)

var (
	AuthorizationPolicy = resource.Builder{
		Identifier: "AuthorizationPolicy",
		Group:      "security.istio.io",
		Kind:       "AuthorizationPolicy",
		Plural:     "authorizationpolicies",
		Version:    "v1beta1",
		VersionAliases: []string{
			"v1",
		},
		Proto: "istio.security.v1beta1.AuthorizationPolicy", StatusProto: "istio.meta.v1alpha1.IstioStatus",

	cmd := &cobra.Command{
		Use:   "check [<type>/]<name>[.<namespace>]",
		Short: "Check AuthorizationPolicy applied in the pod.",
		Long: `Check prints the AuthorizationPolicy applied to a pod by directly checking
the Envoy configuration of the pod. The command is especially useful for inspecting
the policy propagation from Istiod to Envoy and the final AuthorizationPolicy list merged
from multiple sources (mesh-level, namespace-level and workload-level).

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-policy
spec:
  action: ALLOW
  selector:
    matchLabels:
      "istio": {{.GatewayIstioLabel | default "ingressgateway"}}
  rules:
  - to:
    - operation:
        notPorts: ["100"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-policy
spec:
  action: DENY
  selector:
    matchLabels:

)

func getGvk(obj any) (config.GroupVersionKind, bool) {
	switch obj.(type) {
	case *istioioapisecurityv1beta1.AuthorizationPolicy:
		return gvk.AuthorizationPolicy, true
	case *apiistioioapisecurityv1beta1.AuthorizationPolicy:
		return gvk.AuthorizationPolicy, true
	case *k8sioapicertificatesv1.CertificateSigningRequest:
		return gvk.CertificateSigningRequest, true
	case *k8sioapicorev1.ConfigMap:

	ValidatingWebhookConfiguration
	VirtualService
	WasmPlugin
	WorkloadEntry
	WorkloadGroup
)

func (k Kind) String() string {
	switch k {
	case Address:
		return "Address"
	case AuthorizationPolicy:
		return "AuthorizationPolicy"
	case CertificateSigningRequest:
		return "CertificateSigningRequest"
	case ConfigMap:
		return "ConfigMap"
	case CustomResourceDefinition:
		return "CustomResourceDefinition"
	case DNSName:

	"istio.io/istio/pkg/config"
	"istio.io/istio/pkg/config/schema/gvr"
)

var (
	AuthorizationPolicy            = config.GroupVersionKind{Group: "security.istio.io", Version: "v1beta1", Kind: "AuthorizationPolicy"}
	AuthorizationPolicy_v1         = config.GroupVersionKind{Group: "security.istio.io", Version: "v1", Kind: "AuthorizationPolicy"}

	option            Option

	// populated when building for CUSTOM action.
	customPolicies []model.AuthorizationPolicy
	extensions     map[string]*builtExtAuthz

	// populated when building for ALLOW/DENY/AUDIT action.
	denyPolicies  []model.AuthorizationPolicy
	allowPolicies []model.AuthorizationPolicy
	auditPolicies []model.AuthorizationPolicy

	// logger emits logs about policies
	logger *AuthzLogger
}

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  rules:
  - to:
    - operation:
        paths: ["/public*"]

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}-deny
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  action: DENY
  rules:
    - from:
      - source:

# The following policy selects the workload

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-{{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"
  rules:
  - to:
    - operation: