from:
    - source:
        requestPrincipals: ["******@****.***/sub-1"]
  - to:
    - operation:
        paths: ["/token2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[groups]
      values: ["group-2"]
  - to:
    - operation:
        paths: ["/tokenAny"]
        methods: ["GET"]
    from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:

      from:
        - source:
            requestPrincipals: [ "******@****.***/sub-1" ]
    - to: # checks only a can call 443 over istio mutual with JWT
        - operation:
            hosts: [ "jwt-and-{{ .Allowed.ServiceName }}-{{ .Allowed.NamespaceName }}-only.com" ]
      from:
        - source:
            requestPrincipals: [ "******@****.***/sub-1" ]

			if useExtendedJwt {
				merged.insertFrontExtended(requestPrincipalGenerator{}, attrRequestPrincipal, s.RequestPrincipals, s.NotRequestPrincipals)
			} else {
				merged.insertFront(requestPrincipalGenerator{}, attrRequestPrincipal, s.RequestPrincipals, s.NotRequestPrincipals)
			}
			merged.insertFront(srcPrincipalGenerator{}, attrSrcPrincipal, s.Principals, s.NotPrincipals)
		}

	}
	fromMatches := []*security.Match{}
	for _, from := range rule.From {
		op := from.Source
		if action == security.Action_ALLOW && anyNonEmpty(op.RemoteIpBlocks, op.NotRemoteIpBlocks, op.RequestPrincipals, op.NotRequestPrincipals) {
			// L7 policies never match for ALLOW
			// For DENY they will always match, so it is more restrictive
			return nil
		}
		match := &security.Match{

						errs = appendErrors(errs, check(len(src.NotPrincipals) != 0, "From.NotPrincipals"))
						errs = appendErrors(errs, check(len(src.RequestPrincipals) != 0, "From.RequestPrincipals"))
						errs = appendErrors(errs, check(len(src.NotRequestPrincipals) != 0, "From.NotRequestPrincipals"))
					}
				}
				for _, when := range rule.GetWhen() {
					if when == nil {

						Action: v1beta1.AuthorizationPolicy_ALLOW,
						Rules: []*v1beta1.Rule{
							{
								From: []*v1beta1.Rule_From{
									{
										Source: &v1beta1.Source{
											RequestPrincipals: []string{"id-1"},
										},
									},
								},
								To: []*v1beta1.Rule_To{
									{
										Operation: &v1beta1.Operation{
											Methods: []string{"GET"},
										},

						},
					},
				},
			},
			valid: false,
		},
		{
			name: "RequestPrincipals-empty",
			in: &security_beta.AuthorizationPolicy{
				Rules: []*security_beta.Rule{
					{
						From: []*security_beta.Rule_From{
							{
								Source: &security_beta.Source{
									RequestPrincipals: []string{"p1", ""},
								},
							},
						},
					},
				},
			},

                      stringMatch:
                        exact: requestPrincipals1
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: requestPrincipals2
      ns[foo]-policy[httpbin-7]-rule[0]:
        permissions:

                        path:
                        - key: payload
                        - key: iss
                        value:
                          stringMatch:
                            exact: requestPrincipals1
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path:
                        - key: payload
                        - key: sub

                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[1]
                - metadata:
                    filter: istio_authn
                    path:
                    - key: request.auth.principal
                    value:
                      stringMatch:
                        exact: rule[0]-from[0]-requestPrincipal[2]
            - orIds:
                ids: