l := len(cfgs)
	if len(requested) > 0 {
		l = len(requested)
	}
	res := make([]model.WorkloadAuthorization, 0, l)
	for _, cfg := range cfgs {
		k := model.ConfigKey{
			Kind:      kind.AuthorizationPolicy,
			Name:      cfg.Authorization.Name,
			Namespace: cfg.Authorization.Namespace,
		}

		if len(requested) > 0 && !requested.Contains(k) {
			continue
		}
		res = append(res, cfg)
	}
	return res

}

func getAuthorizationPolicies() *model.AuthorizationPolicies {
	return &model.AuthorizationPolicies{
		NamespaceToPolicies: map[string][]model.AuthorizationPolicy{
			"foo": {
				{
					Name:      "httpbin-deny",
					Namespace: "foo",
					Spec: &v1beta1.AuthorizationPolicy{
						Action: v1beta1.AuthorizationPolicy_ALLOW,
						Rules: []*v1beta1.Rule{
							{
								From: []*v1beta1.Rule_From{
									{

        {
          "datasource": {
            "type": "prometheus",
            "uid": "${datasource}"
          },
          "expr": "max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 0))",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
        }
      ],

}

var _ model.XdsDeltaResourceGenerator = &EdsGenerator{}

// Map of all configs that do not impact EDS
var skippedEdsConfigs = sets.New(
	kind.Gateway,
	kind.VirtualService,
	kind.WorkloadGroup,
	kind.AuthorizationPolicy,
	kind.RequestAuthentication,
	kind.Secret,
	kind.Telemetry,
	kind.WasmPlugin,
	kind.ProxyConfig,
	kind.DNSName,

	kind.KubernetesGateway,
	kind.HTTPRoute,
	kind.TCPRoute,
	kind.TLSRoute,

					config: `apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls
spec:
  mtls:
    mode: DISABLE
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authz
spec:
  rules:
  - to:
    - operation:
        ports:
        - "19092" # TCPWorkloadOnly`,
					expected: []expect{
						{

			configs: sets.New(model.ConfigKey{Kind: k, Name: name + invalidNameSuffix, Namespace: nsName}),
			want:    false,
		})
	}

	sidecarNamespaceScopeTypes := []kind.Kind{
		kind.EnvoyFilter, kind.AuthorizationPolicy, kind.RequestAuthentication, kind.WasmPlugin,
	}
	for _, k := range sidecarNamespaceScopeTypes {
		cases = append(cases,
			Case{
				name:    fmt.Sprintf("%s config for sidecar in same namespace", k.String()),

)

const (
	apacheServer = "apache"
	nginxServer  = "nginx"
	tomcatServer = "tomcat"

	dotdotpwn = "dotdotpwn"
	wfuzz     = "wfuzz"

	authzDenyPolicy = `
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: policy-deny
spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/private/secret.html"]
`
	jwtTool            = "jwttool"
	requestAuthnPolicy = `

	}
	return
}

// ValidateAuthorizationPolicy checks that AuthorizationPolicy is well-formed.
var ValidateAuthorizationPolicy = RegisterValidateFunc("ValidateAuthorizationPolicy",
	func(cfg config.Config) (Warning, error) {
		in, ok := cfg.Spec.(*security_beta.AuthorizationPolicy)
		if !ok {
			return nil, fmt.Errorf("cannot cast to AuthorizationPolicy")
		}

		var errs error
		var warnings Warning

// This should probably be done for the v2 API.
//
// nolint: unparam
func buildRBAC(node *model.Proxy, push *model.PushContext, suffix string, context *tls.DownstreamTlsContext,
	a rbacpb.RBAC_Action, policies []model.AuthorizationPolicy,
) *rbacpb.RBAC {
	rules := &rbacpb.RBAC{
		Action:   a,
		Policies: map[string]*rbacpb.Policy{},
	}
	for _, policy := range policies {
		for i, rule := range policy.Spec.Rules {

			ConfigCluster:   k8sCluster == opts.DefaultClusterName,
			MeshWatcher:     mesh.NewFixedWatcher(m),
			CRDs: []schema.GroupVersionResource{
				// Install all CRDs used (mostly in Ambient)
				gvr.AuthorizationPolicy,
				gvr.PeerAuthentication,
				gvr.KubernetesGateway,
				gvr.KubernetesGateway,
				gvr.WorkloadEntry,
				gvr.ServiceEntry,
			},
		})
		stop := test.NewStop(t)