RFC0055 Identity-Aware Routing

.gitignore

@@ -26,6 +26,7 @@ _testmain.go
 # Built binaries
 *.exe
 /cli
+/cf/cli
 
 out/
 release/*

actor/actionerror/domain_not_enforcing_route_policies_error.go

@@ -0,0 +1,13 @@
+package actionerror
+
+import "fmt"
+
+// DomainNotEnforcingRoutePoliciesError is returned when a user attempts to
+// add a route policy to a domain that does not have enforce_route_policies enabled.
+type DomainNotEnforcingRoutePoliciesError struct {
+	Name string
+}
+
+func (e DomainNotEnforcingRoutePoliciesError) Error() string {
+	return fmt.Sprintf("Domain '%s' does not have route policy enforcement enabled.", e.Name)
+}

actor/actionerror/route_policy_ambiguity_error.go

@@ -0,0 +1,17 @@
+package actionerror
+
+import "fmt"
+
+// RoutePolicyAmbiguityError is returned when a route has multiple policies
+// and no --source flag was given to disambiguate.
+type RoutePolicyAmbiguityError struct {
+	RouteURL string
+	Count    int
+}
+
+func (e RoutePolicyAmbiguityError) Error() string {
+	return fmt.Sprintf(
+		"Route '%s' has %d policies. Specify one with --source.",
+		e.RouteURL, e.Count,
+	)
+}

actor/actionerror/route_policy_not_found_error.go

@@ -0,0 +1,11 @@
+package actionerror
+
+import "fmt"
+
+type RoutePolicyNotFoundError struct {
+	Source string
+}
+
+func (e RoutePolicyNotFoundError) Error() string {
+	return fmt.Sprintf("Route policy with source '%s' not found.", e.Source)
+}

actor/v7action/cloud_controller_client.go

@@ -20,6 +20,7 @@ type CloudControllerClient interface {
 	CancelDeployment(deploymentGUID string) (ccv3.Warnings, error)
 	ContinueDeployment(deploymentGUID string) (ccv3.Warnings, error)
 	CopyPackage(sourcePackageGUID string, targetAppGUID string) (resources.Package, ccv3.Warnings, error)
+	CreateRoutePolicy(routePolicy resources.RoutePolicy) (resources.RoutePolicy, ccv3.Warnings, error)
 	CreateApplication(app resources.Application) (resources.Application, ccv3.Warnings, error)
 	CreateApplicationDeployment(dep resources.Deployment) (string, ccv3.Warnings, error)
 	CreateApplicationProcessScale(appGUID string, process resources.Process) (resources.Process, ccv3.Warnings, error)
@@ -42,6 +43,7 @@ type CloudControllerClient interface {
 	CreateSpace(space resources.Space) (resources.Space, ccv3.Warnings, error)
 	CreateSpaceQuota(spaceQuota resources.SpaceQuota) (resources.SpaceQuota, ccv3.Warnings, error)
 	CreateUser(userGUID string) (resources.User, ccv3.Warnings, error)
+	DeleteRoutePolicy(guid string) (ccv3.JobURL, ccv3.Warnings, error)
 	DeleteApplication(guid string) (ccv3.JobURL, ccv3.Warnings, error)
 	DeleteApplicationProcessInstance(appGUID string, processType string, instanceIndex int) (ccv3.Warnings, error)
 	DeleteBuildpack(buildpackGUID string) (ccv3.JobURL, ccv3.Warnings, error)
@@ -63,6 +65,7 @@ type CloudControllerClient interface {
 	DeleteUser(userGUID string) (ccv3.JobURL, ccv3.Warnings, error)
 	DownloadDroplet(dropletGUID string) ([]byte, ccv3.Warnings, error)
 	EntitleIsolationSegmentToOrganizations(isoGUID string, orgGUIDs []string) (resources.RelationshipList, ccv3.Warnings, error)
+	GetRoutePolicies(query ...ccv3.Query) ([]resources.RoutePolicy, ccv3.IncludedResources, ccv3.Warnings, error)
 	GetApplicationByNameAndSpace(appName string, spaceGUID string) (resources.Application, ccv3.Warnings, error)
 	GetApplicationDropletCurrent(appGUID string) (resources.Droplet, ccv3.Warnings, error)
 	GetApplicationEnvironment(appGUID string) (ccv3.Environment, ccv3.Warnings, error)

actor/v7action/domain.go

@@ -24,7 +24,7 @@ func (actor Actor) CheckRoute(domainName string, hostname string, path string, p
 	return matches, allWarnings, err
 }
 
-func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGroupName string) (Warnings, error) {
+func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGroupName string, enforceAccessRules bool, accessRulesScope string) (Warnings, error) {
 	allWarnings := Warnings{}
 	routerGroupGUID := ""
 
@@ -37,28 +37,45 @@ func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGr
 		routerGroupGUID = routerGroup.GUID
 	}
 
-	_, warnings, err := actor.CloudControllerClient.CreateDomain(resources.Domain{
+	domain := resources.Domain{
 		Name:        domainName,
 		Internal:    types.NullBool{IsSet: true, Value: internal},
 		RouterGroup: routerGroupGUID,
-	})
+	}
+
+	// Set enforce_route_policies if specified
+	if enforceAccessRules {
+		domain.EnforceRoutePolicies = types.NullBool{IsSet: true, Value: true}
+		domain.RoutePoliciesScope = accessRulesScope
+	}
+
+	_, warnings, err := actor.CloudControllerClient.CreateDomain(domain)
 	allWarnings = append(allWarnings, Warnings(warnings)...)
 
 	return allWarnings, err
 }
 
-func (actor Actor) CreatePrivateDomain(domainName string, orgName string) (Warnings, error) {
+func (actor Actor) CreatePrivateDomain(domainName string, orgName string, enforceAccessRules bool, accessRulesScope string) (Warnings, error) {
 	allWarnings := Warnings{}
 	organization, warnings, err := actor.GetOrganizationByName(orgName)
 	allWarnings = append(allWarnings, warnings...)
 
 	if err != nil {
 		return allWarnings, err
 	}
-	_, apiWarnings, err := actor.CloudControllerClient.CreateDomain(resources.Domain{
+
+	domain := resources.Domain{
 		Name:             domainName,
 		OrganizationGUID: organization.GUID,
-	})
+	}
+
+	// Set enforce_route_policies if specified
+	if enforceAccessRules {
+		domain.EnforceRoutePolicies = types.NullBool{IsSet: true, Value: true}
+		domain.RoutePoliciesScope = accessRulesScope
+	}
+
+	_, apiWarnings, err := actor.CloudControllerClient.CreateDomain(domain)
 
 	actorWarnings := Warnings(apiWarnings)
 	allWarnings = append(allWarnings, actorWarnings...)

actor/v7action/domain_test.go

@@ -112,17 +112,21 @@ var _ = Describe("Domain Actions", func() {
 
 	Describe("CreateSharedDomain", func() {
 		var (
-			warnings    Warnings
-			executeErr  error
-			routerGroup string
+			warnings      Warnings
+			executeErr    error
+			routerGroup   string
+			enforceRules  bool
+			scope         string
 		)
 
 		JustBeforeEach(func() {
-			warnings, executeErr = actor.CreateSharedDomain("the-domain-name", true, routerGroup)
+			warnings, executeErr = actor.CreateSharedDomain("the-domain-name", true, routerGroup, enforceRules, scope)
 		})
 
 		BeforeEach(func() {
 			routerGroup = ""
+			enforceRules = false
+			scope = ""
 			fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1", "create-warning-2"}, errors.New("create-error"))
 		})
 
@@ -170,11 +174,40 @@ var _ = Describe("Domain Actions", func() {
 				))
 			})
 		})
+
+		Context("when enforce route policies is enabled with a scope", func() {
+			BeforeEach(func() {
+				enforceRules = true
+				scope = "org"
+				fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1"}, nil)
+			})
+
+			It("passes EnforceRoutePolicies and RoutePoliciesScope to the client", func() {
+				Expect(executeErr).NotTo(HaveOccurred())
+
+				Expect(fakeCloudControllerClient.CreateDomainCallCount()).To(Equal(1))
+				passedDomain := fakeCloudControllerClient.CreateDomainArgsForCall(0)
+				Expect(passedDomain.EnforceRoutePolicies).To(Equal(types.NullBool{IsSet: true, Value: true}))
+				Expect(passedDomain.RoutePoliciesScope).To(Equal("org"))
+			})
+		})
 	})
 
 	Describe("CreatePrivateDomain", func() {
+		var (
+			warnings     Warnings
+			executeErr   error
+			enforceRules bool
+			scope        string
+		)
+
+		JustBeforeEach(func() {
+			warnings, executeErr = actor.CreatePrivateDomain("private-domain-name", "org-name", enforceRules, scope)
+		})
 
 		BeforeEach(func() {
+			enforceRules = false
+			scope = ""
 			fakeCloudControllerClient.GetOrganizationsReturns(
 				[]resources.Organization{
 					{GUID: "org-guid"},
@@ -191,7 +224,6 @@ var _ = Describe("Domain Actions", func() {
 		})
 
 		It("delegates to the cloud controller client", func() {
-			warnings, executeErr := actor.CreatePrivateDomain("private-domain-name", "org-name")
 			Expect(executeErr).To(MatchError("create-error"))
 			Expect(warnings).To(ConsistOf("get-orgs-warning", "create-warning-1", "create-warning-2"))
 
@@ -205,6 +237,23 @@ var _ = Describe("Domain Actions", func() {
 				},
 			))
 		})
+
+		Context("when enforce route policies is enabled with a scope", func() {
+			BeforeEach(func() {
+				enforceRules = true
+				scope = "org"
+				fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1"}, nil)
+			})
+
+			It("passes EnforceRoutePolicies and RoutePoliciesScope to the client", func() {
+				Expect(executeErr).NotTo(HaveOccurred())
+
+				Expect(fakeCloudControllerClient.CreateDomainCallCount()).To(Equal(1))
+				passedDomain := fakeCloudControllerClient.CreateDomainArgsForCall(0)
+				Expect(passedDomain.EnforceRoutePolicies).To(Equal(types.NullBool{IsSet: true, Value: true}))
+				Expect(passedDomain.RoutePoliciesScope).To(Equal("org"))
+			})
+		})
 	})
 
 	Describe("delete domain", func() {

actor/v7action/label.go

@@ -2,6 +2,7 @@ package v7action
 
 import (
 	"code.cloudfoundry.org/cli/v9/actor/actionerror"
+	"code.cloudfoundry.org/cli/v9/api/cloudcontroller/ccv3"
 	"code.cloudfoundry.org/cli/v9/resources"
 	"code.cloudfoundry.org/cli/v9/types"
 )
@@ -178,3 +179,55 @@ func (actor *Actor) updateResourceMetadata(resourceType string, resourceGUID str
 
 	return warnings, nil
 }
+
+// resolveRoutePolicyGUID finds the GUID of the route policy to operate on.
+// If source is non-empty, it finds the policy with that source.
+// If source is empty, it requires exactly one policy (returns ambiguity or not-found error).
+func (actor *Actor) resolveRoutePolicyGUID(routeURL, spaceGUID, source string) (string, *resources.Metadata, Warnings, error) {
+	route, routeWarnings, err := actor.GetRoute(routeURL, spaceGUID)
+	if err != nil {
+		return "", nil, routeWarnings, err
+	}
+
+	routePolicies, _, policyWarnings, err := actor.CloudControllerClient.GetRoutePolicies(
+		ccv3.Query{Key: ccv3.RouteGUIDFilter, Values: []string{route.GUID}},
+	)
+	allWarnings := append(routeWarnings, Warnings(policyWarnings)...)
+	if err != nil {
+		return "", nil, allWarnings, err
+	}
+
+	if source != "" {
+		for _, p := range routePolicies {
+			if p.Source == source {
+				return p.GUID, p.Metadata, allWarnings, nil
+			}
+		}
+		return "", nil, allWarnings, actionerror.RoutePolicyNotFoundError{Source: source}
+	}
+
+	if len(routePolicies) == 0 {
+		return "", nil, allWarnings, actionerror.RoutePolicyNotFoundError{Source: ""}
+	}
+	if len(routePolicies) > 1 {
+		return "", nil, allWarnings, actionerror.RoutePolicyAmbiguityError{RouteURL: routeURL, Count: len(routePolicies)}
+	}
+	p := routePolicies[0]
+	return p.GUID, p.Metadata, allWarnings, nil
+}
+
+func (actor *Actor) GetRoutePolicyLabels(routeURL, spaceGUID, source string) (map[string]types.NullString, Warnings, error) {
+	_, metadata, warnings, err := actor.resolveRoutePolicyGUID(routeURL, spaceGUID, source)
+	if err != nil {
+		return nil, warnings, err
+	}
+	return actor.extractLabels(metadata, warnings, nil)
+}
+
+func (actor *Actor) UpdateRoutePolicyLabels(routeURL, spaceGUID, source string, labels map[string]types.NullString) (Warnings, error) {
+	policyGUID, _, warnings, err := actor.resolveRoutePolicyGUID(routeURL, spaceGUID, source)
+	if err != nil {
+		return warnings, err
+	}
+	return actor.updateResourceMetadata("route-policy", policyGUID, resources.Metadata{Labels: labels}, warnings)
+}