Validates private domain doesn't overlap w system hostname and domain

piyalibanerjee · piyalibanerjee · commit 666bcd57ee8a · 2020-07-01T10:45:46.000-07:00
[#173543223]
diff --git a/app/models/runtime/private_domain.rb b/app/models/runtime/private_domain.rb
@@ -44,6 +44,7 @@ def validate
       if (offending_domain = domains_exist_in_other_orgs?)
         errors.add(:name, Sequel.lit(%{The domain name "#{name}" cannot be created because "#{offending_domain.name}" is already reserved by another domain}))
       end
+      validate_system_domain_overlap
       validate_total_private_domains
     end
 
@@ -115,5 +116,16 @@ def reserved?
       rule = PublicSuffix::List.default.find(name)
       !rule.nil? && rule.decompose(name).last.nil?
     end
+
+    def validate_system_domain_overlap
+      system_domain = VCAP::CloudController::Config.config.get(:system_domain)
+      reserved_system_domains = VCAP::CloudController::Config.config.get(:system_hostnames).map { |host| host + '.' + system_domain }
+      if reserved_system_domains.include?(name)
+        errors.add(
+          :name,
+          Sequel.lit(%{The domain name "#{name}" cannot be created because "#{name}" is already reserved by the system})
+        )
+      end
+    end
   end
 end
diff --git a/spec/unit/models/runtime/private_domain_spec.rb b/spec/unit/models/runtime/private_domain_spec.rb
@@ -6,7 +6,7 @@ module VCAP::CloudController
     let(:reserved) { nil }
 
     before(:each) do
-      TestConfig.override({ reserved_private_domains: reserved })
+      TestConfig.override(system_domain: 'customer-app-domain1.com', reserved_private_domains: reserved)
     end
 
     it { is_expected.to have_timestamp_columns }
@@ -32,6 +32,10 @@ module VCAP::CloudController
         include_examples 'domain validation'
       end
 
+      it 'denies private uaa.customer-app-domain1.com when customer-app-domain1.com is the system domain' do
+        expect { PrivateDomain.make name: 'uaa.customer-app-domain1.com' }.to raise_error(Sequel::ValidationFailed, /is already reserved by the system/)
+      end
+
       it 'allows private bar.foo.com when foo.com has the same owner' do
         private_domain = PrivateDomain.make name: 'foo.com'
         expect { PrivateDomain.make name: 'bar.foo.com', owning_organization_id: private_domain.owning_organization_id }.to_not raise_error
