Rename allowed_sources to mtls_allowed_sources for clarity

Rename the route options field from allowed_sources to
mtls_allowed_sources for better clarity about its purpose
in mTLS app-to-app routing.

Updates RouteOptionsMessage to use the new field name in:
- Allowed keys registration
- Feature flag gating
- Validation methods
- All related tests

Author: rkoster

app/messages/route_options_message.rb

@@ -3,12 +3,12 @@
 module VCAP::CloudController
   class RouteOptionsMessage < BaseMessage
     # Register all possible keys upfront so attr_accessors are created
-    register_allowed_keys %i[loadbalancing hash_header hash_balance allowed_sources]
+    register_allowed_keys %i[loadbalancing hash_header hash_balance mtls_allowed_sources]
 
     def self.valid_route_options
       options = %i[loadbalancing]
       options += %i[hash_header hash_balance] if VCAP::CloudController::FeatureFlag.enabled?(:hash_based_routing)
-      options += %i[allowed_sources] if VCAP::CloudController::FeatureFlag.enabled?(:app_to_app_mtls_routing)
+      options += %i[mtls_allowed_sources] if VCAP::CloudController::FeatureFlag.enabled?(:app_to_app_mtls_routing)
       options.freeze
     end
 
@@ -22,7 +22,7 @@ def self.valid_loadbalancing_algorithms
     validate :loadbalancing_algorithm_is_valid
     validate :route_options_are_valid
     validate :hash_options_are_valid
-    validate :allowed_sources_options_are_valid
+    validate :mtls_allowed_sources_options_are_valid
 
     def loadbalancing_algorithm_is_valid
       return if loadbalancing.blank?
@@ -85,99 +85,99 @@ def validate_hash_options_with_loadbalancing
       errors.add(:base, 'Hash balance can only be set when loadbalancing is hash') if hash_balance.present? && loadbalancing.present? && loadbalancing != 'hash'
     end
 
-    def allowed_sources_options_are_valid
-      # Only validate allowed_sources when the feature flag is enabled
+    def mtls_allowed_sources_options_are_valid
+      # Only validate mtls_allowed_sources when the feature flag is enabled
       # If disabled, route_options_are_valid will already report it as unknown field
       return unless VCAP::CloudController::FeatureFlag.enabled?(:app_to_app_mtls_routing)
-      return if allowed_sources.blank?
+      return if mtls_allowed_sources.blank?
 
-      validate_allowed_sources_structure
-      validate_allowed_sources_any_exclusivity
-      validate_allowed_sources_guids_exist
+      validate_mtls_allowed_sources_structure
+      validate_mtls_allowed_sources_any_exclusivity
+      validate_mtls_allowed_sources_guids_exist
     end
 
     private
 
-    # Normalize allowed_sources to use string keys (Rails may parse JSON with symbol keys)
-    def normalized_allowed_sources
-      @normalized_allowed_sources ||= allowed_sources.is_a?(Hash) ? allowed_sources.transform_keys(&:to_s) : allowed_sources
+    # Normalize mtls_allowed_sources to use string keys (Rails may parse JSON with symbol keys)
+    def normalized_mtls_allowed_sources
+      @normalized_mtls_allowed_sources ||= mtls_allowed_sources.is_a?(Hash) ? mtls_allowed_sources.transform_keys(&:to_s) : mtls_allowed_sources
     end
 
-    def validate_allowed_sources_structure
-      unless allowed_sources.is_a?(Hash)
-        errors.add(:allowed_sources, 'must be an object')
+    def validate_mtls_allowed_sources_structure
+      unless mtls_allowed_sources.is_a?(Hash)
+        errors.add(:mtls_allowed_sources, 'must be an object')
         return
       end
 
       valid_keys = %w[apps spaces orgs any]
-      invalid_keys = normalized_allowed_sources.keys - valid_keys
-      errors.add(:allowed_sources, "contains invalid keys: #{invalid_keys.join(', ')}") if invalid_keys.any?
+      invalid_keys = normalized_mtls_allowed_sources.keys - valid_keys
+      errors.add(:mtls_allowed_sources, "contains invalid keys: #{invalid_keys.join(', ')}") if invalid_keys.any?
 
       # Validate types
       %w[apps spaces orgs].each do |key|
-        next unless normalized_allowed_sources[key].present?
+        next unless normalized_mtls_allowed_sources[key].present?
 
-        unless normalized_allowed_sources[key].is_a?(Array) && normalized_allowed_sources[key].all? { |v| v.is_a?(String) }
-          errors.add(:allowed_sources, "#{key} must be an array of strings")
+        unless normalized_mtls_allowed_sources[key].is_a?(Array) && normalized_mtls_allowed_sources[key].all? { |v| v.is_a?(String) }
+          errors.add(:mtls_allowed_sources, "#{key} must be an array of strings")
         end
       end
 
-      return unless normalized_allowed_sources['any'].present? && ![true, false].include?(normalized_allowed_sources['any'])
+      return unless normalized_mtls_allowed_sources['any'].present? && ![true, false].include?(normalized_mtls_allowed_sources['any'])
 
-      errors.add(:allowed_sources, 'any must be a boolean')
+      errors.add(:mtls_allowed_sources, 'any must be a boolean')
     end
 
-    def validate_allowed_sources_any_exclusivity
-      return unless allowed_sources.is_a?(Hash)
+    def validate_mtls_allowed_sources_any_exclusivity
+      return unless mtls_allowed_sources.is_a?(Hash)
 
-      has_any = normalized_allowed_sources['any'] == true
-      has_lists = %w[apps spaces orgs].any? { |key| normalized_allowed_sources[key].present? && normalized_allowed_sources[key].any? }
+      has_any = normalized_mtls_allowed_sources['any'] == true
+      has_lists = %w[apps spaces orgs].any? { |key| normalized_mtls_allowed_sources[key].present? && normalized_mtls_allowed_sources[key].any? }
 
       return unless has_any && has_lists
 
-      errors.add(:allowed_sources, 'any is mutually exclusive with apps, spaces, and orgs')
+      errors.add(:mtls_allowed_sources, 'any is mutually exclusive with apps, spaces, and orgs')
     end
 
-    def validate_allowed_sources_guids_exist
-      return unless allowed_sources.is_a?(Hash)
-      return if errors[:allowed_sources].any? # Skip if already invalid
+    def validate_mtls_allowed_sources_guids_exist
+      return unless mtls_allowed_sources.is_a?(Hash)
+      return if errors[:mtls_allowed_sources].any? # Skip if already invalid
 
       validate_app_guids_exist
       validate_space_guids_exist
       validate_org_guids_exist
     end
 
     def validate_app_guids_exist
-      app_guids = normalized_allowed_sources['apps']
+      app_guids = normalized_mtls_allowed_sources['apps']
       return if app_guids.blank?
 
       existing_guids = AppModel.where(guid: app_guids).select_map(:guid)
       missing_guids = app_guids - existing_guids
       return if missing_guids.empty?
 
-      errors.add(:allowed_sources, "apps contains non-existent app GUIDs: #{missing_guids.join(', ')}")
+      errors.add(:mtls_allowed_sources, "apps contains non-existent app GUIDs: #{missing_guids.join(', ')}")
     end
 
     def validate_space_guids_exist
-      space_guids = normalized_allowed_sources['spaces']
+      space_guids = normalized_mtls_allowed_sources['spaces']
       return if space_guids.blank?
 
       existing_guids = Space.where(guid: space_guids).select_map(:guid)
       missing_guids = space_guids - existing_guids
       return if missing_guids.empty?
 
-      errors.add(:allowed_sources, "spaces contains non-existent space GUIDs: #{missing_guids.join(', ')}")
+      errors.add(:mtls_allowed_sources, "spaces contains non-existent space GUIDs: #{missing_guids.join(', ')}")
     end
 
     def validate_org_guids_exist
-      org_guids = normalized_allowed_sources['orgs']
+      org_guids = normalized_mtls_allowed_sources['orgs']
       return if org_guids.blank?
 
       existing_guids = Organization.where(guid: org_guids).select_map(:guid)
       missing_guids = org_guids - existing_guids
       return if missing_guids.empty?
 
-      errors.add(:allowed_sources, "orgs contains non-existent organization GUIDs: #{missing_guids.join(', ')}")
+      errors.add(:mtls_allowed_sources, "orgs contains non-existent organization GUIDs: #{missing_guids.join(', ')}")
     end
   end
 end