# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter bar to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences foo to access path with suffix "/audiences"

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ .To.ServiceName }}
spec:
  selector:
    matchLabels:
      "app": "{{ .To.ServiceName }}"

          notValues: ["not-requestPrincipals", "not-requestPrincipals-prefix-*", "*-not-suffix-requestPrincipals", "*"]
        - key: "request.auth.audiences"
          values: ["audiences", "audiences-prefix-*", "*-suffix-audiences", "*"]
          notValues: ["not-audiences", "not-audiences-prefix-*", "*-not-suffix-audiences", "*"]
        - key: "request.auth.presenter"
          values: ["presenter", "presenter-prefix-*", "*-suffix-presenter", "*"]

	ksa := parts[3]
	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}

// checkAudience() returns true if the audiences to check are in
// the expected audiences. Otherwise, return false.

    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  token: tokenValue
status:
  audiences:
  - audiencesValue
  authenticated: true
  error: errorValue
  user:
    extra:
      extraKey:
      - extraValue
    groups:
    - groupsValue
    uid: uidValue

  "spec": {
    "token": "tokenValue",
    "audiences": [
      "audiencesValue"
    ]
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "usernameValue",
      "uid": "uidValue",
      "groups": [
        "groupsValue"
      ],
      "extra": {
        "extraKey": [
          "extraValue"
        ]
      }
    },
    "audiences": [
      "audiencesValue"
    ],

  "spec": {
    "token": "tokenValue",
    "audiences": [
      "audiencesValue"
    ]
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "usernameValue",
      "uid": "uidValue",
      "groups": [
        "groupsValue"
      ],
      "extra": {
        "extraKey": [
          "extraValue"
        ]
      }
    },
    "audiences": [
      "audiencesValue"
    ],

	}{
		{
			name:        "audience is in the expected set",
			expectRet:   true,
			audToCheck:  []string{"aud1"},
			audExpected: []string{"aud1", "aud2"},
		},
		{
			name:        "audience is NOT in the expected set",
			expectRet:   false,
			audToCheck:  []string{"aud3"},
			audExpected: []string{"aud1", "aud2"},
		},
		{
			name:        "one of the audiences is in the expected set",

    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  token: tokenValue
status:
  audiences:
  - audiencesValue
  authenticated: true
  error: errorValue
  user:
    extra:
      extraKey:
      - extraValue
    groups:
    - groupsValue
    uid: uidValue

    blockOwnerDeletion: true
    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  boundObjectRef:
    apiVersion: apiVersionValue
    kind: kindValue
    name: nameValue
    uid: uidValue
  expirationSeconds: 4
status:
  expirationTimestamp: "2002-01-01T01:01:01Z"

        "time": "2004-01-01T01:01:01Z",
        "fieldsType": "fieldsTypeValue",
        "fieldsV1": {},
        "subresource": "subresourceValue"
      }
    ]
  },
  "spec": {
    "audiences": [
      "audiencesValue"
    ],
    "expirationSeconds": 4,
    "boundObjectRef": {
      "kind": "kindValue",
      "apiVersion": "apiVersionValue",
      "name": "nameValue",
      "uid": "uidValue"
    }