resolution: STATIC
  endpoints:
    - address: 1.1.1.1
      labels:
        istio.io/benchmark: "true"
---
{{- range $i := until .Services }}
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: authn-{{$i}}
spec:
  action: DENY
  rules:
    - from:
        - source:
            namespaces: ["default"]
      to:
        - operation:
            methods: ["POST"]
---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: authorization-policy
spec:
 selector:
   matchLabels:
     app: httpbin
     version: v1
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/default/sa/sleep"]
   - source:
       namespaces: ["test"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/info*"]
   - operation:
       methods: ["POST"]

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
 name: authorization-policy
spec:
 selector:
   matchLabels:
     app: httpbin
     version: v1
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/default/sa/sleep"]
   - source:
       namespaces: ["test"]
   to:
   - operation:
       methods: ["GET"]
       paths: ["/info*"]
   - operation:
       methods: ["POST"]

			Spec:        config.Spec.(*authpb.AuthorizationPolicy),
		}
		policy.NamespaceToPolicies[config.Namespace] = append(policy.NamespaceToPolicies[config.Namespace], authzConfig)
	}

	return policy
}

type AuthorizationPoliciesResult struct {
	Custom []AuthorizationPolicy
	Deny   []AuthorizationPolicy
	Allow  []AuthorizationPolicy
	Audit  []AuthorizationPolicy
}

	auditPolicy.Action = authpb.AuthorizationPolicy_AUDIT

	customPolicy := proto.Clone(policy).(*authpb.AuthorizationPolicy)
	customPolicy.Action = authpb.AuthorizationPolicy_CUSTOM

	cases := []struct {
		name          string
		selectionOpts WorkloadPolicyMatcher
		configs       []config.Config
		wantDeny      []AuthorizationPolicy
		wantAllow     []AuthorizationPolicy
		wantAudit     []AuthorizationPolicy

          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: meshwide-httpbin
  namespace: istio-system # valid: it applies to whole mesh
spec:
  {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: meshwide-httpbin-v1
  namespace: istio-system # invalid: no pods running anywhere in the mesh

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}-request-headers
spec:
  selector:
    matchLabels:
      app: "{{ .To.ServiceName }}"
  rules:
  - to:
    - operation:
        paths: [ "/request-headers" ]
    when:
    - key: request.headers[x-foo]
      values: [ "foo" ]
  - to:
      - operation:
          paths: [ "/request-headers-notValues" ]
    when:

		Inputs: []config.GroupVersionKind{
			gvk.MeshConfig,
			gvk.AuthorizationPolicy,
			gvk.Namespace,
			gvk.Pod,
		},
	}
}

func (a *AuthorizationPoliciesAnalyzer) Analyze(c analysis.Context) {
	podLabelsMap := initPodLabelsMap(c)

	c.ForEach(gvk.AuthorizationPolicy, func(r *resource.Instance) bool {
		a.analyzeNoMatchingWorkloads(r, c, podLabelsMap)

# The following policy denies access to path /allow/admin.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-{{ .To.ServiceName }}-deny
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: DENY
  rules:
    - to:
        - operation:
            paths: ["/allow/admin"]
---
# The following policy allows access to path with prefix /allow.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-policy
spec:
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["*"]
  - to:
    - operation:
        methods: ["*"]