Inspection Limit Feature for Application Gateway Firewall Policy Settings #21603

Merged
merged 30 commits into from
May 4, 2023
f1d0a93
2
Shawnli222 Apr 17, 2023
aabc37b
1
Shawnli222 Apr 17, 2023
6e9375e
2
Shawnli222 Apr 17, 2023
fb42c6f
Merge branch 'main' into inspectionlimit
Shawnli222 Apr 19, 2023
20a2fad
new change
Shawnli222 Apr 20, 2023
f391db7
final test
Shawnli222 Apr 20, 2023
0971fa5
true
Shawnli222 Apr 20, 2023
ad9a676
new sdk
Shawnli222 Apr 22, 2023
88c2983
test name
Shawnli222 Apr 22, 2023
7d3c939
merge conflict
Shawnli222 Apr 24, 2023
baf4c60
merge conflict
Shawnli222 Apr 24, 2023
ed2b83b
merge conflict
Shawnli222 Apr 25, 2023
317fdc1
description change
Shawnli222 Apr 26, 2023
27c3043
Merge branch 'main' into inspectionlimit
Shawnli222 Apr 26, 2023
9044169
change test case var to false
Shawnli222 Apr 27, 2023
014fb29
merge conflict
Shawnli222 Apr 28, 2023
24af927
help msg for var change
Shawnli222 Apr 28, 2023
8899c00
Merge branch 'release-network-2022-11-01' into inspectionlimit
Shawnli222 Apr 28, 2023
89ead37
Merge branch 'main' into inspectionlimit
Shawnli222 Apr 28, 2023
2383af8
Merge branch 'inspectionlimit' of https://github.com/Shawnli222/azure…
Shawnli222 Apr 28, 2023
ada16e7
address comment
Shawnli222 Apr 28, 2023
bfb9019
edit help file
Shawnli222 Apr 28, 2023
b4dbc2a
revert previous change
Shawnli222 Apr 28, 2023
cce3f9d
change var to diabled
Shawnli222 May 1, 2023
ad7446b
help edit
Shawnli222 May 1, 2023
cec8f24
null condition
Shawnli222 May 1, 2023
4646a2e
move condition outside
Shawnli222 May 2, 2023
dca61e5
help function
Shawnli222 May 2, 2023
ff89efc
new function to new var
Shawnli222 May 2, 2023
cf28a28
edit var to nullable
Shawnli222 May 3, 2023
Expand Up @@ -253,6 +253,14 @@ public void TestApplicationGatewayFirewallPolicyWithUppercaseTransform()
TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
public void TestApplicationGatewayFirewallPolicyWithInspectionLimit()
{
TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithInspectionLimit");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
54 changes: 54 additions & 0 deletions src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
Expand Up @@ -4352,6 +4352,60 @@ function Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform
}
}

function Test-ApplicationGatewayFirewallPolicyWithInspectionLimit
{
# Setup
$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"

$rgname = Get-ResourceGroupName
$wafPolicy = Get-ResourceName

try
{
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}

# WAF Policy and Custom Rule
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Content-Length
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GreaterThan -MatchValue 1000 -Transform Uppercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -RequestBodyEnforcement $True -RequestBodyInspectLimitInKB 2000 -MaxFileUploadInMb 70 -FileUploadEnforcement $True -MaxRequestBodySizeInKb 70
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
New-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings

$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
$policy.CustomRules = $rule
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname

# Check firewall policy
Assert-AreEqual $policy.CustomRules[0].Name $rule.Name
Assert-AreEqual $policy.CustomRules[0].RuleType $rule.RuleType
Assert-AreEqual $policy.CustomRules[0].Action $rule.Action
Assert-AreEqual $policy.CustomRules[0].Priority $rule.Priority
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $rule.MatchConditions[0].OperatorProperty
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].Transforms[0] $rule.MatchConditions[0].Transforms[0]
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $rule.MatchConditions[0].NegationConditon
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchValues[0] $rule.MatchConditions[0].MatchValues[0]
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $rule.MatchConditions[0].MatchVariables[0].VariableName
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $rule.MatchConditions[0].MatchVariables[0].Selector
Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
Assert-AreEqual $policy.PolicySettings.State $policySettings.State
Assert-AreEqual $policy.PolicySettings.RequestBodyEnforcement $policySettings.RequestBodyEnforcement
Assert-AreEqual $policy.PolicySettings.RequestBodyInspectLimitInKB $policySettings.RequestBodyInspectLimitInKB
Assert-AreEqual $policy.PolicySettings.FileUploadEnforcement $policySettings.FileUploadEnforcement
}
finally
{
# Cleanup
Clean-ResourceGroup $rgname
}
}

function Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse
{
# Setup
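Review bot: The policy-setting assertions at the end of the `try` block compare the fetched policy against the local `$policySettings` object rather than the literal inputs, so a property that is missing or misspelled on both objects evaluates to `$null` on each side and the assertion still passes. Assert the values the test passed in, for example `Assert-AreEqual 2000 $policy.PolicySettings.RequestBodyInspectLimitInKB` and `Assert-AreEqual $true $policy.PolicySettings.RequestBodyEnforcement`. The test also sets both enforcement flags to `$True`, which is the value the cmdlet assigns anyway when they are omitted; add a case with `$False` so a non-default value is round-tripped. `-RequestBodyInspectLimitInKB 2000` is larger than `-MaxRequestBodySizeInKb 70`, which deserves a comment if it is intentional.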
3 changes: 3 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -40,6 +40,9 @@
* Added support of `AdditionalNic` Property in New-AzNetworkVirtualAppliance
* Added the new cmdlet for supporting `AdditionalNic` Property
- 'New-AzVirtualApplianceAdditionalNicProperty'
* Updated cmdlet to add the property of RequestBodyEnforcement, RequestBodyInspectLimitInKB and FileUploadEnforcement
- `New-AzApplicationGatewayFirewallPolicySetting`


## Version 5.6.0
* Updated `New-AzLoadBalancer` and `Set-AzLoadBalancer` to validate surface level parameters for global tier load balancers
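Review bot: The new ChangeLog entry lists the three parameters without backticks and describes them as "the property of", while the neighbouring entries wrap identifiers such as `AdditionalNic` in backticks. Suggest wording along the lines of: Added `RequestBodyEnforcement`, `RequestBodyInspectLimitInKB` and `FileUploadEnforcement` parameters to `New-AzApplicationGatewayFirewallPolicySetting`. The hunk also adds a second blank line before `## Version 5.6.0` that can be dropped.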
Expand Up @@ -33,7 +33,15 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
[ValidateSet("Disabled", "Enabled", IgnoreCase = true)]
[ValidateNotNullOrEmpty]
public string State { get; set; }


[Parameter(Mandatory = false, HelpMessage = "Configure WAF to enforce request body limits.")]
[ValidateNotNullOrEmpty]
public bool RequestBodyEnforcement { get; set; }

[Parameter(Mandatory = false, HelpMessage = "Max inspection limit in KB for request body inspection for WAF.")]
[ValidateNotNullOrEmpty]
public int RequestBodyInspectLimitInKB { get; set; }

[Parameter(
HelpMessage = "Disable Request Body check.")]
public SwitchParameter DisableRequestBodyCheck { get; set; }
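Review bot: `[ValidateNotNullOrEmpty]` on `RequestBodyEnforcement` (`bool`) and `RequestBodyInspectLimitInKB` (`int`) validates nothing, because a non-nullable value type is never null or empty, so the inspection limit accepts 0 and negative numbers. Replace it on the `int` with a `[ValidateRange(...)]` matching the limits the service accepts, state that range in the HelpMessage, and consider `bool?` and `int?` so an omitted parameter can be told apart from an explicit `false` or `0`. The hunk also leaves two consecutive blank lines after `State`.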
Expand All @@ -43,6 +51,10 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
[ValidateNotNullOrEmpty]
public int MaxRequestBodySizeInKb { get; set; }

[Parameter(Mandatory = false, HelpMessage = "Configure WAF to enforce file upload limits.")]
[ValidateNotNullOrEmpty]
public bool FileUploadEnforcement { get; set; }

[Parameter(
HelpMessage = "Maximum fileUpload size in MB.")]
[ValidateNotNullOrEmpty]
Expand Down Expand Up @@ -70,6 +82,16 @@ public override void ExecuteCmdlet()
this.State = "Enabled";
}

if (!this.MyInvocation.BoundParameters.ContainsKey("RequestBodyEnforcement"))
{
this.RequestBodyEnforcement = true;
}

if (!this.MyInvocation.BoundParameters.ContainsKey("FileUploadEnforcement"))
{
this.FileUploadEnforcement = true;
}

if (!this.MyInvocation.BoundParameters.ContainsKey("MaxRequestBodySizeInKb"))
{
this.MaxRequestBodySizeInKb = 128;
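Review bot: The bound-parameter defaults added in `ExecuteCmdlet()` cover `RequestBodyEnforcement` and `FileUploadEnforcement` but not `RequestBodyInspectLimitInKB`, so when the caller omits it the property keeps the `int` default of 0 and `NewObject()` copies that 0 into the policy settings. Either assign a documented default in this block, as is done with `this.MaxRequestBodySizeInKb = 128;`, or skip the assignment when the parameter is not bound. The parameter names are repeated as string literals; `nameof(RequestBodyEnforcement)` would keep each key in step with its property.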
Expand Down Expand Up @@ -102,8 +124,11 @@ protected PSApplicationGatewayFirewallPolicySettings NewObject()
{
Mode = this.Mode,
State = this.State,
RequestBodyEnforcement = this.RequestBodyEnforcement,
RequestBodyInspectLimitInKB = this.RequestBodyInspectLimitInKB,
RequestBodyCheck = this.DisableRequestBodyCheck.IsPresent ? false : true,
MaxRequestBodySizeInKb = this.MaxRequestBodySizeInKb,
FileUploadEnforcement = this.FileUploadEnforcement,
FileUploadLimitInMb = this.MaxFileUploadInMb,
CustomBlockResponseBody = this.CustomBlockResponseBody,
CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,
Expand Up @@ -28,12 +28,21 @@ public partial class PSApplicationGatewayFirewallPolicySettings
[Ps1Xml(Target = ViewControl.Table)]
public string Mode { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public bool RequestBodyEnforcement { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public int RequestBodyInspectLimitInKB { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public bool RequestBodyCheck { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public int MaxRequestBodySizeInKb { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public bool FileUploadEnforcement { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public int FileUploadLimitInMb { get; set; }
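Review bot: `RequestBodyInspectLimitInKB` ends in `KB` while the adjacent properties are `MaxRequestBodySizeInKb` and `FileUploadLimitInMb`, which gives the public model two casings for the same kind of suffix. If the casing is dictated by the underlying SDK model, say so in a comment; otherwise align it before this ships as public surface. The non-nullable `int` also means a policy with no configured limit is displayed as 0 in the table view, where `int?` would show it as empty.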

Expand Up @@ -13,8 +13,8 @@ Creates a policy setting for the firewall policy
## SYNTAX

```
New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>] [-DisableRequestBodyCheck]
[-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-CustomBlockResponseStatusCode <Int32>]
New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>] [-RequestBodyEnforcement <Boolean>] [-RequestBodyInspectLimitInKB <Int32>] [-DisableRequestBodyCheck]
[-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-FileUploadEnforcement <Boolean>] [-CustomBlockResponseStatusCode <Int32>]
[-CustomBlockResponseBody <String>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
```

Expand All @@ -31,8 +31,61 @@ $condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState
The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
The new policySettings is stored to $condition.

### Example 3
```powershell
$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -RequestBodyEnforcement true -RequestBodyInspectLimitInKB 2000 -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -FileUploadEnforcement true -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
```

The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as true, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as true and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
The new policySettings is stored to $condition.

## PARAMETERS

### -RequestBodyEnforcement
Configure WAF to enforce request body limits.

```yaml
Type: System.Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -RequestBodyInspectLimitInKB
Max inspection limit in KB for request body inspection for WAF.

```yaml
Type: System.Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -FileUploadEnforcement
Configure WAF to enforce file upload limits.

```yaml
Type: System.Boolean
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -CustomBlockResponseBody
Custom Block Response Body in policy settings of the firewall policy.
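Review bot: Example 3 passes `-RequestBodyEnforcement true` and `-FileUploadEnforcement true` as bare words, which PowerShell reads as the string "true" and cannot bind to a `System.Boolean` parameter; use `$true`. The description under the example repeats the `$$maxRequestBodySizeInKb` typo from Example 2. `Default value: None` for `-RequestBodyEnforcement` and `-FileUploadEnforcement` disagrees with `ExecuteCmdlet()`, which sets both to `true` when they are not bound, so the help should state that default.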
