expect-failure: true
  expected-output-file: fail.out
  allow-additional-output: true
  allow-disordered-output: true
},{
  executable: gradle
  args: "--rerun-tasks --configuration-cache-problems=warn someTask -DsomeDestination=dest"
  expect-failure: false
  expected-output-file: store.out
  allow-additional-output: true
}, {
  executable: gradle

# The following policy enables authorization on workload:
# - Allow request principal ******@****.***/sub-1 to access path /token1
# - Allow request in group-2 to access path /token2
# - Allow request with any token to access path /tokenAny
# - Allow request with permission claim of "write" or "append" to access path /permission
# - Allow request with valid JWT token to access path /jwt1

commands: [{
    executable: gradle
    args: clean alwaysInstrumentClasses
    allow-additional-output: true
    allow-disordered-output: true
},{
    executable: gradle
    args: alwaysInstrumentClasses
    expected-output-file: incrementalBuildUpToDateWhenAgain.out
    allow-additional-output: true
    allow-disordered-output: true

	// Determine whether to allow or deny the request.
	allow := false
	checkHeaderValue, contains := attrs.GetRequest().GetHttp().GetHeaders()[checkHeader]
	if contains {
		allow = checkHeaderValue == allowedValue
	} else {
		allow = attrs.Source != nil && strings.HasSuffix(attrs.Source.Principal, "/sa/"+*serviceAccount)
	}

	if allow {
		return s.allow(request), nil
	}

    protected static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";

    protected static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";

    protected static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";

    protected static final String ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK = "Access-Control-Allow-Private-Network";

	if family == syscall.AF_INET6 && sotype != syscall.SOCK_RAW {
		// Allow both IP versions even if the OS default
		// is otherwise. Note that some operating systems
		// never admit this option.
		syscall.SetsockoptInt(s, syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY, boolint(ipv6only))
	}
	if (sotype == syscall.SOCK_DGRAM || sotype == syscall.SOCK_RAW) && family != syscall.AF_UNIX {
		// Allow broadcast.

  expect-failure: true
  expected-output-file: fail.out
  allow-additional-output: true
  allow-disordered-output: true
},{
  executable: gradle
  args: "--rerun-tasks --configuration-cache-problems=warn someTask -DsomeDestination=dest"
  expect-failure: false
  expected-output-file: store.out
  allow-additional-output: true
}, {
  executable: gradle

				AdmissionReviewVersions: []string{"v1beta1"},
			}},
			ExpectAllow: true,
		},
		{
			Name: "match & allow",
			Webhooks: []registrationv1.ValidatingWebhook{{
				Name:                    "allow.example.com",
				ClientConfig:            ccfgSVC("allow"),
				Rules:                   matchEverythingRules,
				NamespaceSelector:       &metav1.LabelSelector{},

}

// A service that can be set to allow all or deny all authorization requests.
type mockV1beta1Service struct {
	allow      bool
	statusCode int
	called     int
}

func (m *mockV1beta1Service) Review(r *authorizationv1beta1.SubjectAccessReview) {
	m.called++
	r.Status.Allowed = m.allow
}
func (m *mockV1beta1Service) Allow()              { m.allow = true }

		return false
	}
	from := Reference{Kind: gvk.KubernetesGateway, Namespace: k8s.Namespace(namespace)}
	to := Reference{Kind: gvk.Secret, Namespace: k8s.Namespace(p.Namespace)}
	allow := refs[from][to]
	if allow == nil {
		return false
	}
	return allow.AllowAll || allow.AllowedNames.Contains(p.Name)
}

func (refs AllowedReferences) BackendAllowed(
	k config.GroupVersionKind,
	backendName k8s.ObjectName,
	backendNamespace k8s.Namespace,