Log Scrubbing Feature for Application Gateway Firewall Policy Settings (#21568)

* 2

* 1

* 2

* 1

* 1

* 2

* 1

* 1

* 1

* 2

* 2

* 2

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 2

* 1

* 2

* 1

* 1

* 1

* 1

* 1

* test

* sdk

* name

* staticanalysis

* comment

* revert

* scrubbingrules

* revert scrubbingrules change

---------

Co-authored-by: Yunchi Wang <[email protected]>
Co-authored-by: Jin Lei <[email protected]>

Author: 3 people

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -156,6 +156,14 @@ public void TestApplicationGatewayWithFirewallPolicy()
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayWithFirewallPolicy -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayWithFirewallPolicyWithLogScrubbing()
+        {
+            TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayFirewallPolicyWithLogScrubbing -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -3477,6 +3477,55 @@ function Test-ApplicationGatewayFirewallPolicyWithPerRuleExclusions
 	}
 }
 
+<#
+.SYNOPSIS
+Application gateway v2 waf policy with log scrubbing
+#>
+function Test-ApplicationGatewayFirewallPolicyWithLogScrubbing
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicyName = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+		
+		# WAF Policy and Custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Content-Length
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GreaterThan -MatchValue 1000 -Transform Lowercase -NegationCondition $False
+		$logScrubbingRule1 = New-AzApplicationGatewayFirewallPolicyLogScrubbingRule -State Enabled -MatchVariable RequestArgNames -SelectorMatchOperator Equals -Selector test
+		$logScrubbingRule2 = New-AzApplicationGatewayFirewallPolicyLogScrubbingRule -State Enabled -MatchVariable RequestIPAddress -SelectorMatchOperator EqualsAny
+		$logScrubbingRuleConfig = New-AzApplicationGatewayFirewallPolicyLogScrubbingConfiguration -State Enabled -ScrubbingRule $logScrubbingRule1, $logScrubbingRule2
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 4000 -MaxRequestBodySizeInKb 2000 -LogScrubbing $logScrubbingRuleConfig
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+	
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+		Assert-AreEqual $policy.PolicySettings.LogScrubbing.ScrubbingRules.Count 2
+		Assert-AreEqual $policy.PolicySettings.LogScrubbing.ScrubbingRules[0].State $policySettings.LogScrubbing.ScrubbingRules[0].State
+		Assert-AreEqual $policy.PolicySettings.LogScrubbing.ScrubbingRules[0].MatchVariable $policySettings.LogScrubbing.ScrubbingRules[0].MatchVariable
+		Assert-AreEqual $policy.PolicySettings.LogScrubbing.ScrubbingRules[0].SelectorMatchOperator $policySettings.LogScrubbing.ScrubbingRules[0].SelectorMatchOperator
+		Assert-AreEqual $policy.PolicySettings.LogScrubbing.ScrubbingRules[0].Selector $policySettings.LogScrubbing.ScrubbingRules[0].Selector
+
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 <#
 .SYNOPSIS
 This case tests the per-listener HostNames feature.

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayWithFirewallPolicyWithLogScrubbing.json

@@ -123,7 +123,9 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzApplicationGatewayFirewallPolicyManagedRuleOverride', 
                'New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride', 
                'New-AzApplicationGatewayFirewallPolicyManagedRuleSet', 
-               'New-AzApplicationGatewayFirewallPolicySetting', 
+               'New-AzApplicationGatewayFirewallPolicySetting',
+               'New-AzApplicationGatewayFirewallPolicyLogScrubbingConfiguration',
+               'New-AzApplicationGatewayFirewallPolicyLogScrubbingRule',
                'Add-AzApplicationGatewayFrontendIPConfig', 
                'Get-AzApplicationGatewayFrontendIPConfig', 
                'New-AzApplicationGatewayFrontendIPConfig', 

src/Network/Network/Az.Network.psd1

@@ -40,6 +40,12 @@
 * Added support of `AdditionalNic` Property in New-AzNetworkVirtualAppliance
 * Added the new cmdlet for supporting `AdditionalNic` Property
     - 'New-AzVirtualApplianceAdditionalNicProperty'
+* Added new cmdlets to support Log Scrubbing Feature for Application Gateway WAF Firewall Policy
+    - 'New-AzApplicationGatewayFirewallPolicyLogScrubbingConfiguration',
+    - 'New-AzApplicationGatewayFirewallPolicyLogScrubbingRule',
+    - Also updated cmdlet to add the property of LogScrubbing 
+    - `New-AzApplicationGatewayFirewallPolicySetting`
+
 
 ## Version 5.6.0
 * Updated `New-AzLoadBalancer` and `Set-AzLoadBalancer` to validate surface level parameters for global tier load balancers

src/Network/Network/ChangeLog.md

@@ -1023,6 +1023,8 @@ private static void Initialize()
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallMatchVariable, MNM.MatchVariable>();
                 cfg.CreateMap<CNM.PSApplicationGatewayWebApplicationFirewallPolicy, MNM.WebApplicationFirewallPolicy>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicySettings, MNM.PolicySettings>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration, MNM.PolicySettingsLogScrubbing>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyLogScrubbingRule, MNM.WebApplicationFirewallScrubbingRules>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRules, MNM.ManagedRulesDefinition>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet, MNM.ManagedRuleSet>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride, MNM.ManagedRuleGroupOverride>();
@@ -1101,6 +1103,8 @@ private static void Initialize()
                 cfg.CreateMap<MNM.MatchVariable, CNM.PSApplicationGatewayFirewallMatchVariable>();
                 cfg.CreateMap<MNM.WebApplicationFirewallPolicy, CNM.PSApplicationGatewayWebApplicationFirewallPolicy>();
                 cfg.CreateMap<MNM.PolicySettings, CNM.PSApplicationGatewayFirewallPolicySettings>();
+                cfg.CreateMap<MNM.PolicySettingsLogScrubbing, CNM.PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration>();
+                cfg.CreateMap<MNM.WebApplicationFirewallScrubbingRules, CNM.PSApplicationGatewayFirewallPolicyLogScrubbingRule>();
                 cfg.CreateMap<MNM.ManagedRulesDefinition, CNM.PSApplicationGatewayFirewallPolicyManagedRules>();
                 cfg.CreateMap<MNM.ManagedRuleSet, CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet>();
                 cfg.CreateMap<MNM.ManagedRuleGroupOverride, CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride>();

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -56,6 +56,10 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public string CustomBlockResponseBody { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "To scrub sensitive log fields")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration LogScrubbing { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -107,6 +111,7 @@ protected PSApplicationGatewayFirewallPolicySettings NewObject()
                 FileUploadLimitInMb = this.MaxFileUploadInMb,
                 CustomBlockResponseBody = this.CustomBlockResponseBody,
                 CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,
+                LogScrubbing = this.LogScrubbing
             };
         }
     }

src/Network/Network/FirewallPolicy/PolicySettings/AzureApplicationGatewayFirewallPolicySetting.cs

@@ -0,0 +1,74 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyLogScrubbingRule"), OutputType(typeof(PSApplicationGatewayFirewallPolicyLogScrubbingRule))]
+    public class NewAzureApplicationGatewayFirewallPolicyLogScrubbingRuleCommand : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "State of the log scrubbing rule. Default value is Enabled")]
+        [ValidateNotNullOrEmpty]
+        [ValidateSet("Enabled", "Disabled", IgnoreCase = true)]
+        public string State { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The variable to be scrubbed from the logs.")]
+        [ValidateNotNullOrEmpty]
+        [ValidateSet("RequestHeaderNames", "RequestCookieNames", "RequestArgNames", "RequestPostArgNames", "RequestJSONArgNames", "RequestIPAddress", IgnoreCase = true)]
+        public string MatchVariable { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "When matchVariable is a collection, operate on the selector to specify which elements in the collection this rule applies to.")]
+        [ValidateNotNullOrEmpty]
+        [ValidateSet("Equals", "EqualsAny", IgnoreCase = true)]
+        public string SelectorMatchOperator { get; set; }
+
+        [Parameter(
+         Mandatory = false,
+         HelpMessage = "When matchVariable is a collection, operator used to specify which elements in the collection this rule applies to.")]
+        [ValidateNotNullOrEmpty]
+        public string Selector { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+
+            if (!this.MyInvocation.BoundParameters.ContainsKey("State"))
+            {
+                this.State = "Enabled";
+            }
+
+            WriteObject(NewObject());
+        }
+
+        protected PSApplicationGatewayFirewallPolicyLogScrubbingRule NewObject()
+        {
+            return new PSApplicationGatewayFirewallPolicyLogScrubbingRule()
+            {
+                State = this.State,
+                MatchVariable = this.MatchVariable,
+                SelectorMatchOperator = this.SelectorMatchOperator,
+                Selector = this.Selector
+            };
+        }
+    }
+}

src/Network/Network/FirewallPolicy/PolicySettings/LogScrubbing/LogScrubbingRule/NewAzureApplicationGatewayFirewallPolicyLogScrubbingRuleCommand.cs

@@ -0,0 +1,58 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallPolicyLogScrubbingConfiguration"), OutputType(typeof(PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration))]
+    public class NewAzureApplicationGatewayFirewallPolicyLogScrubbingConfigurationCommand : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "State of the log scrubbing config. Default value is Enabled")]
+        [ValidateNotNullOrEmpty]
+        [ValidateSet("Enabled", "Disabled", IgnoreCase = true)]
+        public string State { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "The rules that are applied to the logs for scrubbing.")]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallPolicyLogScrubbingRule[] ScrubbingRule { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+
+            if (!this.MyInvocation.BoundParameters.ContainsKey("State"))
+            {
+                this.State = "Enabled";
+            }
+
+            WriteObject(NewObject());
+        }
+
+        protected PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration NewObject()
+        {
+            return new PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration()
+            {
+                State = this.State,
+                ScrubbingRules = this.ScrubbingRule?.ToList()
+            };
+        }
+    }
+}

src/Network/Network/FirewallPolicy/PolicySettings/LogScrubbing/NewAzureApplicationGatewayFirewallPolicyLogScrubbingConfigurationCommand.cs

@@ -0,0 +1,31 @@
+//
+// Copyright (c) Microsoft.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using Microsoft.Azure.Management.Network.Models;
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+using Newtonsoft.Json;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.Network.Models
+{
+    public partial class PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration
+    {
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string State { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<PSApplicationGatewayFirewallPolicyLogScrubbingRule> ScrubbingRules { get; set; }
+    }
+}