token", "wrong-value"},

            {"x-envoy-original-dst-host", "1.1.1.1:9999"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& rejected = http.rejected_headers();

    const auto& missing = http.missing_headers();

    return http.rejected_headers_size() == 1 && hasHeader(rejected, "bearer-token", "[redacted]") &&

           http.missing_headers_size() == 2 && hasHeader(missing, "header42") &&

           hasHeader(missing, "bearer-token", "[redacted]") &&

           hasHeader(http.headers(), "bearer-token", "d4ef0f5011f163ac") &&

           !hasHeader(http.headers(), "header42");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedPathRegex) {

  accepted({{":method", "GET"}, {":path", "/maybe/public"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, AllowedPathRegexDeleteHeader) {

  accepted({{":method", "GET"},

            {":path", "/maybe/public"},

            {":authority", "host"},

            {"User-Agent", "test"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& rejected = http.rejected_headers();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 1 &&

           hasHeader(rejected, "user-agent", "test") && !hasHeader(http.headers(), "User-Agent");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedHostRegexDeleteHeader) {

  accepted({{":method", "GET"},

            {":path", "/maybe/private"},

            {":authority", "hostREGEXname"},

            {"header42", "test"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& rejected = http.rejected_headers();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 1 &&

           hasHeader(rejected, "header42", "test") &&

           !hasHeader(http.headers(), "header42", "test");

  }));

}

TEST_P(CiliumIntegrationTest, DeniedPath) {

  denied({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, AllowedHostString) {

  accepted({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "allowedHOST"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    return http.missing_headers_size() == 2 && hasHeader(missing, "header2", "value2") &&

           hasHeader(missing, "header42") && http.rejected_headers_size() == 0 &&

           !hasHeader(http.headers(), "header42") && hasHeader(http.headers(), "header2", "value2");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedReplaced) {

  accepted({{":method", "GET"}, {":path", "/allowed"}, {":authority", "allowedHOST"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    return http.missing_headers_size() == 3 && hasHeader(missing, "bearer-token", "[redacted]") &&

           hasHeader(missing, "header2", "value2") && hasHeader(missing, "header42") &&

           http.rejected_headers_size() == 0 && !hasHeader(http.headers(), "header42") &&

           hasHeader(http.headers(), "header2", "value2") &&

           hasHeader(http.headers(), "bearer-token", "d4ef0f5011f163ac");

  }));

}

TEST_P(CiliumIntegrationTest, Denied42) {

  denied({{":method", "GET"},

          {":path", "/allowed"},

          {":authority", "host"},

          {"header42", "anything"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    const auto& rejected = http.rejected_headers();

    return http.rejected_headers_size() == 1 && hasHeader(rejected, "header42") &&

           http.missing_headers_size() == 1 && hasHeader(missing, "bearer-token", "[redacted]") &&

           hasHeader(http.headers(), "header42") &&

           hasHeader(http.headers(), "bearer-token", "d4ef0f5011f163ac");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedReplacedAndDeleted) {

  accepted({{":method", "GET"},

            {":path", "/allowed"},

            {":authority", "allowedHOST"},

            {"header42", "anything"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    const auto& rejected = http.rejected_headers();

    return http.rejected_headers_size() == 1 && hasHeader(rejected, "header42") &&

           http.missing_headers_size() == 2 && hasHeader(missing, "bearer-token", "[redacted]") &&

           hasHeader(missing, "header2", "value2") && !hasHeader(http.headers(), "header42") &&

           hasHeader(http.headers(), "header2", "value2") &&

           hasHeader(http.headers(), "bearer-token", "d4ef0f5011f163ac");

  }));

}

TEST_P(CiliumIntegrationTest, AllowedHostRegex) {

  accepted({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "hostREGEXname"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, DeniedMethod) {

  denied({{":method", "POST"}, {":path", "/maybe/private"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, AcceptedMethod) {

  accepted({{":method", "PUT"}, {":path", "/public/opinions"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

TEST_P(CiliumIntegrationTest, L3DeniedPath) {

  denied({{":method", "GET"}, {":path", "/only-2-allowed"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    return http.missing_headers_size() == 0 && http.rejected_headers_size() == 0;

  }));

}

  CiliumIntegrationPortTest() = default;

  std::string testPolicyFmt() override {

    return TestEnvironment::substitute(R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - '{{ ntop_ip_loopback_address }}'

  endpoint_id: 3

  ingress_per_port_policies:

  - port: {0}

    rules:

    - remote_policies: [ 1 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/only-2-allowed'

  - port: {0}

    rules:

    - remote_policies: [ 1 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {{}}

              regex: '/also-2-allowed'

  egress_per_port_policies:

  - port: {0}

    rules:

    - remote_policies: [ 2 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/only-2-allowed'

)EOF",

                                       GetParam());

  }

TEST_P(CiliumIntegrationPortTest, DuplicatePortAllowedPath) {

  accepted({{":method", "GET"}, {":path", "/only-2-allowed"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationPortTest, DuplicatePortAllowedPath2) {

  accepted({{":method", "GET"}, {":path", "/also-2-allowed"}, {":authority", "host"}});

}

  CiliumIntegrationPortRangeTest() = default;

  std::string testPolicyFmt() override {

    return TestEnvironment::substitute(BASIC_POLICY_fmt + R"EOF(  - end_port: {0}

    rules:

    - remote_policies: [ 2 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {{}}

              regex: '/only-2-allowed'

)EOF",

                                       GetParam());

  }

TEST_P(CiliumIntegrationPortRangeTest, InvalidRange) {

  initialize();

  Http::TestRequestHeaderMapImpl headers = {

      {":method", "GET"}, {":path", "/allowed"}, {":authority", "host"}};

  codec_client_ = makeHttpConnection(lookupPort("http"));

  ASSERT_TRUE(codec_client_->waitForDisconnect());

  cleanupUpstreamAndDownstream();

}

      : CiliumIntegrationTest(fmt::format(

            fmt::runtime(TestEnvironment::substitute(cilium_proxy_config_fmt, GetParam())),

            "false")) {

    host_map_config = R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 173

  host_addresses: [ "192.168.0.1", "f00d::1" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 1

  host_addresses: [ "127.0.0.0/8", "::/104" ]

)EOF";

  }

TEST_P(CiliumIntegrationEgressTest, DeniedPathPrefix) {

  denied({{":method", "GET"}, {":path", "/prefix"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, AllowedPathPrefix) {

  accepted({{":method", "GET"}, {":path", "/allowed"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, AllowedPathRegex) {

  accepted({{":method", "GET"}, {":path", "/maybe/public"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, DeniedPath) {

  denied({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, AllowedHostString) {

  accepted({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "allowedHOST"}});

}

TEST_P(CiliumIntegrationEgressTest, AllowedHostRegex) {

  accepted({{":method", "GET"}, {":path", "/maybe/private"}, {":authority", "hostREGEXname"}});

}

TEST_P(CiliumIntegrationEgressTest, DeniedMethod) {

  denied({{":method", "POST"}, {":path", "/maybe/private"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, AcceptedMethod) {

  accepted({{":method", "PUT"}, {":path", "/public/opinions"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressTest, L3DeniedPath) {

  denied({{":method", "GET"}, {":path", "/only-2-allowed"}, {":authority", "host"}});

}

  CiliumIntegrationEgressL34Test() = default;

  std::string testPolicyFmt() override {

    return TestEnvironment::substitute(L34_POLICY_fmt, GetParam());

  }

TEST_P(CiliumIntegrationEgressL34Test, DeniedPathPrefix) {

  deniedL3({{":method", "GET"}, {":path", "/prefix"}, {":authority", "host"}});

}

TEST_P(CiliumIntegrationEgressL34Test, DeniedPathPrefix2) {

  deniedL3({{":method", "GET"}, {":path", "/allowed"}, {":authority", "host"}});

}

  SDSIntegrationTest() {

    Cilium::resetSDSConfigFunc();

    host_map_config = R"EOF(version_info: "0"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 42

  host_addresses: [ "192.168.1.1", "f00d::1:1" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 1

  host_addresses: [ "127.0.0.0/8", "::/104" ]

- "@type": type.googleapis.com/cilium.NetworkPolicyHosts

  policy: 2

  host_addresses: [ "0.0.0.0/0", "::/0" ]

)EOF";

  }

  std::string testPolicyFmt2() {

    return TestEnvironment::substitute(HEADER_ACTION_MISSING_SDS_POLICY2_fmt, GetParam());

  }

  std::string testPolicyFmt() override {

    return TestEnvironment::substitute(HEADER_ACTION_MISSING_SDS_POLICY_fmt, GetParam());

  }

  std::vector<std::pair<std::string, std::string>> testSecrets() override {

    return std::vector<std::pair<std::string, std::string>>{}; // No secrets

  }

TEST_P(SDSIntegrationTest, TestDeniedL3) {

  denied({{":method", "GET"}, {":path", "/only42"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    auto source_ip = Network::Utility::parseInternetAddressAndPortNoThrow(entry.source_address())

                         ->ip()

                         ->addressAsString();

    const auto& http = entry.http();

    ENVOY_LOG_MISC(info, "Access Log entry: {}", entry.DebugString());

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 0 &&

           entry.source_security_id() == 1 &&

           source_ip == ((GetParam() == Network::Address::IpVersion::v4) ? "127.0.0.1" : "::1");

  }));

}

TEST_P(SDSIntegrationTest, TestDeniedL3SpoofedXFF) {

  denied({{":method", "GET"},

          {":path", "/only42"},

          {":authority", "host"},

          {"x-forwarded-for", "192.168.1.1"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    auto source_ip = Network::Utility::parseInternetAddressAndPortNoThrow(entry.source_address())

                         ->ip()

                         ->addressAsString();

    const auto& http = entry.http();

    ENVOY_LOG_MISC(info, "Access Log entry: {}", entry.DebugString());

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 0 &&

           entry.source_security_id() == 1 &&

           source_ip == ((GetParam() == Network::Address::IpVersion::v4) ? "127.0.0.1" : "::1");

  }));

}

TEST_P(SDSIntegrationTest, TestMissingSDSSecretOnUpdate) {

  accepted({{":method", "GET"}, {":path", "/allowed2"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogRequestTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    ENVOY_LOG_MISC(info, "Access Log entry: {}", entry.DebugString());

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 0;

  }));

  auto port = fake_upstreams_[0]->localAddress()->ip()->port();

  auto config = fmt::format(fmt::runtime(testPolicyFmt2()), port);

  std::string temp_path =

      TestEnvironment::writeStringToFileForTest("network_policy_tmp.yaml", config);

  std::string backup_path = policy_path + ".backup";

  TestEnvironment::renameFile(policy_path, backup_path);

  TestEnvironment::renameFile(temp_path, policy_path);

  ENVOY_LOG_MISC(debug,

                 "Updating Cilium Network Policy from file \'{}\'->\'{}\' instead "

                 "of using gRPC",

                 temp_path, policy_path);

  absl::SleepFor(absl::Milliseconds(100));

  denied({{":method", "GET"}, {":path", "/allowed"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    const auto& missing = http.missing_headers();

    ENVOY_LOG_MISC(info, "Access Log entry: {}", entry.DebugString());

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 1 &&

           hasHeader(missing, "header42");

  }));

  TestEnvironment::renameFile(backup_path, policy_path);

  ENVOY_LOG_MISC(debug,

                 "Updating Cilium Network Policy from file \'{}\'->\'{}\' instead "

                 "of using gRPC",

                 backup_path, policy_path);

  absl::SleepFor(absl::Milliseconds(100));

  denied({{":method", "GET"}, {":path", "/allowed"}, {":authority", "host"}});

  EXPECT_TRUE(expectAccessLogDeniedTo([](const ::cilium::LogEntry& entry) {

    const auto& http = entry.http();

    ENVOY_LOG_MISC(info, "Access Log entry: {}", entry.DebugString());

    return http.rejected_headers_size() == 0 && http.missing_headers_size() == 0;

  }));

}