Prevent enforce_route_policies on internal and router_group domains

Internal domains bypass GoRouter entirely (using container-to-container
networking), so GoRouter cannot enforce route policies. Similarly, TCP
router groups do not support mTLS policy enforcement.

Add validation to DomainCreateMessage#mutually_exclusive_fields to
reject these invalid combinations at domain creation time.

Author: rkoster

app/messages/domain_create_message.rb

@@ -90,6 +90,10 @@ def alpha_numeric
     def mutually_exclusive_fields
       errors.add(:base, 'Cannot associate an internal domain with an organization') if requested?(:internal) && internal == true && requested?(:relationships)
       errors.add(:base, 'Internal domains cannot be associated to a router group.') if requested?(:internal) && internal == true && requested?(:router_group)
+      errors.add(:base, 'Internal domains cannot have route policy enforcement. Internal routes bypass GoRouter.') if requested?(:internal) && internal == true &&
+                                                                                                                      requested?(:enforce_route_policies) && enforce_route_policies == true
+      errors.add(:base, 'Domains with a router group cannot have route policy enforcement. TCP routes do not support mTLS policy enforcement.') if requested?(:router_group) &&
+                                                                                                                                                   requested?(:enforce_route_policies) && enforce_route_policies == true
       return unless requested?(:relationships) && requested?(:router_group)
 
       errors.add(:base, 'Domains scoped to an organization cannot be associated to a router group.')

spec/unit/messages/domain_create_message_spec.rb

@@ -490,6 +490,44 @@ module VCAP::CloudController
           end
         end
       end
+
+      context 'enforce_route_policies with internal' do
+        context 'when both internal and enforce_route_policies are true' do
+          let(:params) { { name: 'name.com', internal: true, enforce_route_policies: true, route_policies_scope: 'any' } }
+
+          it 'is not valid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors[:base]).to include('Internal domains cannot have route policy enforcement. Internal routes bypass GoRouter.')
+          end
+        end
+
+        context 'when internal is true and enforce_route_policies is false' do
+          let(:params) { { name: 'name.com', internal: true, enforce_route_policies: false } }
+
+          it 'is valid' do
+            expect(subject).to be_valid
+          end
+        end
+      end
+
+      context 'enforce_route_policies with router_group' do
+        context 'when both router_group and enforce_route_policies are set' do
+          let(:params) { { name: 'name.com', router_group: { guid: 'some-guid' }, enforce_route_policies: true, route_policies_scope: 'any' } }
+
+          it 'is not valid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors[:base]).to include('Domains with a router group cannot have route policy enforcement. TCP routes do not support mTLS policy enforcement.')
+          end
+        end
+
+        context 'when router_group is set and enforce_route_policies is false' do
+          let(:params) { { name: 'name.com', router_group: { guid: 'some-guid' }, enforce_route_policies: false } }
+
+          it 'is valid' do
+            expect(subject).to be_valid
+          end
+        end
+      end
     end
 
     describe 'accessor methods' do