Support to enable client certificate revocation check using PS (#19515)

* support enable client certificate revocation check via PS

* update test case for create/update clientauthconfig

* update PS test case, add sessionrecord of testing run

* move the changelog to upcoming release

* when set without VerifyClientRevocation, assign None explicitly

* add test case to verify the property via get

Co-authored-by: Yunchi Wang <[email protected]>

Author: 3quanfeng

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -221,8 +221,6 @@ public void TestApplicationGatewayCRUDWithMutualAuthentication()
             TestRunner.RunTestScript(string.Format("Test-ApplicationGatewayCRUDWithMutualAuthentication -baseDir '{0}'", AppDomain.CurrentDomain.BaseDirectory));
         }
 
-
-
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4055,9 +4055,14 @@ function Test-ApplicationGatewayCRUDWithMutualAuthentication
 		$clientCertFilePath = $basedir + "/ScenarioTests/Data/TrustedClientCertificate.cer"
 		$trustedClient01 = New-AzApplicationGatewayTrustedClientCertificate -Name $trustedClientCert01Name -CertificateFile $clientCertFilePath
 		$sslPolicy = New-AzApplicationGatewaySslPolicy -PolicyType Custom -MinProtocolVersion TLSv1_0 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"
-		$clientAuthConfig = New-AzApplicationGatewayClientAuthConfiguration -VerifyClientCertIssuerDN
+
+		$clientAuthConfig = New-AzApplicationGatewayClientAuthConfiguration -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP
+		Assert-AreEqual $True $clientAuthConfig.VerifyClientCertIssuerDN
+		Assert-AreEqual "OCSP" $clientAuthConfig.VerifyClientRevocation
+
 		$sslProfile01 = New-AzApplicationGatewaySslProfile -Name $sslProfile01Name -SslPolicy $sslPolicy -ClientAuthConfiguration $clientAuthConfig -TrustedClientCertificates $trustedClient01
-		
+		Assert-AreEqual "OCSP" $sslProfile01.ClientAuthConfiguration.VerifyClientRevocation
+
 		$listener = New-AzApplicationGatewayHttpListener -Name $listenerName -Protocol Https -SslCertificate $sslCert -FrontendIPConfiguration $fipconfig -FrontendPort $port -SslProfile $sslProfile01
 
 		# backend part
@@ -4094,6 +4099,7 @@ function Test-ApplicationGatewayCRUDWithMutualAuthentication
 		$clientAuthConfig = Get-AzApplicationGatewayClientAuthConfiguration -SslProfile $sslProfile01
 		Assert-NotNull $clientAuthConfig
 		Assert-AreEqual $True $clientAuthConfig.VerifyClientCertIssuerDN
+		Assert-AreEqual "OCSP" $clientAuthConfig.VerifyClientRevocation
 
 		$getpolicy = Get-AzApplicationGatewaySslProfilePolicy -SslProfile $sslProfile01
 		Assert-AreEqual $sslPolicy.MinProtocolVersion $getpolicy.MinProtocolVersion
@@ -4109,6 +4115,8 @@ function Test-ApplicationGatewayCRUDWithMutualAuthentication
 		$trustedClient02 =  Get-AzApplicationGatewayTrustedClientCertificate -Name $trustedClientCert02Name -ApplicationGateway $getgw
 		$getgw = Add-AzApplicationGatewaySslProfile -Name $sslProfile02Name -ApplicationGateway $getgw -TrustedClientCertificates $trustedClient01,$trustedClient02
 		$sslProfile01 = Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $sslProfile01
+		Assert-AreEqual "None" $sslProfile01.ClientAuthConfiguration.VerifyClientRevocation
+
 		$sslProfile01 = Set-AzApplicationGatewaySslProfilePolicy -SslProfile $sslProfile01 -PolicyType Custom -MinProtocolVersion TLSv1_1 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"
 		$sslPolicy02 = New-AzApplicationGatewaySslPolicy -PolicyType Custom -MinProtocolVersion TLSv1_1 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"
 		$getgw = Set-AzApplicationGatewaySslProfile -Name $sslProfile02Name -ApplicationGateway $getgw -SslPolicy $sslPolicy02 -TrustedClientCertificates $trustedClient01,$trustedClient02 -ClientAuthConfiguration $clientAuthConfig 
@@ -4134,7 +4142,8 @@ function Test-ApplicationGatewayCRUDWithMutualAuthentication
 
 		$clientAuthConfig = Get-AzApplicationGatewayClientAuthConfiguration -SslProfile $getgw.SslProfiles[0]
 		Assert-AreEqual $False $clientAuthConfig.VerifyClientCertIssuerDN
-		
+		Assert-AreEqual "None" $clientAuthConfig.VerifyClientRevocation
+
 		# Remove operations.
 		$sslProfile02 = Remove-AzApplicationGatewaySslProfilePolicy -SslProfile $sslProfile02
 		$getpolicy = Get-AzApplicationGatewaySslProfilePolicy -SslProfile $sslProfile02

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayCRUDWithMutualAuthentication.json

@@ -24,6 +24,12 @@ public class AzureApplicationGatewayClientAuthConfigurationBase : NetworkBaseCmd
             HelpMessage = "Verify client certificate issuer name.")]
         public SwitchParameter VerifyClientCertIssuerDN { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Verify client certificate revocation status.")]
+        [ValidateSet("None", "OCSP", IgnoreCase = true)]
+        public string VerifyClientRevocation { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -38,6 +44,15 @@ public PSApplicationGatewayClientAuthConfiguration NewObject()
                 config.VerifyClientCertIssuerDN = true;
             }
 
+            if (!string.IsNullOrEmpty(this.VerifyClientRevocation))
+            {
+                config.VerifyClientRevocation = this.VerifyClientRevocation;
+            }
+            else
+            {
+                config.VerifyClientRevocation = "None";
+            }
+
             return config;
         }
     }

src/Network/Network/ApplicationGateway/ClientAuthConfiguration/AzureApplicationGatewayClientAuthConfigurationBase.cs

@@ -29,6 +29,9 @@
 * Updated commandlets to support specifying an ASN on VPN Gateway
     - `NewAzureRmVpnGatewayCommand.cs`
     - `UpdateAzureRmVpnGatewayCommand.cs`
+* Updated cmdlets to enable verification on client certificate revocation by using a new property VerifyClientRevocation in ApplicationGatewayClientAuthConfiguration
+    - `New-AzApplicationGatewayClientAuthConfiguration`
+    - `Set-AzApplicationGatewayClientAuthConfiguration`
 * Added Uppercase Transform in New-AzApplicationGatewayFirewallCondition
 * Updated commandlet to support specifying an action for a managed rule override in Application Gateway WAF Policy.
     - `New-AzApplicationGatewayFirewallPolicyManagedRuleOverride`

src/Network/Network/ChangeLog.md

@@ -18,5 +18,6 @@ namespace Microsoft.Azure.Commands.Network.Models
     public class PSApplicationGatewayClientAuthConfiguration
     {
         public bool? VerifyClientCertIssuerDN { get; set; }
+        public string VerifyClientRevocation { get; set; }
     }
 }

src/Network/Network/Models/PSApplicationGatewayClientAuthConfiguration.cs

@@ -13,7 +13,7 @@ Creates a new client authentication configuration for SSL profile.
 ## SYNTAX
 
 ```
-New-AzApplicationGatewayClientAuthConfiguration [-VerifyClientCertIssuerDN]
+New-AzApplicationGatewayClientAuthConfiguration [-VerifyClientCertIssuerDN] [-VerifyClientRevocation <String>]
  [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
@@ -24,7 +24,7 @@ The **New-AzApplicationGatewayClientAuthConfiguration** cmdlet creates a new cli
 
 ### Example 1
 ```powershell
-$clientAuthConfig = New-AzApplicationGatewayClientAuthConfiguration -VerifyClientCertIssuerDN
+$clientAuthConfig = New-AzApplicationGatewayClientAuthConfiguration -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP
 ```
 
 The command create a new client auth configuration and stores it in $clientAuthConfig variable to be used in a SSL profile.
@@ -61,6 +61,22 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -VerifyClientRevocation
+Verify client certificate revocation status.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+Accepted values: None, OCSP
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 

src/Network/Network/help/New-AzApplicationGatewayClientAuthConfiguration.md

@@ -14,7 +14,7 @@ Modifies the client auth configuration of a ssl profile object.
 
 ```
 Set-AzApplicationGatewayClientAuthConfiguration -SslProfile <PSApplicationGatewaySslProfile>
- [-VerifyClientCertIssuerDN] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-VerifyClientCertIssuerDN] [-VerifyClientRevocation <String>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -26,7 +26,7 @@ The **Set-AzApplicationGatewayClientAuthConfiguration** cmdlet modifies the clie
 ```powershell
 $AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
 $profile  = Get-AzApplicationGatewaySslProfile -Name "SslProfile01" -ApplicationGateway $AppGw
-Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN
+Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP
 ```
 
 The first command gets the application gateway named ApplicationGateway01 in the resource group named ResourceGroup01 and stores it in the $AppGw variable. The second command gets the ssl profile named SslProfile01 for $AppGw and stores the settings in the $profile variable. The last command modifies the client auth configuration of the ssl profile object stored in $profile.
@@ -64,6 +64,22 @@ Accept wildcard characters: False
 ```
 
 ### -VerifyClientCertIssuerDN
+Verify client certificate revocation status.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+Accepted values: None, OCSP
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -VerifyClientRevocation
 Verify client certificate issuer name.
 
 ```yaml