chore(apiserver): Clean up routes

# Issue

It was possible to get information for a currently unbound app from the
API server

# Fix

Check if the app is currently bound to the service on all routes.

src/acceptance/api/api_test.go

@@ -79,7 +79,7 @@ var _ = Describe("AutoScaler Public API", func() {
 		Expect(appGUID).NotTo(BeEmpty())
 	})
 
-	Context("when no policy defined", func() {
+	When("no scaling policy is set", func() {
 
 		BeforeEach(func() {
 			_, status := deletePolicy()
@@ -114,7 +114,7 @@ var _ = Describe("AutoScaler Public API", func() {
 
 	})
 
-	Context("When policy is defined", func() {
+	When("a scaling policy is set", func() {
 		memThreshold := int64(10)
 		var policy string
 
@@ -161,7 +161,7 @@ var _ = Describe("AutoScaler Public API", func() {
 
 		})
 
-		Context("for an unrelated user", func() {
+		When("an unrelated user tries to access the API", func() {
 			BeforeEach(func() {
 				workflowhelpers.AsUser(setup.AdminUserContext(), cfg.DefaultTimeoutDuration(), func() {
 					// Make "other user" a space auditor in the space along with a space developer in the other space
@@ -179,7 +179,7 @@ var _ = Describe("AutoScaler Public API", func() {
 			})
 		})
 
-		Context("When scale out is triggered ", func() {
+		When("a scale out is triggered ", func() {
 			BeforeEach(func() {
 				totalTime := time.Duration(cfg.AggregateInterval*2)*time.Second + 3*time.Minute
 				WaitForNInstancesRunning(appGUID, 2, totalTime)
@@ -199,6 +199,27 @@ var _ = Describe("AutoScaler Public API", func() {
 				}
 			})
 		})
+
+		When("trying to get info for an app not bound to the service", func() {
+			BeforeEach(func() {
+				UnbindServiceFromApp(cfg, appName, instanceName)
+			})
+
+			It("should not be possible to get information from the API", func() {
+				By("getting the policy")
+				_, status := getPolicy()
+				Expect(status).To(Equal(http.StatusForbidden))
+
+				By("getting the history")
+				_, status = get(historyURL)
+				Expect(status).To(Equal(http.StatusForbidden))
+
+				By("getting the aggregated metrics")
+				_, status = get(aggregatedMetricURL)
+				Expect(status).To(Equal(http.StatusForbidden))
+			})
+		})
+
 	})
 })
 

src/acceptance/helpers/helpers.go

@@ -501,6 +501,11 @@ func BindServiceToAppWithPolicy(cfg *config.Config, appName string, instanceName
 	return err
 }
 
+func UnbindServiceFromApp(cfg *config.Config, appName string, instanceName string) {
+	unbindService := cf.Cf("unbind-service", appName, instanceName).Wait(cfg.DefaultTimeoutDuration())
+	Expect(unbindService).To(Exit(0), fmt.Sprintf("Failed to unbind service %s from app %s \n CLI Output:\n %s %s", instanceName, appName, unbindService.Buffer().Contents(), unbindService.Err.Contents()))
+}
+
 func CreateService(cfg *config.Config) string {
 	instanceName := generator.PrefixedRandomName(cfg.Prefix, cfg.InstancePrefix)
 	FailOnError(CreateServiceWithPlan(cfg, cfg.ServicePlan, instanceName))

src/autoscaler/api/publicapiserver/public_api_server.go

@@ -52,6 +52,7 @@ func NewPublicApiServer(logger lager.Logger, conf *config.Config, policydb db.Po
 	rp.Use(rateLimiterMiddleware.CheckRateLimit)
 	rp.Use(mw.HasClientToken)
 	rp.Use(mw.Oauth)
+	rp.Use(mw.CheckServiceBinding)
 	rp.Use(httpStatusCollectMiddleware.Collect)
 
 	rp.Get(routes.PublicApiScalingHistoryRouteName).Handler(scalingHistoryHandler)
@@ -68,13 +69,6 @@ func NewPublicApiServer(logger lager.Logger, conf *config.Config, policydb db.Po
 	rpolicy.Get(routes.PublicApiAttachPolicyRouteName).Handler(VarsFunc(pah.AttachScalingPolicy))
 	rpolicy.Get(routes.PublicApiDetachPolicyRouteName).Handler(VarsFunc(pah.DetachScalingPolicy))
 
-	rcredential := routes.ApiCredentialRoutes()
-	rcredential.Use(rateLimiterMiddleware.CheckRateLimit)
-
-	rcredential.Use(httpStatusCollectMiddleware.Collect)
-	rcredential.Use(mw.HasClientToken)
-	rcredential.Use(mw.Oauth)
-
 	return helpers.NewHTTPServer(logger, conf.PublicApiServer, r)
 }