var ecMismatchKeyTests = []struct {
	hexKey        string
	errorContains string
}{
	{hexKey: hexECTestPKCS8Key, errorContains: "use ParsePKCS8PrivateKey instead"},
	{hexKey: hexECTestPKCS1Key, errorContains: "use ParsePKCS1PrivateKey instead"},
}

func TestECMismatchKeyFormat(t *testing.T) {
	for i, test := range ecMismatchKeyTests {

var pkcs8MismatchKeyTests = []struct {
	hexKey        string
	errorContains string
}{
	{hexKey: hexPKCS8TestECKey, errorContains: "use ParseECPrivateKey instead"},
	{hexKey: hexPKCS8TestPKCS1Key, errorContains: "use ParsePKCS1PrivateKey instead"},
}

func TestPKCS8MismatchKeyFormat(t *testing.T) {
	for i, test := range pkcs8MismatchKeyTests {

		require.ErrorContains(t, err, "failed to configure binding: cannot use namespaced paramRef in policy binding that matches cluster-scoped resources")
	} else {
		require.NotEmpty(t, expectedParamsForClusterScopedRequest, "all test cases should match at least one param")
		require.ErrorContains(t, err, "Denied by policy")
	}

		}
		// ErrWebhookRejected is not an error for our purposes
		if tt.ErrorContains != "" {
			if err == nil || !strings.Contains(err.Error(), tt.ErrorContains) {
				t.Errorf("%s: expected an error saying %q, but got %v", tt.Name, tt.ErrorContains, err)
			}
		}
		if _, isStatusErr := err.(*errors.StatusError); err != nil && !isStatusErr {

	IsCRD                  bool
	IsDryRun               bool
	AdditionalLabels       map[string]string
	SkipBenchmark          bool
	ExpectLabels           map[string]string
	ExpectAllow            bool
	ErrorContains          string
	ExpectAnnotations      map[string]string
	ExpectStatusCode       int32
	ExpectReinvokeWebhooks map[string]bool
}

// MutatingTest is a mutating webhook test case.
type MutatingTest struct {

				}
			}
			// ErrWebhookRejected is not an error for our purposes
			if tt.ErrorContains != "" {
				if err == nil || !strings.Contains(err.Error(), tt.ErrorContains) {
					t.Errorf("expected an error saying %q, but got: %v", tt.ErrorContains, err)
				}
			}
			if statusErr, isStatusErr := err.(*errors.StatusError); err != nil && !isStatusErr {

	return func(_ echo.CallResult, err error) error {
		if err == nil {
			return errors.New("expected error, but none occurred")
		}
		return nil
	}
}

// ErrorContains is similar to Error, but checks that the error message contains the given string.
func ErrorContains(expected string) echo.Checker {
	return func(_ echo.CallResult, err error) error {
		if err == nil {
			return errors.New("expected error, but none occurred")
		}

			if test.expectedConfig == nil {
				assert.Nil(t, cfg)
			} else {
				assert.NotNil(t, cfg)
			}

			if test.expectedErr == nil {
				assert.NoError(t, err)
			} else {
				assert.ErrorContains(t, err, test.expectedErr.Error())
			}
		})

	}

										Cert: trustDomains[td].cert,
										Key:  trustDomains[td].key,
									},
									Check: check.OK(),
								}
							}
							if !allow {
								opt.Check = check.ErrorContains("tls: unknown certificate")
							}
							from.CallOrFail(t, opt)
						})
					}

					// Request using plaintext should always allowed.

		switch opts.HTTP.Headers.Get(XExtAuthz) {
		case XExtAuthzAllow:
			return check.And(check.NoError(), checkHeaders)
		default:
			// Deny
			return check.And(check.Forbidden(protocol.GRPC),
				check.ErrorContains("desc = denied by ext_authz for not found header "+
					"`x-ext-authz: allow` in the request"))
		}
	case opts.Port.Protocol.IsTCP():
		if expectAllowed {
			return check.NoError()
		}
		// Deny