Merge pull request #10414 from andreycpp/merge-network

Add ThreatIntelWhitelist to AzFirewall commands

Author: isra-fel

src/Accounts/Accounts/AzureRmAlias/Mappings.json

@@ -1262,7 +1262,7 @@
     "Set-AzApplicationGatewayAutoscaleConfiguration": "Set-AzureRmApplicationGatewayAutoscaleConfiguration",
     "Set-AzApplicationGatewayAuthenticationCertificate": "Set-AzureRmApplicationGatewayAuthenticationCertificate",
     "Get-AzApplicationGatewayAvailableWafRuleSets": "Get-AzureRmApplicationGatewayAvailableWafRuleSets",
-   	"Get-AzApplicationGatewayAvailableServerVariableAndHeader": "Get-AzureRmApplicationGatewayAvailableServerVariableAndHeader",
+    "Get-AzApplicationGatewayAvailableServerVariableAndHeader": "Get-AzureRmApplicationGatewayAvailableServerVariableAndHeader",
     "Get-AzApplicationGatewayAvailableSslOptions": "Get-AzureRmApplicationGatewayAvailableSslOptions",
     "Add-AzApplicationGatewayBackendAddressPool": "Add-AzureRmApplicationGatewayBackendAddressPool",
     "Get-AzApplicationGatewayBackendAddressPool": "Get-AzureRmApplicationGatewayBackendAddressPool",
@@ -2519,4 +2519,4 @@
     "New-AzWebAppAzureStoragePath": "New-AzureRmWebAppAzureStoragePath",
     "Swap-AzWebAppSlot": "Swap-AzureRmWebAppSlot"
   }
-}
+}

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.cs

@@ -66,5 +66,13 @@ public void TestAzureFirewallVirtualHubCRUD()
             TestRunner.RunTestScript("Test-AzureFirewallVirtualHubCRUD");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.azurefirewall)]
+        public void TestAzureFirewallThreatIntelWhitelistCRUD()
+        {
+            TestRunner.RunTestScript("Test-AzureFirewallThreatIntelWhitelistCRUD");
+        }
+
     }
 }

src/Network/Network.Test/ScenarioTests/AzureFirewallTests.ps1

@@ -1156,3 +1156,52 @@ function Test-AzureFirewallVirtualHubCRUD {
         Clean-ResourceGroup $rgname
     }
 }
+
+<#
+.SYNOPSIS
+Tests AzureFirewall ThreatIntelWhitelist
+#>
+function Test-AzureFirewallThreatIntelWhitelistCRUD {
+    $rgname = Get-ResourceGroupName
+    $azureFirewallName = Get-ResourceName
+    $resourceTypeParent = "Microsoft.Network/AzureFirewalls"
+    $location = Get-ProviderLocation $resourceTypeParent "eastus2euap"
+
+    $vnetName = Get-ResourceName
+    $subnetName = "AzureFirewallSubnet"
+    $publicIpName = Get-ResourceName
+
+    $threatIntelWhitelist1 = New-AzFirewallThreatIntelWhitelist -FQDN @("*.microsoft.com", "microsoft.com") -IpAddress @("8.8.8.8", "1.1.1.1")
+    $threatIntelWhitelist2 = New-AzFirewallThreatIntelWhitelist -IpAddress @("  2.2.2.2  ","  3.3.3.3  ") -FQDN @("  bing.com  ",  "yammer.com  ")
+
+    try {
+        # Create the resource group
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
+
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+
+        # Create public ip
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -Sku Standard
+
+        # Create AzureFirewall
+        $azureFirewall = New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -ThreatIntelWhitelist $threatIntelWhitelist1
+
+        # Verify
+        $getAzureFirewall = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqualArray $threatIntelWhitelist1.FQDNs $getAzureFirewall.ThreatIntelWhitelist.FQDNs
+        Assert-AreEqualArray $threatIntelWhitelist1.IpAddresses $getAzureFirewall.ThreatIntelWhitelist.IpAddresses
+
+        # Modify
+        $azureFirewall.ThreatIntelWhitelist = $threatIntelWhitelist2
+        Set-AzFirewall -AzureFirewall $azureFirewall
+        $getAzureFirewall = Get-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname
+        Assert-AreEqualArray $threatIntelWhitelist2.FQDNs $getAzureFirewall.ThreatIntelWhitelist.FQDNs
+        Assert-AreEqualArray $threatIntelWhitelist2.IpAddresses $getAzureFirewall.ThreatIntelWhitelist.IpAddresses
+    }
+    finally {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.AzureFirewallTests/TestAzureFirewallThreatIntelWhitelistCRUD.json

@@ -389,7 +389,8 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzFirewallApplicationRuleCollection', 
                'New-AzFirewallApplicationRule', 'New-AzFirewallNatRuleCollection', 
                'New-AzFirewallNatRule', 'New-AzFirewallNetworkRuleCollection', 
-               'New-AzFirewallNetworkRule', 'Get-AzFirewallFqdnTag', 
+               'New-AzFirewallNetworkRule', 'New-AzFirewallThreatIntelWhitelist',
+               'Get-AzFirewallFqdnTag', 
                'Get-AzNetworkProfile', 'New-AzNetworkProfile', 
                'Remove-AzNetworkProfile', 'Set-AzNetworkProfile', 
                'New-AzContainerNicConfig', 'New-AzContainerNicConfigIpConfig', 
@@ -459,7 +460,8 @@ AliasesToExport = 'List-AzApplicationGatewayAvailableWafRuleSets',
                'Get-AzExpressRouteCircuitStats', 
                'Get-AzApplicationGatewayAvailableWafRuleSets', 
                'Get-AzApplicationGatewayAvailableSslOptions', 
-               'Get-AzInterfaceEndpoint'
+               'Get-AzInterfaceEndpoint',
+               'New-AzFirewallThreatIntelWhitelistObject'
 
 # DSC resources to export from this module
 # DscResourcesToExport = @()

src/Network/Network/Az.Network.psd1

@@ -135,6 +135,11 @@ public class NewAzureFirewallCommand : AzureFirewallBaseCmdlet
             IgnoreCase = false)]
         public string ThreatIntelMode { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The whitelist for Threat Intelligence")]
+        public PSAzureFirewallThreatIntelWhitelist ThreatIntelWhitelist { get; set; }
+
         [Parameter(
             Mandatory = false,
             ValueFromPipelineByPropertyName = true,
@@ -256,6 +261,7 @@ private PSAzureFirewall CreateAzureFirewall()
                     NatRuleCollections = this.NatRuleCollection?.ToList(),
                     NetworkRuleCollections = this.NetworkRuleCollection?.ToList(),
                     ThreatIntelMode = this.ThreatIntelMode ?? MNM.AzureFirewallThreatIntelMode.Alert,
+                    ThreatIntelWhitelist = this.ThreatIntelWhitelist,
                     Sku = sku
                 };
 

src/Network/Network/AzureFirewall/NewAzureFirewallCommand.cs

@@ -0,0 +1,51 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.Network.Models;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FirewallThreatIntelWhitelist"), OutputType(typeof(PSAzureFirewallThreatIntelWhitelist))]
+    [Alias("New-AzFirewallThreatIntelWhitelistObject")]
+    public class NewAzureFirewallThreatIntelWhitelistCommand : AzureFirewallBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The FQDNs of the Threat Intel Whitelist")]
+        [ValidateNotNull]
+        public string[] FQDN { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "The IP Addresses of the Threat Intel Whitelist")]
+        [ValidateNotNull]
+        public string[] IpAddress { get; set; }
+
+        public override void Execute()
+        {
+            base.Execute();
+
+            var threatIntelWhitelist = new PSAzureFirewallThreatIntelWhitelist
+            {
+                FQDNs = this.FQDN?.Select(str => str.Trim()).ToArray(),
+                IpAddresses = this.IpAddress?.Select(str => str.Trim()).ToArray(),
+            };
+            WriteObject(threatIntelWhitelist);
+        }
+    }
+}

src/Network/Network/AzureFirewall/ThreatIntelWhitelist/NewAzureFirewallThreatIntelWhitelistCommand.cs

@@ -35,6 +35,11 @@
     - Updated New-AzPrivateLinkService to add a new optional parameter EnableProxyProtocol.
 * Fix incorrect parameter description in `New-AzApplicationGatewaySku` reference documentation
 * New cmdlets to support the azure firewall policy
+* Add support for ThreatIntelWhitelist property for AzFirewall
+    - New cmdlet added:
+        - New-AzFirewallThreatIntelWhitelist
+    - Cmdlets updated with optional parameters:
+        - New-AzFirewall : added parameter ThreatIntelWhitelist
 * Add support for child resource RouteTables of VirtualHub
     - New cmdlets added:
         - Add-AzVirtualHubRoute

src/Network/Network/ChangeLog.md

@@ -15,8 +15,10 @@
 namespace Microsoft.Azure.Commands.Network
 {
     using AutoMapper;
+    using System;
     using System.Collections.Generic;
     using System.Linq;
+    using System.Management.Automation;
     using WindowsAzure.Commands.Common;
     using CNM = Microsoft.Azure.Commands.Network.Models;
     using MNM = Microsoft.Azure.Management.Network.Models;
@@ -101,7 +103,7 @@ public CNM.PSVirtualRouter Convert(MNM.VirtualRouter source, CNM.PSVirtualRouter
                     Location = source.Location,
                     Type = source.Type,
                     ProvisioningState = source.ProvisioningState,
-                    VirtualRouterAsn = (uint) source.VirtualRouterAsn
+                    VirtualRouterAsn = (uint)source.VirtualRouterAsn
                 };
                 if (source.HostedGateway != null)
                 {
@@ -178,7 +180,7 @@ private static void MapRouteTableV2sToRouteTables<MnmType, CnmType>(MnmType mnmO
 
                 List<CNM.PSVirtualHubRoute> cnmRoutes = new List<CNM.PSVirtualHubRoute>();
                 var cnmAttachedConnections = new List<string>(mnmAttachedConnections);
-                
+
                 foreach (var mnmRoute in mnmRoutes)
                 {
                     var cnmRoute = new CNM.PSVirtualHubRoute
@@ -708,7 +710,7 @@ private static void Initialize()
                     .AfterMap((src, dest) =>
                     {
                         MapSecurityRuleCommandToManagement<CNM.PSEffectiveSecurityRule, MNM.EffectiveNetworkSecurityRule>(src, dest);
-                     });
+                    });
 
                 // MNM to CNM
                 cfg.CreateMap<MNM.EffectiveNetworkSecurityGroup, CNM.PSEffectiveNetworkSecurityGroup>();
@@ -1119,7 +1121,14 @@ private static void Initialize()
 
                 // Azure Firewalls
                 // CNM to MNM
-                cfg.CreateMap<CNM.PSAzureFirewall, MNM.AzureFirewall>();
+                cfg.CreateMap<CNM.PSAzureFirewall, MNM.AzureFirewall>().AfterMap((src, dest) =>
+                {
+                    dest.AdditionalProperties = new Dictionary<string, string>()
+                    {
+                        { "ThreatIntel.Whitelist.FQDNs", src.ThreatIntelWhitelist?.FQDNs?.Aggregate((result, item) => result + "," + item) },
+                        { "ThreatIntel.Whitelist.IpAddresses", src.ThreatIntelWhitelist?.IpAddresses?.Aggregate((result, item) => result + "," + item) },
+                    }.Where(kvp => kvp.Value != null).ToDictionary(key => key.Key, val => val.Value);   // TODO: remove after backend code is refactored
+                });
                 cfg.CreateMap<CNM.PSAzureFirewallSku, MNM.AzureFirewallSku>();
                 cfg.CreateMap<CNM.PSAzureFirewallIpConfiguration, MNM.AzureFirewallIPConfiguration>();
                 cfg.CreateMap<CNM.PSAzureFirewallApplicationRuleCollection, MNM.AzureFirewallApplicationRuleCollection>();
@@ -1133,7 +1142,27 @@ private static void Initialize()
                 cfg.CreateMap<CNM.PSAzureFirewallApplicationRuleProtocol, MNM.AzureFirewallApplicationRuleProtocol>();
 
                 // MNM to CNM
-                cfg.CreateMap<MNM.AzureFirewall, CNM.PSAzureFirewall>();
+                cfg.CreateMap<MNM.AzureFirewall, CNM.PSAzureFirewall>().AfterMap((src, dest) =>
+                {
+                    // TODO: refactor after backend is refactored
+                    dest.ThreatIntelWhitelist = new CNM.PSAzureFirewallThreatIntelWhitelist();
+                    try
+                    {
+                        dest.ThreatIntelWhitelist.FQDNs = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("ThreatIntel.Whitelist.FQDNs", StringComparison.OrdinalIgnoreCase)).Value?.Split(',').Select(str => str.Trim()).ToArray();
+                    }
+                    catch (PSArgumentException)
+                    {
+                        dest.ThreatIntelWhitelist.FQDNs = null;
+                    }
+                    try
+                    {
+                        dest.ThreatIntelWhitelist.IpAddresses = src.AdditionalProperties?.SingleOrDefault(kvp => kvp.Key.Equals("ThreatIntel.Whitelist.IpAddresses", StringComparison.OrdinalIgnoreCase)).Value?.Split(',').Select(str => str.Trim()).ToArray();
+                    }
+                    catch (PSArgumentException)
+                    {
+                        dest.ThreatIntelWhitelist.IpAddresses = null;
+                    }
+                });
                 cfg.CreateMap<MNM.AzureFirewallSku, CNM.PSAzureFirewallSku>();
                 cfg.CreateMap<MNM.AzureFirewallIPConfiguration, CNM.PSAzureFirewallIpConfiguration>();
                 cfg.CreateMap<MNM.AzureFirewallApplicationRuleCollection, CNM.PSAzureFirewallApplicationRuleCollection>();

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -42,6 +42,8 @@ public class PSAzureFirewall : PSTopLevelResource
 
         public string ThreatIntelMode { get; set; }
 
+        public PSAzureFirewallThreatIntelWhitelist ThreatIntelWhitelist { get; set; }
+
         public string ProvisioningState { get; set; }
 
         public List<string> Zones { get; set; }
@@ -70,6 +72,12 @@ public string NetworkRuleCollectionsText
             get { return JsonConvert.SerializeObject(NetworkRuleCollections, Formatting.Indented); }
         }
 
+        [JsonIgnore]
+        public string ThreatIntelWhitelistText
+        {
+            get { return JsonConvert.SerializeObject(ThreatIntelWhitelist, Formatting.Indented); }
+        }
+
         #region Ip Configuration Operations
 
         public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] publicIpAddresses)
@@ -96,7 +104,7 @@ public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] public
 
             this.IpConfigurations = new List<PSAzureFirewallIpConfiguration>();
 
-            for(var i = 0; i < publicIpAddresses.Count(); i++)
+            for (var i = 0; i < publicIpAddresses.Count(); i++)
             {
                 this.IpConfigurations.Add(
                     new PSAzureFirewallIpConfiguration
@@ -111,7 +119,7 @@ public void Allocate(PSVirtualNetwork virtualNetwork, PSPublicIpAddress[] public
 
         public void Deallocate()
         {
-            this.IpConfigurations = new List<PSAzureFirewallIpConfiguration> ();
+            this.IpConfigurations = new List<PSAzureFirewallIpConfiguration>();
         }
 
         public void AddPublicIpAddress(PSPublicIpAddress publicIpAddress)
@@ -277,7 +285,7 @@ private List<BaseRuleCollection> AddRuleCollection<BaseRuleCollection>(BaseRuleC
             return existingRuleCollections;
         }
 
-        private BaseRuleCollection GetRuleCollectionByName<BaseRuleCollection> (string ruleCollectionName, List<BaseRuleCollection> ruleCollections) where BaseRuleCollection : PSAzureFirewallBaseRuleCollection
+        private BaseRuleCollection GetRuleCollectionByName<BaseRuleCollection>(string ruleCollectionName, List<BaseRuleCollection> ruleCollections) where BaseRuleCollection : PSAzureFirewallBaseRuleCollection
         {
             if (string.IsNullOrEmpty(ruleCollectionName))
             {