Merge pull request #130 from SkillsFundingAgency/WAF_script_and_UT
Automation of whitelisting on WAF
Showing
2 changed files
with
222 additions
and
0 deletions.
@@ -0,0 +1,85 @@ | ||
<# | ||
.SYNOPSIS | ||
Add a custom rule to whitelist an IP address on the WAF | ||
.DESCRIPTION | ||
Add a custom rule to whitelist an IP address on the WAF | ||
.PARAMETER ResourceGroupName | ||
Name of the resource group | ||
.PARAMETER PolicyName | ||
Name of the Web Application Firewall policy | ||
.PARAMETER IPAddress | ||
An IP address to add to the ip range filter | ||
.PARAMETER Name | ||
Name of the user who will whitelist their IP | ||
.EXAMPLE | ||
Add-WAFIPException -Name JoeBlogs -IPAddress 192.168.0.1 -PolicyName daspolicy -ResourceGroupName rgname | ||
#> | ||
|
||
[CmdletBinding()] | ||
Param ( | ||
[Parameter(Mandatory = $true)] | ||
[ValidateNotNull()] | ||
[String]$Name, | ||
[Parameter(Mandatory = $true)] | ||
[ValidateNotNull()] | ||
[IPAddress]$IPAddress, | ||
[Parameter(Mandatory = $true)] | ||
[ValidateNotNull()] | ||
[String]$PolicyName, | ||
[Parameter(Mandatory = $true)] | ||
[ValidateNotNull()] | ||
[String]$ResourceGroupName | ||
) | ||
|
||
# Get the WAF policy | ||
$WafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName | ||
|
||
# Creates a match variable for firewall condition and a match condition for custom rule | ||
$MatchVariable = New-AzApplicationGatewayFirewallMatchVariable -VariableName "RemoteAddr" | ||
|
||
$MatchCondition = New-AzApplicationGatewayFirewallCondition -MatchVariable $MatchVariable -Operator IPMatch -MatchValue $IPAddress | ||
|
||
# Check if the IP address already exists in the WAF whitelist | ||
foreach ($IP in $WafPolicy.CustomRules.MatchConditions.MatchValues) { | ||
if ($IP -contains $IPAddress) { | ||
$IPExists = $true | ||
} | ||
else { | ||
$IPExists = $false | ||
} | ||
} | ||
|
||
# Workout which priority the custom rule should be | ||
$StartPriority = 1 | ||
$CurrentHighestPriority = ($WafPolicy.CustomRules | Measure-Object -Property Priority -Maximum).Maximum | ||
|
||
if (!$WafPolicy.CustomRules) { | ||
$NewPriority = $StartPriority | ||
} | ||
else { | ||
$NewPriority = $CurrentHighestPriority + 1 | ||
} | ||
|
||
# Create a new custom rule with the match condition set above and allow action | ||
$CustomRule = New-AzApplicationGatewayFirewallCustomRule -Name $Name -Priority $NewPriority -RuleType MatchRule -MatchCondition $MatchCondition -Action Allow | ||
|
||
try { | ||
# Add the IP address to the WAF whitelist if it doesn't already exist | ||
if ($IPExists) { | ||
Write-Host "The IP address $IPAddress is already in the WAF whitelist." | ||
} | ||
else { | ||
$WafPolicy.CustomRules.Add($CustomRule) | ||
Set-AzApplicationGatewayFirewallPolicy -InputObject $WafPolicy | ||
Write-Host "The IP address $IPAddress has been added to the WAF whitelist." | ||
} | ||
} | ||
catch { | ||
throw "Failed to add firewall exception: $_" | ||
} |
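Review bot: The duplicate check in the `foreach` over `$WafPolicy.CustomRules.MatchConditions.MatchValues` resets `$IPExists` on every iteration, so only the last match value decides the outcome and an address that appears in any earlier rule is added again as a second Allow rule for the same IP. It also ignores each rule's `Action`, so an IP that is present only in a Block rule would be reported as already whitelisted and never allowed; replacing the loop with `$IPExists = @($WafPolicy.CustomRules | Where-Object Action -eq 'Allow' | ForEach-Object { $_.MatchConditions.MatchValues }) -contains $IPAddress.ToString()` fixes both. Because the new rule matches `RemoteAddr` with `IPMatch` and uses `-Action Allow`, it lets that source past the policy's managed rule set as well as later custom rules (as I understand Application Gateway's custom-rule evaluation), which the help text should say, e.g. `Note: an Allow custom rule bypasses the WAF's managed rules for this IP; use only for trusted, static addresses and remove the rule when no longer needed.` A null result from `Get-AzApplicationGatewayFirewallPolicy` is only caught incidentally when `$WafPolicy.CustomRules.Add(...)` fails inside the try; an explicit `if (-not $WafPolicy) { throw "WAF policy '$PolicyName' not found in resource group '$ResourceGroupName'" }` right after the lookup would fail clearly and before any priority arithmetic.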
@@ -0,0 +1,137 @@ | ||
$Config = Get-Content $PSScriptRoot\..\Tests\Configuration\Unit.Tests.Config.json -Raw | ConvertFrom-Json | ||
Set-Location $PSScriptRoot\..\Infrastructure-Scripts\ | ||
|
||
Describe "Add-WAFIPException Unit Tests" -Tags @("Unit") { | ||
|
||
$Params = @{ | ||
Name = "TestUser" | ||
IPAddress = $Config.ipAddress | ||
PolicyName = $Config.resourceName | ||
ResourceGroupName = $Config.resourceGroupName | ||
} | ||
|
||
Context "Web Application Firewall policy does not exist" { | ||
It 'The specified Resource was not found in the resource group, throw an error' { | ||
Mock Get-AzApplicationGatewayFirewallPolicy -MockWith { return $null } | ||
{ ./Add-WAFIPException -Name "TestUser" -IPAddress $Config.ipAddress -PolicyName "testpolicy" -ResourceGroupName $Config.resourceGroupName } | Should throw | ||
Assert-MockCalled -CommandName 'Get-AzApplicationGatewayFirewallPolicy' -Times 1 -Scope It | ||
} | ||
} | ||
|
||
Context "Web Application Firewall policy does exist" { | ||
It 'The specified Resource was found in the resource group' { | ||
Mock Get-AzApplicationGatewayFirewallPolicy -MockWith { | ||
return @{ | ||
"PolicyName" = $Config.resourceName | ||
"ResourceGroupName" = $Config.resourceGroupName | ||
} | ||
{ ./Add-WAFIPException @Params} | Should -Not throw | ||
Assert-MockCalled -CommandName 'Get-AzApplicationGatewayFirewallPolicy' -Times 1 -Scope It | ||
} | ||
} | ||
} | ||
|
||
Context "Check for users IP address" { | ||
$WafPolicy = @{ | ||
CustomRules = @{ | ||
MatchCondition = @{ | ||
MatchValues = @("192.168.0.10", "10.0.0.1") | ||
} | ||
} | ||
} | ||
It "does exist" { | ||
$IPAddress = "10.0.0.1" | ||
|
||
if ($WafPolicy.CustomRules.MatchCondition.MatchValues -contains $IPAddress) { | ||
$IPExists = $true | ||
} | ||
else { | ||
$IPExists = $false | ||
} | ||
|
||
$IPExists | Should -Be $true | ||
} | ||
It "does not exist" { | ||
$IPAddress = "" | ||
|
||
if ($WafPolicy.CustomRules.MatchCondition.MatchValues -contains $IPAddress) { | ||
$IPExists = $true | ||
} | ||
else { | ||
$IPExists = $false | ||
} | ||
|
||
$IPExists | Should -Not -Be $true | ||
} | ||
} | ||
|
||
Context "Check which priority custom rule should be set as" { | ||
It "sets the new priority as the starting priority" { | ||
$WafPolicy = @{ | ||
CustomRules = @() | ||
} | ||
$StartPriority = 1 | ||
if ($WafPolicy.CustomRules.Count -eq 0) { | ||
$NewPriority = $StartPriority | ||
} | ||
$NewPriority | Should -Be 1 | ||
} | ||
It "sets the new priority as the next highest priority" { | ||
$WafPolicy = @{ | ||
CustomRules = @( | ||
@{ Priority = 1}, | ||
@{ Priority = 2} | ||
) | ||
} | ||
|
||
$CurrentHighestPriority = ($WafPolicy.CustomRules | Measure-Object -Property Priority -Maximum).Maximum | ||
if ($WafPolicy.CustomRules) { | ||
$NewPriority = $CurrentHighestPriority + 1 | ||
} | ||
$NewPriority | Should -Be 3 | ||
} | ||
} | ||
|
||
Context "New custom rule for the web application firewall policy created" { | ||
$NewCustomRule = @{ | ||
Name = 'test' | ||
Priority = '3' | ||
RuleType = 'MatchRule' | ||
MatchCondition = 'MatchCondition' | ||
Action = 'Allow' | ||
} | ||
It 'should create a custom rule' { | ||
Mock New-AzApplicationGatewayFirewallCustomRule -MockWith { | ||
return @{ | ||
Name = 'test' | ||
Priority = '3' | ||
RuleType = 'MatchRule' | ||
MatchCondition = 'MatchCondition' | ||
Action = 'Allow' | ||
} | ||
{ ./Add-WAFIPException @Params} | Should -Not throw | ||
Assert-MockCalled -CommandName 'New-AzApplicationGatewayFirewallCustomRule' -Times 1 -Scope It | ||
} | ||
} | ||
It 'should add a new custom rule' { | ||
$WafPolicy = @{ | ||
CustomRules = @() | ||
} | ||
$IPExists = $true | ||
if ($IPExists) { | ||
$CustomRuleCreated = $WafPolicy.CustomRules += $NewCustomRule | ||
} | ||
$CustomRuleCreated | Should -Not -BeNullOrEmpty | ||
} | ||
It 'should not add a new custom rule' { | ||
$WafPolicy = @{ | ||
CustomRules = @() | ||
} | ||
$IPExists = $true | ||
if (!$IPExists) { | ||
$CustomRuleCreated = $WafPolicy.CustomRules | ||
} | ||
$CustomRuleCreated | Should -BeNullOrEmpty | ||
} | ||
} | ||
} |
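Review bot: In both `It 'The specified Resource was found in the resource group'` and `It 'should create a custom rule'` the brace that closes the `-MockWith` scriptblock comes after the `Should`/`Assert-MockCalled` lines, so those assertions sit inside the mock body behind a `return` and never execute — the tests pass without ever invoking the script. Moving the `}` that closes `-MockWith` up to directly after the returned hashtable (and closing `It` after `Assert-MockCalled`) makes them real, at which point the script's unmocked `New-AzApplicationGatewayFirewall*` and `Set-AzApplicationGatewayFirewallPolicy` calls will also need mocks unless an outer scope not shown provides them. The remaining contexts re-implement the logic inline (`-contains` over `CustomRules.MatchCondition.MatchValues`, `$WafPolicy.CustomRules += ...`) rather than calling `./Add-WAFIPException`, so they cannot catch drift: the script reads `MatchConditions` (plural) and loops with a per-iteration reset of `$IPExists`, and 'should add a new custom rule' adds when `$IPExists` is `$true`, the opposite of the script's `else` branch. `Should -Not throw` mixes the `-Not` switch with the legacy positional `throw`; `Should -Not -Throw` matches the `-Be`/`-BeNullOrEmpty` style used elsewhere in the file.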