Implement include=selector_resource for /v3/access_rules endpoint

rkoster · rkoster · commit ea99dbb7daef · 2026-04-10T06:38:05.000Z
- Add include parameter support to AccessRulesListMessage
- Refactor IncludeAccessRuleSelectorResourceDecorator to match RFC format:
  - Return separate arrays for apps, spaces, organizations instead of selector_resources
  - Include full resource details using appropriate presenters
  - Batch resource fetching by type with eager loading
  - Auto-deduplicate resources
  - Gracefully handle stale/missing resources
- Wire up decorator to AccessRulesController
- Add comprehensive request specs for include=selector_resource

Fixes: uninitialized constant error by adding proper require statement
diff --git a/app/controllers/v3/access_rules_controller.rb b/app/controllers/v3/access_rules_controller.rb
@@ -2,6 +2,7 @@
 require 'messages/access_rule_update_message'
 require 'messages/access_rules_list_message'
 require 'presenters/v3/access_rule_presenter'
+require 'decorators/include_access_rule_selector_resource_decorator'
 
 class AccessRulesController < ApplicationController
   def index
@@ -10,11 +11,15 @@ def index
 
     dataset = build_dataset(message)
 
+    decorators = []
+    decorators << IncludeAccessRuleSelectorResourceDecorator if IncludeAccessRuleSelectorResourceDecorator.match?(message.include)
+
     render status: :ok, json: Presenters::V3::PaginatedListPresenter.new(
       presenter: Presenters::V3::AccessRulePresenter,
       paginated_result: SequelPaginator.new.get_page(dataset, message.try(:pagination_options)),
       path: '/v3/access_rules',
-      message: message
+      message: message,
+      decorators: decorators
     )
   end
 
diff --git a/app/decorators/include_access_rule_selector_resource_decorator.rb b/app/decorators/include_access_rule_selector_resource_decorator.rb
@@ -10,7 +10,12 @@ def self.match?(include_params)
     end
 
     def self.decorate(hash, access_rules)
-      included = []
+      hash[:included] ||= {}
+      
+      # Collect all GUIDs by type
+      app_guids = []
+      space_guids = []
+      org_guids = []
 
       access_rules.each do |rule|
         match = SELECTOR_REGEX.match(rule.selector)
@@ -19,22 +24,49 @@ def self.decorate(hash, access_rules)
         resource_type = match[1]
         resource_guid = match[2]
 
-        resource = case resource_type
-                   when 'app'
-                     VCAP::CloudController::AppModel.find(guid: resource_guid)
-                   when 'space'
-                     VCAP::CloudController::Space.find(guid: resource_guid)
-                   when 'org'
-                     VCAP::CloudController::Organization.find(guid: resource_guid)
-                   end
-
-        next if resource.nil?
-
-        included << { type: resource_type, guid: resource.guid }
+        case resource_type
+        when 'app'
+          app_guids << resource_guid
+        when 'space'
+          space_guids << resource_guid
+        when 'org'
+          org_guids << resource_guid
+        end
       end
 
-      hash[:included] = { selector_resources: included }
+      # Fetch and present resources
+      hash[:included][:apps] = fetch_and_present_apps(app_guids.uniq)
+      hash[:included][:spaces] = fetch_and_present_spaces(space_guids.uniq)
+      hash[:included][:organizations] = fetch_and_present_organizations(org_guids.uniq)
+      
       hash
     end
+
+    private_class_method def self.fetch_and_present_apps(guids)
+      return [] if guids.empty?
+
+      apps = VCAP::CloudController::AppModel.where(guid: guids).
+             order(:created_at, :guid).
+             eager(VCAP::CloudController::Presenters::V3::AppPresenter.associated_resources).all
+      apps.map { |app| VCAP::CloudController::Presenters::V3::AppPresenter.new(app).to_hash }
+    end
+
+    private_class_method def self.fetch_and_present_spaces(guids)
+      return [] if guids.empty?
+
+      spaces = VCAP::CloudController::Space.where(guid: guids).
+               order(:created_at, :guid).
+               eager(VCAP::CloudController::Presenters::V3::SpacePresenter.associated_resources).all
+      spaces.map { |space| VCAP::CloudController::Presenters::V3::SpacePresenter.new(space).to_hash }
+    end
+
+    private_class_method def self.fetch_and_present_organizations(guids)
+      return [] if guids.empty?
+
+      orgs = VCAP::CloudController::Organization.where(guid: guids).
+             order(:created_at, :guid).
+             eager(VCAP::CloudController::Presenters::V3::OrganizationPresenter.associated_resources).all
+      orgs.map { |org| VCAP::CloudController::Presenters::V3::OrganizationPresenter.new(org).to_hash }
+    end
   end
 end
diff --git a/app/messages/access_rules_list_message.rb b/app/messages/access_rules_list_message.rb
@@ -6,12 +6,14 @@ class AccessRulesListMessage < ListMessage
       route_guids
       names
       selectors
+      include
     ]
 
     validates_with NoAdditionalParamsValidator
+    validates_with IncludeParamValidator, valid_values: ['selector_resource', 'route']
 
     def self.from_params(params)
-      super(params, %w[route_guids names selectors])
+      super(params, %w[route_guids names selectors include])
     end
   end
 end
diff --git a/spec/request/access_rules_spec.rb b/spec/request/access_rules_spec.rb
@@ -300,6 +300,120 @@ def expected_rule_json(rule)
       expect(parsed['resources'].length).to eq(1)
       expect(parsed['resources'][0]['selector']).to eq('cf:any')
     end
+
+    context 'with include=selector_resource' do
+      let!(:app) { VCAP::CloudController::AppModel.make(space: space, name: 'frontend-app') }
+      let!(:other_space) { VCAP::CloudController::Space.make(organization: org, name: 'other-space') }
+      let!(:other_org) { VCAP::CloudController::Organization.make(name: 'other-org') }
+
+      let!(:app_rule) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'app-rule',
+          selector: "cf:app:#{app.guid}",
+          route_id: mtls_route.id
+        )
+      end
+
+      let!(:space_rule) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'space-rule',
+          selector: "cf:space:#{other_space.guid}",
+          route_id: mtls_route.id
+        )
+      end
+
+      let!(:org_rule) do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'org-rule',
+          selector: "cf:org:#{other_org.guid}",
+          route_id: mtls_route.id
+        )
+      end
+
+      it 'includes resolved selector resources' do
+        get '/v3/access_rules?include=selector_resource', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # Check included structure
+        expect(parsed['included']).to be_a(Hash)
+        expect(parsed['included']['apps']).to be_an(Array)
+        expect(parsed['included']['spaces']).to be_an(Array)
+        expect(parsed['included']['organizations']).to be_an(Array)
+
+        # Check app is included with full details
+        app_included = parsed['included']['apps'].find { |a| a['guid'] == app.guid }
+        expect(app_included).to be_present
+        expect(app_included['name']).to eq('frontend-app')
+        expect(app_included['guid']).to eq(app.guid)
+
+        # Check space is included
+        space_included = parsed['included']['spaces'].find { |s| s['guid'] == other_space.guid }
+        expect(space_included).to be_present
+        expect(space_included['name']).to eq('other-space')
+
+        # Check org is included
+        org_included = parsed['included']['organizations'].find { |o| o['guid'] == other_org.guid }
+        expect(org_included).to be_present
+        expect(org_included['name']).to eq('other-org')
+      end
+
+      it 'handles stale resources (missing GUIDs) gracefully' do
+        stale_guid = '99999999-9999-9999-9999-999999999999'
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'stale-rule',
+          selector: "cf:app:#{stale_guid}",
+          route_id: mtls_route.id
+        )
+
+        get '/v3/access_rules?include=selector_resource', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # Stale resource should not appear in included
+        stale_app = parsed['included']['apps'].find { |a| a['guid'] == stale_guid }
+        expect(stale_app).to be_nil
+      end
+
+      it 'includes only unique resources when multiple rules reference the same resource' do
+        # Create another rule referencing the same app
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'another-app-rule',
+          selector: "cf:app:#{app.guid}",
+          route_id: VCAP::CloudController::Route.make(space: space, domain: mtls_domain).id
+        )
+
+        get '/v3/access_rules?include=selector_resource', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        parsed = Oj.load(last_response.body)
+
+        # App should appear only once
+        app_count = parsed['included']['apps'].count { |a| a['guid'] == app.guid }
+        expect(app_count).to eq(1)
+      end
+
+      it 'does not include resources for cf:any selectors' do
+        VCAP::CloudController::RouteAccessRule.create(
+          guid: SecureRandom.uuid,
+          name: 'any-rule',
+          selector: 'cf:any',
+          route_id: VCAP::CloudController::Route.make(space: space, domain: mtls_domain).id
+        )
+
+        get '/v3/access_rules?include=selector_resource', nil, admin_header
+
+        expect(last_response.status).to eq(200)
+        # Should succeed without error even with cf:any selector
+      end
+    end
   end
 
   describe 'DELETE /v3/access_rules/:guid' do
