Azure · tjprescott · Nov 28, 2018 · Nov 27, 2018
@@ -2,6 +2,11 @@
 
 Release History
 ===============
+
+0.2.3
++++++
+* Minor fixes
+
 0.2.2
 +++++
 * Minor fixes

@@ -16,8 +16,13 @@ def __init__(self, query, expected_result):
 
     def __call__(self, execution_result):
         json_value = execution_result.get_output_in_json()
-        actual_result = jmespath.search(self._query, json_value,
-                                        jmespath.Options(collections.OrderedDict))
+        actual_result = None
+        try:
+            actual_result = jmespath.search(self._query, json_value,
+                                            jmespath.Options(collections.OrderedDict))
+        except jmespath.exceptions.JMESPathTypeError:
+            raise JMESPathCheckAssertionError(self._query, self._expected_result, actual_result,
+                                              execution_result.output)
         if actual_result != self._expected_result and str(actual_result) != str(self._expected_result):
             if actual_result:
                 raise JMESPathCheckAssertionError(self._query, self._expected_result, actual_result,

@@ -14,7 +14,7 @@
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
     cmdclass = {}
 
-VERSION = "0.2.2"
+VERSION = "0.2.3"
 
 CLASSIFIERS = [
     'Development Status :: 3 - Alpha',

diff --git a/src/command_modules/azure-cli-network/HISTORY.rst b/src/command_modules/azure-cli-network/HISTORY.rst
@@ -3,6 +3,10 @@
 Release History
 ===============
 
+2.2.10
+++++++
+* `application-gateway waf-config set`: Added `--exclusion` argument to support WAF exclusions.
+
 2.2.9
 +++++
 * `application-gateway`: Added `root-cert` subcommands to handle trusted root certifcates.

@@ -865,6 +865,12 @@
           short-summary: Space-separated list of rule IDs to disable.
           populator-commands:
           - az network application-gateway waf-config list-rule-sets
+        - name: --exclusion
+          short-summary: Add an exclusion expression to the WAF check.
+          long-summary: |
+            Usage:   --exclusion VARIABLE OPERATOR VALUE
+
+            Multiple exclusions can be specified by using more than one `--exclusion` argument.
     examples:
         - name: Configure WAF on an application gateway in detection mode with default values
           text: |
@@ -874,7 +880,14 @@
           text: |
             az network application-gateway waf-config set -g MyResourceGroup -n MyAppGateway \\
                 --enabled true --rule-set-type OWASP --rule-set-version 3.0 \\
-                --disabled-rules 920130 920140 --disabled-rule-groups REQUEST-942-APPLICATION-ATTACK-SQLI
+                --disabled-rule-groups REQUEST-942-APPLICATION-ATTACK-SQLI \\
+                --disabled-rules 920130 920140
+        - name: Configure WAF on an application gateway with exclusions.
+          text: |
+            az network application-gateway waf-config set -g MyResourceGroup -n MyAppGateway \\
+                --enabled true --firewall-mode Detection --rule-set-version 3.0 \\
+                --exclusion "RequestHeaderNames StartsWith x-header" \\
+                --exclusion "RequestArgNames Equals IgnoreThis"
 """
 
 helps['network application-gateway waf-config show'] = """

diff --git a/src/command_modules/azure-cli-network/azure/cli/command_modules/network/_params.py b/src/command_modules/azure-cli-network/azure/cli/command_modules/network/_params.py
@@ -27,7 +27,8 @@
     get_network_watcher_from_vm, get_network_watcher_from_location,
     get_asg_validator, get_vnet_validator, validate_ip_tags, validate_ddos_name_or_id,
     validate_service_endpoint_policy, validate_delegations, validate_subresource_list,
-    validate_er_peer_circuit, validate_ag_address_pools, validate_custom_error_pages)
+    validate_er_peer_circuit, validate_ag_address_pools, validate_custom_error_pages,
+    WafConfigExclusionAction)
 from azure.mgmt.trafficmanager.models import MonitorProtocol, ProfileStatus
 from azure.cli.command_modules.network._completers import (
     subnet_completion_list, get_lb_subresource_completion_list, get_ag_subresource_completion_list,
@@ -276,6 +277,7 @@ def load_arguments(self, _):
         c.argument('file_upload_limit', help='File upload size limit in MB.', type=int)
         c.argument('max_request_body_size', help='Max request body size in KB.', type=int)
         c.argument('request_body_check', arg_type=get_three_state_flag(), help='Allow WAF to check the request body.')
+        c.argument('exclusions', nargs='+', options_list='--exclusion', action=WafConfigExclusionAction)
 
     for item in ['ssl-policy', 'waf-config']:
         with self.argument_context('network application-gateway {}'.format(item)) as c:

diff --git a/src/command_modules/azure-cli-network/azure/cli/command_modules/network/_validators.py b/src/command_modules/azure-cli-network/azure/cli/command_modules/network/_validators.py
@@ -193,7 +193,7 @@ def validate_ssl_cert(namespace):
     else:
         # cert supplied -- use HTTPS
         if not all(params):
-            raise argparse.ArgumentError(
+            raise CLIError(
                 None, 'To use SSL certificate, you must specify both the filename and password')
 
         # extract the certificate data from the provided file
@@ -1278,3 +1278,23 @@ def validate_custom_error_pages(namespace):
         except (ValueError, TypeError):
             raise CLIError('usage error: --custom-error-pages STATUS_CODE=URL [STATUS_CODE=URL ...]')
     namespace.custom_error_pages = values
+
+
+# pylint: disable=too-few-public-methods
+class WafConfigExclusionAction(argparse.Action):
+    def __call__(self, parser, namespace, values, option_string=None):
+        cmd = namespace._cmd  # pylint: disable=protected-access
+        ApplicationGatewayFirewallExclusion = cmd.get_models('ApplicationGatewayFirewallExclusion')
+        if not namespace.exclusions:
+            namespace.exclusions = []
+        if isinstance(values, list):
+            values = ' '.join(values)
+        try:
+            variable, op, selector = values.split(' ')
+        except (ValueError, TypeError):
+            raise CLIError('usage error: --exclusion VARIABLE OPERATOR VALUE')
+        namespace.exclusions.append(ApplicationGatewayFirewallExclusion(
+            match_variable=variable,
+            selector_match_operator=op,
+            selector=selector
+        ))
diff --git a/src/command_modules/azure-cli-network/azure/cli/command_modules/network/custom.py b/src/command_modules/azure-cli-network/azure/cli/command_modules/network/custom.py
@@ -783,7 +783,8 @@ def set_ag_waf_config_2017_03_01(cmd, resource_group_name, application_gateway_n
                                  rule_set_type='OWASP', rule_set_version=None,
                                  disabled_rule_groups=None,
                                  disabled_rules=None, no_wait=False,
-                                 request_body_check=None, max_request_body_size=None, file_upload_limit=None):
+                                 request_body_check=None, max_request_body_size=None, file_upload_limit=None,
+                                 exclusions=None):
     ApplicationGatewayWebApplicationFirewallConfiguration = cmd.get_models(
         'ApplicationGatewayWebApplicationFirewallConfiguration')
     ncf = network_client_factory(cmd.cli_ctx).application_gateways
@@ -824,6 +825,7 @@ def _flatten(collection, expand_property_fn):
         ag.web_application_firewall_configuration.request_body_check = request_body_check
         ag.web_application_firewall_configuration.max_request_body_size_in_kb = max_request_body_size
         ag.web_application_firewall_configuration.file_upload_limit_in_mb = file_upload_limit
+        ag.web_application_firewall_configuration.exclusions = exclusions
 
     return sdk_no_wait(no_wait, ncf.create_or_update, resource_group_name, application_gateway_name, ag)