
Commit 5703873

Adding support for per rule actions feature in application gateway WAF (#19574)
* Saving changes * Updating tests * Update documentation and set Action * Update change log * Fix md file * Fix * Fix * Fix test * Revert test change * Merge latest * Update test recording * Update comment * Ignore network api-version check for Event hub and Service bus as the tests are failing * Update ServiceBusTestRunner.cs * Update EventHubTestRunner.cs Co-authored-by: Yunchi Wang <[email protected]>
1 parent b62ec36 commit 5703873


10 files changed

+620
-352
lines changed

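--- a/src/EventHub/EventHub.Test/ScenarioTests/EventHubTestRunner.cs
+++ b/src/EventHub/EventHub.Test/ScenarioTests/EventHubTestRunner.cs
@@ -60,7 +60,8 @@ protected EventHubTestRunner(ITestOutputHelper output)
 {"Microsoft.Authorization", null},
 {"Microsoft.Storage", null},
 {"Microsoft.KeyVault", null},
-{"Microsoft.ManagedServiceIdentity", null}
+{"Microsoft.ManagedServiceIdentity", null},
+{"Microsoft.Network", null}
 }
 )
 .Build();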
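Review bot: The added `{"Microsoft.Network", null}` entry carries no comment explaining why Microsoft.Network is exempted in an EventHub test runner. Going by the commit message it switches off the api-version check for that provider because the tests were failing, so a recording made against an outdated Network api-version would presumably no longer be caught here. I would add a comment on the new line such as `// Temporary: Microsoft.Network api-version check ignored until the recordings are refreshed (tracking: <ISSUE-PLACEHOLDER>)` so the exemption is removed rather than inherited. The same unexplained entry is added in ServiceBusTestRunner.cs. The constructor body starts and ends outside this hunk, so the meaning of the `null` value is inferred rather than visible.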

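--- a/src/Network/Network.Test/Network.Test.csproj
+++ b/src/Network/Network.Test/Network.Test.csproj
@@ -14,7 +14,7 @@
 
 <ItemGroup>
 <PackageReference Include="Microsoft.Azure.Graph.RBAC" Version="3.4.0-preview" />
-<PackageReference Include="Microsoft.Azure.Management.Network" Version="23.0.0" />
+<PackageReference Include="Microsoft.Azure.Management.Network" Version="24.0.0" />
 <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
 <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="4.0.0-preview.1" />
 <PackageReference Include="Microsoft.Azure.Insights" Version="0.16.0-preview" />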

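--- a/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
+++ b/src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
@@ -3352,10 +3352,11 @@ function Test-ApplicationGatewayFirewallPolicyExclusions
 
 $ruleOverrideEntry1 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942100
 $ruleOverrideEntry2 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942110
-$sqlRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleOverrideEntry1,$ruleOverrideEntry2
+$ruleOverrideEntry3 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 942160 -State Enabled -Action Log
+$sqlRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-942-APPLICATION-ATTACK-SQLI -Rule $ruleOverrideEntry1,$ruleOverrideEntry2, $ruleOverrideEntry3
 
-$ruleOverrideEntry3 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 941100
-$xssRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleOverrideEntry3
+$ruleOverrideEntry4 = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId 941100
+$xssRuleGroupOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride -RuleGroupName REQUEST-941-APPLICATION-ATTACK-XSS -Rule $ruleOverrideEntry4
 
 $managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2" -RuleGroupOverride $sqlRuleGroupOverrideEntry,$xssRuleGroupOverrideEntry
 $managedRules = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet -Exclusion $exclusionEntry1,$exclusionEntry2,$exclusionEntry3,$exclusionEntry4,$exclusionEntry5,$exclusionEntry6,$exclusionEntry7,$exclusionEntry8,$exclusionEntry9
@@ -3369,6 +3370,7 @@ function Test-ApplicationGatewayFirewallPolicyExclusions
 $policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
 Assert-AreEqual $policy.ManagedRules.ManagedRuleSets.Count 1
 Assert-AreEqual $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides.Count 2
+Assert-AreEqual $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides[0].Rules[2].Action Log
 Assert-AreEqual $policy.ManagedRules.Exclusions.Count 9
 Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
 Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb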
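Review bot: The new assertion in the second hunk checks only `Rules[2].Action`; nothing asserts that rule 942160 came back with State Enabled. Since the cmdlet fills in `Disabled` when `-State` is missing, a round-trip that loses the state would leave the rule switched off while this test still passes. I would add `Assert-AreEqual $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides[0].Rules[2].State Enabled` next to it, and ideally an assertion pinning what the two overrides created without `-Action` return. A point of style: `$ruleOverrideEntry2, $ruleOverrideEntry3` has a space after the comma where the rest of the list has none. The function starts and ends outside both hunks.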

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestTopLevelWafPolicyExclusions.json

Lines changed: 569 additions & 341 deletions
Large diffs are not rendered by default.

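--- a/src/Network/Network/ChangeLog.md
+++ b/src/Network/Network/ChangeLog.md
@@ -30,6 +30,8 @@
 - `NewAzureRmVpnGatewayCommand.cs`
 - `UpdateAzureRmVpnGatewayCommand.cs`
 * Added Uppercase Transform in New-AzApplicationGatewayFirewallCondition
+* Updated commandlet to support specifying an action for a managed rule override in Application Gateway WAF Policy.
+- `New-AzApplicationGatewayFirewallPolicyManagedRuleOverride`
 
 ## Version 4.20.1
 * Added breaking change notification for `Get-AzFirewall`, `New-AzFirewall`, `Set-AzFirewall` and `New-AzFirewallHubIpAddress`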

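--- a/src/Network/Network/FirewallPolicy/ManagedRules/ManagedRuleSet/ManagedRuleGroupOverride/ManagedRuleOverride/AzureApplicationGatewayFirewallPolicyManagedRuleOverride.cs
+++ b/src/Network/Network/FirewallPolicy/ManagedRules/ManagedRuleSet/ManagedRuleGroupOverride/ManagedRuleOverride/AzureApplicationGatewayFirewallPolicyManagedRuleOverride.cs
@@ -29,10 +29,17 @@ public class AzureApplicationGatewayFirewallPolicyManagedRuleOverride : NetworkB
 [Parameter(
 Mandatory = false,
 HelpMessage = "State of the Rule.")]
-[ValidateSet("Disabled", IgnoreCase = true)]
+[ValidateSet("Disabled", "Enabled", IgnoreCase = true)]
 [ValidateNotNullOrEmpty]
 public string State { get; set; }
 
+[Parameter(
+Mandatory = false,
+HelpMessage = "Action of the Rule.")]
+[ValidateSet("AnomalyScoring", "Allow", "Block", "Log", IgnoreCase = true)]
+[ValidateNotNullOrEmpty]
+public string Action { get; set; }
+
 public override void ExecuteCmdlet()
 {
 base.ExecuteCmdlet();
@@ -43,7 +50,8 @@ protected PSApplicationGatewayFirewallPolicyManagedRuleOverride NewObject()
 return new PSApplicationGatewayFirewallPolicyManagedRuleOverride()
 {
 RuleId = this.RuleId,
-State = string.IsNullOrEmpty(State) ? "Disabled" : this.State,
+State = string.IsNullOrEmpty(State) ? "Disabled" : this.State,
+Action = this.Action
 };
 }
 }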
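Review bot: In `NewObject()` the State fallback is unchanged, so `-RuleId X -Action Block` without `-State` yields an override with State `Disabled` and Action `Block`: the caller asked for an action and gets a managed WAF rule that is switched off. Either default to Enabled when an action is supplied, `State = string.IsNullOrEmpty(State) ? (string.IsNullOrEmpty(Action) ? "Disabled" : "Enabled") : this.State,`, or warn when Action is set and State is omitted. How the service treats an action on a disabled rule is not visible here, so confirm against the API before choosing. The help text `"Action of the Rule."` should also state that `Allow` lets matching requests through, since that is the value that weakens protection. `ExecuteCmdlet()` continues outside the first hunk.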

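--- a/src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRuleOverride.cs
+++ b/src/Network/Network/Models/PSApplicationGatewayFirewallPolicyManagedRuleOverride.cs
@@ -27,5 +27,8 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRuleOverride
 
 [Ps1Xml(Target = ViewControl.Table)]
 public string State { get; set; }
+
+[Ps1Xml(Target = ViewControl.Table)]
+public string Action { get; set; }
 }
 }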

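--- a/src/Network/Network/Network.csproj
+++ b/src/Network/Network/Network.csproj
@@ -14,7 +14,7 @@
 
 <ItemGroup>
 <PackageReference Include="AutoMapper" Version="6.2.2" />
-<PackageReference Include="Microsoft.Azure.Management.Network" Version="23.0.0" />
+<PackageReference Include="Microsoft.Azure.Management.Network" Version="24.0.0" />
 </ItemGroup>
 
 <ItemGroup>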

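--- a/src/Network/Network/help/New-AzApplicationGatewayFirewallPolicyManagedRuleOverride.md
+++ b/src/Network/Network/help/New-AzApplicationGatewayFirewallPolicyManagedRuleOverride.md
@@ -13,7 +13,7 @@ Creates a managedRuleOverride entry for RuleGroupOverrideGroup entry.
 ## SYNTAX
 
 ```
-New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId <String> [-State <String>]
+New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId <String> [-State <String>] [-Action <String>]
 [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
@@ -29,8 +29,31 @@ $ruleOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -
 
 Creates a ruleOverride Entry with RuleId as $ruleId and State as Disabled.
 
+### Example 2
+```powershell
+$ruleOverrideEntry = New-AzApplicationGatewayFirewallPolicyManagedRuleOverride -RuleId $ruleId -State Enabled -Action Log
+```
+
+Creates a ruleOverride Entry with RuleId as $ruleId, State as Enabled and Action as Log.
+
 ## PARAMETERS
 
+### -Action
+Specify the Action in override rule entry.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+Accepted values: AnomalyScoring, Allow, Block, Log
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with Azure.
 
@@ -68,7 +91,7 @@ Specify the RuleId in override rule entry.
 Type: System.String
 Parameter Sets: (All)
 Aliases:
-Accepted values: Disabled
+Accepted values: Disabled, Enabled
 
 Required: False
 Position: Named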

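--- a/src/ServiceBus/ServiceBus.Test/ScenarioTests/ServiceBusTestRunner.cs
+++ b/src/ServiceBus/ServiceBus.Test/ScenarioTests/ServiceBusTestRunner.cs
@@ -52,7 +52,8 @@ protected ServiceBusTestRunner(ITestOutputHelper output)
 {"Microsoft.Features", null},
 {"Microsoft.Authorization", null},
 {"Microsoft.KeyVault", null},
-{"Microsoft.EventGrid", null }
+{"Microsoft.EventGrid", null },
+{"Microsoft.Network", null }
 }
 )
 .Build();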
