Remove name field from access rules, add read-only relationships per RFC updates

Update /v3/access_rules API to align with latest RFC changes:
- Remove 'name' field from RouteAccessRule model and API
- Add database migration to drop name column and unique index
- Use labels/annotations for metadata instead of name field
- Add read-only relationships (app, space, organization) to responses
  extracted from selector (cf:app:X, cf:space:X, cf:org:X, cf:any)
- Replace 'names' filter with 'guids' filter
- Add 'selector_resource_guids' filter for text-match against selectors
- Update include support: add individual app, space, organization
  (in addition to existing selector_resource and route)
- Remove name-based uniqueness validation (keep selector uniqueness)
- Update all tests to remove name references

Breaking changes:
- POST /v3/access_rules no longer accepts 'name' field
- GET /v3/access_rules responses no longer include 'name' field
- Filter parameter 'names' removed, use 'guids' instead
- Access rule responses now include app/space/organization relationships

Author: rkoster

app/controllers/v3/access_rules_controller.rb

@@ -52,13 +52,11 @@ def create
     unprocessable!("Cannot add 'cf:any' selector when other access rules already exist for this route.") if message.selector == 'cf:any' && existing_selectors.any?
     unprocessable!("Cannot add selector '#{message.selector}': route already has a 'cf:any' rule.") if existing_selectors.include?('cf:any') && message.selector != 'cf:any'
 
-    # Uniqueness: name and selector must be unique per route
-    unprocessable!("An access rule with name '#{message.name}' already exists for this route.") if route.access_rules.any? { |r| r.name == message.name }
+    # Uniqueness: selector must be unique per route
     unprocessable!("An access rule with selector '#{message.selector}' already exists for this route.") if existing_selectors.include?(message.selector)
 
     access_rule = VCAP::CloudController::RouteAccessRule.new(
       guid: SecureRandom.uuid,
-      name: message.name,
       selector: message.selector,
       route_id: route.id,
       created_at: Time.now.utc,
@@ -127,9 +125,18 @@ def build_dataset(message)
                 select_all(:route_access_rules)
     end
 
-    dataset = dataset.where(name: message.names) if message.requested?(:names)
+    dataset = dataset.where(guid: message.guids) if message.requested?(:guids)
     dataset = dataset.where(selector: message.selectors) if message.requested?(:selectors)
 
+    if message.requested?(:selector_resource_guids)
+      # Text-match against selector string for resource GUIDs
+      # Handles cf:app:<guid>, cf:space:<guid>, cf:org:<guid>
+      conditions = message.selector_resource_guids.map do |guid|
+        Sequel.like(:selector, "%#{guid}%")
+      end
+      dataset = dataset.where(Sequel.|(*conditions))
+    end
+
     dataset
   end
 end

app/decorators/include_access_rule_selector_resource_decorator.rb

@@ -6,12 +6,15 @@ class IncludeAccessRuleSelectorResourceDecorator
     SELECTOR_REGEX = /\Acf:(app|space|org):([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\z/
 
     def self.match?(include_params)
-      include_params&.include?('selector_resource')
+      return false unless include_params
+
+      # Match if any of: selector_resource, app, space, organization
+      (include_params & %w[selector_resource app space organization]).any?
     end
 
     def self.decorate(hash, access_rules)
       hash[:included] ||= {}
-      
+
       # Collect all GUIDs by type
       app_guids = []
       space_guids = []
@@ -38,7 +41,7 @@ def self.decorate(hash, access_rules)
       hash[:included][:apps] = fetch_and_present_apps(app_guids.uniq)
       hash[:included][:spaces] = fetch_and_present_spaces(space_guids.uniq)
       hash[:included][:organizations] = fetch_and_present_organizations(org_guids.uniq)
-      
+
       hash
     end
 

app/messages/access_rule_create_message.rb

@@ -5,15 +5,13 @@ class AccessRuleCreateMessage < MetadataBaseMessage
     SELECTOR_REGEX = /\A(cf:(app|space|org):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|cf:any)\z/
 
     register_allowed_keys %i[
-      name
       selector
       relationships
     ]
 
     validates_with NoAdditionalKeysValidator
     validates_with RelationshipValidator
 
-    validates :name, presence: true, string: true
     validates :selector, presence: true, string: true
 
     validate :selector_format_valid

app/messages/access_rules_list_message.rb

@@ -3,20 +3,22 @@
 module VCAP::CloudController
   class AccessRulesListMessage < ListMessage
     register_allowed_keys %i[
+      guids
       route_guids
       space_guids
-      names
       selectors
+      selector_resource_guids
       include
     ]
 
     validates_with NoAdditionalParamsValidator
-    validates_with IncludeParamValidator, valid_values: ['selector_resource', 'route']
+    validates_with IncludeParamValidator, valid_values: %w[selector_resource route app space organization]
 
     validates :space_guids, array: true, allow_nil: true
+    validates :selector_resource_guids, array: true, allow_nil: true
 
     def self.from_params(params)
-      super(params, %w[route_guids space_guids names selectors include])
+      super(params, %w[guids route_guids space_guids selectors selector_resource_guids include])
     end
   end
 end

app/models/runtime/route_access_rule.rb

@@ -7,7 +7,6 @@ class RouteAccessRule < Sequel::Model(:route_access_rules)
                 without_guid_generation: true
 
     def validate
-      validates_presence :name
       validates_presence :selector
       validates_presence :route_id
     end

app/presenters/v3/access_rule_presenter.rb

@@ -12,15 +12,12 @@ def to_hash
             guid: access_rule.guid,
             created_at: access_rule.created_at,
             updated_at: access_rule.updated_at,
-            name: access_rule.name,
             selector: access_rule.selector,
-            relationships: {
-              route: {
-                data: {
-                  guid: access_rule.route.guid
-                }
-              }
+            metadata: {
+              labels: hashified_labels(access_rule.labels),
+              annotations: hashified_annotations(access_rule.annotations)
             },
+            relationships: build_relationships,
             links: build_links
           }
         end
@@ -31,6 +28,45 @@ def access_rule
           @resource
         end
 
+        def build_relationships
+          relationships = {
+            route: {
+              data: {
+                guid: access_rule.route.guid
+              }
+            }
+          }
+
+          # Extract resource GUID from selector and populate read-only relationships
+          selector_match = access_rule.selector.match(/\Acf:(app|space|org):([0-9a-f-]+)\z/)
+          if selector_match
+            resource_type = selector_match[1]
+            resource_guid = selector_match[2]
+
+            case resource_type
+            when 'app'
+              relationships[:app] = { data: { guid: resource_guid } }
+              relationships[:space] = { data: nil }
+              relationships[:organization] = { data: nil }
+            when 'space'
+              relationships[:app] = { data: nil }
+              relationships[:space] = { data: { guid: resource_guid } }
+              relationships[:organization] = { data: nil }
+            when 'org'
+              relationships[:app] = { data: nil }
+              relationships[:space] = { data: nil }
+              relationships[:organization] = { data: { guid: resource_guid } }
+            end
+          else
+            # cf:any or malformed - all relationships are null
+            relationships[:app] = { data: nil }
+            relationships[:space] = { data: nil }
+            relationships[:organization] = { data: nil }
+          end
+
+          relationships
+        end
+
         def build_links
           {
             self: {

db/migrations/20260415000001_remove_name_from_route_access_rules.rb

@@ -0,0 +1,15 @@
+Sequel.migration do
+  up do
+    alter_table :route_access_rules do
+      drop_index %i[route_id name], name: :route_access_rules_route_id_name_index
+      drop_column :name
+    end
+  end
+
+  down do
+    alter_table :route_access_rules do
+      add_column :name, String, size: 255
+      add_index %i[route_id name], unique: true, name: :route_access_rules_route_id_name_index
+    end
+  end
+end