Add unit tests for allowed_sources validation

rkoster · rkoster · commit 223902c0c3ec · 2026-03-05T08:33:18.000Z
Tests cover:
- Feature flag disabled: allowed_sources rejected as unknown field
- Structure validation: object type, valid keys, array types, boolean any
- any exclusivity: cannot combine any:true with apps/spaces/orgs lists
- GUID existence validation: apps, spaces, orgs must exist in database
- Combined options: allowed_sources works with loadbalancing
diff --git a/spec/unit/messages/route_options_message_spec.rb b/spec/unit/messages/route_options_message_spec.rb
@@ -37,6 +37,204 @@ module VCAP::CloudController
       end
     end
 
+    describe 'allowed_sources validations' do
+      context 'when app_to_app_mtls_routing feature flag is disabled' do
+        it 'does not allow allowed_sources option' do
+          message = RouteOptionsMessage.new({ allowed_sources: { apps: ['app-guid-1'] } })
+          expect(message).not_to be_valid
+          expect(message.errors_on(:base)).to include("Unknown field(s): 'allowed_sources'")
+        end
+      end
+
+      context 'when app_to_app_mtls_routing feature flag is enabled' do
+        before do
+          VCAP::CloudController::FeatureFlag.make(name: 'app_to_app_mtls_routing', enabled: true)
+        end
+
+        describe 'structure validation' do
+          it 'allows valid allowed_sources with apps' do
+            app = AppModel.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'apps' => [app.guid] } })
+            expect(message).to be_valid
+          end
+
+          it 'allows valid allowed_sources with spaces' do
+            space = Space.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'spaces' => [space.guid] } })
+            expect(message).to be_valid
+          end
+
+          it 'allows valid allowed_sources with orgs' do
+            org = Organization.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'orgs' => [org.guid] } })
+            expect(message).to be_valid
+          end
+
+          it 'allows valid allowed_sources with any: true' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => true } })
+            expect(message).to be_valid
+          end
+
+          it 'allows valid allowed_sources with any: false' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => false } })
+            expect(message).to be_valid
+          end
+
+          it 'allows empty allowed_sources object' do
+            message = RouteOptionsMessage.new({ allowed_sources: {} })
+            expect(message).to be_valid
+          end
+
+          it 'does not allow non-object allowed_sources' do
+            message = RouteOptionsMessage.new({ allowed_sources: 'invalid' })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('must be an object')
+          end
+
+          it 'does not allow array allowed_sources' do
+            message = RouteOptionsMessage.new({ allowed_sources: ['app-guid-1'] })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('must be an object')
+          end
+
+          it 'does not allow invalid keys in allowed_sources' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'invalid_key' => 'value' } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('contains invalid keys: invalid_key')
+          end
+
+          it 'does not allow non-array apps' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'apps' => 'not-an-array' } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('apps must be an array of strings')
+          end
+
+          it 'does not allow non-string elements in apps array' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'apps' => [123, 456] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('apps must be an array of strings')
+          end
+
+          it 'does not allow non-array spaces' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'spaces' => 'not-an-array' } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('spaces must be an array of strings')
+          end
+
+          it 'does not allow non-array orgs' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'orgs' => 'not-an-array' } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('orgs must be an array of strings')
+          end
+
+          it 'does not allow non-boolean any' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => 'true' } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('any must be a boolean')
+          end
+        end
+
+        describe 'any exclusivity validation' do
+          it 'does not allow any: true with apps list' do
+            app = AppModel.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => true, 'apps' => [app.guid] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('any is mutually exclusive with apps, spaces, and orgs')
+          end
+
+          it 'does not allow any: true with spaces list' do
+            space = Space.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => true, 'spaces' => [space.guid] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('any is mutually exclusive with apps, spaces, and orgs')
+          end
+
+          it 'does not allow any: true with orgs list' do
+            org = Organization.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => true, 'orgs' => [org.guid] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('any is mutually exclusive with apps, spaces, and orgs')
+          end
+
+          it 'allows any: false with apps list' do
+            app = AppModel.make
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => false, 'apps' => [app.guid] } })
+            expect(message).to be_valid
+          end
+
+          it 'allows any: true with empty apps list' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'any' => true, 'apps' => [] } })
+            expect(message).to be_valid
+          end
+        end
+
+        describe 'GUID existence validation' do
+          it 'validates that app GUIDs exist' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'apps' => ['non-existent-app-guid'] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('apps contains non-existent app GUIDs: non-existent-app-guid')
+          end
+
+          it 'validates that space GUIDs exist' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'spaces' => ['non-existent-space-guid'] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('spaces contains non-existent space GUIDs: non-existent-space-guid')
+          end
+
+          it 'validates that org GUIDs exist' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'orgs' => ['non-existent-org-guid'] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('orgs contains non-existent organization GUIDs: non-existent-org-guid')
+          end
+
+          it 'reports multiple non-existent app GUIDs' do
+            message = RouteOptionsMessage.new({ allowed_sources: { 'apps' => ['guid-1', 'guid-2'] } })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('apps contains non-existent app GUIDs: guid-1, guid-2')
+          end
+
+          it 'allows mix of existing apps, spaces, and orgs' do
+            app = AppModel.make
+            space = Space.make
+            org = Organization.make
+            message = RouteOptionsMessage.new({
+              allowed_sources: {
+                'apps' => [app.guid],
+                'spaces' => [space.guid],
+                'orgs' => [org.guid]
+              }
+            })
+            expect(message).to be_valid
+          end
+
+          it 'validates all types of GUIDs when multiple are provided' do
+            app = AppModel.make
+            message = RouteOptionsMessage.new({
+              allowed_sources: {
+                'apps' => [app.guid],
+                'spaces' => ['non-existent-space'],
+                'orgs' => ['non-existent-org']
+              }
+            })
+            expect(message).not_to be_valid
+            expect(message.errors_on(:allowed_sources)).to include('spaces contains non-existent space GUIDs: non-existent-space')
+            expect(message.errors_on(:allowed_sources)).to include('orgs contains non-existent organization GUIDs: non-existent-org')
+          end
+        end
+
+        describe 'combined with other options' do
+          it 'allows allowed_sources with loadbalancing' do
+            app = AppModel.make
+            message = RouteOptionsMessage.new({
+              loadbalancing: 'round-robin',
+              allowed_sources: { 'apps' => [app.guid] }
+            })
+            expect(message).to be_valid
+          end
+        end
+      end
+    end
+
     describe 'hash-based routing validations' do
       context 'when hash_based_routing feature flag is disabled' do
         it 'does not allow hash_header option' do
