Added new parameters to AzApplicationGatewayFirewallPolicySettings for CustomBlockResponseFeature (#19971)

* Powershell changes for waf custom block response feature

* Added test record

* Update ChangeLog.md

* Updating sdk version for 2022-07-01

* Updated tests

* Update ChangeLog.md

Co-authored-by: Akshay Murali <[email protected]>
Co-authored-by: Adishree Mazumder <[email protected]>
Co-authored-by: Beisi Zhou <[email protected]>

Author: 4 people

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -237,5 +237,13 @@ public void TestApplicationGatewayFirewallPolicyWithUppercaseTransform()
         {
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyWithCustomBlockResponse()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4270,3 +4270,91 @@ function Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform
 		Clean-ResourceGroup $rgname
 	}
 }
+
+function Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicy = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# Test both status and body are present
+		$customBlockResponseBody = "Sorry! Forbidden"
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70 -CustomBlockResponseStatusCode 405 -CustomBlockResponseBody $customBlockResponseBody
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+	
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		Assert-AreEqual $policySettings.FileUploadLimitInMb $policy.PolicySettings.FileUploadLimitInMb 
+		Assert-AreEqual $policySettings.MaxRequestBodySizeInKb $policy.PolicySettings.MaxRequestBodySizeInKb 
+		Assert-AreEqual $policySettings.RequestBodyCheck $policy.PolicySettings.RequestBodyCheck 
+		Assert-AreEqual $policySettings.Mode $policy.PolicySettings.Mode 
+		Assert-AreEqual $policySettings.State $policy.PolicySettings.State 
+		Assert-AreEqual $policySettings.CustomBlockResponseStatusCode $policy.CustomBlockResponseStatusCode
+		Assert-AreEqual $customBlockResponseBody $policy.CustomBlockResponseBody
+
+		# test status code alone present
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70 -CustomBlockResponseStatusCode 405
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		Set-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -ManagedRule $managedRule -PolicySetting $policySettings
+	
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policySettings.FileUploadLimitInMb $policy.PolicySettings.FileUploadLimitInMb 
+		Assert-AreEqual $policySettings.MaxRequestBodySizeInKb $policy.PolicySettings.MaxRequestBodySizeInKb 
+		Assert-AreEqual $policySettings.RequestBodyCheck $policy.PolicySettings.RequestBodyCheck 
+		Assert-AreEqual $policySettings.Mode $policy.PolicySettings.Mode 
+		Assert-AreEqual $policySettings.State $policy.PolicySettings.State 
+		Assert-AreEqual $policySettings.CustomBlockResponseStatusCode $policy.CustomBlockResponseStatusCode
+		Assert-Null 	$policy.CustomBlockResponseBody
+
+		# test body alone present 
+		$customBlockResponseBody = "Sorry! Forbidden. You can't access"
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70 -CustomBlockResponseBody $customBlockResponseBody
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		Set-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -ManagedRule $managedRule -PolicySetting $policySettings
+	
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policySettings.FileUploadLimitInMb $policy.PolicySettings.FileUploadLimitInMb 
+		Assert-AreEqual $policySettings.MaxRequestBodySizeInKb $policy.PolicySettings.MaxRequestBodySizeInKb 
+		Assert-AreEqual $policySettings.RequestBodyCheck $policy.PolicySettings.RequestBodyCheck 
+		Assert-AreEqual $policySettings.Mode $policy.PolicySettings.Mode 
+		Assert-AreEqual $policySettings.State $policy.PolicySettings.State 
+		Assert-Null 	$policy.CustomBlockResponseStatusCode
+		Assert-AreEqual $customBlockResponseBody $policy.CustomBlockResponseBody 
+
+		# test both are not present
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		Set-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -ManagedRule $managedRule -PolicySetting $policySettings
+	
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policySettings.FileUploadLimitInMb $policy.PolicySettings.FileUploadLimitInMb 
+		Assert-AreEqual $policySettings.MaxRequestBodySizeInKb $policy.PolicySettings.MaxRequestBodySizeInKb 
+		Assert-AreEqual $policySettings.RequestBodyCheck $policy.PolicySettings.RequestBodyCheck 
+		Assert-AreEqual $policySettings.Mode $policy.PolicySettings.Mode 
+		Assert-AreEqual $policySettings.State $policy.PolicySettings.State 
+		Assert-Null 	$policy.CustomBlockResponseStatusCode
+		Assert-Null 	$policy.CustomBlockResponseBody
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyWithCustomBlockResponse.json

@@ -19,7 +19,7 @@
 --->
 
 ## Upcoming Release
-* Upgraded AutoMapper to Microsoft.Azure.PowerShell.AutoMapper 6.2.2 with fix [#18721]
+* Added optional parameters `CustomBlockResponseStatusCode` and `CustomBlockResponseBody` parameter to `AzApplicationGatewayFirewallPolicySettings`
 
 ## Version 5.1.2
 * Upgraded AutoMapper to Microsoft.Azure.PowerShell.AutoMapper 6.2.2 with fix [#18721]

src/Network/Network/ChangeLog.md

@@ -19,6 +19,8 @@
 using Microsoft.Azure.Management.Network.Models;
 using Microsoft.Rest.Azure;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System;
+using System.Text;
 
 namespace Microsoft.Azure.Commands.Network
 {
@@ -42,13 +44,29 @@ public class GetAzureApplicationGatewayFirewallPolicyCommand : ApplicationGatewa
         [ValidateNotNullOrEmpty]
         public virtual string ResourceGroupName { get; set; }
 
+        // CustomBlockResponse body is stored as base64. We need to convert it back to string during a GET call
+        private void ConvertCustomBlockResponseBodyToString(PSApplicationGatewayWebApplicationFirewallPolicy firewallPolicy)
+        {
+            byte[] customBlockResponseBodyByteArray = Convert.FromBase64String(firewallPolicy.PolicySettings.CustomBlockResponseBody);
+            firewallPolicy.PolicySettings.CustomBlockResponseBody = Encoding.UTF8.GetString(customBlockResponseBodyByteArray);
+        }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
             if (!string.IsNullOrEmpty(this.Name))
             {
                 var firewallPolicy = this.GetApplicationGatewayFirewallPolicy(this.ResourceGroupName, this.Name);
 
+                if (!string.IsNullOrEmpty(firewallPolicy.PolicySettings.CustomBlockResponseBody))
+                {
+                    ConvertCustomBlockResponseBodyToString(firewallPolicy);
+                }
+
+                // Assign the CustomBlockResponse fields from policy settings to policy (Feature parity with AFD WAF Policy)
+                firewallPolicy.CustomBlockResponseStatusCode = firewallPolicy.PolicySettings.CustomBlockResponseStatusCode;
+                firewallPolicy.CustomBlockResponseBody = firewallPolicy.PolicySettings.CustomBlockResponseBody;
+
                 WriteObject(firewallPolicy);
             }
             else
@@ -72,6 +90,15 @@ public override void ExecuteCmdlet()
                 {
                     var psFirewallPolicy = this.ToPsApplicationGatewayFirewallPolicy(firewallPolicy);
                     psFirewallPolicy.ResourceGroupName = NetworkBaseCmdlet.GetResourceGroup(firewallPolicy.Id);
+
+                    if (!string.IsNullOrEmpty(psFirewallPolicy.PolicySettings.CustomBlockResponseBody))
+                    {
+                        ConvertCustomBlockResponseBodyToString(psFirewallPolicy);
+                    }
+
+                    psFirewallPolicy.CustomBlockResponseStatusCode = psFirewallPolicy.PolicySettings.CustomBlockResponseStatusCode;
+                    psFirewallPolicy.CustomBlockResponseBody = psFirewallPolicy.PolicySettings.CustomBlockResponseBody;
+
                     psFirewallPolicies.Add(psFirewallPolicy);
                 }
 

src/Network/Network/FirewallPolicy/GetAzureApplicationGatewayFirewallPolicyCommand.cs

@@ -18,10 +18,12 @@
 using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
 using Microsoft.Azure.Management.Network;
 using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+using System;
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
+using System.Text;
 using MNM = Microsoft.Azure.Management.Network.Models;
 
 namespace Microsoft.Azure.Commands.Network
@@ -147,6 +149,17 @@ private PSApplicationGatewayWebApplicationFirewallPolicy CreateApplicationGatewa
             // Execute the Create ApplicationGatewayFirewallPolicy call
             this.ApplicationGatewayFirewallPolicyClient.CreateOrUpdate(this.ResourceGroupName, this.Name, firewallPolicyModel);
             var getApplicationGatewayFirewallPolicy = this.GetApplicationGatewayFirewallPolicy(this.ResourceGroupName, this.Name);
+
+            // Assign the CustomBlockResponse fields from policy settings to policy (Feature parity with AFD WAF Policy)
+            getApplicationGatewayFirewallPolicy.CustomBlockResponseStatusCode = getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseStatusCode;
+
+            if (!string.IsNullOrEmpty(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody))
+            {
+                // decode the body value as it is base64 encoded
+                string decodedCustomBlockResponseBody = Encoding.UTF8.GetString(Convert.FromBase64String(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody));
+                getApplicationGatewayFirewallPolicy.CustomBlockResponseBody = decodedCustomBlockResponseBody;
+            }
+            
             return getApplicationGatewayFirewallPolicy;
         }
     }

src/Network/Network/FirewallPolicy/NewAzureApplicationGatewayFirewallPolicyCommand.cs

@@ -13,8 +13,10 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.Commands.Network.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System.Collections.Generic;
 using System.Management.Automation;
+using System.Text;
 
 namespace Microsoft.Azure.Commands.Network
 {
@@ -46,6 +48,14 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public int MaxFileUploadInMb { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Custom Response Status Code")]
+        [ValidateNotNullOrEmpty]
+        public int? CustomBlockResponseStatusCode { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Custom Response Body")]
+        [ValidateNotNullOrEmpty]
+        public string CustomBlockResponseBody { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -69,6 +79,21 @@ public override void ExecuteCmdlet()
             {
                 this.MaxFileUploadInMb = 100;
             }
+
+            if (!this.MyInvocation.BoundParameters.ContainsKey("CustomBlockResponseStatusCode"))
+            {
+                this.CustomBlockResponseStatusCode = (int?)null;
+            }
+
+            if (this.MyInvocation.BoundParameters.ContainsKey("CustomBlockResponseBody"))
+            {
+                this.CustomBlockResponseBody = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(CustomBlockResponseBody));
+            } else
+            {
+                this.CustomBlockResponseBody = null;
+            }
+
+
         }
 
         protected PSApplicationGatewayFirewallPolicySettings NewObject()
@@ -79,7 +104,9 @@ protected PSApplicationGatewayFirewallPolicySettings NewObject()
                 State = this.State,
                 RequestBodyCheck = this.DisableRequestBodyCheck.IsPresent ? false : true,
                 MaxRequestBodySizeInKb = this.MaxRequestBodySizeInKb,
-                FileUploadLimitInMb = this.MaxFileUploadInMb
+                FileUploadLimitInMb = this.MaxFileUploadInMb,
+                CustomBlockResponseBody = this.CustomBlockResponseBody,
+                CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,
             };
         }
     }

src/Network/Network/FirewallPolicy/PolicySettings/AzureApplicationGatewayFirewallPolicySetting.cs

@@ -22,6 +22,7 @@
 using System.Linq;
 using System.Management.Automation;
 using MNM = Microsoft.Azure.Management.Network.Models;
+using System.Text;
 
 namespace Microsoft.Azure.Commands.Network
 {
@@ -134,6 +135,17 @@ public override void ExecuteCmdlet()
                 this.ApplicationGatewayFirewallPolicyClient.CreateOrUpdate(ResourceGroupName, Name, firewallPolicyModel);
 
                 var getApplicationGatewayFirewallPolicy = this.GetApplicationGatewayFirewallPolicy(ResourceGroupName, Name);
+
+                // Assign the CustomBlockResponse fields from policy settings to policy (Feature parity with AFD WAF Policy)
+                getApplicationGatewayFirewallPolicy.CustomBlockResponseStatusCode = getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseStatusCode;
+
+                // decode the body value as it is base64 encoded
+                if (!string.IsNullOrEmpty(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody))
+                {
+                    string decodedCustomBlockResponseBody = Encoding.UTF8.GetString(Convert.FromBase64String(getApplicationGatewayFirewallPolicy.PolicySettings.CustomBlockResponseBody));
+                    getApplicationGatewayFirewallPolicy.CustomBlockResponseBody = decodedCustomBlockResponseBody;
+                }
+
                 WriteObject(getApplicationGatewayFirewallPolicy);
             }
         }

src/Network/Network/FirewallPolicy/SetAzureApplicationGatewayFirewallPolicyCommand.cs

@@ -36,5 +36,11 @@ public partial class PSApplicationGatewayFirewallPolicySettings
 
         [Ps1Xml(Target = ViewControl.Table)]
         public int FileUploadLimitInMb { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string CustomBlockResponseBody { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public int? CustomBlockResponseStatusCode { get; set; }
     }
 }

src/Network/Network/Models/PSApplicationGatewayFirewallPolicySettings.cs

@@ -26,5 +26,11 @@ public class PSApplicationGatewayWebApplicationFirewallPolicy : PSTopLevelResour
         public PSApplicationGatewayFirewallPolicySettings PolicySettings { get; set; }
 
         public PSApplicationGatewayFirewallPolicyManagedRules ManagedRules { get; set; }
+
+        // CustomBlockResponse fields to be mapped from inside the policy settings
+        // to be shown as response in PS (Feature parity with AFD WAF Policy)
+        public int? CustomBlockResponseStatusCode { get; set; }
+
+        public string CustomBlockResponseBody { get; set; }
     }
 }

src/Network/Network/Models/PSApplicationGatewayWebApplicationFirewallPolicy.cs

@@ -14,8 +14,8 @@ Creates a policy setting for the firewall policy
 
 ```
 New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>] [-DisableRequestBodyCheck]
- [-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-CustomBlockResponseStatusCode <Int32>]
+ [-CustomBlockResponseBody <String>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -33,6 +33,36 @@ The new policySettings is stored to $condition.
 
 ## PARAMETERS
 
+### -CustomBlockResponseBody
+Custom Block Response Body in policy settings of the firewall policy.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CustomBlockResponseStatusCode
+Custom block response status code in policy settings of the firewall policy.
+
+```yaml
+Type: System.Nullable`1[System.Int32]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with Azure.