return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_AndIds{
			AndIds: &rbacpb.Principal_Set{
				Ids: principals,
			},
		},
	}
}

func principalNot(principal *rbacpb.Principal) *rbacpb.Principal {
	return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_NotId{
			NotId: principal,
		},
	}
}

            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
    - from:
        - source:
            principals: ["*"]
        - source:

	}

	var principals []*rbacpb.Principal
	for _, rl := range m.principals {
		principal, err := generatePrincipal(rl, forTCP, useAuthenticated, action)
		if err != nil {
			return nil, err
		}
		principals = append(principals, principal)
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("must have at least 1 principal")
	}

	return &rbacpb.Policy{

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]

	for _, principal := range principals {
		isTrustDomainBeingEnforced := isTrustDomainBeingEnforced(principal)
		// Return the existing principals if the policy doesn't care about the trust domain.
		if !isTrustDomainBeingEnforced {
			principalsIncludingAliases = append(principalsIncludingAliases, principal)
			continue
		}
		trustDomainFromPrincipal, err := getTrustDomainFromSpiffeIdentity(principal)
		if err != nil {

            methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:

		if got != c.out {
			t.Errorf("expect %s, but got %s", c.out, got)
		}
	}
}

func TestIsTrustDomainBeingEnforced(t *testing.T) {
	cases := []struct {
		principal string
		want      bool
	}{
		{principal: "cluster.local/ns/foo/sa/bar", want: true},
		{principal: "*/ns/foo/sa/bar", want: false},
		{principal: "*-td/ns/foo/sa/bar", want: true},
		{principal: "*/sa/bar", want: false},

            methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # TCP