}

	var principals []*rbacpb.Principal
	for _, rl := range m.principals {
		principal, err := generatePrincipal(rl, forTCP, useAuthenticated, action)
		if err != nil {
			return nil, err
		}
		principals = append(principals, principal)
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("must have at least 1 principal")
	}

	return &rbacpb.Policy{

                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:

                      exact: spiffe://rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[1]-principal[2]
            - orIds:
                ids:
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:

			SourceIps:     stringToIP(op.IpBlocks),
			NotSourceIps:  stringToIP(op.NotIpBlocks),
			Namespaces:    stringToMatch(op.Namespaces),
			NotNamespaces: stringToMatch(op.NotNamespaces),
			Principals:    stringToMatch(op.Principals),
			NotPrincipals: stringToMatch(op.NotPrincipals),
		}
		fromMatches = append(fromMatches, match)
	}

	rules := []*security.Rules{}
	if len(toMatches) > 0 {

                    addressPrefix: 192.168.10.0
                    prefixLen: 24
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://rule[0]-from[0]-principal[1]
                - authenticated:
                    principalName:

	NotNamespaces       []*StringMatch `protobuf:"bytes,2,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
	Principals          []*StringMatch `protobuf:"bytes,3,rep,name=principals,proto3" json:"principals,omitempty"`
	NotPrincipals       []*StringMatch `protobuf:"bytes,4,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"`

			rule: yamlRule(t, `
from:
- source:
    principals: ["td-1/ns/foo/sa/sleep"]
`),
			want: []string{
				"td-1/ns/foo/sa/sleep",
				"td-2/ns/foo/sa/sleep",
			},
		},
		{
			name:     "source-principal-attribute",
			tdBundle: trustdomain.NewBundle("td-1", []string{"td-2"}),
			rule: yamlRule(t, `
when:
- key: source.principal
  values: ["td-1/ns/foo/sa/sleep"]
`),
			want: []string{

	Permissions: []*rbacpb.Permission{{Rule: &rbacpb.Permission_NotRule{
		NotRule: &rbacpb.Permission{Rule: &rbacpb.Permission_Any{Any: true}},
	}}},
	Principals: []*rbacpb.Principal{{Identifier: &rbacpb.Principal_NotId{
		NotId: &rbacpb.Principal{Identifier: &rbacpb.Principal_Any{Any: true}},
	}}},
}

// General setting to control behavior
type Option struct {
	IsCustomBuilder bool
	UseFilterState  bool

                            regex: .+
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principal
                - authenticated:
                    principalName:
                      prefix: spiffe://principal-prefix-
                - authenticated:

func TestAuthorizationPolicies_ListAuthorizationPolicies(t *testing.T) {
	policy := &authpb.AuthorizationPolicy{
		Rules: []*authpb.Rule{
			{
				From: []*authpb.Rule_From{
					{
						Source: &authpb.Source{
							Principals: []string{"sleep"},
						},
					},
				},
				To: []*authpb.Rule_To{
					{
						Operation: &authpb.Operation{
							Methods: []string{"GET"},
						},
					},
				},
			},
		},
	}