{AppService} Prevent duplicate rules from being created. (#13540)

* Prevent duplicate rules from being created.

* Update ChangeLog

Author: madsd

src/Websites/Websites.Test/ScenarioTests/AccessRestrictionTests.cs

@@ -115,5 +115,12 @@ public void TestAddWebAppAccessRestrictionSlot()
         {
             WebsitesController.NewInstance.RunPsTest(_logger, "Test-AddWebAppAccessRestrictionSlot");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestAddWebAppAccessRestrictionDuplicate()
+        {
+            WebsitesController.NewInstance.RunPsTest(_logger, "Test-AddWebAppAccessRestrictionDuplicate");
+        }
     }
 }

src/Websites/Websites.Test/ScenarioTests/AccessRestrictionTests.ps1

@@ -593,4 +593,54 @@ function Test-AddWebAppAccessRestrictionSlot
 		# Cleanup
 		Remove-AzResourceGroup -Name $rgname -Force
 	}
+}
+
+<#
+.SYNOPSIS
+Add Duplicate IpAddress Access Restriction
+#>
+function Test-AddWebAppAccessRestrictionDuplicate
+{
+	# Setup
+	$rgname = Get-ResourceGroupName
+	$wname = Get-WebsiteName	
+	$location = Get-WebLocation
+	$whpName = Get-WebHostPlanName
+	$tier = "Shared"
+	$ipAddress = "130.220.0.0/27"
+	$duplicateErrorMessage = "Rule for '$ipAddress' already exist"
+
+	try
+	{
+		# Setup
+		New-AzResourceGroup -Name $rgname -Location $location
+		$serverFarm = New-AzAppServicePlan -ResourceGroupName $rgname -Name  $whpName -Location  $location -Tier $tier
+		
+		# Create new web app
+		$webApp = New-AzWebApp -ResourceGroupName $rgname -Name $wname -Location $location -AppServicePlan $whpName 
+		
+		# Assert Setup
+		Assert-AreEqual $wname $webApp.Name
+		Assert-AreEqual $serverFarm.Id $webApp.ServerFarmId
+		
+		# Run Tests
+		$actual = Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgname -WebAppName $wname -Name developers -Action Allow -IpAddress $ipAddress -Priority 200 -PassThru
+
+		try
+		{
+			Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgname -WebAppName $wname -Name developers -Action Allow -IpAddress $ipAddress -Priority 200
+		}
+		catch [System.Exception]
+		{
+			$actualErrorMessage = $_.Exception.Message
+		}
+
+		# Assert
+		Assert-AreEqual $actualErrorMessage $duplicateErrorMessage
+	}
+	finally
+	{
+		# Cleanup
+		Remove-AzResourceGroup -Name $rgname -Force
+	}
 }

src/Websites/Websites.Test/SessionRecords/Microsoft.Azure.Commands.Websites.Test.ScenarioTests.AccessRestrictionTests/TestAddWebAppAccessRestrictionDuplicate.json

@@ -20,8 +20,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ScenarioTest.ResourceManage
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestFx", "..\..\tools\TestFx\TestFx.csproj", "{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Authenticators", "..\Accounts\Authenticators\Authenticators.csproj", "{31473C1B-1B34-4545-BF2D-50BEE84E7283}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -40,6 +38,10 @@ Global
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.Build.0 = Release|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -56,10 +58,6 @@ Global
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Release|Any CPU.Build.0 = Release|Any CPU
-		{31473C1B-1B34-4545-BF2D-50BEE84E7283}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{31473C1B-1B34-4545-BF2D-50BEE84E7283}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{31473C1B-1B34-4545-BF2D-50BEE84E7283}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{31473C1B-1B34-4545-BF2D-50BEE84E7283}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

src/Websites/Websites.sln

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Prevent duplicate access restriction rules
 
 ## Version 2.1.0
 * Added support for new access restriction features: ServiceTag, multi-ip and http-headers

src/Websites/Websites/ChangeLog.md

@@ -164,12 +164,14 @@ public override void ExecuteCmdlet()
                 int intPriority = checked((int)Priority);
                 switch (ParameterSetName)
                 {
-                    case IpAddressParameterSet:                    
+                    case IpAddressParameterSet:
+                        CheckDuplicateIPRestriction(IpAddress, accessRestrictionList);
                         ipSecurityRestriction = new IpSecurityRestriction(IpAddress, null, null, null, null, Action, null, intPriority, Name, Description, httpHeader);
                         accessRestrictionList.Add(ipSecurityRestriction);                        
                         break;
 
                     case ServiceTagParameterSet:
+                        CheckDuplicateIPRestriction(ServiceTag, accessRestrictionList);
                         ipSecurityRestriction = new IpSecurityRestriction(ServiceTag, null, null, null, null, Action, "ServiceTag", intPriority, Name, Description, httpHeader);
                         accessRestrictionList.Add(ipSecurityRestriction);
                         break;
@@ -182,6 +184,7 @@ public override void ExecuteCmdlet()
                         //If unble to fetch SubNet rg from above step, use the input RG to get validation error from api call.
                         subNetResourceGroupName = !String.IsNullOrEmpty(subNetResourceGroupName) ? subNetResourceGroupName : ResourceGroupName;
                         var subnetResourceId = CmdletHelpers.ValidateSubnet(Subnet, VirtualNetworkName, subNetResourceGroupName, DefaultContext.Subscription.Id);
+                        CheckDuplicateServiceEndpointRestriction(subnetResourceId, accessRestrictionList);
                         if (!IgnoreMissingServiceEndpoint)
                         {
                             CmdletHelpers.VerifySubnetDelegation(subnetResourceId);
@@ -232,5 +235,23 @@ private IDictionary<string, IList<string>> ConvertHeaderHashtable(Hashtable head
             }
             return headerResult;
         }
+
+        private void CheckDuplicateIPRestriction(string ipRange, IList<IpSecurityRestriction> accessRestrictionList)
+        {
+            foreach (var accessRestriction in accessRestrictionList)
+            {
+                if (accessRestriction.IpAddress == ipRange)
+                    throw new Exception($"Rule for '{ipRange}' already exist");
+            }
+        }
+
+        private void CheckDuplicateServiceEndpointRestriction(string subnetResourceId, IList<IpSecurityRestriction> accessRestrictionList)
+        {
+            foreach (var accessRestriction in accessRestrictionList)
+            {
+                if (accessRestriction.VnetSubnetResourceId == subnetResourceId)
+                    throw new Exception($"Rule for '{subnetResourceId}' already exist");
+            }
+        }
     }
 }