from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # TCP

			// User lacks permission: either the call requires root permission and the
			// user is not root, or the call is denied by a container security policy.
			return true
		case syscall.EINVAL:
			// Some containers return EINVAL instead of EPERM if a system call is
			// denied by security policy.
			return true
		}
	}

	if errors.Is(err, fs.ErrPermission) || errors.Is(err, errors.ErrUnsupported) {

				nil,
			},
			want: `
			# HELP authorization_attempts_total [ALPHA] Counter of authorization attempts broken down by result. It can be either 'allowed', 'denied', 'no-opinion' or 'error'.
			# TYPE authorization_attempts_total counter
			authorization_attempts_total{result="denied"} 1
				`,
		},
		{
			desc: "authorizer failed with error",
			authorizer: fakeAuthorizer{
				authorizer.DecisionNoOpinion,
				"",

				ResourceRequest: true,
			},
			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
				Allowed:         true,
				Denied:          false,
				Reason:          "allowed",
				EvaluationError: "",
			},
		},

		"resource denied": {
			spec: authorizationapi.SubjectAccessReviewSpec{
				User:               "bob",
				ResourceAttributes: &authorizationapi.ResourceAttributes{},
			},

    - key: source.ip
      values: {{ .Allowed.MustWorkloads.Addresses | toJson }}
  - to:
      - operation:
          paths: [ "/source-ip-notValues" ]
    when:
      - key: source.ip
        notValues: {{ .Denied.MustWorkloads.Addresses | toJson }}
---

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}-source-namespace
spec:
  selector:
    matchLabels:

	EIO          = syscall.NewError("i/o error")
	ENAMETOOLONG = syscall.NewError("file name too long")
	EINTR        = syscall.NewError("interrupted")
	EPERM        = syscall.NewError("permission denied")
	EBUSY        = syscall.NewError("no free devices")
	ETIMEDOUT    = syscall.NewError("connection timed out")
	EPLAN9       = syscall.NewError("not supported by plan 9")

	// The following errors do not correspond to any

	EPERM        = NewError("permission denied")
	EBUSY        = NewError("no free devices")
	ETIMEDOUT    = NewError("connection timed out")
	EPLAN9       = NewError("not supported by plan 9")

	// The following errors do not correspond to any
	// Plan 9 system messages. Invented to support
	// what package os and others expect.
	EACCES       = NewError("access permission denied")

// "Approved" condition and no "Denied" conditions; false otherwise.
func isCertificateRequestApproved(csr *certv1.CertificateSigningRequest) bool {
	approved, denied := getCertApprovalCondition(&csr.Status)
	return approved && !denied
}

func getCertApprovalCondition(status *certv1.CertificateSigningRequestStatus) (approved bool, denied bool) {
	for _, c := range status.Conditions {

								if denied(dryRunErr) {
									t.Fatalf("got unexpected for valid config: %v", dryRunErr)
								} else {
									t.Fatalf("got unexpected unknown error for valid config: %v", dryRunErr)
								}
							case dryRunErr == nil && !valid:
								t.Fatalf("got unexpected success for invalid config")
							case dryRunErr != nil && !valid:
								if !denied(dryRunErr) {

	Allowed bool
	// Denied is optional. True if the action would be denied, otherwise
	// false. If both allowed is false and denied is false, then the
	// authorizer has no opinion on whether to authorize the action. Denied
	// may not be true if Allowed is true.
	Denied bool
	// Reason is optional.  It indicates why a request was allowed or denied.
	Reason string