diff --git a/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md b/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md index 22be6969a4d1f..33ea8412b39ec 100644 --- a/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md +++ b/sdk/resourcemanager/azure-resourcemanager-network/CHANGELOG.md @@ -5,6 +5,7 @@ ### Features Added - Supported `backends` for `LoadBalancingRule`. +- Supported `withSslPolicy` for `ApplicationGateway`. ### Other Changes diff --git a/sdk/resourcemanager/azure-resourcemanager-network/assets.json b/sdk/resourcemanager/azure-resourcemanager-network/assets.json index ff67fea858c12..528b95c8b128f 100644 --- a/sdk/resourcemanager/azure-resourcemanager-network/assets.json +++ b/sdk/resourcemanager/azure-resourcemanager-network/assets.json @@ -2,5 +2,5 @@ "AssetsRepo": "Azure/azure-sdk-assets", "AssetsRepoPrefixPath": "java", "TagPrefix": "java/resourcemanager/azure-resourcemanager-network", - "Tag": "java/resourcemanager/azure-resourcemanager-network_e62d4a4979" + "Tag": "java/resourcemanager/azure-resourcemanager-network_5e9598fd90" } diff --git a/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java b/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java index 5187416e2b00a..2d0ed8d63bfa6 100644 --- a/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java +++ b/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/implementation/ApplicationGatewayImpl.java 
@@ -37,7 +37,10 @@ import com.azure.resourcemanager.network.models.ApplicationGatewaySku; import com.azure.resourcemanager.network.models.ApplicationGatewaySkuName; import com.azure.resourcemanager.network.models.ApplicationGatewaySslCertificate; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslCipherSuite; import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicy; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyName; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyType; import com.azure.resourcemanager.network.models.ApplicationGatewaySslProtocol; import com.azure.resourcemanager.network.models.ApplicationGatewayTier; import com.azure.resourcemanager.network.models.ApplicationGatewayUrlPathMap; @@ -691,6 +694,29 @@ public ApplicationGatewayImpl withNewWebApplicationFirewallPolicy(Creatable cipherSuites) { + return withSslPolicy( + new ApplicationGatewaySslPolicy() + .withPolicyType(ApplicationGatewaySslPolicyType.CUSTOM_V2) + .withMinProtocolVersion(minProtocolVersion) + .withCipherSuites(cipherSuites)); + } + + @Override + public ApplicationGatewayImpl withSslPolicy(ApplicationGatewaySslPolicy sslPolicy) { + this.innerModel().withSslPolicy(sslPolicy); + return this; + } + enum CreationState { Found, NeedToCreate, @@ -1503,6 +1529,11 @@ public Mono getWebApplicationFirewallPolicyAsync() .getByIdAsync(this.innerModel().firewallPolicy().id()); } + @Override + public ApplicationGatewaySslPolicy sslPolicy() { + return this.innerModel().sslPolicy(); + } + @Override public Map authenticationCertificates() { return Collections.unmodifiableMap(this.authCertificates); diff --git a/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java b/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java index 17d78d64d2d5b..08df6aac06766 100644 
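Review bot: `withSslPolicy(ApplicationGatewaySslPolicy sslPolicy)` in the hunk at new line 694 writes its argument to the inner model unchecked, so passing `null` silently drops an explicitly configured TLS policy and the gateway presumably falls back to the service default. Either reject it with `Objects.requireNonNull(sslPolicy, "sslPolicy");` (`java.util.Objects`; its import is not visible in this diff) or document that `null` clears the policy. `withCustomV2SslPolicy` likewise forwards a null `minProtocolVersion` or an empty `cipherSuites` list to the service, and presumably keeps a reference to the caller's list rather than a copy. Part of this hunk appears to have been lost in extraction (the `withPredefinedSslPolicy` body is not visible), so this covers only the two methods shown.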
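Review bot: `sslPolicy()` in the hunk at new line 1529 returns the inner model's `ApplicationGatewaySslPolicy` object itself, whereas the neighbouring `authenticationCertificates()` wraps its state in `Collections.unmodifiableMap`. The policy type has fluent setters (the test in this commit calls `withMinProtocolVersion` on one), so a caller can change the gateway's pending TLS settings through the getter without going through `update()`. Returning a copy, or adding a Javadoc sentence that the returned object is live, would make that explicit. The getter also presumably returns `null` when no policy is set, which the interface Javadoc in `ApplicationGateway.java` should state, e.g. `@return SSL policy of the application gateway, or null if none is configured`.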
--- a/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java +++ b/sdk/resourcemanager/azure-resourcemanager-network/src/main/java/com/azure/resourcemanager/network/models/ApplicationGateway.java @@ -15,6 +15,7 @@ import reactor.core.publisher.Mono; import java.util.Collection; +import java.util.List; import java.util.Map; import java.util.Set; @@ -65,7 +66,14 @@ public interface ApplicationGateway // Getters - /** @return disabled SSL protocols */ + /** + * Get the disabled SSL protocols. + * + * @return disabled SSL protocols + * @deprecated Application Gateway V1 is officially deprecated on April 28, 2023. + * This attribute has no effect for V2 gateways, instead, use {@link ApplicationGateway#sslPolicy()}. + */ + @Deprecated Collection disabledSslProtocols(); /** @@ -202,6 +210,13 @@ public interface ApplicationGateway */ Mono getWebApplicationFirewallPolicyAsync(); + /** + * Get the SSL policy for the application gateway. + * + * @return SSL policy of the application gateway + */ + ApplicationGatewaySslPolicy sslPolicy(); + /** Grouping of application gateway definition stages. */ interface DefinitionStages { /** The first stage of an application gateway definition. */ @@ -551,7 +566,12 @@ interface WithDisabledSslProtocol { * * @param protocol an SSL protocol * @return the next stage of the definition + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated WithCreate withDisabledSslProtocol(ApplicationGatewaySslProtocol protocol); /** 
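Review bot: The `@deprecated` text added to `withDisabledSslProtocol` (new line 566) says only "This method no longer has effect", which hides a security-relevant consequence: code that called it to switch off old TLS/SSL versions still compiles, with a warning, but those protocols are no longer disabled. The Javadoc should say so directly, for example `@deprecated Has no effect: the given protocols are NOT disabled. Set the minimum TLS version through {@link WithSslPolicy} instead.` The same wording recurs in the hunks at new lines 579, 1313, 1326, 1339 and 1352. It is also inconsistent with the getter note at new line 66, which limits the no-op to V2 gateways; the implementation of these methods is not in this diff, so which statement is accurate should be confirmed there.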
@@ -559,7 +579,12 @@ interface WithDisabledSslProtocol { * * @param protocols SSL protocols * @return the next stage of the definition + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated WithCreate withDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols); } 
@@ -638,6 +663,37 @@ interface WithWebApplicationFirewallPolicy { WithCreate withNewWebApplicationFirewallPolicy(Creatable creatable); } + /** + * The stage of the application gateway definition allowing to configure TLS/SSL policy for the application gateway. + */ + interface WithSslPolicy { + /** + * Configures to use predefined TLS/SSL policy for the application gateway. + * + * @param policyName predefined TLS/SSL policy name + * @return the next stage of the definition + */ + WithCreate withPredefinedSslPolicy(ApplicationGatewaySslPolicyName policyName); + + /** + * Configures to use CustomV2 policy for the application gateway. + * + * @param minProtocolVersion minimum version of TLS/SSL protocol to be supported on application gateway. + * @param cipherSuites TLS/SSL cipher suites to be enabled in the specified order to application gateway. + * @return the next stage of the definition + */ + WithCreate withCustomV2SslPolicy(ApplicationGatewaySslProtocol minProtocolVersion, + List cipherSuites); + + /** + * Configures to use the provided TLS/SSL policy for the application gateway. + * + * @param sslPolicy the TLS/SSL policy to use for the application gateway + * @return the next stage of the definition + */ + WithCreate withSslPolicy(ApplicationGatewaySslPolicy sslPolicy); + } + /** * The stage of an application gateway definition containing all the required inputs for the resource to be * created, but also allowing for any other optional settings to be specified. @@ -665,7 +721,8 @@ interface WithCreate WithAvailabilityZone, WithManagedServiceIdentity, WithHttp2, - WithWebApplicationFirewallPolicy { + WithWebApplicationFirewallPolicy, + WithSslPolicy { } } 
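Review bot: The Javadoc for `DefinitionStages.WithSslPolicy#withSslPolicy(ApplicationGatewaySslPolicy)` (new line 663) does not say that the policy object is validated only by the service, so an inconsistent policy is accepted by the fluent call and fails later with a `ManagementException`. The test added in this commit shows exactly that at `apply()` for a predefined policy combined with `minProtocolVersion`. A sentence such as `Invalid combinations (for example a predefined policy name together with a minimum protocol version) are rejected by the service, not by this method.` would cover it. It is also undocumented that the three methods replace one another, so the last call in a chain decides the policy (inferred from the implementation writing the whole policy each time). The same applies to `UpdateStages.WithSslPolicy` in the hunk at new line 1433.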
@@ -1256,7 +1313,12 @@ interface WithDisabledSslProtocol { * * @param protocol an SSL protocol * @return the next stage of the update + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated Update withDisabledSslProtocol(ApplicationGatewaySslProtocol protocol); /** @@ -1264,7 +1326,12 @@ interface WithDisabledSslProtocol { * * @param protocols SSL protocols * @return the next stage of the update + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated Update withDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols); /** @@ -1272,7 +1339,12 @@ interface WithDisabledSslProtocol { * * @param protocol an SSL protocol * @return the next stage of the update + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated Update withoutDisabledSslProtocol(ApplicationGatewaySslProtocol protocol); /** 
@@ -1280,14 +1352,24 @@ interface WithDisabledSslProtocol { * * @param protocols SSL protocols * @return the next stage of the update + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated Update withoutDisabledSslProtocols(ApplicationGatewaySslProtocol... protocols); /** * Enables all SSL protocols, if previously disabled. * * @return the next stage of the update + * @deprecated This method no longer has effect. + * Consider {@link WithSslPolicy#withPredefinedSslPolicy(ApplicationGatewaySslPolicyName)} to use + * pre-defined TLS/SSL policy, or {@link WithSslPolicy#withCustomV2SslPolicy(ApplicationGatewaySslProtocol, List)} + * for custom TLS/SSL policy. */ + @Deprecated Update withoutAnyDisabledSslProtocols(); } 
@@ -1351,6 +1433,37 @@ interface WithWebApplicationFirewallPolicy { */ Update withNewWebApplicationFirewallPolicy(Creatable creatable); } + + /** + * The stage of the application gateway update allowing to configure TLS/SSL policy for the application gateway. + */ + interface WithSslPolicy { + /** + * Configures to use predefined TLS/SSL policy for the application gateway. + * + * @param policyName predefined TLS/SSL policy name + * @return the next stage of the update + */ + Update withPredefinedSslPolicy(ApplicationGatewaySslPolicyName policyName); + + /** + * Configures to use CustomV2 policy for the application gateway. + * + * @param minProtocolVersion minimum version of TLS/SSL protocol to be supported on application gateway. + * @param cipherSuites TLS/SSL cipher suites to be enabled in the specified order to application gateway. + * @return the next stage of the update + */ + Update withCustomV2SslPolicy(ApplicationGatewaySslProtocol minProtocolVersion, + List cipherSuites); + + /** + * Configures to use the provided TLS/SSL policy for the application gateway. + * + * @param sslPolicy the TLS/SSL policy to use for the application gateway + * @return the next stage of the update + */ + Update withSslPolicy(ApplicationGatewaySslPolicy sslPolicy); + } } /** The template for an application gateway update operation, containing all the settings that can be modified. */ @@ -1377,6 +1490,7 @@ interface Update UpdateStages.WithUrlPathMap, UpdateStages.WithManagedServiceIdentity, UpdateStages.WithHttp2, - UpdateStages.WithWebApplicationFirewallPolicy { + UpdateStages.WithWebApplicationFirewallPolicy, + UpdateStages.WithSslPolicy { } } diff --git a/sdk/resourcemanager/azure-resourcemanager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java b/sdk/resourcemanager/azure-resourcemanager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java index fb511f1369f9d..217cc2178c10a 100644 
--- a/sdk/resourcemanager/azure-resourcemanager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java +++ b/sdk/resourcemanager/azure-resourcemanager-network/src/test/java/com/azure/resourcemanager/network/ApplicationGatewayTests.java @@ -4,6 +4,7 @@ package com.azure.resourcemanager.network; import com.azure.core.management.Region; +import com.azure.core.management.exception.ManagementException; import com.azure.core.test.annotation.DoNotRecord; import com.azure.core.util.serializer.JacksonAdapter; import com.azure.core.util.serializer.SerializerEncoding; @@ -16,6 +17,11 @@ import com.azure.resourcemanager.network.models.ApplicationGatewayFirewallExclusion; import com.azure.resourcemanager.network.models.ApplicationGatewayFirewallMode; import com.azure.resourcemanager.network.models.ApplicationGatewaySkuName; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslCipherSuite; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicy; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyName; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslPolicyType; +import com.azure.resourcemanager.network.models.ApplicationGatewaySslProtocol; import com.azure.resourcemanager.network.models.ApplicationGatewayTier; import com.azure.resourcemanager.network.models.ApplicationGatewayWebApplicationFirewallConfiguration; import com.azure.resourcemanager.network.models.KnownWebApplicationGatewayManagedRuleSet; 
@@ -613,6 +619,69 @@ public void canAssociateWafPolicy() { .noneMatch(policy -> policy.name().equals(invalidPolicyName))); } + @Test + public void canSetSslPolicy() { + String appGatewayName = generateRandomResourceName("agw", 15); + String appPublicIp = generateRandomResourceName("pip", 15); + + PublicIpAddress pip = + networkManager + .publicIpAddresses() + .define(appPublicIp) + .withRegion(Region.US_EAST) + .withNewResourceGroup(rgName) + .withSku(PublicIPSkuType.STANDARD) + .withStaticIP() + .create(); + + // create with predefined ssl policy + ApplicationGateway appGateway = + networkManager + .applicationGateways() + .define(appGatewayName) + .withRegion(Region.US_EAST) + .withExistingResourceGroup(rgName) + // Request routing rules + .defineRequestRoutingRule("rule1") + .fromPublicFrontend() + .fromFrontendHttpPort(80) + .toBackendHttpPort(8080) + .toBackendIPAddress("11.1.1.1") + .attach() + .withExistingPublicIpAddress(pip) + .withTier(ApplicationGatewayTier.WAF_V2) + .withSize(ApplicationGatewaySkuName.WAF_V2) + .withPredefinedSslPolicy(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501) + .create(); + + ApplicationGatewaySslPolicy sslPolicy = appGateway.sslPolicy(); + Assertions.assertNotNull(sslPolicy); + Assertions.assertEquals(ApplicationGatewaySslPolicyType.PREDEFINED, sslPolicy.policyType()); + Assertions.assertEquals(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501, sslPolicy.policyName()); + + // update with custom ssl policy + appGateway.update() + .withCustomV2SslPolicy(ApplicationGatewaySslProtocol.TLSV1_2, Collections.singletonList(ApplicationGatewaySslCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)) + .apply(); + + sslPolicy = appGateway.sslPolicy(); + Assertions.assertNotNull(sslPolicy); + Assertions.assertEquals(ApplicationGatewaySslPolicyType.CUSTOM_V2, sslPolicy.policyType()); + Assertions.assertNull(sslPolicy.policyName()); + Assertions.assertEquals(ApplicationGatewaySslProtocol.TLSV1_2, 
sslPolicy.minProtocolVersion()); + Assertions.assertTrue(sslPolicy.cipherSuites().contains(ApplicationGatewaySslCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)); + + // predefined policy doesn't not support minProtocolVersion + Assertions.assertThrows(ManagementException.class, () -> { + appGateway.update() + .withSslPolicy(new ApplicationGatewaySslPolicy() + .withPolicyType(ApplicationGatewaySslPolicyType.PREDEFINED) + .withPolicyName(ApplicationGatewaySslPolicyName.APP_GW_SSL_POLICY20150501) + .withMinProtocolVersion(ApplicationGatewaySslProtocol.TLSV1_1)) + .apply(); + }); + } + private String createKeyVaultCertificate(String servicePrincipal, String identityPrincipal) { String vaultName = generateRandomResourceName("vlt", 10); String secretName = generateRandomResourceName("srt", 10);
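Review bot: The final `Assertions.assertThrows(ManagementException.class, ...)` passes on any service error, including throttling or a quota failure, so it does not prove that the predefined-policy/`minProtocolVersion` combination is what was rejected. Capture the exception and check it, e.g. `ManagementException e = Assertions.assertThrows(...);` followed by `Assertions.assertEquals(400, e.getResponse().getStatusCode());` (the 400 is an assumption to confirm against the recording). The comment above it reads "doesn't not support" and should be `// predefined policy doesn't support minProtocolVersion`. Because the positive cases pin `APP_GW_SSL_POLICY20150501` and a CBC cipher suite, a short comment saying these values are test fixtures rather than recommended settings would stop them being copied into real configurations.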