Framework/Core/SVT/Services/CDN.ps1
Set-StrictMode -Version Latest class CDN: AzSVTBase { hidden [PSObject] $ResourceObject; CDN([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId, $svtResource) { } hidden [ControlResult] CheckCDNHttpsProtocol([ControlResult] $controlResult) { $cdnEndpoints = Get-AzCdnEndpoint -ProfileName $this.ResourceContext.ResourceName ` -ResourceGroupName $this.ResourceContext.ResourceGroupName ` -ErrorAction Stop if(($cdnEndpoints | Measure-Object).Count -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("No CDN endpoints are found in the CDN profile.")); } else { # list of CDN endpoints which have only http enabled $onlyHttpAllowedEndpointList = @($cdnEndpoints | Where-Object { $_.IsHttpAllowed -eq $true -and $_.IsHttpsAllowed -eq $false}) # list of CDN endpoints which have http enabled (irrespective of https) $httpAllowedEndpointList = $cdnEndpoints | Where-Object { $_.IsHttpAllowed -eq $true } if(($httpAllowedEndpointList | Measure-Object).Count -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("All CDN endpoints in the CDN profile [" + $this.ResourceContext.ResourceName + "] are using HTTPS protocol only - ", ($cdnEndpoints | Select-Object -Property Name, HostName, OriginHostHeader, IsHttpAllowed, IsHttpsAllowed))); }elseif($null -ne $onlyHttpAllowedEndpointList -and ($onlyHttpAllowedEndpointList | Measure-Object).Count -gt 0){ # If only http protocol is enabled, Fail the control directly without checking for redirection rule $httpEndpointObjList=@() $httpAllowedEndpointList| Foreach-Object { $httpEndpointObj = New-Object -TypeName PSObject $httpEndpointObj | Add-Member -NotePropertyName HostName -NotePropertyValue $_.HostName $httpEndpointObj | Add-Member -NotePropertyName IsHttpAllowed -NotePropertyValue $_.IsHttpAllowed $httpEndpointObj | Add-Member -NotePropertyName IsHttpsAllowed -NotePropertyValue $_.IsHttpsAllowed $httpEndpointObjList+=$httpEndpointObj } $controlResult.SetStateData("Http Enabled Endpoints", $httpEndpointObjList); $controlResult.EnableFixControl = $true; $controlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("Only HTTP protocol is enabled for following CDN endpoints in the CDN profile [" + $this.ResourceContext.ResourceName + "] ", ($onlyHttpAllowedEndpointList | Select-Object -Property Name, HostName, OriginHostHeader, IsHttpAllowed, IsHttpsAllowed))); } else { $httpEndpointObjList=@() $httpAllowedEndpointList| Foreach-Object { $httpEndpointObj = New-Object -TypeName PSObject $httpEndpointObj | Add-Member -NotePropertyName HostName -NotePropertyValue $_.HostName $httpEndpointObj | Add-Member -NotePropertyName IsHttpAllowed -NotePropertyValue $_.IsHttpAllowed $httpEndpointObj | Add-Member -NotePropertyName IsHttpsAllowed -NotePropertyValue $_.IsHttpsAllowed $httpEndpointObjList+=$httpEndpointObj } $httpEndpointsWithRedirectRule = @() $httpEndpointsWithoutRedirectRule = @() $httpAllowedEndpointList | Foreach-Object { $currentEndpoint = $_ $isRedirectRuleConfigured = $false $currentEndpoint.DeliveryPolicy.Rules | Foreach-Object { $currentRule = $_ $requiredHttpCondition = $currentRule.Conditions | Where-Object { $_.MatchVariable -eq "RequestScheme" -and $_.MatchValue -eq "HTTP"} $requiredRedirectAction = $currentRule.Actions | Where-Object { $_.RedirectType -eq "Found" -and $_.DestinationProtocol -eq "HTTPS"} if($null -ne $requiredHttpCondition -and $null -ne $requiredRedirectAction){ $isRedirectRuleConfigured = $true } } if($isRedirectRuleConfigured) { $httpEndpointsWithRedirectRule += $currentEndpoint } else { $httpEndpointsWithoutRedirectRule += $currentEndpoint } } if(($httpEndpointsWithoutRedirectRule | Measure-Object).Count -gt 0){ $controlResult.SetStateData("Http Enabled Endpoints", $httpEndpointObjList); $controlResult.EnableFixControl = $true; $controlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("Below CDN endpoints in the CDN profile [" + $this.ResourceContext.ResourceName + "] are using HTTP protocol and don't have HTTP to HTTPS redirection rule configured - ", ($httpEndpointsWithoutRedirectRule | Select-Object -Property Name, HostName, OriginHostHeader, IsHttpAllowed, IsHttpsAllowed))); }else{ $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("For all the CDN endpoints (using HTTP protocol) in the CDN profile, HTTP to HTTPs redirection rule is configured in rules engine - ", ($httpEndpointsWithRedirectRule | Select-Object -Property Name, HostName, OriginHostHeader, IsHttpAllowed, IsHttpsAllowed))); } } } return $controlResult; } } |