Tests for policies targeting wildcard/hostnames and analogous

[guicassolato]

For cases that involving deciding on merging or not policies that target network resources that are strict subsets one of another. E.g.:

• Policy A → Gateway: hostname="*.acme.com"
• Policy B → HTTPRoute: headers{name="Authorization", type=RegularExpression, value="Bearer .+"}

Depending on the intent, the following variations might be possible:

1. Policy A merge overrides Policy B
2. Policy A merges providing defaults to Policy B
3. Policy A is accepted and Policy B is discarded (no merger)
4. Policy A is discarded and Policy B is accepted (no merger)
5. Policy A and Policy B are both accepted (no merger)

Depends on #3.

[guicassolato]

Examples of use cases with authorization policies:

1. One who controls a GW wants to enforce an additional authorization rule to all Routes linked to that GW (e.g. deny-list)
2. One who controls a GW wants to set an additional default authorization rule to all Routes linked to that GW (e.g. JWT claim check: email_verified == true)
3. One who controls a GW wants to disable a specific authorization rule set in any Route linked to that GW, without compromising or having to learn about other authorization rules attached to the Routes.
4. One who controls a GW wants to rollout a new set of authorization rules that supersedes all other rules attached to Route linked to that GW.
5. One who controls a Route A method=POST wants to enforce an additional authorization rule to all other Routes linked to the same GW as Route A, where the rule is applied conditionally only when method=POST.
6. One who controls a Route A method=POST wants to rollout a new set of authorization rules that supersedes all other rules attached to any other Routes linked to the same GW as Route A.