Merge pull request #130 from SkillsFundingAgency/WAF_script_and_UT
Automation of whitelisting on WAF
debrr07 authored May 4, 2023
2 parents ae61f2e + 3d16cf9 commit f60337f
Showing 2 changed files with 222 additions and 0 deletions.
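--- a/Infrastructure-Scripts/Add-WAFIPException.ps1
+++ b/Infrastructure-Scripts/Add-WAFIPException.ps1
@@ -0,0 +1,85 @@
+<#
+.SYNOPSIS
+Add a custom rule to whitelist an IP address on the WAF
+.DESCRIPTION
+Add a custom rule to whitelist an IP address on the WAF
+.PARAMETER ResourceGroupName
+Name of the resource group
+.PARAMETER PolicyName
+Name of the Web Application Firewall policy
+.PARAMETER IPAddress
+An IP address to add to the ip range filter
+.PARAMETER Name
+Name of the user who will whitelist their IP
+.EXAMPLE
+Add-WAFIPException -Name JoeBlogs -IPAddress 192.168.0.1 -PolicyName daspolicy -ResourceGroupName rgname
+#>
+
+[CmdletBinding()]
+Param (
+[Parameter(Mandatory = $true)]
+[ValidateNotNull()]
+[String]$Name,
+[Parameter(Mandatory = $true)]
+[ValidateNotNull()]
+[IPAddress]$IPAddress,
+[Parameter(Mandatory = $true)]
+[ValidateNotNull()]
+[String]$PolicyName,
+[Parameter(Mandatory = $true)]
+[ValidateNotNull()]
+[String]$ResourceGroupName
+)
+
+# Get the WAF policy
+$WafPolicy = Get-AzApplicationGatewayFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
+
+# Creates a match variable for firewall condition and a match condition for custom rule
+$MatchVariable = New-AzApplicationGatewayFirewallMatchVariable -VariableName "RemoteAddr"
+
+$MatchCondition = New-AzApplicationGatewayFirewallCondition -MatchVariable $MatchVariable -Operator IPMatch -MatchValue $IPAddress
+
+# Check if the IP address already exists in the WAF whitelist
+foreach ($IP in $WafPolicy.CustomRules.MatchConditions.MatchValues) {
+if ($IP -contains $IPAddress) {
+$IPExists = $true
+}
+else {
+$IPExists = $false
+}
+}
+
+# Workout which priority the custom rule should be
+$StartPriority = 1
+$CurrentHighestPriority = ($WafPolicy.CustomRules | Measure-Object -Property Priority -Maximum).Maximum
+
+if (!$WafPolicy.CustomRules) {
+$NewPriority = $StartPriority
+}
+else {
+$NewPriority = $CurrentHighestPriority + 1
+}
+
+# Create a new custom rule with the match condition set above and allow action
+$CustomRule = New-AzApplicationGatewayFirewallCustomRule -Name $Name -Priority $NewPriority -RuleType MatchRule -MatchCondition $MatchCondition -Action Allow
+
+try {
+# Add the IP address to the WAF whitelist if it doesn't already exist
+if ($IPExists) {
+Write-Host "The IP address $IPAddress is already in the WAF whitelist."
+}
+else {
+$WafPolicy.CustomRules.Add($CustomRule)
+Set-AzApplicationGatewayFirewallPolicy -InputObject $WafPolicy
+Write-Host "The IP address $IPAddress has been added to the WAF whitelist."
+}
+}
+catch {
+throw "Failed to add firewall exception: $_"
+}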
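Review bot: The existence check in the foreach over `$WafPolicy.CustomRules.MatchConditions.MatchValues` reassigns `$IPExists` on every iteration, so only the last match value decides the outcome and an address that appears earlier in the list is re-added as a duplicate Allow rule. The same loop scans the match values of every custom rule regardless of its Action, so an address held in a Block rule is reported as "already in the WAF whitelist" and left blocked. Replace the loop with one filtered test such as `$IPExists = [bool]($WafPolicy.CustomRules | Where-Object { $_.Action -eq 'Allow' } | ForEach-Object { $_.MatchConditions.MatchValues } | Where-Object { $_ -eq "$IPAddress" })`. A null check directly after the Get- call, `if (-not $WafPolicy) { throw "WAF policy '$PolicyName' not found in '$ResourceGroupName'" }`, would also fail fast with a clear message rather than relying on whatever error the later `.Add` call happens to raise inside the try block.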
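--- a/Tests/UT.Add-WAFIPException.Tests.ps1
+++ b/Tests/UT.Add-WAFIPException.Tests.ps1
@@ -0,0 +1,137 @@
+$Config = Get-Content $PSScriptRoot\..\Tests\Configuration\Unit.Tests.Config.json -Raw | ConvertFrom-Json
+Set-Location $PSScriptRoot\..\Infrastructure-Scripts\
+
+Describe "Add-WAFIPException Unit Tests" -Tags @("Unit") {
+
+$Params = @{
+Name = "TestUser"
+IPAddress = $Config.ipAddress
+PolicyName = $Config.resourceName
+ResourceGroupName = $Config.resourceGroupName
+}
+
+Context "Web Application Firewall policy does not exist" {
+It 'The specified Resource was not found in the resource group, throw an error' {
+Mock Get-AzApplicationGatewayFirewallPolicy -MockWith { return $null }
+{ ./Add-WAFIPException -Name "TestUser" -IPAddress $Config.ipAddress -PolicyName "testpolicy" -ResourceGroupName $Config.resourceGroupName } | Should throw
+Assert-MockCalled -CommandName 'Get-AzApplicationGatewayFirewallPolicy' -Times 1 -Scope It
+}
+}
+
+Context "Web Application Firewall policy does exist" {
+It 'The specified Resource was found in the resource group' {
+Mock Get-AzApplicationGatewayFirewallPolicy -MockWith {
+return @{
+"PolicyName" = $Config.resourceName
+"ResourceGroupName" = $Config.resourceGroupName
+}
+{ ./Add-WAFIPException @Params} | Should -Not throw
+Assert-MockCalled -CommandName 'Get-AzApplicationGatewayFirewallPolicy' -Times 1 -Scope It
+}
+}
+}
+
+Context "Check for users IP address" {
+$WafPolicy = @{
+CustomRules = @{
+MatchCondition = @{
+MatchValues = @("192.168.0.10", "10.0.0.1")
+}
+}
+}
+It "does exist" {
+$IPAddress = "10.0.0.1"
+
+if ($WafPolicy.CustomRules.MatchCondition.MatchValues -contains $IPAddress) {
+$IPExists = $true
+}
+else {
+$IPExists = $false
+}
+
+$IPExists | Should -Be $true
+}
+It "does not exist" {
+$IPAddress = ""
+
+if ($WafPolicy.CustomRules.MatchCondition.MatchValues -contains $IPAddress) {
+$IPExists = $true
+}
+else {
+$IPExists = $false
+}
+
+$IPExists | Should -Not -Be $true
+}
+}
+
+Context "Check which priority custom rule should be set as" {
+It "sets the new priority as the starting priority" {
+$WafPolicy = @{
+CustomRules = @()
+}
+$StartPriority = 1
+if ($WafPolicy.CustomRules.Count -eq 0) {
+$NewPriority = $StartPriority
+}
+$NewPriority | Should -Be 1
+}
+It "sets the new priority as the next highest priority" {
+$WafPolicy = @{
+CustomRules = @(
+@{ Priority = 1},
+@{ Priority = 2}
+)
+}
+
+$CurrentHighestPriority = ($WafPolicy.CustomRules | Measure-Object -Property Priority -Maximum).Maximum
+if ($WafPolicy.CustomRules) {
+$NewPriority = $CurrentHighestPriority + 1
+}
+$NewPriority | Should -Be 3
+}
+}
+
+Context "New custom rule for the web application firewall policy created" {
+$NewCustomRule = @{
+Name = 'test'
+Priority = '3'
+RuleType = 'MatchRule'
+MatchCondition = 'MatchCondition'
+Action = 'Allow'
+}
+It 'should create a custom rule' {
+Mock New-AzApplicationGatewayFirewallCustomRule -MockWith {
+return @{
+Name = 'test'
+Priority = '3'
+RuleType = 'MatchRule'
+MatchCondition = 'MatchCondition'
+Action = 'Allow'
+}
+{ ./Add-WAFIPException @Params} | Should -Not throw
+Assert-MockCalled -CommandName 'New-AzApplicationGatewayFirewallCustomRule' -Times 1 -Scope It
+}
+}
+It 'should add a new custom rule' {
+$WafPolicy = @{
+CustomRules = @()
+}
+$IPExists = $true
+if ($IPExists) {
+$CustomRuleCreated = $WafPolicy.CustomRules += $NewCustomRule
+}
+$CustomRuleCreated | Should -Not -BeNullOrEmpty
+}
+It 'should not add a new custom rule' {
+$WafPolicy = @{
+CustomRules = @()
+}
+$IPExists = $true
+if (!$IPExists) {
+$CustomRuleCreated = $WafPolicy.CustomRules
+}
+$CustomRuleCreated | Should -BeNullOrEmpty
+}
+}
+}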
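Review bot: The contexts from "Check for users IP address" onward re-implement the script's logic inline (the fixture even uses `MatchCondition` where the script reads `MatchConditions`) and never invoke `./Add-WAFIPException`, so they pass whatever the script does and cannot catch a regression in its existence check or priority calculation. Exercise the script itself with mocked Az cmdlets and assert on the observable outcome, for example `Assert-MockCalled Set-AzApplicationGatewayFirewallPolicy -Times 0 -Scope It` for the already-whitelisted case and `-Times 1` with a `-ParameterFilter` on the new rule for the add case. `Set-AzApplicationGatewayFirewallPolicy` is not mocked anywhere in this file, so the `Should -Not throw` cases that do run the script would write to a live policy if the preceding cmdlets succeed; add `Mock Set-AzApplicationGatewayFirewallPolicy -MockWith { }` at Describe scope so a unit run can never mutate a real WAF. The It block "should create a custom rule" likewise mocks only the custom-rule cmdlet, which appears to leave `Get-AzApplicationGatewayFirewallPolicy` calling the real API in that scope.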
