Add validation to prevent access rules on internal domains per RFC

rkoster · rkoster · commit 3791874e97fb · 2026-04-15T09:21:26.000Z
Per RFC requirement (line 246-247):
Access rules cannot be created for routes on internal domains
(domains created with --internal). Internal routes use container-to-container
networking and bypass GoRouter entirely, so GoRouter cannot enforce
access rules.

Changes:
- Add validation in AccessRulesController#create to reject access rules
  on internal domains with 422 status
- Add test coverage for internal domain validation
- Error message explains why: internal domains bypass GoRouter
diff --git a/app/controllers/v3/access_rules_controller.rb b/app/controllers/v3/access_rules_controller.rb
@@ -44,6 +44,9 @@ def create
     unauthorized! unless permission_queryer.can_write_to_active_space?(route.space.id)
     suspended! unless permission_queryer.is_space_active?(route.space.id)
 
+    if route.domain.internal?
+      unprocessable!('Cannot create access rules for routes on internal domains. Internal routes use container-to-container networking and bypass GoRouter.')
+    end
     unprocessable!("Cannot create access rules for route '#{route.guid}': the route's domain does not have enforce_access_rules enabled.") unless route.domain.enforce_access_rules
 
     # Enforce cf:any exclusivity: if route already has a cf:any rule, reject new rules;
diff --git a/spec/request/access_rules_spec.rb b/spec/request/access_rules_spec.rb
@@ -16,9 +16,16 @@
   let(:regular_domain) do
     VCAP::CloudController::PrivateDomain.make(owning_organization: org)
   end
+  let(:internal_domain) do
+    VCAP::CloudController::PrivateDomain.make(
+      owning_organization: org,
+      internal: true
+    )
+  end
 
   let(:mtls_route) { VCAP::CloudController::Route.make(space: space, domain: mtls_domain) }
   let(:regular_route) { VCAP::CloudController::Route.make(space: space, domain: regular_domain) }
+  let(:internal_route) { VCAP::CloudController::Route.make(space: space, domain: internal_domain) }
 
   let(:valid_uuid) { '11111111-2222-3333-4444-555555555555' }
 
@@ -93,6 +100,25 @@ def expected_rule_json(rule)
       end
     end
 
+    context 'when the route is on an internal domain' do
+      let(:request_body) do
+        {
+          selector: "cf:app:#{valid_uuid}",
+          relationships: {
+            route: { data: { guid: internal_route.guid } }
+          }
+        }
+      end
+
+      it 'returns 422 with a message about internal domains' do
+        post '/v3/access_rules', request_body.to_json, admin_header
+
+        expect(last_response.status).to eq(422)
+        expect(last_response.body).to include('internal domains')
+        expect(last_response.body).to include('container-to-container networking')
+      end
+    end
+
     context 'when the route does not exist' do
       let(:request_body) do
         {
