RFC0055 Identity-Aware Routing

.gitignore

@@ -26,6 +26,7 @@ _testmain.go
 # Built binaries
 *.exe
 /cli
+/cf/cli
 
 out/
 release/*

actor/actionerror/route_policy_not_found_error.go

@@ -0,0 +1,11 @@
+package actionerror
+
+import "fmt"
+
+type RoutePolicyNotFoundError struct {
+	Source string
+}
+
+func (e RoutePolicyNotFoundError) Error() string {
+	return fmt.Sprintf("Route policy with source '%s' not found.", e.Source)
+}

actor/v7action/cloud_controller_client.go

@@ -20,6 +20,7 @@ type CloudControllerClient interface {
 	CancelDeployment(deploymentGUID string) (ccv3.Warnings, error)
 	ContinueDeployment(deploymentGUID string) (ccv3.Warnings, error)
 	CopyPackage(sourcePackageGUID string, targetAppGUID string) (resources.Package, ccv3.Warnings, error)
+	CreateRoutePolicy(routePolicy resources.RoutePolicy) (resources.RoutePolicy, ccv3.Warnings, error)
 	CreateApplication(app resources.Application) (resources.Application, ccv3.Warnings, error)
 	CreateApplicationDeployment(dep resources.Deployment) (string, ccv3.Warnings, error)
 	CreateApplicationProcessScale(appGUID string, process resources.Process) (resources.Process, ccv3.Warnings, error)
@@ -42,6 +43,7 @@ type CloudControllerClient interface {
 	CreateSpace(space resources.Space) (resources.Space, ccv3.Warnings, error)
 	CreateSpaceQuota(spaceQuota resources.SpaceQuota) (resources.SpaceQuota, ccv3.Warnings, error)
 	CreateUser(userGUID string) (resources.User, ccv3.Warnings, error)
+	DeleteRoutePolicy(guid string) (ccv3.JobURL, ccv3.Warnings, error)
 	DeleteApplication(guid string) (ccv3.JobURL, ccv3.Warnings, error)
 	DeleteApplicationProcessInstance(appGUID string, processType string, instanceIndex int) (ccv3.Warnings, error)
 	DeleteBuildpack(buildpackGUID string) (ccv3.JobURL, ccv3.Warnings, error)
@@ -63,6 +65,7 @@ type CloudControllerClient interface {
 	DeleteUser(userGUID string) (ccv3.JobURL, ccv3.Warnings, error)
 	DownloadDroplet(dropletGUID string) ([]byte, ccv3.Warnings, error)
 	EntitleIsolationSegmentToOrganizations(isoGUID string, orgGUIDs []string) (resources.RelationshipList, ccv3.Warnings, error)
+	GetRoutePolicies(query ...ccv3.Query) ([]resources.RoutePolicy, ccv3.IncludedResources, ccv3.Warnings, error)
 	GetApplicationByNameAndSpace(appName string, spaceGUID string) (resources.Application, ccv3.Warnings, error)
 	GetApplicationDropletCurrent(appGUID string) (resources.Droplet, ccv3.Warnings, error)
 	GetApplicationEnvironment(appGUID string) (ccv3.Environment, ccv3.Warnings, error)

actor/v7action/domain.go

@@ -24,7 +24,7 @@ func (actor Actor) CheckRoute(domainName string, hostname string, path string, p
 	return matches, allWarnings, err
 }
 
-func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGroupName string) (Warnings, error) {
+func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGroupName string, enforceAccessRules bool, accessRulesScope string) (Warnings, error) {
 	allWarnings := Warnings{}
 	routerGroupGUID := ""
 
@@ -37,28 +37,45 @@ func (actor Actor) CreateSharedDomain(domainName string, internal bool, routerGr
 		routerGroupGUID = routerGroup.GUID
 	}
 
-	_, warnings, err := actor.CloudControllerClient.CreateDomain(resources.Domain{
+	domain := resources.Domain{
 		Name:        domainName,
 		Internal:    types.NullBool{IsSet: true, Value: internal},
 		RouterGroup: routerGroupGUID,
-	})
+	}
+
+	// Set enforce_route_policies if specified
+	if enforceAccessRules {
+		domain.EnforceRoutePolicies = types.NullBool{IsSet: true, Value: true}
+		domain.RoutePoliciesScope = accessRulesScope
+	}
+
+	_, warnings, err := actor.CloudControllerClient.CreateDomain(domain)
 	allWarnings = append(allWarnings, Warnings(warnings)...)
 
 	return allWarnings, err
 }
 
-func (actor Actor) CreatePrivateDomain(domainName string, orgName string) (Warnings, error) {
+func (actor Actor) CreatePrivateDomain(domainName string, orgName string, enforceAccessRules bool, accessRulesScope string) (Warnings, error) {
 	allWarnings := Warnings{}
 	organization, warnings, err := actor.GetOrganizationByName(orgName)
 	allWarnings = append(allWarnings, warnings...)
 
 	if err != nil {
 		return allWarnings, err
 	}
-	_, apiWarnings, err := actor.CloudControllerClient.CreateDomain(resources.Domain{
+
+	domain := resources.Domain{
 		Name:             domainName,
 		OrganizationGUID: organization.GUID,
-	})
+	}
+
+	// Set enforce_route_policies if specified
+	if enforceAccessRules {
+		domain.EnforceRoutePolicies = types.NullBool{IsSet: true, Value: true}
+		domain.RoutePoliciesScope = accessRulesScope
+	}
+
+	_, apiWarnings, err := actor.CloudControllerClient.CreateDomain(domain)
 
 	actorWarnings := Warnings(apiWarnings)
 	allWarnings = append(allWarnings, actorWarnings...)

actor/v7action/domain_test.go

@@ -112,17 +112,21 @@ var _ = Describe("Domain Actions", func() {
 
 	Describe("CreateSharedDomain", func() {
 		var (
-			warnings    Warnings
-			executeErr  error
-			routerGroup string
+			warnings      Warnings
+			executeErr    error
+			routerGroup   string
+			enforceRules  bool
+			scope         string
 		)
 
 		JustBeforeEach(func() {
-			warnings, executeErr = actor.CreateSharedDomain("the-domain-name", true, routerGroup)
+			warnings, executeErr = actor.CreateSharedDomain("the-domain-name", true, routerGroup, enforceRules, scope)
 		})
 
 		BeforeEach(func() {
 			routerGroup = ""
+			enforceRules = false
+			scope = ""
 			fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1", "create-warning-2"}, errors.New("create-error"))
 		})
 
@@ -170,11 +174,40 @@ var _ = Describe("Domain Actions", func() {
 				))
 			})
 		})
+
+		Context("when enforce route policies is enabled with a scope", func() {
+			BeforeEach(func() {
+				enforceRules = true
+				scope = "org"
+				fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1"}, nil)
+			})
+
+			It("passes EnforceRoutePolicies and RoutePoliciesScope to the client", func() {
+				Expect(executeErr).NotTo(HaveOccurred())
+
+				Expect(fakeCloudControllerClient.CreateDomainCallCount()).To(Equal(1))
+				passedDomain := fakeCloudControllerClient.CreateDomainArgsForCall(0)
+				Expect(passedDomain.EnforceRoutePolicies).To(Equal(types.NullBool{IsSet: true, Value: true}))
+				Expect(passedDomain.RoutePoliciesScope).To(Equal("org"))
+			})
+		})
 	})
 
 	Describe("CreatePrivateDomain", func() {
+		var (
+			warnings     Warnings
+			executeErr   error
+			enforceRules bool
+			scope        string
+		)
+
+		JustBeforeEach(func() {
+			warnings, executeErr = actor.CreatePrivateDomain("private-domain-name", "org-name", enforceRules, scope)
+		})
 
 		BeforeEach(func() {
+			enforceRules = false
+			scope = ""
 			fakeCloudControllerClient.GetOrganizationsReturns(
 				[]resources.Organization{
 					{GUID: "org-guid"},
@@ -191,7 +224,6 @@ var _ = Describe("Domain Actions", func() {
 		})
 
 		It("delegates to the cloud controller client", func() {
-			warnings, executeErr := actor.CreatePrivateDomain("private-domain-name", "org-name")
 			Expect(executeErr).To(MatchError("create-error"))
 			Expect(warnings).To(ConsistOf("get-orgs-warning", "create-warning-1", "create-warning-2"))
 
@@ -205,6 +237,23 @@ var _ = Describe("Domain Actions", func() {
 				},
 			))
 		})
+
+		Context("when enforce route policies is enabled with a scope", func() {
+			BeforeEach(func() {
+				enforceRules = true
+				scope = "org"
+				fakeCloudControllerClient.CreateDomainReturns(resources.Domain{}, ccv3.Warnings{"create-warning-1"}, nil)
+			})
+
+			It("passes EnforceRoutePolicies and RoutePoliciesScope to the client", func() {
+				Expect(executeErr).NotTo(HaveOccurred())
+
+				Expect(fakeCloudControllerClient.CreateDomainCallCount()).To(Equal(1))
+				passedDomain := fakeCloudControllerClient.CreateDomainArgsForCall(0)
+				Expect(passedDomain.EnforceRoutePolicies).To(Equal(types.NullBool{IsSet: true, Value: true}))
+				Expect(passedDomain.RoutePoliciesScope).To(Equal("org"))
+			})
+		})
 	})
 
 	Describe("delete domain", func() {