
Commit cc49340

author
Yaniv Haddad
committed
Add support to AppGw Exception feature (#27539)
1 parent aa58e39 commit cc49340

13 files changed

+1903
-1
lines changed

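--- a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs
+++ b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs
@@ -269,6 +269,14 @@ public void TestTopLevelWafPolicyPerRuleExclusions()
 TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
 }
 
+[Fact]
+[Trait(Category.AcceptanceType, Category.CheckIn)]
+[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+public void TestApplicationGatewayWafPolicyExceptions()
+{
+TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithException -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+}
+
 [Fact]
 [Trait(Category.AcceptanceType, Category.CheckIn)]
 [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]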

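--- a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
@@ -4369,6 +4369,73 @@ function Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions
 }
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithException
+{
+# Setup
+$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+$rgname = Get-ResourceGroupName
+$wafPolicyName = Get-ResourceName
+
+try
+{
+$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+# Check firewall policy
+Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+
+$ruleEntry1 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942100
+$ruleEntry2 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 942110
+$sqlRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleEntry1,$ruleEntry2
+
+$ruleEntry3 = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule -RuleId 941100
+$xssRuleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup -Name REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleEntry3
+
+$exceptionRuleSetEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet -Type "OWASP" -Version "3.2" -RuleGroup $sqlRuleGroupEntry,$xssRuleGroupEntry
+
+$exceptionValue1 = "hey"
+$exceptionValue2 = "hi"
+
+$exceptionEntry = New-AzApplicationGatewayFirewallPolicyException -MatchVariable RequestURI -Value $exceptionValue1,$exceptionValue2 -ValueMatchOperator Contains -ExceptionManagedRuleSet $exceptionRuleSetEntry
+
+$managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exception $exceptionEntry
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 750 -MaxRequestBodySizeInKb 128
+$policy.managedRules = $managedRules
+$policy.PolicySettings = $policySettings
+Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets.Count 1
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups.Count 2
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[0].Rules.Count 2
+Assert-AreEqual $policy.ManagedRules.Exceptions[0].ExceptionManagedRuleSets[0].RuleGroups[1].Rules.Count 1
+Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+}
+finally
+{
+# Cleanup
+Clean-ResourceGroup $rgname
+}
+}
+
 <#
 .SYNOPSIS
 Application gateway v2 waf policy with log scrubbing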
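Review bot: The assertions after Set-AzApplicationGatewayFirewallPolicy only check collection counts; nothing verifies that the exception's match condition (RequestURI, Contains, the two values) survived the round trip, so a regression that dropped or rewrote the condition — which changes exactly which requests are exempted from the managed rules — would still pass. Add, after the `RuleGroups[1].Rules.Count 1` assertion, `Assert-AreEqual $policy.ManagedRules.Exceptions[0].MatchVariable "RequestURI"`, `Assert-AreEqual $policy.ManagedRules.Exceptions[0].ValueMatchOperator "Contains"` and `Assert-AreEqual $policy.ManagedRules.Exceptions[0].Values.Count 2`. The Selector / SelectorMatchOperator path (the RequestHeader case described in the new cmdlet's help text) is not exercised at all; a second exception entry using it would cover the remaining parameters of New-AzApplicationGatewayFirewallPolicyException.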

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayWafPolicyExceptions.json

Lines changed: 1507 additions & 0 deletions
Large diffs are not rendered by default.

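--- a/src/Network/Network/Az.Network.psd1
+++ b/src/Network/Network/Az.Network.psd1
@@ -341,6 +341,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
 'New-AzApplicationGatewayFirewallDisabledRuleGroupConfig',
 'New-AzApplicationGatewayFirewallExclusionConfig',
 'New-AzApplicationGatewayFirewallMatchVariable',
+'New-AzApplicationGatewayFirewallPolicyException',
 'New-AzApplicationGatewayFirewallPolicy',
 'New-AzApplicationGatewayFirewallPolicyExclusion',
 'New-AzApplicationGatewayFirewallPolicyExclusionManagedRule',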

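--- a/src/Network/Network/ChangeLog.md
+++ b/src/Network/Network/ChangeLog.md
@@ -106,6 +106,8 @@
 * Updated Add-AzNetworkInterfaceIpConfig and New-AzNetworkInterfaceIpConfig cmdlets to add new parameter PrivateIpAddressPrefixLength.
 - `Add-AzNetworkInterfaceIpConfig`
 - `New-AzNetworkInterfaceIpConfig`
+* Onboarded Application Gateway WAF Exceptions cmdlet.
+- `New-AzApplicationGatewayFirewallPolicyException`
 
 ## Version 7.15.1
 * Updated VirtualNetworkGatewayConnection cmdlets to pass AuxilaryAuthHeader for referenced resourceIds i.e. LocalNetworkGateway2, VirtualNetworkGateway2. This is needed in case referenced resourceIds are in different AAD Tenant.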

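--- a/src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs
+++ b/src/Network/Network/FirewallPolicy/ManagedRules/AzureApplicationGatewayFirewallPolicyManagedRules.cs
@@ -33,6 +33,12 @@ public class AzureApplicationGatewayFirewallPolicyManagedRules : NetworkBaseCmdl
 [ValidateNotNullOrEmpty]
 public PSApplicationGatewayFirewallPolicyExclusion[] Exclusion { get; set; }
 
+[Parameter(
+Mandatory = false,
+HelpMessage = "List of Exception Entry.")]
+[ValidateNotNullOrEmpty]
+public PSApplicationGatewayFirewallPolicyException[] Exception { get; set; }
+
 public override void ExecuteCmdlet()
 {
 base.ExecuteCmdlet();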
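Review bot: The help text on the new `Exception` parameter, `List of Exception Entry.`, tells the user neither what an entry does nor how to build one, and for a setting that relaxes WAF enforcement the help should be explicit. Suggest `HelpMessage = "List of exception entries created with New-AzApplicationGatewayFirewallPolicyException; each entry exempts the managed rule sets it names for requests matching its condition."` — the second clause reflects what the model's ExceptionManagedRuleSets and MatchVariable members imply and should be confirmed against the service documentation before merging. The hunk ends inside ExecuteCmdlet; the place where this array is copied into PSApplicationGatewayFirewallPolicyManagedRules.Exceptions is outside the hunk and is not reviewed here.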
@@ -0,0 +1,79 @@
1+
// ----------------------------------------------------------------------------------
2+
//
3+
// Copyright Microsoft Corporation
4+
// Licensed under the Apache License, Version 2.0 (the "License");
5+
// you may not use this file except in compliance with the License.
6+
// You may obtain a copy of the License at
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
// Unless required by applicable law or agreed to in writing, software
9+
// distributed under the License is distributed on an "AS IS" BASIS,
10+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11+
// See the License for the specific language governing permissions and
12+
// limitations under the License.
13+
// ----------------------------------------------------------------------------------
14+
15+
using Microsoft.Azure.Commands.Network.Models;
16+
using System.Collections.Generic;
17+
using System.Linq;
18+
using System.Management.Automation;
19+
20+
namespace Microsoft.Azure.Commands.Network
21+
{
22+
public class AzureApplicationGatewayFirewallPolicyException : NetworkBaseCmdlet
23+
{
24+
[Parameter(
25+
Mandatory = true,
26+
HelpMessage = "The variable on which we evaluate the exception condition.")]
27+
[ValidateSet("RequestURI", "RemoteAddr", "RequestHeader", IgnoreCase = true)]
28+
[ValidateNotNullOrEmpty]
29+
public string MatchVariable { get; set; }
30+
31+
[Parameter(
32+
Mandatory = true,
33+
HelpMessage = "Allowed values for the matchVariable.")]
34+
[ValidateNotNullOrEmpty]
35+
public string[] Value { get; set; }
36+
37+
[Parameter(
38+
Mandatory = true,
39+
HelpMessage = "Operates on the allowed values for the matchVariable.")]
40+
[ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", "IPMatch", IgnoreCase = true)]
41+
[ValidateNotNullOrEmpty]
42+
public string ValueMatchOperator { get; set; }
43+
44+
[Parameter(
45+
Mandatory = false,
46+
HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this operates on the selector.")]
47+
[ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", IgnoreCase = true)]
48+
public string SelectorMatchOperator { get; set; }
49+
50+
[Parameter(
51+
Mandatory = false,
52+
HelpMessage = "When the matchVariable points to a key-value pair (e.g, RequestHeader), this identifies the key.")]
53+
public string Selector { get; set; }
54+
55+
[Parameter(
56+
Mandatory = false,
57+
HelpMessage = "The managed rule sets that are associated with the exception.")]
58+
[ValidateNotNullOrEmpty]
59+
public PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet[] ExceptionManagedRuleSet { get; set; }
60+
61+
public override void ExecuteCmdlet()
62+
{
63+
base.ExecuteCmdlet();
64+
}
65+
66+
protected PSApplicationGatewayFirewallPolicyException NewObject()
67+
{
68+
return new PSApplicationGatewayFirewallPolicyException()
69+
{
70+
MatchVariable = this.MatchVariable,
71+
Values = this.Value.ToList(),
72+
ValueMatchOperator = this.ValueMatchOperator,
73+
SelectorMatchOperator = this.SelectorMatchOperator,
74+
Selector = this.Selector,
75+
ExceptionManagedRuleSets = this.ExceptionManagedRuleSet?.ToList()
76+
};
77+
}
78+
}
79+
}
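Review bot: ExecuteCmdlet in the new AzureApplicationGatewayFirewallPolicyException class performs no cross-parameter validation, so `-Selector` without `-SelectorMatchOperator` (or the reverse) is accepted and the half-specified condition only surfaces, if at all, when the policy is later pushed with Set-AzApplicationGatewayFirewallPolicy, far from the cmdlet that produced it. Because an exception entry narrows what the managed rules inspect, rejecting an incomplete condition up front is worth the few lines below; whether `IPMatch` is valid for MatchVariable values other than RemoteAddr is not visible in this file and should be confirmed against the service before adding a similar check for it. The class and NewObject also lack `///` summaries; a one-line `<summary>` on the class stating that it builds an in-memory PSApplicationGatewayFirewallPolicyException and makes no service call would help readers.

```csharp
        public override void ExecuteCmdlet()
        {
            base.ExecuteCmdlet();

            // Selector and SelectorMatchOperator describe one key/value condition;
            // accepting only one of them produces a half-specified entry.
            bool hasSelector = !string.IsNullOrEmpty(this.Selector);
            bool hasSelectorOperator = !string.IsNullOrEmpty(this.SelectorMatchOperator);
            if (hasSelector != hasSelectorOperator)
            {
                throw new PSArgumentException(
                    $"{nameof(Selector)} and {nameof(SelectorMatchOperator)} must be specified together.");
            }
        }

        // … unchanged: NewObject …
```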
@@ -0,0 +1,29 @@
1+
// ----------------------------------------------------------------------------------
2+
//
3+
// Copyright Microsoft Corporation
4+
// Licensed under the Apache License, Version 2.0 (the "License");
5+
// you may not use this file except in compliance with the License.
6+
// You may obtain a copy of the License at
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
// Unless required by applicable law or agreed to in writing, software
9+
// distributed under the License is distributed on an "AS IS" BASIS,
10+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11+
// See the License for the specific language governing permissions and
12+
// limitations under the License.
13+
// ----------------------------------------------------------------------------------
14+
15+
using Microsoft.Azure.Commands.Network.Models;
16+
using System.Management.Automation;
17+
18+
namespace Microsoft.Azure.Commands.Network
19+
{
20+
[Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyException", SupportsShouldProcess = true), OutputType(typeof(PSApplicationGatewayFirewallPolicyException))]
21+
public class NewAzureApplicationGatewayFirewallPolicyExceptionCommand : AzureApplicationGatewayFirewallPolicyException
22+
{
23+
public override void ExecuteCmdlet()
24+
{
25+
base.ExecuteCmdlet();
26+
WriteObject(base.NewObject());
27+
}
28+
}
29+
}
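Review bot: The cmdlet attribute declares `SupportsShouldProcess = true` but ExecuteCmdlet never calls ShouldProcess, so `-WhatIf` and `-Confirm` are accepted and silently ignored. For a cmdlet that only builds an in-memory object this is harmless, and if the existing New-AzApplicationGatewayFirewallPolicyExclusion cmdlet is written the same way, matching it is reasonable; otherwise either drop the flag or guard the output with `if (ShouldProcess("ApplicationGatewayFirewallPolicyException", "Create in-memory exception entry")) { WriteObject(base.NewObject()); }`.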
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
//
2+
// Copyright (c) Microsoft. All rights reserved.
3+
//
4+
// Licensed under the Apache License, Version 2.0 (the "License");
5+
// you may not use this file except in compliance with the License.
6+
// You may obtain a copy of the License at
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
//
15+
16+
using Microsoft.Azure.Management.Network.Models;
17+
using Microsoft.WindowsAzure.Commands.Common.Attributes;
18+
using System.Collections.Generic;
19+
20+
namespace Microsoft.Azure.Commands.Network.Models
21+
{
22+
public partial class PSApplicationGatewayFirewallPolicyException
23+
{
24+
[Ps1Xml(Target = ViewControl.Table)]
25+
public string MatchVariable { get; set; }
26+
27+
[Ps1Xml(Target = ViewControl.Table)]
28+
public List<string> Values { get; set; }
29+
30+
[Ps1Xml(Target = ViewControl.Table)]
31+
public string ValueMatchOperator { get; set; }
32+
33+
[Ps1Xml(Target = ViewControl.Table)]
34+
public string SelectorMatchOperator { get; set; }
35+
36+
[Ps1Xml(Target = ViewControl.Table)]
37+
public string Selector { get; set; }
38+
39+
[Ps1Xml(Target = ViewControl.Table)]
40+
public List<PSApplicationGatewayFirewallPolicyExclusionManagedRuleSet> ExceptionManagedRuleSets { get; set; }
41+
}
42+
}
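Review bot: PSApplicationGatewayFirewallPolicyException carries no XML documentation, so a reader of the model cannot tell what an entry represents or which members are optional; the `partial` keyword suggests the SDK-model conversion lives in another file, which this hunk does not show. Add a class `<summary>` stating that the type is one WAF exception entry whose condition is MatchVariable / ValueMatchOperator / Values, optionally narrowed by Selector / SelectorMatchOperator, and whose ExceptionManagedRuleSets lists the managed rule sets the exception applies to. Mark Selector, SelectorMatchOperator and ExceptionManagedRuleSets as optional in their summaries, matching the `Mandatory = false` declarations on the cmdlet that builds this object.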

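--- a/src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRules.cs
+++ b/src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRules.cs
@@ -27,5 +27,8 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRules
 
 [Ps1Xml(Target = ViewControl.Table)]
 public List<PSApplicationGatewayFirewallPolicyExclusion> Exclusions { get; set; }
+
+[Ps1Xml(Target = ViewControl.Table)]
+public List<PSApplicationGatewayFirewallPolicyException> Exceptions { get; set; }
 }
 }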

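--- a/src/Network/Network/help/Az.Network.md
+++ b/src/Network/Network/help/Az.Network.md
@@ -942,6 +942,9 @@ Creates a match variable for firewall condition.
 ### [New-AzApplicationGatewayFirewallPolicy](New-AzApplicationGatewayFirewallPolicy.md)
 Creates a application gateway firewall policy.
 
+### [New-AzApplicationGatewayFirewallPolicyException](New-AzApplicationGatewayFirewallPolicyException.md)
+Creates an exception on the Firewall Policy
+
 ### [New-AzApplicationGatewayFirewallPolicyExclusion](New-AzApplicationGatewayFirewallPolicyExclusion.md)
 Creates an exclusion on the Firewall Policy
 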