Update WAF Sdk to support RequestBodyCheck and JSON exclussions

src/FrontDoor/FrontDoor.Test/FrontDoor.Test.csproj

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Management.FrontDoor" Version="3.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.FrontDoor" Version="4.0.0" />
   </ItemGroup>
 
 </Project>

src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1

@@ -35,11 +35,12 @@ function Test-PolicyCrud
     $managedRule1 = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version "1.0" -RuleGroupOverride $override1 -Exclusion $exclusionSet
     $managedRule2 = New-AzFrontDoorWafManagedRuleObject -Type BotProtection -Version "preview-0.1"
 
-    New-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName -Customrule $customRule1 -ManagedRule $managedRule1,$managedRule2 -EnabledState Enabled -Mode Prevention
+    New-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName -Customrule $customRule1 -ManagedRule $managedRule1,$managedRule2 -EnabledState Enabled -Mode Prevention -RequestBodyCheck Disabled
 
     $retrievedPolicy = Get-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName 
     Assert-NotNull $retrievedPolicy
     Assert-AreEqual $Name $retrievedPolicy.Name
+    Assert-AreEqual "Disabled" $retrievedPolicy.RequestBodyCheck
     Assert-AreEqual $customRule1.Name $retrievedPolicy.CustomRules[0].Name
     Assert-AreEqual $customRule1.RuleType $retrievedPolicy.CustomRules[0].RuleType
     Assert-AreEqual $customRule1.Action $retrievedPolicy.CustomRules[0].Action
@@ -100,12 +101,13 @@ function Test-PolicyCrudWithPiping
     $managedRule1 = New-AzFrontDoorWafManagedRuleObject -Type DefaultRuleSet -Version "1.0" -RuleGroupOverride $override1
     $managedRule2 = New-AzFrontDoorWafManagedRuleObject -Type BotProtection -Version "preview-0.1"
 
-    New-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName -Customrule $customRule1 -ManagedRule $managedRule1,$managedRule2 -EnabledState Enabled -Mode Prevention
+    New-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName -Customrule $customRule1 -ManagedRule $managedRule1,$managedRule2 -EnabledState Enabled -Mode Prevention -RequestBodyCheck Disabled
 
     $customRule2 = New-AzFrontDoorWafCustomRuleObject -Name "Rule2" -RuleType MatchRule -MatchCondition $matchCondition1 -Action Log -Priority 2
     $updatedPolicy = Get-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName | Update-AzFrontDoorWafPolicy -Customrule $customRule2
     Assert-NotNull $updatedPolicy
     Assert-AreEqual $Name $updatedPolicy.Name
+    Assert-AreEqual "Disabled" $updatedPolicy.RequestBodyCheck
     Assert-AreEqual $customRule2.Name $updatedPolicy.CustomRules[0].Name
     Assert-AreEqual $customRule2.Action $updatedPolicy.CustomRules[0].Action
     Assert-AreEqual $customRule2.Priority $updatedPolicy.CustomRules[0].Priority
@@ -123,20 +125,24 @@ WAF managed rule set definitions retrieval
 function Test-ManagedRuleSetDefinition
 {
     $definitions = Get-AzFrontDoorWafManagedRuleSetDefinition
-    Assert-AreEqual $definitions.Count 4
-    Assert-AreEqual $definitions[0].RuleSetType "DefaultRuleSet"
-    Assert-AreEqual $definitions[0].RuleSetVersion "1.0"
-    Assert-AreEqual $definitions[0].RuleGroups.Count 9
+    Assert-AreEqual $definitions.Count 5
+    Assert-AreEqual $definitions[0].RuleSetType "Microsoft_DefaultRuleSet"
+    Assert-AreEqual $definitions[0].RuleSetVersion "1.1"
+    Assert-AreEqual $definitions[0].RuleGroups.Count 13
 
-    Assert-AreEqual $definitions[1].RuleSetType "Microsoft_BotManagerRuleSet"
+    Assert-AreEqual $definitions[1].RuleSetType "DefaultRuleSet"
     Assert-AreEqual $definitions[1].RuleSetVersion "1.0"
-    Assert-AreEqual $definitions[1].RuleGroups.Count 3
+    Assert-AreEqual $definitions[1].RuleGroups.Count 9
 
-    Assert-AreEqual $definitions[2].RuleSetType "DefaultRuleSet"
-    Assert-AreEqual $definitions[2].RuleSetVersion "preview-0.1"
-    Assert-AreEqual $definitions[2].RuleGroups.Count 8
+    Assert-AreEqual $definitions[2].RuleSetType "Microsoft_BotManagerRuleSet"
+    Assert-AreEqual $definitions[2].RuleSetVersion "1.0"
+    Assert-AreEqual $definitions[2].RuleGroups.Count 3
 
-    Assert-AreEqual $definitions[3].RuleSetType "BotProtection"
+    Assert-AreEqual $definitions[3].RuleSetType "DefaultRuleSet"
     Assert-AreEqual $definitions[3].RuleSetVersion "preview-0.1"
-    Assert-AreEqual $definitions[3].RuleGroups.Count 1
+    Assert-AreEqual $definitions[3].RuleGroups.Count 8
+
+    Assert-AreEqual $definitions[4].RuleSetType "BotProtection"
+    Assert-AreEqual $definitions[4].RuleSetVersion "preview-0.1"
+    Assert-AreEqual $definitions[4].RuleGroups.Count 1
 }

src/FrontDoor/FrontDoor/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 ## Upcoming Release
 * Added FrontDoorId to properties
+* Added JSON Exclussions and RequestBodyCheck support to managed rules
 
 ## Version 1.6.1
 * Fixed an issue where an exception is being thrown when Enum.Parse tries to coerce a null value to an Enabled or Disabled enum values [#12344]

src/FrontDoor/FrontDoor/Cmdlets/NewFrontDoorWafManagedRuleExclusionObject.cs

@@ -29,7 +29,7 @@ public class NewFrontDoorWafManagedRuleExclusionObject : AzureFrontDoorCmdletBas
         /// Exclusion match variable
         /// </summary>
         [Parameter(Mandatory = true, HelpMessage = "Match variable")]
-        [PSArgumentCompleter("RequestHeaderNames", "RequestCookieNames", "QueryStringArgNames", "RequestBodyPostArgNames")]
+        [PSArgumentCompleter("RequestHeaderNames", "RequestCookieNames", "QueryStringArgNames", "RequestBodyPostArgNames", "RequestBodyJsonArgNames")]
         public string Variable { get; set; }
 
         /// <summary>

src/FrontDoor/FrontDoor/Cmdlets/NewFrontDoorWafManagedRuleObject.cs

@@ -30,14 +30,14 @@ public class NewFrontDoorWafManagedRuleObject : AzureFrontDoorCmdletBase
         /// Type of the ruleset (e.g.: DefaultRuleSet)
         /// </summary>
         [Parameter(Mandatory = true, HelpMessage = "Type of the ruleset")]
-        [PSArgumentCompleter("BotProtection", "DefaultRuleSet")]
+        [PSArgumentCompleter("BotProtection", "DefaultRuleSet", "Microsoft_DefaultRuleSet")]
         public string Type { get; set; }
 
         /// <summary>
         /// Version of the ruleset (e.g.: preview-0.1)
         /// </summary>
         [Parameter(Mandatory = true, HelpMessage = "Version of the ruleset")]
-        [PSArgumentCompleter("1.0", "preview-0.1")]
+        [PSArgumentCompleter("2.0", "1.1", "1.0", "preview-0.1")]
         public string Version { get; set; }
 
         /// <summary>

src/FrontDoor/FrontDoor/Cmdlets/NewFrontDoorWafPolicy.cs

@@ -91,6 +91,13 @@ public class NewFrontDoorWafPolicy : AzureFrontDoorCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "Custom Response Body")]
         public string CustomBlockResponseBody { get; set; }
 
+        /// <summary>
+        /// Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = "Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'")]
+        [PSArgumentCompleter("Enabled", "Disabled")]
+        public string RequestBodyCheck { get; set; }
+
         public override void ExecuteCmdlet()
         {
             var existingPolicy = FrontDoorManagementClient.Policies.List(ResourceGroupName)
@@ -119,7 +126,8 @@ public override void ExecuteCmdlet()
                     Mode = this.IsParameterBound(c => c.Mode) ? Mode : PSMode.Prevention.ToString(),
                     CustomBlockResponseBody = CustomBlockResponseBody == null ? CustomBlockResponseBody : Convert.ToBase64String(Encoding.UTF8.GetBytes(CustomBlockResponseBody)),
                     CustomBlockResponseStatusCode = this.IsParameterBound(c => c.CustomBlockResponseStatusCode) ? CustomBlockResponseStatusCode : (int?)null,
-                    RedirectUrl = RedirectUrl
+                    RedirectUrl = RedirectUrl,
+                    RequestBodyCheck = this.IsParameterBound(c => c.RequestBodyCheck) ? RequestBodyCheck : PSEnabledState.Enabled.ToString()
                 }
             };
             if (ShouldProcess(Resources.WebApplicationFirewallPolicyTarget, string.Format(Resources.CreateWebApplicationFirewallPolicy, Name)))

src/FrontDoor/FrontDoor/Cmdlets/UpdateFrontDoorWafPolicy.cs

@@ -105,6 +105,13 @@ public class UpdateFrontDoorWafPolicy : AzureFrontDoorCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "Custom Response Body")]
         public string CustomBlockResponseBody { get; set; }
 
+        /// <summary>
+        /// Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = "Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'")]
+        [PSArgumentCompleter("Enabled", "Disabled")]
+        public string RequestBodyCheck { get; set; }
+
         public override void ExecuteCmdlet()
         {
             if (ParameterSetName == ObjectParameterSet)
@@ -184,6 +191,11 @@ public override void ExecuteCmdlet()
                 updateParameters.PolicySettings.RedirectUrl = RedirectUrl;
             }
 
+            if (this.IsParameterBound(c => c.RequestBodyCheck))
+            {
+                updateParameters.PolicySettings.RequestBodyCheck = RequestBodyCheck;
+            }
+
             if (ShouldProcess(Resources.WebApplicationFirewallPolicyTarget, string.Format(Resources.WebApplicationFirewallPolicyChangeWarning, Name)))
             {
                 try

src/FrontDoor/FrontDoor/FrontDoor.csproj

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Management.FrontDoor" Version="3.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.FrontDoor" Version="4.0.0" />
   </ItemGroup>
 
   <ItemGroup>

src/FrontDoor/FrontDoor/Helpers/ModelExtensions.cs

@@ -570,7 +570,8 @@ public static PSPolicy ToPSPolicy(this SdkFirewallPolicy sdkPolicy)
                 ProvisioningState = sdkPolicy.ProvisioningState,
                 CustomBlockResponseBody = sdkPolicy.PolicySettings?.CustomBlockResponseBody == null ? null : Encoding.UTF8.GetString(Convert.FromBase64String(sdkPolicy.PolicySettings?.CustomBlockResponseBody)),
                 CustomBlockResponseStatusCode = (ushort?)sdkPolicy.PolicySettings?.CustomBlockResponseStatusCode,
-                RedirectUrl = sdkPolicy.PolicySettings?.RedirectUrl
+                RedirectUrl = sdkPolicy.PolicySettings?.RedirectUrl,
+                RequestBodyCheck = sdkPolicy.PolicySettings?.RequestBodyCheck == null ? (PSEnabledState?)null : (PSEnabledState)Enum.Parse(typeof(PSEnabledState), sdkPolicy.PolicySettings.RequestBodyCheck)
             };
         }
 

src/FrontDoor/FrontDoor/Models/PSPolicy.cs

@@ -28,6 +28,8 @@ public class PSPolicy : PSTrackedResource
 
         public string CustomBlockResponseBody { get; set; }
 
+        public PSEnabledState? RequestBodyCheck { get; set; }
+
         public List<PSCustomRule> CustomRules { get; set; }
 
         public List<PSManagedRule> ManagedRules { get; set; }

src/FrontDoor/FrontDoor/help/New-AzFrontDoorWafPolicy.md

@@ -15,7 +15,7 @@ Create WAF policy
 ```
 New-AzFrontDoorWafPolicy -ResourceGroupName <String> -Name <String> [-EnabledState <PSEnabledState>]
  [-Mode <String>] [-Customrule <PSCustomRule[]>] [-ManagedRule <PSManagedRule[]>] [-RedirectUrl <String>]
- [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
+ [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>] [-RequestBodyCheck <String>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -175,6 +175,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -RequestBodyCheck
+Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 The resource group name
 

src/FrontDoor/FrontDoor/help/Update-AzFrontDoorWafPolicy.md

@@ -16,23 +16,23 @@ Update WAF policy
 ```
 Update-AzFrontDoorWafPolicy -ResourceGroupName <String> -Name <String> [-EnabledState <PSEnabledState>]
  [-Mode <String>] [-Customrule <PSCustomRule[]>] [-ManagedRule <PSManagedRule[]>] [-RedirectUrl <String>]
- [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
+ [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>] [-RequestBodyCheck <String>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### ByObjectParameterSet
 ```
 Update-AzFrontDoorWafPolicy -InputObject <PSPolicy> [-EnabledState <PSEnabledState>] [-Mode <String>]
  [-Customrule <PSCustomRule[]>] [-ManagedRule <PSManagedRule[]>] [-RedirectUrl <String>]
- [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
+ [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>] [-RequestBodyCheck <String>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### ByResourceIdParameterSet
 ```
 Update-AzFrontDoorWafPolicy -ResourceId <String> [-EnabledState <PSEnabledState>] [-Mode <String>]
  [-Customrule <PSCustomRule[]>] [-ManagedRule <PSManagedRule[]>] [-RedirectUrl <String>]
- [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>]
+ [-CustomBlockResponseStatusCode <Int32>] [-CustomBlockResponseBody <String>] [-RequestBodyCheck <String>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -236,6 +236,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -RequestBodyCheck
+Defines if the body should be inspected by managed rules. Possible values include: 'Enabled', 'Disabled'
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 The resource group to which the FireWallPolicy belongs.