Support Default Disabled Rules in AppGW WAF Manifest with ComputedDisabledRules Property (#28327)

Co-authored-by: yoavmalichi_microsoft <[email protected]>

Author: yoavmal

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -115,7 +115,7 @@ public void TestApplicationGatewayGlobalConfig()
         {
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayGlobalConfig -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
-        
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev)]
@@ -380,5 +380,13 @@ public void TestApplicationGatewayFirewallPolicyWithCustomBlockResponse()
         {
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyComputedDisabledRules()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyComputedDisabledRules");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -19,6 +19,15 @@
 --->
 
 ## Upcoming Release
+* Added a read-only property `ComputedDisabledRules` to `ApplicationGatewayFirewallPolicyManagedRuleSet`. This property shows which rules are effectively disabled, based on both user-defined WAF policy overrides and the default state of the rules in the managed ruleset.
+    * Primary affected Cmdlet (returns the modified object directly):
+        - `New-AzApplicationGatewayFirewallPolicyManagedRuleSet`
+    * Secondary affected Cmdlets (object is nested within their returned result):
+        - `New-AzApplicationGatewayFirewallPolicyManagedRules`
+        - `Get-AzApplicationGatewayFirewallPolicy`
+        - `Set-AzApplicationGatewayFirewallPolicy`
+        - `New-AzApplicationGatewayFirewallPolicy`
+
 
 ## Version 7.19.0
 * Returned appgw and agc in waf policy

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyComputedDisabledRules.json

@@ -1469,6 +1469,7 @@ private static void Initialize()
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyLogScrubbingRule, MNM.WebApplicationFirewallScrubbingRules>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRules, MNM.ManagedRulesDefinition>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet, MNM.ManagedRuleSet>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleSetRuleGroup, MNM.ManagedRuleSetRuleGroup>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride, MNM.ManagedRuleGroupOverride>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyManagedRuleOverride, MNM.ManagedRuleOverride>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicyExclusion, MNM.ApplicationGatewayFirewallExclusion>();
@@ -1573,6 +1574,7 @@ private static void Initialize()
                 cfg.CreateMap<MNM.WebApplicationFirewallScrubbingRules, CNM.PSApplicationGatewayFirewallPolicyLogScrubbingRule>();
                 cfg.CreateMap<MNM.ManagedRulesDefinition, CNM.PSApplicationGatewayFirewallPolicyManagedRules>();
                 cfg.CreateMap<MNM.ManagedRuleSet, CNM.PSApplicationGatewayFirewallPolicyManagedRuleSet>();
+                cfg.CreateMap<MNM.ManagedRuleSetRuleGroup, CNM.PSApplicationGatewayFirewallPolicyManagedRuleSetRuleGroup>();
                 cfg.CreateMap<MNM.ManagedRuleGroupOverride, CNM.PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride>();
                 cfg.CreateMap<MNM.ManagedRuleOverride, CNM.PSApplicationGatewayFirewallPolicyManagedRuleOverride>();
                 cfg.CreateMap<MNM.ApplicationGatewayFirewallExclusion, CNM.PSApplicationGatewayFirewallPolicyExclusion>();

src/Network/Network/ChangeLog.md

@@ -28,5 +28,7 @@ public partial class PSApplicationGatewayFirewallPolicyManagedRuleSet
         public string RuleSetVersion { get; set; }
         [Ps1Xml(Target = ViewControl.Table)]
         public List<PSApplicationGatewayFirewallPolicyManagedRuleGroupOverride> RuleGroupOverrides { get; set; }
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<PSApplicationGatewayFirewallPolicyManagedRuleSetRuleGroup> ComputedDisabledRules { get; private set; }
     }
 }

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -0,0 +1,29 @@
+//
+// Copyright (c) Microsoft.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.Network.Models
+{
+    public class PSApplicationGatewayFirewallPolicyManagedRuleSetRuleGroup
+    {
+        [Ps1Xml(Target = ViewControl.Table)]
+        public string RuleGroupName { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public List<string> Rules { get; set; }
+    }
+}