acl: fix validation of ACL plugin policy entries. (#23274)

.changelog/23274.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+acl: Fix plugin policy validation when checking write permissions
+```

acl/policy.go

@@ -191,7 +191,7 @@ func isPolicyValid(policy string) bool {
 
 func (p *PluginPolicy) isValid() bool {
 	switch p.Policy {
-	case PolicyDeny, PolicyRead, PolicyList:
+	case PolicyDeny, PolicyRead, PolicyList, PolicyWrite:
 		return true
 	default:
 		return false

acl/policy_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/nomad/ci"
+	"github.com/shoenig/test/must"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -898,3 +899,46 @@ func TestParse_BadInput(t *testing.T) {
 		})
 	}
 }
+
+func TestPluginPolicy_isValid(t *testing.T) {
+	ci.Parallel(t)
+
+	testCases := []struct {
+		name              string
+		inputPluginPolicy *PluginPolicy
+		expectedOutput    bool
+	}{
+		{
+			name:              "policy deny",
+			inputPluginPolicy: &PluginPolicy{Policy: "deny"},
+			expectedOutput:    true,
+		},
+		{
+			name:              "policy read",
+			inputPluginPolicy: &PluginPolicy{Policy: "read"},
+			expectedOutput:    true,
+		},
+		{
+			name:              "policy list",
+			inputPluginPolicy: &PluginPolicy{Policy: "list"},
+			expectedOutput:    true,
+		},
+		{
+			name:              "policy write",
+			inputPluginPolicy: &PluginPolicy{Policy: "write"},
+			expectedOutput:    true,
+		},
+		{
+			name:              "policy invalid",
+			inputPluginPolicy: &PluginPolicy{Policy: "invalid"},
+			expectedOutput:    false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actualOutput := tc.inputPluginPolicy.isValid()
+			must.Eq(t, tc.expectedOutput, actualOutput)
+		})
+	}
+}