mgmt network, support application gateway ssl policy (Azure#36244)

* test case * interface * implementation * deprecation * assets.json * javadocs
azure-sdk · Aug 8, 2023 · 6546507 · 6546507
1 parent c525c96
commit 6546507
Show file tree

Hide file tree

Showing 5 changed files with 219 additions and 4 deletions.
diff --git a/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md b/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features Added
 
 - Supported `backends` for `LoadBalancingRule`.
+- Supported `withSslPolicy` for `ApplicationGateway`.
 
 ### Other Changes
 

diff --git a/sdk/resourcemanager/azure-resourcemanager-network/assets.json b/sdk/resourcemanager/azure-resourcemanager-network/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "java",
   "TagPrefix": "java/resourcemanager/azure-resourcemanager-network",
-  "Tag": "java/resourcemanager/azure-resourcemanager-network_e62d4a4979"
+  "Tag": "java/resourcemanager/azure-resourcemanager-network_5e9598fd90"
 }
diff --git a/...rc/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java b/...rc/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java
@@ -37,7 +37,10 @@
 import com.azure.resourcemanager.network.models.ApplicationGatewaySku;
 import com.azure.resourcemanager.network.models.ApplicationGatewaySkuName;
 import com.azure.resourcemanager.network.models.ApplicationGatewaySslCertificate;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslCipherSuite;
 import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicy;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyName;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyType;
 import com.azure.resourcemanager.network.models.ApplicationGatewaySslProtocol;
 import com.azure.resourcemanager.network.models.ApplicationGatewayTier;
 import com.azure.resourcemanager.network.models.ApplicationGatewayUrlPathMap;
@@ -691,6 +694,29 @@ public ApplicationGatewayImpl withNewWebApplicationFirewallPolicy(Creatable<WebA
         return this;
     }
 
+    @Override
+    public ApplicationGatewayImpl withPredefinedSslPolicy(ApplicationGatewaySslPolicyName policyName) {
+        return withSslPolicy(
+            new ApplicationGatewaySslPolicy()
+                .withPolicyName(policyName)
+                .withPolicyType(ApplicationGatewaySslPolicyType.PREDEFINED));
+    }
+
+    @Override
+    public ApplicationGatewayImpl withCustomV2SslPolicy(ApplicationGatewaySslProtocol minProtocolVersion, List<ApplicationGatewaySslCipherSuite> cipherSuites) {
+        return withSslPolicy(
+            new ApplicationGatewaySslPolicy()
+                .withPolicyType(ApplicationGatewaySslPolicyType.CUSTOM_V2)
+                .withMinProtocolVersion(minProtocolVersion)
+                .withCipherSuites(cipherSuites));
+    }
+
+    @Override
+    public ApplicationGatewayImpl withSslPolicy(ApplicationGatewaySslPolicy sslPolicy) {
+        this.innerModel().withSslPolicy(sslPolicy);
+        return this;
+    }
+
     enum CreationState {
         Found,
         NeedToCreate,
@@ -1503,6 +1529,11 @@ public Mono<WebApplicationFirewallPolicy> getWebApplicationFirewallPolicyAsync()
             .getByIdAsync(this.innerModel().firewallPolicy().id());
     }
 
+    @Override
+    public ApplicationGatewaySslPolicy sslPolicy() {
+        return this.innerModel().sslPolicy();
+    }
+
     @Override
     public Map<String, ApplicationGatewayAuthenticationCertificate> authenticationCertificates() {
         return Collections.unmodifiableMap(this.authCertificates);

diff --git a/...er-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java b/...er-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java
@@ -15,6 +15,7 @@
 import reactor.core.publisher.Mono;
 
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -65,7 +66,14 @@ public interface ApplicationGateway
 
     // Getters
 
-    /** @return disabled SSL protocols */
+    /**
+     * Get the disabled SSL protocols.
+     *
+     * @return disabled SSL protocols
+     * @deprecated Application Gateway V1 is officially deprecated on April 28, 2023.
+     *             This attribute has no effect for V2 gateways, instead, use {@link ApplicationGateway#sslPolicy()}.
+     */
+    @Deprecated
     Collection<ApplicationGatewaySslProtocol> disabledSslProtocols();
 
     /**
@@ -202,6 +210,13 @@ public interface ApplicationGateway
      */
     Mono<WebApplicationFirewallPolicy> getWebApplicationFirewallPolicyAsync();
 
+    /**
+     * Get the SSL policy for the application gateway.
+     *
+     * @return SSL policy of the application gateway
+     */
+    ApplicationGatewaySslPolicy sslPolicy();
+
     /** Grouping of application gateway definition stages. */
     interface DefinitionStages {
         /** The first stage of an application gateway definition. */
@@ -551,15 +566,25 @@ interface WithDisabledSslProtocol {
              *
              * @param protocol an SSL protocol
              * @return the next stage of the definition
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             WithCreate withDisabledSslProtocol(ApplicationGatewaySslProtocol protocol);
 
             /**
              * Disables the specified SSL protocols.
              *
              * @param protocols SSL protocols
              * @return the next stage of the definition
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             WithCreate withDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols);
         }
 
@@ -638,6 +663,37 @@ interface WithWebApplicationFirewallPolicy {
             WithCreate withNewWebApplicationFirewallPolicy(Creatable<WebApplicationFirewallPolicy> creatable);
         }
 
+        /**
+         * The stage of the application gateway definition allowing to configure TLS/SSL policy for the application gateway.
+         */
+        interface WithSslPolicy {
+            /**
+             * Configures to use predefined TLS/SSL policy for the application gateway.
+             *
+             * @param policyName predefined TLS/SSL policy name
+             * @return the next stage of the definition
+             */
+            WithCreate withPredefinedSslPolicy(ApplicationGatewaySslPolicyName policyName);
+
+            /**
+             * Configures to use CustomV2 policy for the application gateway.
+             *
+             * @param minProtocolVersion minimum version of TLS/SSL protocol to be supported on application gateway.
+             * @param cipherSuites TLS/SSL cipher suites to be enabled in the specified order to application gateway.
+             * @return the next stage of the definition
+             */
+            WithCreate withCustomV2SslPolicy(ApplicationGatewaySslProtocol minProtocolVersion,
+                                             List<ApplicationGatewaySslCipherSuite> cipherSuites);
+
+            /**
+             * Configures to use the provided TLS/SSL policy for the application gateway.
+             *
+             * @param sslPolicy the TLS/SSL policy to use for the application gateway
+             * @return the next stage of the definition
+             */
+            WithCreate withSslPolicy(ApplicationGatewaySslPolicy sslPolicy);
+        }
+
         /**
          * The stage of an application gateway definition containing all the required inputs for the resource to be
          * created, but also allowing for any other optional settings to be specified.
@@ -665,7 +721,8 @@ interface WithCreate
                 WithAvailabilityZone,
                 WithManagedServiceIdentity,
                 WithHttp2,
-                WithWebApplicationFirewallPolicy {
+                WithWebApplicationFirewallPolicy,
+                WithSslPolicy {
         }
     }
 
@@ -1256,38 +1313,63 @@ interface WithDisabledSslProtocol {
              *
              * @param protocol an SSL protocol
              * @return the next stage of the update
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             Update withDisabledSslProtocol(ApplicationGatewaySslProtocol protocol);
 
             /**
              * Disables the specified SSL protocols.
              *
              * @param protocols SSL protocols
              * @return the next stage of the update
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             Update withDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols);
 
             /**
              * Enables the specified SSL protocol, if previously disabled.
              *
              * @param protocol an SSL protocol
              * @return the next stage of the update
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             Update withoutDisabledSslProtocol(ApplicationGatewaySslProtocol protocol);
 
             /**
              * Enables the specified SSL protocols, if previously disabled.
              *
              * @param protocols SSL protocols
              * @return the next stage of the update
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             Update withoutDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols);
 
             /**
              * Enables all SSL protocols, if previously disabled.
              *
              * @return the next stage of the update
+             * @deprecated This method no longer has effect.
+             *             Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use
+             *             pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)}
+             *             for custom TLS/SSL policy.
              */
+            @Deprecated
             Update withoutAnyDisabledSslProtocols();
         }
 
@@ -1351,6 +1433,37 @@ interface WithWebApplicationFirewallPolicy {
              */
             Update withNewWebApplicationFirewallPolicy(Creatable<WebApplicationFirewallPolicy> creatable);
         }
+
+        /**
+         * The stage of the application gateway update allowing to configure TLS/SSL policy for the application gateway.
+         */
+        interface WithSslPolicy {
+            /**
+             * Configures to use predefined TLS/SSL policy for the application gateway.
+             *
+             * @param policyName predefined TLS/SSL policy name
+             * @return the next stage of the update
+             */
+            Update withPredefinedSslPolicy(ApplicationGatewaySslPolicyName policyName);
+
+            /**
+             * Configures to use CustomV2 policy for the application gateway.
+             *
+             * @param minProtocolVersion minimum version of TLS/SSL protocol to be supported on application gateway.
+             * @param cipherSuites TLS/SSL cipher suites to be enabled in the specified order to application gateway.
+             * @return the next stage of the update
+             */
+            Update withCustomV2SslPolicy(ApplicationGatewaySslProtocol minProtocolVersion,
+                                                              List<ApplicationGatewaySslCipherSuite> cipherSuites);
+
+            /**
+             * Configures to use the provided TLS/SSL policy for the application gateway.
+             *
+             * @param sslPolicy the TLS/SSL policy to use for the application gateway
+             * @return the next stage of the update
+             */
+            Update withSslPolicy(ApplicationGatewaySslPolicy sslPolicy);
+        }
     }
 
     /** The template for an application gateway update operation, containing all the settings that can be modified. */
@@ -1377,6 +1490,7 @@ interface Update
             UpdateStages.WithUrlPathMap,
             UpdateStages.WithManagedServiceIdentity,
             UpdateStages.WithHttp2,
-            UpdateStages.WithWebApplicationFirewallPolicy {
+            UpdateStages.WithWebApplicationFirewallPolicy,
+            UpdateStages.WithSslPolicy {
     }
 }
diff --git a/...ager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java b/...ager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java
@@ -4,6 +4,7 @@
 package com.azure.resourcemanager.network;
 
 import com.azure.core.management.Region;
+import com.azure.core.management.exception.ManagementException;
 import com.azure.core.test.annotation.DoNotRecord;
 import com.azure.core.util.serializer.JacksonAdapter;
 import com.azure.core.util.serializer.SerializerEncoding;
@@ -16,6 +17,11 @@
 import com.azure.resourcemanager.network.models.ApplicationGatewayFirewallExclusion;
 import com.azure.resourcemanager.network.models.ApplicationGatewayFirewallMode;
 import com.azure.resourcemanager.network.models.ApplicationGatewaySkuName;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslCipherSuite;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicy;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyName;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyType;
+import com.azure.resourcemanager.network.models.ApplicationGatewaySslProtocol;
 import com.azure.resourcemanager.network.models.ApplicationGatewayTier;
 import com.azure.resourcemanager.network.models.ApplicationGatewayWebApplicationFirewallConfiguration;
 import com.azure.resourcemanager.network.models.KnownWebApplicationGatewayManagedRuleSet;
@@ -613,6 +619,69 @@ public void canAssociateWafPolicy() {
                 .noneMatch(policy -> policy.name().equals(invalidPolicyName)));
     }
 
+    @Test
+    public void canSetSslPolicy() {
+        String appGatewayName = generateRandomResourceName("agw", 15);
+        String appPublicIp = generateRandomResourceName("pip", 15);
+
+        PublicIpAddress pip =
+            networkManager
+                .publicIpAddresses()
+                .define(appPublicIp)
+                .withRegion(Region.US_EAST)
+                .withNewResourceGroup(rgName)
+                .withSku(PublicIPSkuType.STANDARD)
+                .withStaticIP()
+                .create();
+
+        // create with predefined ssl policy
+        ApplicationGateway appGateway =
+            networkManager
+                .applicationGateways()
+                .define(appGatewayName)
+                .withRegion(Region.US_EAST)
+                .withExistingResourceGroup(rgName)
+                // Request routing rules
+                .defineRequestRoutingRule("rule1")
+                    .fromPublicFrontend()
+                    .fromFrontendHttpPort(80)
+                    .toBackendHttpPort(8080)
+                    .toBackendIPAddress("11.1.1.1")
+                    .attach()
+                .withExistingPublicIpAddress(pip)
+                .withTier(ApplicationGatewayTier.WAF_V2)
+                .withSize(ApplicationGatewaySkuName.WAF_V2)
+                .withPredefinedSslPolicy(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501)
+                .create();
+
+        ApplicationGatewaySslPolicy sslPolicy = appGateway.sslPolicy();
+        Assertions.assertNotNull(sslPolicy);
+        Assertions.assertEquals(ApplicationGatewaySslPolicyType.PREDEFINED, sslPolicy.policyType());
+        Assertions.assertEquals(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501, sslPolicy.policyName());
+
+        // update with custom ssl policy
+        appGateway.update()
+            .withCustomV2SslPolicy(ApplicationGatewaySslProtocol.TLSV1_2, Collections.singletonList(ApplicationGatewaySslCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256))
+            .apply();
+
+        sslPolicy = appGateway.sslPolicy();
+        Assertions.assertNotNull(sslPolicy);
+        Assertions.assertEquals(ApplicationGatewaySslPolicyType.CUSTOM_V2, sslPolicy.policyType());
+        Assertions.assertNull(sslPolicy.policyName());
+        Assertions.assertEquals(ApplicationGatewaySslProtocol.TLSV1_2, sslPolicy.minProtocolVersion());
+        Assertions.assertTrue(sslPolicy.cipherSuites().contains(ApplicationGatewaySslCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256));
+
+        // predefined policy doesn't not support minProtocolVersion
+        Assertions.assertThrows(ManagementException.class, () -> {
+            appGateway.update()
+                .withSslPolicy(new ApplicationGatewaySslPolicy()
+                    .withPolicyType(ApplicationGatewaySslPolicyType.PREDEFINED)
+                    .withPolicyName(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501)
+                    .withMinProtocolVersion(ApplicationGatewaySslProtocol.TLSV1_1))
+                .apply();
+        });
+    }
+
     private String createKeyVaultCertificate(String servicePrincipal, String identityPrincipal) {
         String vaultName = generateRandomResourceName("vlt", 10);
         String secretName = generateRandomResourceName("srt", 10);