Implement include=route for /v3/access_rules endpoint

Add support for including route resources when listing access rules
via the ?include=route query parameter.

Changes:
- Create IncludeAccessRuleRouteDecorator to handle route inclusion
- Wire up decorator in AccessRulesController
- Add comprehensive request specs for include=route
- Test single/multiple routes, uniqueness, and combining with selector_resource
- Follow existing CAPI decorator patterns for resource inclusion

The decorator fetches and presents Route resources referenced by the
access rules, adding them to the 'included' section of the response.

Author: rkoster

app/controllers/v3/access_rules_controller.rb

@@ -3,6 +3,7 @@
 require 'messages/access_rules_list_message'
 require 'presenters/v3/access_rule_presenter'
 require 'decorators/include_access_rule_selector_resource_decorator'
+require 'decorators/include_access_rule_route_decorator'
 
 class AccessRulesController < ApplicationController
   def index
@@ -13,6 +14,7 @@ def index
 
     decorators = []
     decorators << IncludeAccessRuleSelectorResourceDecorator if IncludeAccessRuleSelectorResourceDecorator.match?(message.include)
+    decorators << IncludeAccessRuleRouteDecorator if IncludeAccessRuleRouteDecorator.match?(message.include)
 
     render status: :ok, json: Presenters::V3::PaginatedListPresenter.new(
       presenter: Presenters::V3::AccessRulePresenter,
@@ -42,27 +44,17 @@ def create
     unauthorized! unless permission_queryer.can_write_to_active_space?(route.space.id)
     suspended! unless permission_queryer.is_space_active?(route.space.id)
 
-    unless route.domain.enforce_access_rules
-      unprocessable!("Cannot create access rules for route '#{route.guid}': the route's domain does not have enforce_access_rules enabled.")
-    end
+    unprocessable!("Cannot create access rules for route '#{route.guid}': the route's domain does not have enforce_access_rules enabled.") unless route.domain.enforce_access_rules
 
     # Enforce cf:any exclusivity: if route already has a cf:any rule, reject new rules;
     # if new rule is cf:any, reject if route already has any rules.
     existing_selectors = route.access_rules.map(&:selector)
-    if message.selector == 'cf:any' && existing_selectors.any?
-      unprocessable!("Cannot add 'cf:any' selector when other access rules already exist for this route.")
-    end
-    if existing_selectors.include?('cf:any') && message.selector != 'cf:any'
-      unprocessable!("Cannot add selector '#{message.selector}': route already has a 'cf:any' rule.")
-    end
+    unprocessable!("Cannot add 'cf:any' selector when other access rules already exist for this route.") if message.selector == 'cf:any' && existing_selectors.any?
+    unprocessable!("Cannot add selector '#{message.selector}': route already has a 'cf:any' rule.") if existing_selectors.include?('cf:any') && message.selector != 'cf:any'
 
     # Uniqueness: name and selector must be unique per route
-    if route.access_rules.any? { |r| r.name == message.name }
-      unprocessable!("An access rule with name '#{message.name}' already exists for this route.")
-    end
-    if existing_selectors.include?(message.selector)
-      unprocessable!("An access rule with selector '#{message.selector}' already exists for this route.")
-    end
+    unprocessable!("An access rule with name '#{message.name}' already exists for this route.") if route.access_rules.any? { |r| r.name == message.name }
+    unprocessable!("An access rule with selector '#{message.selector}' already exists for this route.") if existing_selectors.include?(message.selector)
 
     access_rule = VCAP::CloudController::RouteAccessRule.new(
       guid: SecureRandom.uuid,
@@ -123,16 +115,16 @@ def build_dataset(message)
 
     if message.requested?(:route_guids)
       dataset = dataset.
-        join(:routes, id: :route_id).
-        where(routes__guid: message.route_guids).
-        select_all(:route_access_rules)
+                join(:routes, id: :route_id).
+                where(routes__guid: message.route_guids).
+                select_all(:route_access_rules)
     end
 
     if message.requested?(:space_guids)
       dataset = dataset.
-        join(:routes, id: :route_id).
-        where(routes__space_id: VCAP::CloudController::Space.where(guid: message.space_guids).select(:id)).
-        select_all(:route_access_rules)
+                join(:routes, id: :route_id).
+                where(routes__space_id: VCAP::CloudController::Space.where(guid: message.space_guids).select(:id)).
+                select_all(:route_access_rules)
     end
 
     dataset = dataset.where(name: message.names) if message.requested?(:names)

app/decorators/include_access_rule_route_decorator.rb

@@ -0,0 +1,27 @@
+module VCAP::CloudController
+  class IncludeAccessRuleRouteDecorator
+    # Handles `?include=route` for GET /v3/access_rules
+    # Includes the route resources associated with the access rules
+
+    def self.match?(include_params)
+      include_params&.include?('route')
+    end
+
+    def self.decorate(hash, access_rules)
+      hash[:included] ||= {}
+
+      # Collect all unique route IDs from access rules
+      route_ids = access_rules.map(&:route_id).uniq
+
+      # Fetch routes with their associations
+      routes = VCAP::CloudController::Route.where(id: route_ids).
+               order(:created_at, :guid).
+               eager(VCAP::CloudController::Presenters::V3::RoutePresenter.associated_resources).all
+
+      # Present routes
+      hash[:included][:routes] = routes.map { |route| VCAP::CloudController::Presenters::V3::RoutePresenter.new(route).to_hash }
+
+      hash
+    end
+  end
+end

spec/request/access_rules_spec.rb

@@ -133,7 +133,7 @@ def expected_rule_json(rule)
         }.to_json, admin_header
 
         expect(last_response.status).to eq(422)
-        expect(last_response.body).to include("cf:any")
+        expect(last_response.body).to include('cf:any')
       end
     end
 
@@ -155,7 +155,7 @@ def expected_rule_json(rule)
         }.to_json, admin_header
 
         expect(last_response.status).to eq(422)
-        expect(last_response.body).to include("cf:any")
+        expect(last_response.body).to include('cf:any')
       end
     end
 
@@ -481,6 +481,96 @@ def expected_rule_json(rule)
         # Should succeed without error even with cf:any selector
       end
     end
+
+    context 'with include=route' do
+      let(:route2) { VCAP::CloudController::Route.make(space: space, domain: mtls_domain) }
+
+      let!(:rule_on_route1) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'rule-on-route1',
+          selector: 'cf:any',
+          route_id: mtls_route.id
+        )
+      end
+
+      let!(:rule_on_route2) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'rule-on-route2',
+          selector: "cf:app:#{valid_uuid}",
+          route_id: route2.id
+        )
+      end
+
+      it 'includes route resources' do
+        get '/v3/access_rules?include=route', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # Check included structure
+        expect(parsed['included']).to be_a(Hash)
+        expect(parsed['included']['routes']).to be_an(Array)
+        expect(parsed['included']['routes'].length).to be >= 2
+
+        # Check routes are included with full details
+        route1_included = parsed['included']['routes'].find { |r| r['guid'] == mtls_route.guid }
+        expect(route1_included).to be_present
+        expect(route1_included['guid']).to eq(mtls_route.guid)
+        expect(route1_included['url']).to be_present
+
+        route2_included = parsed['included']['routes'].find { |r| r['guid'] == route2.guid }
+        expect(route2_included).to be_present
+        expect(route2_included['guid']).to eq(route2.guid)
+      end
+
+      it 'includes only unique routes when multiple rules reference the same route' do
+        # Create another rule on the same route
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'another-rule-on-route1',
+          selector: "cf:app:#{valid_uuid}",
+          route_id: mtls_route.id
+        )
+
+        get '/v3/access_rules?include=route', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # Route should appear only once
+        route_count = parsed['included']['routes'].count { |r| r['guid'] == mtls_route.guid }
+        expect(route_count).to eq(1)
+      end
+
+      it 'combines include=route with include=selector_resource' do
+        app = VCAP::CloudController::AppModel.make(space: space, name: 'test-app')
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'combined-rule',
+          selector: "cf:app:#{app.guid}",
+          route_id: mtls_route.id
+        )
+
+        get '/v3/access_rules?include=route,selector_resource', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # Both routes and selector resources should be included
+        expect(parsed['included']['routes']).to be_an(Array)
+        expect(parsed['included']['apps']).to be_an(Array)
+
+        # Verify route is present
+        route_included = parsed['included']['routes'].find { |r| r['guid'] == mtls_route.guid }
+        expect(route_included).to be_present
+
+        # Verify app is present
+        app_included = parsed['included']['apps'].find { |a| a['guid'] == app.guid }
+        expect(app_included).to be_present
+      end
+    end
   end
 
   describe 'DELETE /v3/access_rules/:guid' do