Merge pull request Azure#10197 from venkatsvpr/network-september

Toplevel waf powershell changes

Author: msJinLei

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -105,5 +105,21 @@ public void TestApplicationGatewayCRUDRewriteRuleSetWithConditions()
         {
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayCRUDRewriteRuleSetWithConditions -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev)]
+        public void TestTopLevelWafResourceWithApplicationGateway()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayTopLevelFirewallPolicy -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev)]
+        public void TestApplicationGatewayWithFirewallPolicy()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayWithFirewallPolicy -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -58,6 +58,16 @@ public class AzureApplicationGatewayHttpListenerBase : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public string SslCertificateId { get; set; }
 
+        [Parameter(
+           ParameterSetName = "SetByResourceId",
+           HelpMessage = "FirewallPolicyId")]
+        public string FirewallPolicyId { get; set; }
+
+        [Parameter(
+            ParameterSetName = "SetByResource",
+            HelpMessage = "FirewallPolicy")]
+        public PSApplicationGatewayWebApplicationFirewallPolicy FirewallPolicy { get; set; }
+
         [Parameter(
                 ParameterSetName = "SetByResource",
                 HelpMessage = "Application gateway SslCertificate")]
@@ -97,14 +107,21 @@ public override void ExecuteCmdlet()
                 {
                     this.FrontendIPConfigurationId = this.FrontendIPConfiguration.Id;
                 }
+
                 if (FrontendPort != null)
                 {
                     this.FrontendPortId = this.FrontendPort.Id;
                 }
+
                 if (SslCertificate != null)
                 {
                     this.SslCertificateId = this.SslCertificate.Id;
                 }
+
+                if (FirewallPolicy != null)
+                {
+                    this.FirewallPolicyId = this.FirewallPolicy.Id;
+                }
             }
         }
 
@@ -147,6 +164,12 @@ public PSApplicationGatewayHttpListener NewObject()
                 httpListener.SslCertificate.Id = this.SslCertificateId;
             }
 
+            if (!string.IsNullOrEmpty(this.FirewallPolicyId))
+            {
+                httpListener.FirewallPolicy = new PSResourceId();
+                httpListener.FirewallPolicy.Id = this.FirewallPolicyId;
+            }
+
             if (this.CustomErrorConfiguration != null)
             {
                 httpListener.CustomErrorConfigurations = this.CustomErrorConfiguration?.ToList();

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayWithFirewallPolicy.json

@@ -80,7 +80,17 @@ public class AzureApplicationGatewayPathRuleConfigBase : NetworkBaseCmdlet
                 HelpMessage = "Application gateway RedirectConfiguration")]
         [ValidateNotNullOrEmpty]
         public PSApplicationGatewayRedirectConfiguration RedirectConfiguration { get; set; }
+        
+        [Parameter(
+           ParameterSetName = "SetByResourceId",
+           HelpMessage = "FirewallPolicyId")]
+        public string FirewallPolicyId { get; set; }
 
+        [Parameter(
+            ParameterSetName = "SetByResource",
+            HelpMessage = "FirewallPolicy")]
+        public PSApplicationGatewayWebApplicationFirewallPolicy FirewallPolicy { get; set; }
+        
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -91,18 +101,26 @@ public override void ExecuteCmdlet()
                 {
                     this.BackendAddressPoolId = this.BackendAddressPool.Id;
                 }
+
                 if (BackendHttpSettings != null)
                 {
                     this.BackendHttpSettingsId = this.BackendHttpSettings.Id;
                 }
+
                 if (RewriteRuleSet != null)
                 {
                     this.RewriteRuleSetId = this.RewriteRuleSet.Id;
                 }
+
                 if (RedirectConfiguration != null)
                 {
                     this.RedirectConfigurationId = this.RedirectConfiguration.Id;
                 }
+
+                if (FirewallPolicy != null)
+                {
+                    this.FirewallPolicyId = this.FirewallPolicy.Id;
+                }
             }
         }
 
@@ -136,6 +154,12 @@ public PSApplicationGatewayPathRule NewObject()
                 pathRule.RedirectConfiguration = new PSResourceId();
                 pathRule.RedirectConfiguration.Id = this.RedirectConfigurationId;
             }
+            
+            if (!string.IsNullOrEmpty(this.FirewallPolicyId))
+            {
+                pathRule.FirewallPolicy = new PSResourceId();
+                pathRule.FirewallPolicy.Id = this.FirewallPolicyId;
+            }
 
             return pathRule;
         }

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestTopLevelWafResourceWithApplicationGateway.json

@@ -110,7 +110,13 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzApplicationGatewayFirewallPolicy', 
                'Get-AzApplicationGatewayFirewallPolicy', 
                'Remove-AzApplicationGatewayFirewallPolicy', 
-               'Set-AzApplicationGatewayFirewallPolicy', 
+               'Set-AzApplicationGatewayFirewallPolicy',
+			   'New-AzApplicationGatewayFirewallPolicyExclusion',
+			   'New-AzApplicationGatewayFirewallPolicyManagedRule',
+			   'New-AzApplicationGatewayFirewallPolicyManagedRuleOverride',
+			   'New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride',
+			   'New-AzApplicationGatewayFirewallPolicyManagedRuleSet',
+			   'New-AzApplicationGatewayFirewallPolicySetting',
                'Add-AzApplicationGatewayFrontendIPConfig', 
                'Get-AzApplicationGatewayFrontendIPConfig', 
                'New-AzApplicationGatewayFrontendIPConfig', 

src/Network/Network/ApplicationGateway/HttpListener/AzureApplicationGatewayHttpListenerBase.cs

@@ -57,6 +57,22 @@
         - Update-AzureRmVpnConnection : added parameter EnableInternetSecurity
         - New-AzureRmExpressRouteConnection : added parameter EnableInternetSecurity
         - Set-AzureRmExpressRouteConnection : added parameter EnableInternetSecurity
+* Add support for Configuring TopLevel WebApplicationFirewall Policy
+    - New cmdlets added:
+        - New-AzApplicationGatewayFirewallPolicySetting
+        - New-AzApplicationGatewayFirewallPolicyExclusion
+        - New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride
+        - New-AzApplicationGatewayFirewallPolicyManagedRuleOverride
+        - New-AzApplicationGatewayFirewallPolicyManagedRule
+        - New-AzApplicationGatewayFirewallPolicyManagedRuleSet
+    - Cmdlets updated with optional parameters:
+        - New-AzApplicationGatewayFirewallPolicy : added parameter PolicySetting, ManagedRule
+* Added support for Geo-Match operator on CustomRule
+    - Added GeoMatch to the operator on the FirewallCondition
+* Added support for perListener and perSite Firewall policy
+    - Cmdlets updated with optional parameters:
+        - New-AzApplicationGatewayHttpListener : added parameter FirewallPolicy, FirewallPolicyId
+        - New-AzApplicationGatewayPathRuleConfig : added parameter FirewallPolicy, FirewallPolicyId
 * Fix required subnet with name AzureBastionSubnet in `PSBastion` can be case insensitive
 * Support for Destination FQDNs in Network Rules and Translated FQDN in NAT Rules for Azure Firewall
 * Add support for top level resource RouteTables of IpGroup

src/Network/Network/ApplicationGateway/PathRule/AzureApplicationGatewayPathRuleConfigBase.cs

@@ -916,6 +916,12 @@ private static void Initialize()
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallCustomRule, MNM.WebApplicationFirewallCustomRule>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallMatchVariable, MNM.MatchVariable>();
                 cfg.CreateMap<CNM.PSApplicationGatewayWebApplicationFirewallPolicy, MNM.WebApplicationFirewallPolicy>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicySettings, MNM.PolicySettings>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRules, MNM.ManagedRulesDefinition>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet, MNM.ManagedRuleSet>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride, MNM.ManagedRuleGroupOverride>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleOverride, MNM.ManagedRuleOverride>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyExclusion, MNM.ApplicationGatewayFirewallExclusion>();
                 cfg.CreateMap<CNM.PSApplicationGatewayConnectionDraining, MNM.ApplicationGatewayConnectionDraining>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallDisabledRuleGroup, MNM.ApplicationGatewayFirewallDisabledRuleGroup>()
                     .AfterMap((src, dest) => dest.Rules = (src.Rules == null) ? null : dest.Rules);
@@ -972,6 +978,12 @@ private static void Initialize()
                 cfg.CreateMap<MNM.WebApplicationFirewallCustomRule, CNM.PSApplicationGatewayFirewallCustomRule>();
                 cfg.CreateMap<MNM.MatchVariable, CNM.PSApplicationGatewayFirewallMatchVariable>();
                 cfg.CreateMap<MNM.WebApplicationFirewallPolicy, CNM.PSApplicationGatewayWebApplicationFirewallPolicy>();
+                cfg.CreateMap<MNM.PolicySettings, CNM.PSApplicationGatewayFirewallPolicySettings>();
+                cfg.CreateMap<MNM.ManagedRulesDefinition, CNM.PSApplicationGatewayFirewallPolicyManagedRules>();
+                cfg.CreateMap<MNM.ManagedRuleSet, CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet>();
+                cfg.CreateMap<MNM.ManagedRuleGroupOverride, CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride>();
+                cfg.CreateMap<MNM.ManagedRuleOverride, CNM.PSApplicationGatewayFirewallPolicyManagedRuleOverride>();
+                cfg.CreateMap<MNM.ApplicationGatewayFirewallExclusion, CNM.PSApplicationGatewayFirewallPolicyExclusion>();
                 cfg.CreateMap<MNM.ApplicationGatewayConnectionDraining, CNM.PSApplicationGatewayConnectionDraining>();
                 cfg.CreateMap<MNM.ApplicationGatewayFirewallDisabledRuleGroup, CNM.PSApplicationGatewayFirewallDisabledRuleGroup>()
                     .AfterMap((src, dest) => dest.Rules = (src.Rules == null) ? null : dest.Rules);

src/Network/Network/Az.Network.psd1

@@ -67,9 +67,7 @@ public PSApplicationGatewayWebApplicationFirewallPolicy GetApplicationGatewayFir
         public PSApplicationGatewayWebApplicationFirewallPolicy ToPsApplicationGatewayFirewallPolicy(WebApplicationFirewallPolicy firewallPolicy)
         {
             var psFirewallPolicy = NetworkResourceManagerProfile.Mapper.Map<PSApplicationGatewayWebApplicationFirewallPolicy>(firewallPolicy);
-
             psFirewallPolicy.Tag = TagsConversionHelper.CreateTagHashtable(firewallPolicy.Tags);
-
             return psFirewallPolicy;
         }
     }

src/Network/Network/ChangeLog.md

@@ -31,7 +31,7 @@ public class AzureApplicationGatewayFirewallConditionBase : NetworkBaseCmdlet
         [Parameter(
             Mandatory = true,
             HelpMessage = "Describes operator to be matched.")]
-        [ValidateSet("IPMatch", "Equal", "Contains", "LessThan", "GreaterThan", "LessThanOrEqual", "GreaterThanOrEqual", "BeginsWith", "EndsWith", "Regex", IgnoreCase = true)]
+        [ValidateSet("IPMatch", "Equal", "Contains", "LessThan", "GreaterThan", "LessThanOrEqual", "GreaterThanOrEqual", "BeginsWith", "EndsWith", "Regex", "GeoMatch", IgnoreCase = true)]
         [ValidateNotNullOrEmpty]
         public string Operator { get; set; }
 

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -0,0 +1,64 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    public class AzureApplicationGatewayFirewallPolicyManagedRules : NetworkBaseCmdlet
+    {
+        [Parameter(
+          Mandatory = false,
+          HelpMessage = "List of Managed ruleSets.")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyManagedRuleSet[] ManagedRuleSet { get; set; }
+        
+        [Parameter(
+          Mandatory = false,
+          HelpMessage = "List of Exclusion Entry.")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyExclusion[] Exclusion { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+        }
+
+        protected PSApplicationGatewayFirewallPolicyManagedRules NewObject()
+        {
+            var managedRules = new PSApplicationGatewayFirewallPolicyManagedRules()
+            {
+                Exclusions = this.Exclusion?.ToList(),
+                ManagedRuleSets = this.ManagedRuleSet?.ToList()
+            };
+
+            if (this.ManagedRuleSet == null || this.ManagedRuleSet.Count() == 0)
+            {
+                managedRules.ManagedRuleSets = new List<PSApplicationGatewayFirewallPolicyManagedRuleSet>()
+                {
+                    new PSApplicationGatewayFirewallPolicyManagedRuleSet()
+                    {
+                        RuleSetType = "OWASP",
+                        RuleSetVersion = "3.0"
+                    }
+                };
+            }
+
+            return managedRules;
+        }
+    }
+}

src/Network/Network/FirewallPolicy/ApplicationGatewayFirewallPolicyBaseCmdlet.cs

@@ -0,0 +1,58 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Collections.Generic;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    public class AzureApplicationGatewayFirewallPolicyExclusion : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "MatchVariable on Exclusion entry.")]
+        [ValidateSet("RequestHeaderNames", "RequestCookieNames", "RequestArgNames", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string MatchVariable { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "Selector Match Operator.")]
+        [ValidateSet("Equals", "Contains", "StartsWith", "EndsWith", "EqualsAny", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string SelectorMatchOperator { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "Selector")]
+        public string Selector { get; set; }
+
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+        }
+
+        protected PSApplicationGatewayFirewallPolicyExclusion NewObject()
+        {
+            return new PSApplicationGatewayFirewallPolicyExclusion()
+            {
+                MatchVariable = this.MatchVariable,
+                SelectorMatchOperator = this.SelectorMatchOperator,
+                Selector = this.Selector
+            };
+        }
+    }
+}

src/Network/Network/FirewallPolicy/FirewallCondition/AzureApplicationGatewayFirewallConditionBase.cs

@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyExclusion"), OutputType(typeof(PSApplicationGatewayFirewallPolicyExclusion))]
+    public class NewAzureApplicationGatewayFirewallPolicyExclusionCommand : AzureApplicationGatewayFirewallPolicyExclusion
+    {
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+            WriteObject(base.NewObject());
+        }
+    }
+}