Support Rate Limit Rule For Application Gateway WAF Custom Rule (#21557)

* try

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 1

* 2

* 2

* 2

* 1

* comment

* 2

* 2

* 2

* 2

* name

* 2

* test

* 2

* 1

* 1

* 1

* 2

* 1

* 1

* 1

* 1

Author: Shawnli222

src/Network/Network.Test/Network.Test.csproj

@@ -23,6 +23,7 @@
     <PackageReference Include="Microsoft.Azure.Management.OperationalInsights" Version="0.25.0-preview" />
     <PackageReference Include="Microsoft.Azure.Management.ManagedServiceIdentity" Version="0.10.0-preview" />
     <PackageReference Include="Microsoft.Azure.Management.Storage" Version="25.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Network" Version="26.0.0" />
   </ItemGroup>
 
   <ItemGroup>
@@ -49,9 +50,6 @@
   <ItemGroup>
     <Folder Include="SessionRecords\Commands.Network.Test.ScenarioTests.NetworkManagerTests\" />
   </ItemGroup>
-  
-  <ItemGroup>
-    <ProjectReference Include="..\Network.Management.Sdk\Network.Management.Sdk.csproj" />
-  </ItemGroup>
 
 </Project>
+

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -237,6 +237,13 @@ public void TestApplicationGatewayFirewallPolicyWithCustomRules()
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithCustomRules");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyWithRateLimitRule()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithRateLimitRule");
+        }
 
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4245,6 +4245,62 @@ function Test-ApplicationGatewayFirewallPolicyWithCustomRules
 	}
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithRateLimitRule
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+	$rgname = Get-ResourceGroupName
+	$wafPolicyName = "wafPolicy1"
+
+	try {
+		
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy with rate limiting rule custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Malicious-Header
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Any -NegationCondition $False
+		$groupbyVar = New-AzApplicationGatewayFirewallCustomRuleGroupByVariable -VariableName ClientAddr 
+		$groupbyUserSes = New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession -GroupByVariable $groupbyVar
+		$customRule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RateLimitDuration OneMin -RateLimitThreshold 10 -RuleType RateLimitRule -MatchCondition $condition -GroupByUserSession $groupbyUserSes -Action Block
+
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet 
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings -CustomRule $customRule
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+
+		# Check WAF policy
+		Assert-AreEqual $policy.CustomRules[0].Name $customRule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $customRule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $customRule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $customRule.Priority
+		Assert-AreEqual $policy.CustomRules[0].RateLimitDuration $customRule.RateLimitDuration
+		Assert-AreEqual $policy.CustomRules[0].RateLimitThreshold $customRule.RateLimitThreshold
+		Assert-AreEqual $policy.CustomRules[0].State "Enabled"
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $customRule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $customRule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $customRule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $customRule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.CustomRules[0].GroupByUserSession[0].GroupByVariables[0].VariableName $customRule.GroupByUserSession[0].GroupByVariables[0].VariableName
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+
+		$policy.CustomRules[0].State = "Disabled"
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+		$policy1 = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname
+		Assert-AreEqual $policy1.CustomRules[0].State "Disabled"
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 function Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform
 {
 	# Setup

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyWithCustomRules.json

@@ -111,6 +111,8 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet', 
                'New-AzApplicationGatewayFirewallCondition', 
                'New-AzApplicationGatewayFirewallCustomRule', 
+               'New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession',
+               'New-AzApplicationGatewayFirewallCustomRuleGroupByVariable',
                'New-AzApplicationGatewayFirewallMatchVariable', 
                'New-AzApplicationGatewayFirewallPolicy', 
                'Get-AzApplicationGatewayFirewallPolicy', 

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.ApplicationGatewayTests/TestApplicationGatewayFirewallPolicyWithRateLimitRule.json

@@ -30,6 +30,11 @@
     -`Remove-AzRouteMap`
 * Update cmdlets to add inbound/outbound route maps in routingConfiguration
     -`New-AzRoutingConfiguration`
+* Added new cmdlets to support Rate Limiting Rule for Application Gateway WAF
+    - 'New-AzApplicationGatewayFirewallCustomRuleGroupByUserSession',
+    - 'New-AzApplicationGatewayFirewallCustomRuleGroupByVariable',
+    - Also updated cmdlet to add the property of RateLimitDuration, RateLimitThreshold and GroupByUserSession
+    - `New-AzureApplicationGatewayFirewallCustomRule`
 
 ## Version 5.6.0
 * Updated `New-AzLoadBalancer` and `Set-AzLoadBalancer` to validate surface level parameters for global tier load balancers
@@ -45,6 +50,7 @@
 * Fixed bugs related to auto learn IP prefixes and Snat
 * Updated multi-auth to be supported when both OpenVPN and IkeV2 protocols are used for VNG and VWAN VPN
 
+
 ## Version 5.5.0
 * Updated cmdlets to add new property of `Snat` in Azure Firewall Policy.
     - `New-AzFirewallPolicySnat`

src/Network/Network/Az.Network.psd1

@@ -1018,6 +1018,8 @@ private static void Initialize()
                 cfg.CreateMap<CNM.PSApplicationGatewayWebApplicationFirewallConfiguration, MNM.ApplicationGatewayWebApplicationFirewallConfiguration>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallCondition, MNM.MatchCondition>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallCustomRule, MNM.WebApplicationFirewallCustomRule>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallCustomRuleGroupByUserSession, MNM.GroupByUserSession>();
+                cfg.CreateMap<CNM.PSApplicationGatewayFirewallCustomRuleGroupByVariable, MNM.GroupByVariable>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallMatchVariable, MNM.MatchVariable>();
                 cfg.CreateMap<CNM.PSApplicationGatewayWebApplicationFirewallPolicy, MNM.WebApplicationFirewallPolicy>();
                 cfg.CreateMap<CNM.PSApplicationGatewayFirewallPolicySettings, MNM.PolicySettings>();
@@ -1094,6 +1096,8 @@ private static void Initialize()
                 cfg.CreateMap<MNM.ApplicationGatewayWebApplicationFirewallConfiguration, CNM.PSApplicationGatewayWebApplicationFirewallConfiguration>();
                 cfg.CreateMap<MNM.MatchCondition, CNM.PSApplicationGatewayFirewallCondition>();
                 cfg.CreateMap<MNM.WebApplicationFirewallCustomRule, CNM.PSApplicationGatewayFirewallCustomRule>();
+                cfg.CreateMap<MNM.GroupByUserSession, CNM.PSApplicationGatewayFirewallCustomRuleGroupByUserSession>();
+                cfg.CreateMap<MNM.GroupByVariable, CNM.PSApplicationGatewayFirewallCustomRuleGroupByVariable>();
                 cfg.CreateMap<MNM.MatchVariable, CNM.PSApplicationGatewayFirewallMatchVariable>();
                 cfg.CreateMap<MNM.WebApplicationFirewallPolicy, CNM.PSApplicationGatewayWebApplicationFirewallPolicy>();
                 cfg.CreateMap<MNM.PolicySettings, CNM.PSApplicationGatewayFirewallPolicySettings>();

src/Network/Network/ChangeLog.md

@@ -34,10 +34,23 @@ public class AzureApplicationGatewayFirewallCustomRuleBase : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public int Priority { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Duration over which Rate Limit policy will be applied. Applies only when ruleType is RateLimitRule.")]
+        [ValidateSet("OneMin", "FiveMins", IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string RateLimitDuration { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Rate Limit threshold to apply in case ruleType is RateLimitRule. Must be greater than or equal to 1")]
+        [ValidateNotNullOrEmpty]
+        public int RateLimitThreshold { get; set; } 
+
         [Parameter(
             Mandatory = true,
             HelpMessage = "Describes type of rule.")]
-        [ValidateSet("MatchRule", IgnoreCase = true)]
+        [ValidateSet("MatchRule", "RateLimitRule", IgnoreCase = true)]
         [ValidateNotNullOrEmpty]
         public string RuleType { get; set; }
 
@@ -47,6 +60,13 @@ public class AzureApplicationGatewayFirewallCustomRuleBase : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public PSApplicationGatewayFirewallCondition[] MatchCondition { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = "Define user session identifier group by clauses.")]
+        [ValidateCount(1, 1)]
+        [ValidateNotNullOrEmpty]
+        public PSApplicationGatewayFirewallCustomRuleGroupByUserSession[] GroupByUserSession { get; set; }
+
         [Parameter(
             Mandatory = true,
             HelpMessage = "Type of Actions.")]
@@ -77,7 +97,10 @@ protected PSApplicationGatewayFirewallCustomRule NewObject()
                 Name = this.Name,
                 Priority = this.Priority,
                 RuleType = this.RuleType,
+                RateLimitDuration = this.RateLimitDuration,
+                RateLimitThreshold = this.RateLimitThreshold,
                 MatchConditions = this.MatchCondition?.ToList(),
+                GroupByUserSession = this.GroupByUserSession?.ToList(),
                 Action = this.Action,
                 State = this.State
             };

src/Network/Network/Common/NetworkResourceManagerProfile.cs

@@ -0,0 +1,45 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Network.Models;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.Network
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "ApplicationGatewayFirewallCustomRuleGroupByVariable"), OutputType(typeof(PSApplicationGatewayFirewallCustomRuleGroupByVariable))]
+    public class NewAzureApplicationGatewayFirewallCustomRuleGroupByVariableCommand : NetworkBaseCmdlet
+    {
+        [Parameter(
+            Mandatory = true,
+            HelpMessage = "User Session clause variable.")]
+        [ValidateNotNullOrEmpty]
+        [ValidateSet("ClientAddr", "Geo", "None", IgnoreCase = true)]
+        public string VariableName { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+            WriteObject(NewObject());
+        }
+
+        protected PSApplicationGatewayFirewallCustomRuleGroupByVariable NewObject()
+        {
+            return new PSApplicationGatewayFirewallCustomRuleGroupByVariable()
+            {
+                VariableName = this.VariableName
+            };
+        }
+    }
+}