rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]
        namespaces: ["to-mix-ns"]
    to:
    - operation:

            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

	}

	var principals []*rbacpb.Principal
	for _, rl := range m.principals {
		principal, err := generatePrincipal(rl, forTCP, useAuthenticated, action)
		if err != nil {
			return nil, err
		}
		principals = append(principals, principal)
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("must have at least 1 principal")
	}

	return &rbacpb.Policy{

                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:

    - destinationPorts:
      - 80
  - matches:
    - namespaces:
      - exact: from-mix-ns
      principals:
      - exact: from-mix-principal
- rules:
  - matches:
    - destinationPorts:
      - 80
  - matches:
    - namespaces:
      - exact: to-mix-ns
      principals:
      - exact: to-mix-principal
- rules:
  - matches:
    - destinationPorts:
      - 80
  - matches:
    - namespaces:

spec:
  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]
        namespaces: ["to-mix-ns"]
    to:
    - operation:

	for _, principal := range principals {
		isTrustDomainBeingEnforced := isTrustDomainBeingEnforced(principal)
		// Return the existing principals if the policy doesn't care about the trust domain.
		if !isTrustDomainBeingEnforced {
			principalsIncludingAliases = append(principalsIncludingAliases, principal)
			continue
		}
		trustDomainFromPrincipal, err := getTrustDomainFromSpiffeIdentity(principal)
		if err != nil {

        permissions:
        - andRules:
            rules:
            - orRules:
                rules:
                - urlPath:
                    path:
                      exact: /httpbin1
        principals:
        - andIds:
            ids:
            - any: true
      istio-ext-authz-ns[foo]-policy[httpbin-2]-rule[0]-deny-due-to-bad-CUSTOM-action:
        permissions:
        - andRules:
            rules:

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]