message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

message SubjectAccessReviewStatus {
  // Allowed is required. True if the action would be allowed, false otherwise.
  optional bool allowed = 1;

  // Denied is optional. True if the action would be denied, otherwise
  // false. If both allowed is false and denied is false, then the
  // authorizer has no opinion on whether to authorize the action. Denied
  // may not be true if Allowed is true.
  // +optional

      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:
        - operation: # TCP

        private void checkIfAllowed() {
            if (!hashingAllowed) {
                throw new UnsupportedOperationException("Hashing is currently not allowed")
            }
        }

        void allowHashing(boolean allowed) {
            this.hashingAllowed = allowed
        }
    }

    static class AllowingStat implements Stat {

        private final Stat delegate
        private boolean statAllowed

		t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
			client := &fake.Clientset{}
			client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
				return true, &authorization.SubjectAccessReview{
					Status: authorization.SubjectAccessReviewStatus{
						Allowed: c.allowed,
					},
				}, nil
			})

}

// ImageReviewStatus is the result of the review for the pod creation request.
type ImageReviewStatus struct {
	// Allowed indicates that all images were allowed to be run.
	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
	// Reason should be empty unless Allowed is false in which case it
	// may contain a short description of what is wrong.  Kubernetes

		expect   authorizer.Decision
		features featuregate.FeatureGate
	}{
		{
			name:   "allowed configmap",
			attrs:  authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "configmaps", Name: "configmap0-pod0-node0", Namespace: "ns0"},
			expect: authorizer.DecisionAllow,
		},
		{
			name:   "allowed secret via pod",

package p

func f(x int) func(int) int {
	return func(y int) int { return x + y } // ERROR "heap-allocated closure f\.func1, not allowed in runtime"
}

func g(x int) func(int) int { // ERROR "x escapes to heap, not allowed in runtime"
	return func(y int) int { // ERROR "heap-allocated closure g\.func1, not allowed in runtime"
		x += y
		return x + y
	}