MTLSPermissive

	// MTLSStrict if authentication policy enable mTLS in strict mode.
	MTLSStrict
)

// In Ambient, we convert k8s PeerAuthentication resources to the same type as AuthorizationPolicies
// To prevent conflicts in xDS, we add this prefix to the converted PeerAuthentication resources.
const convertedPeerAuthenticationPrefix = "converted_peer_authentication_" // use '_' character since those are illegal in k8s names

				t.Errorf("wantCustom:%v\n but got: %v\n", tc.wantCustom, result.Custom)
			}
		})
	}
}

func createFakeAuthorizationPolicies(configs []config.Config) *AuthorizationPolicies {
	store := &authzFakeStore{}
	for _, cfg := range configs {
		store.add(cfg)
	}
	environment := &Environment{
		ConfigStore: store,

)

func create(c kube.Client, cfg config.Config, objMeta metav1.ObjectMeta) (metav1.Object, error) {
	switch cfg.GroupVersionKind {
	case gvk.AuthorizationPolicy:
		return c.Istio().SecurityV1beta1().AuthorizationPolicies(cfg.Namespace).Create(context.TODO(), &apiistioioapisecurityv1beta1.AuthorizationPolicy{
			ObjectMeta: objMeta,
			Spec:       *(cfg.Spec.(*istioioapisecurityv1beta1.AuthorizationPolicy)),
		}, metav1.CreateOptions{})

)

var (
	AuthorizationPolicy = resource.Builder{
		Identifier: "AuthorizationPolicy",
		Group:      "security.istio.io",
		Kind:       "AuthorizationPolicy",
		Plural:     "authorizationpolicies",
		Version:    "v1beta1",
		VersionAliases: []string{
			"v1",
		},
		Proto: "istio.security.v1beta1.AuthorizationPolicy", StatusProto: "istio.meta.v1alpha1.IstioStatus",

				t.Fatalf("Unexpected SourceIp hash policy. expected: %v, got: %v", tt.useSourceIP, hasSourceIP)
			}
		})
	}
}

func getAuthorizationPolicies() *model.AuthorizationPolicies {
	return &model.AuthorizationPolicies{
		NamespaceToPolicies: map[string][]model.AuthorizationPolicy{
			"foo": {
				{
					Name:      "httpbin-deny",
					Namespace: "foo",
					Spec: &v1beta1.AuthorizationPolicy{

    group: ""
    version: "v1alpha1"
    proto: "istio.mesh.v1alpha1.MeshNetworks"
    protoPackage: "istio.io/api/mesh/v1alpha1"
    synthetic: true

  - kind: AuthorizationPolicy
    plural: "authorizationpolicies"
    group: "security.istio.io"
    version: "v1beta1"
    versionAliases:
      - "v1"
    proto: "istio.security.v1beta1.AuthorizationPolicy"
    protoPackage: "istio.io/api/security/v1beta1"

)

func (a *index) Policies(requested sets.Set[model.ConfigKey]) []model.WorkloadAuthorization {
	// TODO: use many Gets instead of List?
	cfgs := a.authorizationPolicies.List()
	l := len(cfgs)
	if len(requested) > 0 {
		l = len(requested)
	}
	res := make([]model.WorkloadAuthorization, 0, l)
	for _, cfg := range cfgs {
		k := model.ConfigKey{

			{msg.UnknownMeshNetworksServiceRegistry, "MeshNetworks istio-system/meshnetworks"},
		},
	},
	{
		name: "authorizationpolicies",
		inputFiles: []string{
			"testdata/authorizationpolicies.yaml",
		},
		analyzer: &authz.AuthorizationPoliciesAnalyzer{},
		expected: []message{
			{msg.NoMatchingWorkloadsFound, "AuthorizationPolicy istio-system/meshwide-httpbin-v1"},

				CanonicalRevision: "latest",
				WorkloadType:      workloadapi.WorkloadType_POD,
				WorkloadName:      "name",
				Status:            workloadapi.WorkloadStatus_HEALTHY,
				ClusterId:         testC,
				AuthorizationPolicies: []string{
					"istio-system/root-ns",
					"ns/local-ns",
				},
			},
		},
	}
	for _, tt := range cases {
		t.Run(tt.name, func(t *testing.T) {
			mock := krttest.NewMock(t, tt.inputs)

	// are returned out of band.
	// Authorization policies are only valid for workloads with `addresses` rather than `hostname`.
	AuthorizationPolicies []string       `protobuf:"bytes,16,rep,name=authorization_policies,json=authorizationPolicies,proto3" json:"authorization_policies,omitempty"`
	Status                WorkloadStatus `protobuf:"varint,17,opt,name=status,proto3,enum=istio.workload.WorkloadStatus" json:"status,omitempty"`