review comments

internal/catalog/internal/testhelpers/acl_hooks_test_helpers.go

@@ -93,6 +93,14 @@ func RunWorkloadSelectingTypeACLsTests[T WorkloadSelecting](t *testing.T, typ *p
 			WriteOK: resourcetest.ALLOW,
 			ListOK:  resourcetest.DEFAULT,
 		},
+		"service test write with prefixed selectors and a policy with a specific service": {
+			Rules:   `service "test" { policy = "write" } service "workload" { policy = "read" }`,
+			Data:    getData(&pbcatalog.WorkloadSelector{Prefixes: []string{"workload"}}),
+			Typ:     typ,
+			ReadOK:  resourcetest.ALLOW,
+			WriteOK: resourcetest.DENY,
+			ListOK:  resourcetest.DEFAULT,
+		},
 	}
 
 	for name, tc := range cases {

internal/catalog/internal/types/dns_policy_test.go

@@ -175,7 +175,6 @@ func TestDNSPolicyACLs(t *testing.T) {
 				Weights:   &pbcatalog.Weights{Passing: 1, Warning: 0},
 			}
 		},
-		func(registry resource.Registry) {
-			RegisterDNSPolicy(registry)
-		})
+		RegisterDNSPolicy,
+	)
 }

internal/catalog/internal/types/health_checks_test.go

@@ -203,7 +203,6 @@ func TestHealthChecksACLs(t *testing.T) {
 		func(selector *pbcatalog.WorkloadSelector) *pbcatalog.HealthChecks {
 			return &pbcatalog.HealthChecks{Workloads: selector}
 		},
-		func(registry resource.Registry) {
-			RegisterHealthChecks(registry)
-		})
+		RegisterHealthChecks,
+	)
 }

internal/catalog/internal/types/health_status_test.go

@@ -292,6 +292,24 @@ func TestHealthStatusACLs(t *testing.T) {
 			WriteOK: resourcetest.ALLOW,
 			ListOK:  resourcetest.DEFAULT,
 		},
+		"node test read with workload owner": {
+			Rules:   `node "test" { policy = "read" }`,
+			Data:    healthStatusData,
+			Owner:   workload,
+			Typ:     pbcatalog.HealthStatusType,
+			ReadOK:  resourcetest.DENY,
+			WriteOK: resourcetest.DENY,
+			ListOK:  resourcetest.DEFAULT,
+		},
+		"node test write with workload owner": {
+			Rules:   `node "test" { policy = "write" }`,
+			Data:    healthStatusData,
+			Owner:   workload,
+			Typ:     pbcatalog.HealthStatusType,
+			ReadOK:  resourcetest.DENY,
+			WriteOK: resourcetest.DENY,
+			ListOK:  resourcetest.DEFAULT,
+		},
 	}
 
 	for name, tc := range cases {

internal/catalog/internal/types/service_test.go

@@ -282,7 +282,6 @@ func TestServiceACLs(t *testing.T) {
 		func(selector *pbcatalog.WorkloadSelector) *pbcatalog.Service {
 			return &pbcatalog.Service{Workloads: selector}
 		},
-		func(registry resource.Registry) {
-			RegisterService(registry)
-		})
+		RegisterService,
+	)
 }

internal/mesh/internal/types/destinations_configuration_test.go

@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	catalogtesthelpers "github.com/hashicorp/consul/internal/catalog/catalogtest/helpers"
-	"github.com/hashicorp/consul/internal/resource"
 	pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
 	pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
 )
@@ -17,7 +16,6 @@ func TestDestinationsConfigurationACLs(t *testing.T) {
 		func(selector *pbcatalog.WorkloadSelector) *pbmesh.DestinationsConfiguration {
 			return &pbmesh.DestinationsConfiguration{Workloads: selector}
 		},
-		func(registry resource.Registry) {
-			RegisterDestinationsConfiguration(registry)
-		})
+		RegisterDestinationsConfiguration,
+	)
 }

internal/mesh/internal/types/destinations_test.go

@@ -203,7 +203,6 @@ func TestDestinationsACLs(t *testing.T) {
 		func(selector *pbcatalog.WorkloadSelector) *pbmesh.Destinations {
 			return &pbmesh.Destinations{Workloads: selector}
 		},
-		func(registry resource.Registry) {
-			RegisterDestinations(registry)
-		})
+		RegisterDestinations,
+	)
 }

internal/mesh/internal/types/proxy_configuration_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	catalogtesthelpers "github.com/hashicorp/consul/internal/catalog/catalogtest/helpers"
-	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/resourcetest"
 	pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
 	pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
@@ -22,9 +21,8 @@ func TestProxyConfigurationACLs(t *testing.T) {
 		func(selector *pbcatalog.WorkloadSelector) *pbmesh.ProxyConfiguration {
 			return &pbmesh.ProxyConfiguration{Workloads: selector}
 		},
-		func(registry resource.Registry) {
-			RegisterProxyConfiguration(registry)
-		})
+		RegisterProxyConfiguration,
+	)
 }
 
 func TestMutateProxyConfiguration(t *testing.T) {

internal/resource/resourcetest/acls.go

@@ -52,11 +52,15 @@ func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {
 	reg, ok := registry.Resolve(tc.Typ)
 	require.True(t, ok)
 
+	resolvedType, ok := registry.Resolve(tc.Typ)
+	require.True(t, ok)
+
 	res := Resource(tc.Typ, "test").
-		WithTenancy(resource.DefaultNamespacedTenancy()).
+		WithTenancy(DefaultTenancyForType(t, resolvedType)).
 		WithOwner(tc.Owner).
 		WithData(t, tc.Data).
 		Build()
+
 	ValidateAndNormalize(t, registry, res)
 
 	config := acl.Config{

internal/resource/resourcetest/tenancy.go

@@ -0,0 +1,23 @@
+package resourcetest
+
+import (
+	"testing"
+
+	"github.com/hashicorp/consul/internal/resource"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+func DefaultTenancyForType(t *testing.T, reg resource.Registration) *pbresource.Tenancy {
+	switch reg.Scope {
+	case resource.ScopeNamespace:
+		return resource.DefaultNamespacedTenancy()
+	case resource.ScopePartition:
+		return resource.DefaultPartitionedTenancy()
+	case resource.ScopeCluster:
+		return resource.DefaultClusteredTenancy()
+	default:
+		t.Fatalf("unsupported resource scope: %v", reg.Scope)
+		return nil
+	}
+	return nil
+}