Add support to AppGw Exception feature (#27539)

Author: Yaniv Haddad

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -269,6 +269,14 @@ public void TestTopLevelWafPolicyPerRuleExclusions()
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayWafPolicyExceptions()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithException -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4369,6 +4369,73 @@ function Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions
 	}
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithException
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicyName = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+
+		$ruleEntry1 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942100
+		$ruleEntry2 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942110
+		$sqlRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleEntry1,$ruleEntry2
+
+		$ruleEntry3 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 941100
+		$xssRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleEntry3
+
+		$exceptionRuleSetEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet -Type "OWASP" -Version "3.2" -RuleGroup $sqlRuleGroupEntry,$xssRuleGroupEntry
+
+		$exceptionValue1 = "hey"
+		$exceptionValue2 = "hi"
+
+		$exceptionEntry = New-AzApplicationGatewayFirewallPolicyException -MatchVariable RequestURI -Value $exceptionValue1,$exceptionValue2 -ValueMatchOperator Contains -ExceptionManagedRuleSet $exceptionRuleSetEntry
+
+		$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exception $exceptionEntry
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 750 -MaxRequestBodySizeInKb 128
+		$policy.managedRules = $managedRules
+		$policy.PolicySettings = $policySettings
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+		Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
+		Assert-AreEqual $policy.ManagedRules.Exceptions.Count 1
+		Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets.Count 1
+		Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups.Count 2
+		Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[0].Rules.Count 2
+		Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[1].Rules.Count 1
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 <#
 .SYNOPSIS
 Application gateway v2 waf policy with log scrubbing

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayWafPolicyExceptions.json

@@ -341,6 +341,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzApplicationGatewayFirewallDisabledRuleGroupConfig', 
                'New-AzApplicationGatewayFirewallExclusionConfig', 
                'New-AzApplicationGatewayFirewallMatchVariable', 
+               'New-AzApplicationGatewayFirewallPolicyException', 
                'New-AzApplicationGatewayFirewallPolicy', 
                'New-AzApplicationGatewayFirewallPolicyExclusion', 
                'New-AzApplicationGatewayFirewallPolicyExclusionManagedRule', 

src/Network/Network/Az.Network.psd1

@@ -106,6 +106,8 @@
 * Updated Add-AzNetworkInterfaceIpConfig and New-AzNetworkInterfaceIpConfig cmdlets to add new parameter PrivateIpAddressPrefixLength.
     - `Add-AzNetworkInterfaceIpConfig`
     - `New-AzNetworkInterfaceIpConfig`
+* Onboarded Application Gateway WAF Exceptions cmdlet.
+    - `New-AzApplicationGatewayFirewallPolicyException`   
 
 ## Version 7.15.1
 * Updated VirtualNetworkGatewayConnection cmdlets to pass AuxilaryAuthHeader for referenced resourceIds i.e. LocalNetworkGateway2, VirtualNetworkGateway2. This is needed in case referenced resourceIds are in different AAD Tenant.

src/Network/Network/ChangeLog.md

@@ -33,6 +33,12 @@ public class AzureApplicationGatewayFirewallPolicyManagedRules : NetworkBaseCmdl
         [ValidateNotNullOrEmpty]
         public PSApplicationGatewayFirewallPolicyExclusion[] Exclusion { get; set; }
 
+        [Parameter(
+          Mandatory = false,
+          HelpMessage = "List of Exception Entry.")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyException[] Exception { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();

src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs

@@ -0,0 +1,79 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    public class AzureApplicationGatewayFirewallPolicyException : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The variable on which we evaluate the exception condition.")]
+        [ValidateSet("RequestURI", "RemoteAddr", "RequestHeader", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string MatchVariable { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "Allowed values for the matchVariable.")]
+        [ValidateNotNullOrEmpty]
+        public string[] Value { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "Operates on the allowed values for the matchVariable.")]
+        [ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", "IPMatch", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string ValueMatchOperator { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector.")]
+        [ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", IgnoreCase = true)]
+        public string SelectorMatchOperator { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key.")]
+        public string Selector { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The managed rule sets that are associated with the exception.")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet[] ExceptionManagedRuleSet { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+        }
+
+        protected PSApplicationGatewayFirewallPolicyException NewObject()
+        {
+            return new PSApplicationGatewayFirewallPolicyException()
+            {
+                MatchVariable = this.MatchVariable,
+                Values = this.Value.ToList(),
+                ValueMatchOperator = this.ValueMatchOperator,
+                SelectorMatchOperator = this.SelectorMatchOperator,
+                Selector = this.Selector,
+                ExceptionManagedRuleSets = this.ExceptionManagedRuleSet?.ToList()
+            };
+        }
+    }
+}

src/Network/Network/FirewallPolicy/ManagedRules/Exception/AzureApplicationGatewayFirewallPolicyException.cs

@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyException", SupportsShouldProcess = true), OutputType(typeof(PSApplicationGatewayFirewallPolicyException))]
+    public class NewAzureApplicationGatewayFirewallPolicyExceptionCommand : AzureApplicationGatewayFirewallPolicyException
+    {
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+            WriteObject(base.NewObject());
+        }
+    }
+}

src/Network/Network/FirewallPolicy/ManagedRules/Exception/NewAzureApplicationGatewayFirewallPolicyExceptionCommand.cs

@@ -0,0 +1,42 @@
+//
+// Copyright (c) Microsoft.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using Microsoft.Azure.Management.Network.Models;
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.Network.Models
+{
+    public partial class PSApplicationGatewayFirewallPolicyException
+    {
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string MatchVariable { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<string> Values { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string ValueMatchOperator { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string SelectorMatchOperator { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string Selector { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet> ExceptionManagedRuleSets { get; set; }
+    }
+}

src/Network/Network/Models/PSApplicationGatewayFirewallPolicyException.cs

@@ -27,5 +27,8 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRules
 
         [Ps1Xml(Target = ViewControl.Table)]
         public List<PSApplicationGatewayFirewallPolicyExclusion> Exclusions { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<PSApplicationGatewayFirewallPolicyException> Exceptions { get; set; }
     }
 }

src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRules.cs

@@ -942,6 +942,9 @@ Creates a match variable for firewall condition.
 ### [New-AzApplicationGatewayFirewallPolicy](New-AzApplicationGatewayFirewallPolicy.md)
 Creates a application gateway firewall policy.
 
+### [New-AzApplicationGatewayFirewallPolicyException](New-AzApplicationGatewayFirewallPolicyException.md)
+Creates an exception on the Firewall Policy
+
 ### [New-AzApplicationGatewayFirewallPolicyExclusion](New-AzApplicationGatewayFirewallPolicyExclusion.md)
 Creates an exclusion on the Firewall Policy