JavaScript Challenge Feature for Application Gateway Firewall Policy Settings #24425

Merged 9 commits on Apr 25, 2024
Expand Up @@ -341,6 +341,14 @@ public void TestApplicationGatewayFirewallPolicyWithInspectionLimit()
TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithInspectionLimit");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
public void TestApplicationGatewayFirewallPolicyWithJSChallenge()
{
TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithJSChallenge");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
47 changes: 47 additions & 0 deletions src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1
Expand Up @@ -5337,6 +5337,53 @@ function Test-ApplicationGatewayFirewallPolicyWithInspectionLimit
}
}

function Test-ApplicationGatewayFirewallPolicyWithJSChallenge
{
# Setup
$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
$rgname = Get-ResourceGroupName
$wafPolicyName = "wafPolicy1"

try {

$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}

# WAF Policy with custom Rule
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Malicious-Header
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Any -NegationCondition $False
$customRule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block

$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -MaxFileUploadInMb 70 -MaxRequestBodySizeInKb 70 -JSChallengeCookieExpirationInMins 100
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
New-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings -CustomRule $customRule

$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicyName -ResourceGroupName $rgname

# Check WAF policy
Assert-AreEqual $policy.CustomRules[0].Name $customRule.Name
Assert-AreEqual $policy.CustomRules[0].RuleType $customRule.RuleType
Assert-AreEqual $policy.CustomRules[0].Action $customRule.Action
Assert-AreEqual $policy.CustomRules[0].Priority $customRule.Priority
Assert-AreEqual $policy.CustomRules[0].State "Enabled"
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $customRule.MatchConditions[0].OperatorProperty
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $customRule.MatchConditions[0].NegationConditon
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $customRule.MatchConditions[0].MatchVariables[0].VariableName
Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $customRule.MatchConditions[0].MatchVariables[0].Selector
Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
Assert-AreEqual $policy.PolicySettings.State $policySettings.State
Assert-AreEqual $policy.PolicySettings.JSChallengeCookieExpirationInMins $policySettings.JSChallengeCookieExpirationInMins
}
finally
{
# Cleanup
Clean-ResourceGroup $rgname
}
}

function Test-ApplicationGatewayFirewallPolicyCustomRuleRemoval
{
# Setup
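
Review bot: The last assertion in the "Check WAF policy" block compares `$policy.PolicySettings.JSChallengeCookieExpirationInMins` with `$policySettings.JSChallengeCookieExpirationInMins` rather than with the literal 100 passed to `New-AzApplicationGatewayFirewallPolicySetting`, so the test still passes if the cmdlet never sets the property on the local object and the service returns nothing for it (both sides `$null`). Assert against 100 directly. The test also exercises a single in-range value; consider adding cases at the `[ValidateRange(5,1440)]` limits (5 and 1440 accepted, 4 and 1441 rejected) and one where the parameter is omitted, so the unset path is covered.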

2 changes: 2 additions & 0 deletions src/Network/Network/ChangeLog.md
Expand Up @@ -30,6 +30,8 @@
* Added a new AuxiliaryMode value `AuxiliaryMode.Floating`
* Added support for AzureFirewallPacketCapture
* Added support of `UserAssignedIdentityId` Property in New-AzNetworkWatcherFlowLog and Set-AzNetworkWatcherFlowLog commands
* Updated cmdlet to add the property of JSChallengeCookieExpirationInMins
- `New-AzApplicationGatewayFirewallPolicySetting`

## Version 7.3.0
* Fixed a few minor issues
Expand Up @@ -72,6 +72,11 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
[ValidateNotNullOrEmpty]
public PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration LogScrubbing { get; set; }

[Parameter(Mandatory = false, HelpMessage = "Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes.")]
[ValidateNotNullOrEmpty]
[ValidateRange(5,1440)]
public int? JSChallengeCookieExpirationInMins { get; set; }

public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
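
Review bot: On the new `JSChallengeCookieExpirationInMins` parameter, `[ValidateNotNullOrEmpty]` appears redundant next to `[ValidateRange(5,1440)]` on an `int?`; consider dropping it so the range attribute is the single validation rule. The bounds 5 and 1440 are bare literals here, so a short comment stating where they come from would help the next reader confirm they still match the service.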
Expand Down Expand Up @@ -124,7 +129,10 @@ public override void ExecuteCmdlet()
this.CustomBlockResponseBody = null;
}


if (!this.MyInvocation.BoundParameters.ContainsKey("JSChallengeCookieExpirationInMins"))
{
this.JSChallengeCookieExpirationInMins = (int?)null;
}
}

protected PSApplicationGatewayFirewallPolicySettings NewObject()
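
Review bot: The `BoundParameters.ContainsKey("JSChallengeCookieExpirationInMins")` block assigns `(int?)null` to a property declared as `public int? JSChallengeCookieExpirationInMins { get; set; }` with no initializer, so it is already null when the parameter is not bound; the block and the cast can be removed unless something assigns the property earlier. If it is kept for symmetry with the `CustomBlockResponseBody` handling above it, use `nameof(JSChallengeCookieExpirationInMins)` instead of the string literal.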
Expand Down Expand Up @@ -160,7 +168,8 @@ protected PSApplicationGatewayFirewallPolicySettings NewObject()
FileUploadLimitInMb = this.MaxFileUploadInMb,
CustomBlockResponseBody = this.CustomBlockResponseBody,
CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,
LogScrubbing = this.LogScrubbing
LogScrubbing = this.LogScrubbing,
JSChallengeCookieExpirationInMins = this.JSChallengeCookieExpirationInMins
};
}
}
Expand Up @@ -54,5 +54,8 @@ public partial class PSApplicationGatewayFirewallPolicySettings

[Ps1Xml(Target = ViewControl.Table)]
public PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration LogScrubbing { get; set; }

[Ps1Xml(Target = ViewControl.Table)]
public int? JSChallengeCookieExpirationInMins { get; set; }
}
}
Expand Up @@ -18,6 +18,7 @@ New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>]
[-MaxRequestBodySizeInKb <Int32>] [-DisableFileUploadEnforcement <Boolean>] [-MaxFileUploadInMb <Int32>]
[-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
[-LogScrubbing <PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration>]
[-JSChallengeCookieExpirationInMins <Int32>]
[-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
```

Expand All @@ -31,23 +32,32 @@ The **New-AzApplicationGatewayFirewallPolicySetting** creates a policy settings
$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
```

The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb.
The new policySettings is stored to $condition.

### Example 2
```powershell
$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb -LogScrubbing $logScrubbingRuleConfig
```

The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb with a scrubbing rule as $logScrubbingRuleConfig.
The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb with a scrubbing rule as $logScrubbingRuleConfig.
The new policySettings is stored to $condition.

### Example 3
```powershell
$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyEnforcement true -RequestBodyInspectLimitInKB 2000 -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -DisableFileUploadEnforcement true -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
```

The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as false, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as false and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as false, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as false and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb.
The new policySettings is stored to $condition.

### Example 4
```powershell
$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -MaxRequestBodySizeInKb $maxRequestBodySizeInKb -JSChallengeCookieExpirationInMins $jsChallengeCookieExpirationInMins
```

The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb, JSChallengeCookieExpirationInMins as $jsChallengeCookieExpirationInMins.
The new policySettings is stored to $condition.

## PARAMETERS
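
Review bot: Example 4 passes `$jsChallengeCookieExpirationInMins` without ever showing a value, so the example does not tell a reader what is valid. Use a concrete value inside the range the cmdlet enforces with `[ValidateRange(5,1440)]`, and fix the description sentence, which joins its last two settings with both "and" and a comma ("... and MaxRequestBodySizeInKb as $maxRequestBodySizeInKb, JSChallengeCookieExpirationInMins as ...").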

Expand Down Expand Up @@ -217,6 +227,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```

### -JSChallengeCookieExpirationInMins
Web Application Firewall JavaScript Challenge Cookie Expiration time in minutes.

```yaml
Type: System.Nullable`1[System.Int32]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -State
State variable in policy settings of the firewall policy.
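
Review bot: The `-JSChallengeCookieExpirationInMins` section states neither the accepted range nor what happens when the parameter is omitted; `Default value: None` does not say which expiration applies in that case. Add the 5 to 1440 minute range that the cmdlet enforces and one sentence on the behaviour when the parameter is not set.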

Expand Up @@ -446,3 +446,4 @@
"Az.Network","Microsoft.Azure.Commands.Network.UpdateAzureRmP2SVpnGatewayCommand","Update-AzP2sVpnGateway","1","8700","Parameter set 'ByP2SVpnGatewayResourceIdNoVpnServerConfigurationUpdate', 'ByP2SVpnGatewayResourceIdByVpnServerConfigurationObject' of cmdlet 'Update-AzP2sVpnGateway' have the same mandatory parameters, and both of them are not default parameter set which may cause confusion.","Merge these parameter sets into one parameter set."
"Az.Network","Microsoft.Azure.Commands.Network.Bastion.NewAzBastionCommand","New-AzBastion","1","8410","Parameter EnableKerberos of cmdlet New-AzBastion does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
"Az.Network","Microsoft.Azure.Commands.Network.Bastion.SetAzBastionCommand","Set-AzBastion","1","8410","Parameter EnableKerberos of cmdlet Set-AzBastion does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
"Az.Network","Microsoft.Azure.Commands.Network.NewAzureApplicationGatewayFirewallPolicySettingCommand","New-AzApplicationGatewayFirewallPolicySetting","1","8410","Parameter JSChallengeCookieExpirationInMins of cmdlet New-AzApplicationGatewayFirewallPolicySetting does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."
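
Review bot: The added line suppresses rule 8410 for `JSChallengeCookieExpirationInMins` instead of addressing it. If the name has to match an external contract, keep that name on the model property and consider a singular-noun parameter name on the cmdlet with the current name as an `[Alias]`; otherwise record the reason for the suppression in the PR description so the exception stays traceable.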
Contributor

@Shawnli222, can you rename the parameter using a singular noun instead of suppressing the issue?

Contributor Author

We have to make it the same as the swagger PR so it had to be like this

Contributor Author

Here is the swagger link: Azure/azure-rest-api-specs#28011