Inspection Limit Feature for Application Gateway Firewall Policy Sett…

…ings (#21603)

* 2

* 1

* 2

* new change

* final test

* true

* new sdk

* test name

* merge conflict

* description change

* change test case var to false

* help msg for var change

* address comment

* edit help file

* revert previous change

* change var to diabled

* help edit

* null condition

* move condition outside

* help function

* new function to new var

* edit var to nullable

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.cs

@@ -261,6 +261,14 @@ public void TestApplicationGatewayFirewallPolicyWithUppercaseTransform()
             TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]
+        public void TestApplicationGatewayFirewallPolicyWithInspectionLimit()
+        {
+            TestRunner.RunTestScript("Test-ApplicationGatewayFirewallPolicyWithInspectionLimit");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(Category.Owner, NrpTeamAlias.nvadev_subset1)]

src/Network/Network.Test/ScenarioTests/ApplicationGatewayTests.ps1

@@ -4401,6 +4401,60 @@ function Test-ApplicationGatewayFirewallPolicyWithUppercaseTransform
 	}
 }
 
+function Test-ApplicationGatewayFirewallPolicyWithInspectionLimit
+{
+	# Setup
+	$location = Get-ProviderLocation "Microsoft.Network/applicationGateways" "West US 2"
+
+	$rgname = Get-ResourceGroupName
+	$wafPolicy = Get-ResourceName
+
+	try
+	{
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location -Tags @{ testtag = "APPGw tag"}
+
+		# WAF Policy and Custom Rule
+		$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector Content-Length
+		$condition =  New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GreaterThan -MatchValue 1000 -Transform Uppercase -NegationCondition $False
+		$rule = New-AzApplicationGatewayFirewallCustomRule -Name example -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
+		$policySettings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled -DisableRequestBodyEnforcement $True -RequestBodyInspectLimitInKB 2000 -MaxFileUploadInMb 70 -DisableFileUploadEnforcement $True -MaxRequestBodySizeInKb 70
+		$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType "OWASP" -RuleSetVersion "3.2"
+		$managedRule = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $managedRuleSet
+		New-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname -Location $location -ManagedRule $managedRule -PolicySetting $policySettings
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+		$policy.CustomRules = $rule
+		Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
+
+		$policy = Get-AzApplicationGatewayFirewallPolicy -Name $wafPolicy -ResourceGroupName $rgname
+
+		# Check firewall policy
+		Assert-AreEqual $policy.CustomRules[0].Name $rule.Name
+		Assert-AreEqual $policy.CustomRules[0].RuleType $rule.RuleType
+		Assert-AreEqual $policy.CustomRules[0].Action $rule.Action
+		Assert-AreEqual $policy.CustomRules[0].Priority $rule.Priority
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].OperatorProperty $rule.MatchConditions[0].OperatorProperty
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].Transforms[0] $rule.MatchConditions[0].Transforms[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].NegationConditon $rule.MatchConditions[0].NegationConditon
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchValues[0] $rule.MatchConditions[0].MatchValues[0]
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].VariableName $rule.MatchConditions[0].MatchVariables[0].VariableName
+		Assert-AreEqual $policy.CustomRules[0].MatchConditions[0].MatchVariables[0].Selector $rule.MatchConditions[0].MatchVariables[0].Selector
+		Assert-AreEqual $policy.PolicySettings.FileUploadLimitInMb $policySettings.FileUploadLimitInMb
+		Assert-AreEqual $policy.PolicySettings.MaxRequestBodySizeInKb $policySettings.MaxRequestBodySizeInKb
+		Assert-AreEqual $policy.PolicySettings.RequestBodyCheck $policySettings.RequestBodyCheck
+		Assert-AreEqual $policy.PolicySettings.Mode $policySettings.Mode
+		Assert-AreEqual $policy.PolicySettings.State $policySettings.State
+		Assert-AreEqual $False $policySettings.RequestBodyEnforcement
+		Assert-AreEqual $policy.PolicySettings.RequestBodyInspectLimitInKB $policySettings.RequestBodyInspectLimitInKB
+		Assert-AreEqual $False $policySettings.FileUploadEnforcement
+	}
+	finally
+	{
+		# Cleanup
+		Clean-ResourceGroup $rgname
+	}
+}
+
 function Test-ApplicationGatewayFirewallPolicyWithCustomBlockResponse
 {
 	# Setup

src/Network/Network/ChangeLog.md

@@ -45,6 +45,9 @@
     - 'New-AzApplicationGatewayFirewallPolicyLogScrubbingRule',
     - Also updated cmdlet to add the property of LogScrubbing 
     - `New-AzApplicationGatewayFirewallPolicySetting`
+* Updated cmdlet to add the property of DisableRequestBodyEnforcement, RequestBodyInspectLimitInKB and DisableFileUploadEnforcement 
+    - `New-AzApplicationGatewayFirewallPolicySetting`
+
 
 
 ## Version 5.6.0

src/Network/Network/FirewallPolicy/PolicySettings/AzureApplicationGatewayFirewallPolicySetting.cs

@@ -33,7 +33,15 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
         [ValidateSet("Disabled", "Enabled", IgnoreCase = true)]
         [ValidateNotNullOrEmpty]
         public string State { get; set; }
-
+
+        [Parameter(Mandatory = false, HelpMessage = "Disable request body enforcement limits for WAF.")]
+        [ValidateNotNullOrEmpty]
+        public bool? DisableRequestBodyEnforcement { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Max inspection limit in KB for request body inspection.")]
+        [ValidateNotNullOrEmpty]
+        public int? RequestBodyInspectLimitInKB { get; set; }
+
         [Parameter(
             HelpMessage = "Disable Request Body check.")]
         public SwitchParameter DisableRequestBodyCheck { get; set; }
@@ -43,6 +51,10 @@ public class AzureApplicationGatewayFirewallPolicySetting : NetworkBaseCmdlet
         [ValidateNotNullOrEmpty]
         public int MaxRequestBodySizeInKb { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Disable file upload enforcement limits for WAF.")]
+        [ValidateNotNullOrEmpty]
+        public bool? DisableFileUploadEnforcement { get; set; }
+
         [Parameter(
            HelpMessage = "Maximum fileUpload size in MB.")]
         [ValidateNotNullOrEmpty]
@@ -89,6 +101,21 @@ public override void ExecuteCmdlet()
                 this.CustomBlockResponseStatusCode = (int?)null;
             }
 
+            if (!this.MyInvocation.BoundParameters.ContainsKey("RequestBodyInspectLimitInKB"))
+            {
+                this.RequestBodyInspectLimitInKB = (int?)null;
+            }
+
+            if (!this.MyInvocation.BoundParameters.ContainsKey("DisableFileUploadEnforcement"))
+            {
+                this.DisableFileUploadEnforcement = (bool?)null;
+            }
+
+            if (!this.MyInvocation.BoundParameters.ContainsKey("DisableRequestBodyEnforcement"))
+            {
+                this.DisableRequestBodyEnforcement = (bool?)null;
+            }
+
             if (this.MyInvocation.BoundParameters.ContainsKey("CustomBlockResponseBody"))
             {
                 this.CustomBlockResponseBody = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(CustomBlockResponseBody));
@@ -102,12 +129,34 @@ public override void ExecuteCmdlet()
 
         protected PSApplicationGatewayFirewallPolicySettings NewObject()
         {
+            bool? RequestBodyEnforcementVal = null;
+            if (this.DisableRequestBodyEnforcement != null)
+            {
+                RequestBodyEnforcementVal = true;
+                if (this.DisableRequestBodyEnforcement == true)
+                {
+                    RequestBodyEnforcementVal = false;
+                }
+            }
+            bool? FileUploadEnforcementVal = null;
+            if (this.DisableFileUploadEnforcement != null)
+            {
+                FileUploadEnforcementVal = true;
+                if (this.DisableFileUploadEnforcement == true)
+                {
+                    FileUploadEnforcementVal = false;
+                }
+            }
+
             return new PSApplicationGatewayFirewallPolicySettings()
             {
                 Mode = this.Mode,
                 State = this.State,
+                RequestBodyEnforcement = RequestBodyEnforcementVal,
+                RequestBodyInspectLimitInKB = this.RequestBodyInspectLimitInKB,
                 RequestBodyCheck = this.DisableRequestBodyCheck.IsPresent ? false : true,
                 MaxRequestBodySizeInKb = this.MaxRequestBodySizeInKb,
+                FileUploadEnforcement = FileUploadEnforcementVal,
                 FileUploadLimitInMb = this.MaxFileUploadInMb,
                 CustomBlockResponseBody = this.CustomBlockResponseBody,
                 CustomBlockResponseStatusCode = this.CustomBlockResponseStatusCode,

src/Network/Network/Models/PSApplicationGatewayFirewallPolicySettings.cs

@@ -28,12 +28,21 @@ public partial class PSApplicationGatewayFirewallPolicySettings
         [Ps1Xml(Target = ViewControl.Table)]
         public string Mode { get; set; }
 
+        [Ps1Xml(Target = ViewControl.Table)]
+        public bool? RequestBodyEnforcement { get; set; }
+
+        [Ps1Xml(Target = ViewControl.Table)]
+        public int? RequestBodyInspectLimitInKB { get; set; }
+
         [Ps1Xml(Target = ViewControl.Table)]
         public bool RequestBodyCheck { get; set; }
 
         [Ps1Xml(Target = ViewControl.Table)]
         public int MaxRequestBodySizeInKb { get; set; }
 
+        [Ps1Xml(Target = ViewControl.Table)]
+        public bool? FileUploadEnforcement { get; set; }
+
         [Ps1Xml(Target = ViewControl.Table)]
         public int FileUploadLimitInMb { get; set; }
 

src/Network/Network/help/New-AzApplicationGatewayFirewallPolicySetting.md

@@ -13,8 +13,8 @@ Creates a policy setting for the firewall policy
 ## SYNTAX
 
 ```
-New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>] [-DisableRequestBodyCheck]
- [-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-CustomBlockResponseStatusCode <Int32>]
+New-AzApplicationGatewayFirewallPolicySetting [-Mode <String>] [-State <String>] [-DisableRequestBodyEnforcement <Boolean>] [-RequestBodyInspectLimitInKB <Int32>] [-DisableRequestBodyCheck] 
+ [-MaxRequestBodySizeInKb <Int32>] [-MaxFileUploadInMb <Int32>] [-DisableFileUploadEnforcement <Boolean>] [-CustomBlockResponseStatusCode <Int32>]
  [-CustomBlockResponseBody <String>] [-LogScrubbing <PSApplicationGatewayFirewallPolicyLogScrubbingConfiguration>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
@@ -39,8 +39,60 @@ $condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState
 The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb with a scrubbing rule as $logScrubbingRuleConfig.
 The new policySettings is stored to $condition.
 
+### Example 3
+```powershell
+$condition = New-AzApplicationGatewayFirewallPolicySetting -State $enabledState -Mode $enabledMode -DisableRequestBodyEnforcement true -RequestBodyInspectLimitInKB 2000 -DisableRequestBodyCheck -MaxFileUploadInMb $fileUploadLimitInMb -DisableFileUploadEnforcement true -MaxRequestBodySizeInKb $maxRequestBodySizeInKb
+```
+
+The command creates a policy setting with state as $enabledState, mode as $enabledMode, RequestBodyEnforcement as false, RequestBodyInspectLimitInKB as 2000, RequestBodyCheck as false, FileUploadLimitInMb as $fileUploadLimitInMb, FileUploadEnforcement as false and MaxRequestBodySizeInKb as $$maxRequestBodySizeInKb.
+
 ## PARAMETERS
 
+### -DisableRequestBodyEnforcement 
+Disable request body enforcement limits for WAF.
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RequestBodyInspectLimitInKB  
+Max inspection limit in KB for request body inspection.
+
+```yaml
+Type: System.Nullable`1[System.Int32]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisableFileUploadEnforcement  
+Disable file upload enforcement limits for WAF.
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -CustomBlockResponseBody
 Custom Block Response Body in policy settings of the firewall policy.