rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

	return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_AndIds{
			AndIds: &rbacpb.Principal_Set{
				Ids: principals,
			},
		},
	}
}

func principalNot(principal *rbacpb.Principal) *rbacpb.Principal {
	return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_NotId{
			NotId: principal,
		},
	}
}

  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]
        namespaces: ["to-mix-ns"]
    to:
    - operation:

		if got != c.out {
			t.Errorf("expect %s, but got %s", c.out, got)
		}
	}
}

func TestIsTrustDomainBeingEnforced(t *testing.T) {
	cases := []struct {
		principal string
		want      bool
	}{
		{principal: "cluster.local/ns/foo/sa/bar", want: true},
		{principal: "*/ns/foo/sa/bar", want: false},
		{principal: "*-td/ns/foo/sa/bar", want: true},
		{principal: "*/sa/bar", want: false},

            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

	}

	var principals []*rbacpb.Principal
	for _, rl := range m.principals {
		principal, err := generatePrincipal(rl, forTCP, useAuthenticated, action)
		if err != nil {
			return nil, err
		}
		principals = append(principals, principal)
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("must have at least 1 principal")
	}

	return &rbacpb.Policy{

                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:

        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - any: true
      istio-ext-authz-ns[foo]-policy[httpbin-deny]-rule[1]:
        permissions:
        - andRules:
            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:

    - destinationPorts:
      - 80
  - matches:
    - namespaces:
      - exact: from-mix-ns
      principals:
      - exact: from-mix-principal
- rules:
  - matches:
    - destinationPorts:
      - 80
  - matches:
    - namespaces:
      - exact: to-mix-ns
      principals:
      - exact: to-mix-principal
- rules:
  - matches:
    - destinationPorts:
      - 80
  - matches:
    - namespaces:

  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/rule[0]/sa/from[0]-principal[0]"]
        - source:
            principals: ["cluster.local/ns/rule[0]/sa/from[1]-principal[0]", "cluster.local/ns/rule[0]/sa/from[1]-principal[1]"]
            namespaces: ["rule[0]-from[1]-ns[0]"]
      to:
        - operation: