Add space_guids filtering to /v3/access_rules endpoint

Implement space-based filtering for access rules endpoint to enable
querying all access rules within a given space using ?space_guids=<guid>
query parameter.

Changes:
- Add space_guids to AccessRulesListMessage with array validation
- Implement space filtering in AccessRulesController#build_dataset
- Add comprehensive unit tests for AccessRulesListMessage
- Add request specs for single/multiple space filtering and combinations
- Follow existing CAPI patterns for space_guids filtering

The filter joins through the routes table to filter access rules by
the space_id of their associated routes.

Author: rkoster

app/controllers/v3/access_rules_controller.rb

@@ -128,6 +128,13 @@ def build_dataset(message)
         select_all(:route_access_rules)
     end
 
+    if message.requested?(:space_guids)
+      dataset = dataset.
+        join(:routes, id: :route_id).
+        where(routes__space_id: VCAP::CloudController::Space.where(guid: message.space_guids).select(:id)).
+        select_all(:route_access_rules)
+    end
+
     dataset = dataset.where(name: message.names) if message.requested?(:names)
     dataset = dataset.where(selector: message.selectors) if message.requested?(:selectors)
 

app/messages/access_rules_list_message.rb

@@ -4,6 +4,7 @@ module VCAP::CloudController
   class AccessRulesListMessage < ListMessage
     register_allowed_keys %i[
       route_guids
+      space_guids
       names
       selectors
       include
@@ -12,8 +13,10 @@ class AccessRulesListMessage < ListMessage
     validates_with NoAdditionalParamsValidator
     validates_with IncludeParamValidator, valid_values: ['selector_resource', 'route']
 
+    validates :space_guids, array: true, allow_nil: true
+
     def self.from_params(params)
-      super(params, %w[route_guids names selectors include])
+      super(params, %w[route_guids space_guids names selectors include])
     end
   end
 end

spec/request/access_rules_spec.rb

@@ -301,6 +301,73 @@ def expected_rule_json(rule)
       expect(parsed['resources'][0]['selector']).to eq('cf:any')
     end
 
+    describe 'filtering by space_guids' do
+      let(:other_org) { VCAP::CloudController::Organization.make }
+      let(:other_space) { VCAP::CloudController::Space.make(organization: other_org) }
+      let(:other_mtls_domain) do
+        VCAP::CloudController::PrivateDomain.make(
+          owning_organization: other_org,
+          enforce_access_rules: true,
+          access_rules_scope: 'space'
+        )
+      end
+      let(:other_route) { VCAP::CloudController::Route.make(space: other_space, domain: other_mtls_domain) }
+      let!(:rule_in_other_space) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'rule-in-other-space',
+          selector: 'cf:any',
+          route_id: other_route.id
+        )
+      end
+
+      before do
+        other_org.add_user(user)
+        other_space.add_developer(user)
+      end
+
+      it 'filters by single space_guid' do
+        get "/v3/access_rules?space_guids=#{space.guid}", nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+        guids = parsed['resources'].map { |r| r['guid'] }
+        expect(guids).to include(rule1.guid, rule2.guid)
+        expect(guids).not_to include(rule_in_other_space.guid)
+      end
+
+      it 'filters by multiple space_guids' do
+        get "/v3/access_rules?space_guids=#{space.guid},#{other_space.guid}", nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+        guids = parsed['resources'].map { |r| r['guid'] }
+        expect(guids).to include(rule1.guid, rule2.guid, rule_in_other_space.guid)
+      end
+
+      it 'combines space_guids with other filters' do
+        get "/v3/access_rules?space_guids=#{space.guid}&names=rule-one", nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+        expect(parsed['resources'].length).to eq(1)
+        expect(parsed['resources'][0]['guid']).to eq(rule1.guid)
+        expect(parsed['resources'][0]['name']).to eq('rule-one')
+      end
+
+      it 'returns empty when space has no access rules' do
+        empty_space = VCAP::CloudController::Space.make(organization: org)
+        org.add_user(user)
+        empty_space.add_developer(user)
+
+        get "/v3/access_rules?space_guids=#{empty_space.guid}", nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+        expect(parsed['resources'].length).to eq(0)
+      end
+    end
+
     context 'with include=selector_resource' do
       let!(:app) { VCAP::CloudController::AppModel.make(space: space, name: 'frontend-app') }
       let!(:other_space) { VCAP::CloudController::Space.make(organization: org, name: 'other-space') }

spec/unit/messages/access_rules_list_message_spec.rb

@@ -0,0 +1,135 @@
+require 'spec_helper'
+require 'messages/access_rules_list_message'
+
+module VCAP::CloudController
+  RSpec.describe AccessRulesListMessage do
+    describe '.from_params' do
+      let(:params) do
+        {
+          'route_guids' => 'route1,route2',
+          'space_guids' => 'space1,space2',
+          'names' => 'name1,name2',
+          'selectors' => 'selector1,selector2',
+          'page' => 1,
+          'per_page' => 5,
+          'order_by' => 'created_at',
+          'include' => 'selector_resource,route'
+        }
+      end
+
+      it 'returns the correct AccessRulesListMessage' do
+        message = AccessRulesListMessage.from_params(params)
+
+        expect(message).to be_a(AccessRulesListMessage)
+        expect(message.route_guids).to eq(%w[route1 route2])
+        expect(message.space_guids).to eq(%w[space1 space2])
+        expect(message.names).to eq(%w[name1 name2])
+        expect(message.selectors).to eq(%w[selector1 selector2])
+        expect(message.page).to eq(1)
+        expect(message.per_page).to eq(5)
+        expect(message.order_by).to eq('created_at')
+        expect(message.include).to eq(%w[selector_resource route])
+      end
+
+      it 'converts requested keys to symbols' do
+        message = AccessRulesListMessage.from_params(params)
+
+        expect(message).to be_requested(:route_guids)
+        expect(message).to be_requested(:space_guids)
+        expect(message).to be_requested(:names)
+        expect(message).to be_requested(:selectors)
+        expect(message).to be_requested(:page)
+        expect(message).to be_requested(:per_page)
+        expect(message).to be_requested(:order_by)
+        expect(message).to be_requested(:include)
+      end
+    end
+
+    describe '#to_param_hash' do
+      let(:opts) do
+        {
+          route_guids: %w[route1 route2],
+          space_guids: %w[space1 space2],
+          names: %w[name1 name2],
+          selectors: %w[selector1 selector2],
+          page: 1,
+          per_page: 5,
+          order_by: 'created_at',
+          include: %w[selector_resource route]
+        }
+      end
+
+      it 'excludes the pagination keys' do
+        expected_params = %i[route_guids space_guids names selectors include]
+        expect(AccessRulesListMessage.from_params(opts).to_param_hash.keys).to match_array(expected_params)
+      end
+    end
+
+    describe 'fields' do
+      it 'accepts a set of fields' do
+        expect do
+          AccessRulesListMessage.from_params({
+                                               route_guids: [],
+                                               space_guids: [],
+                                               names: [],
+                                               selectors: [],
+                                               page: 1,
+                                               per_page: 5,
+                                               order_by: 'created_at',
+                                               include: ['selector_resource', 'route']
+                                             })
+        end.not_to raise_error
+      end
+
+      it 'accepts an empty set' do
+        message = AccessRulesListMessage.from_params({})
+        expect(message).to be_valid
+      end
+
+      it 'does not accept a field not in this set' do
+        message = AccessRulesListMessage.from_params({ foobar: 'pants' })
+
+        expect(message).not_to be_valid
+        expect(message.errors[:base][0]).to include("Unknown query parameter(s): 'foobar'")
+      end
+
+      describe 'include validations' do
+        it 'accepts valid include values' do
+          message = AccessRulesListMessage.from_params({ 'include' => 'selector_resource' })
+          expect(message).to be_valid
+
+          message = AccessRulesListMessage.from_params({ 'include' => 'route' })
+          expect(message).to be_valid
+
+          message = AccessRulesListMessage.from_params({ 'include' => 'selector_resource,route' })
+          expect(message).to be_valid
+        end
+
+        it 'rejects invalid include values' do
+          message = AccessRulesListMessage.from_params({ 'include' => 'invalid' })
+          expect(message).not_to be_valid
+        end
+      end
+
+      describe 'validations' do
+        it 'validates space_guids is an array' do
+          message = AccessRulesListMessage.from_params space_guids: 'not array'
+          expect(message).not_to be_valid
+          expect(message.errors[:space_guids].length).to eq 1
+        end
+
+        it 'allows space_guids to be nil' do
+          message = AccessRulesListMessage.from_params({})
+          expect(message).to be_valid
+          expect(message.space_guids).to be_nil
+        end
+
+        it 'allows space_guids to be an array' do
+          message = AccessRulesListMessage.from_params space_guids: %w[space1 space2]
+          expect(message).to be_valid
+          expect(message.space_guids).to eq(%w[space1 space2])
+        end
+      end
+    end
+  end
+end