Apply remaining changes

Author: Copilot

src/services/api-extractor.ts

@@ -14,6 +14,7 @@ import { ResourceType, RESOURCE_TYPE_METADATA } from '../models/resource-types.j
 import { FilterConfig } from '../models/config.js';
 import { shouldIncludeResource } from './filter-service.js';
 import { extractResourceType, ExtractedResource } from './resource-extractor.js';
+import { redactPolicySecrets, warnPolicySecretRedactions } from './secret-redactor.js';
 import { logger } from '../lib/logger.js';
 import { buildResourceLabel } from '../lib/resource-uri.js';
 import { getNamePart } from '../lib/resource-path.js';
@@ -363,14 +364,16 @@ async function extractApiPolicy(
   const policyContent = properties?.value as string | undefined;
 
   if (policyContent) {
+    const { redactedContent, findings } = redactPolicySecrets(policyContent);
+    warnPolicySecretRedactions(policyDescriptor, findings);
     await store.writeContent(
       outputDir,
       policyDescriptor,
-      policyContent,
+      redactedContent,
       'policy'
     );
     logger.debug(`Extracted ${buildResourceLabel(policyDescriptor)}`);
-    return policyContent;
+    return redactedContent;
   }
 
   return undefined;
@@ -420,13 +423,15 @@ async function extractApiOperations(
     const policyContent = properties?.value as string | undefined;
 
     if (policyContent) {
-      await store.writeContent(outputDir, opPolicyDescriptor, policyContent, 'policy');
+      const { redactedContent, findings } = redactPolicySecrets(policyContent);
+      warnPolicySecretRedactions(opPolicyDescriptor, findings);
+      await store.writeContent(outputDir, opPolicyDescriptor, redactedContent, 'policy');
       operationPolicies.push({
         descriptor: opPolicyDescriptor,
         json: policyJson,
         status: 'success',
       });
-      policies.push(policyContent);
+      policies.push(redactedContent);
       logger.debug(`Extracted ${buildResourceLabel(opPolicyDescriptor)}`);
     }
   }
@@ -531,13 +536,15 @@ async function extractGraphQLResolvers(
     const policyContent = props?.value as string | undefined;
 
     if (policyContent) {
-      await store.writeContent(outputDir, resolverPolicyDescriptor, policyContent, 'policy');
+      const { redactedContent, findings } = redactPolicySecrets(policyContent);
+      warnPolicySecretRedactions(resolverPolicyDescriptor, findings);
+      await store.writeContent(outputDir, resolverPolicyDescriptor, redactedContent, 'policy');
       resolverPolicies.push({
         descriptor: resolverPolicyDescriptor,
         json: policyJson,
         status: 'success',
       });
-      policies.push(policyContent);
+      policies.push(redactedContent);
       logger.debug(`Extracted ${buildResourceLabel(resolverPolicyDescriptor)}`);
     }
   }

src/services/extract-service.ts

@@ -29,6 +29,7 @@ import { extractWorkspaces, WorkspaceExtractionResult } from './workspace-extrac
 import {
   findTransitiveDependencies,
 } from './transitive-resolver.js';
+import { redactPolicySecrets, warnPolicySecretRedactions } from './secret-redactor.js';
 import { logger } from '../lib/logger.js';
 import { buildResourceLabel } from '../lib/resource-uri.js';
 import { EXIT_SUCCESS, EXIT_PARTIAL, EXIT_FATAL } from '../lib/exit-codes.js';
@@ -401,10 +402,12 @@ async function extractServicePolicy(
   const policyContent = properties?.value as string | undefined;
 
   if (policyContent) {
-    await store.writeContent(outputDir, descriptor, policyContent, 'policy');
+    const { redactedContent, findings } = redactPolicySecrets(policyContent);
+    warnPolicySecretRedactions(descriptor, findings);
+    await store.writeContent(outputDir, descriptor, redactedContent, 'policy');
     result.totalExtracted++;
     result.extractedDescriptors.push(descriptor);
-    result.collectedPolicies.set('service-policy', policyContent);
+    result.collectedPolicies.set('service-policy', redactedContent);
     logger.info('Extracted service-level policy');
   }
 }

src/services/product-extractor.ts

@@ -11,6 +11,7 @@ import { ApimServiceContext, AssociationEntry, ResourceDescriptor } from '../mod
 import { ResourceType, RESOURCE_TYPE_METADATA } from '../models/resource-types.js';
 import { FilterConfig } from '../models/config.js';
 import { extractResourceName } from './resource-extractor.js';
+import { redactPolicySecrets, warnPolicySecretRedactions } from './secret-redactor.js';
 import { logger } from '../lib/logger.js';
 import { getNamePart } from '../lib/resource-path.js';
 import { isWorkspaceScope, extractNameFromLink, extractLinkTarget } from '../lib/workspace-link.js';
@@ -215,9 +216,11 @@ async function extractProductPolicy(
   const policyContent = properties?.value as string | undefined;
 
   if (policyContent) {
-    await store.writeContent(outputDir, policyDescriptor, policyContent, 'policy');
+    const { redactedContent, findings } = redactPolicySecrets(policyContent);
+    warnPolicySecretRedactions(policyDescriptor, findings);
+    await store.writeContent(outputDir, policyDescriptor, redactedContent, 'policy');
     logger.debug(`Extracted policy for product "${getNamePart(productDescriptor.nameParts, 0)}"`);
-    return policyContent;
+    return redactedContent;
   }
 
   return undefined;

src/services/resource-publisher.ts

@@ -21,6 +21,7 @@ import { logger } from '../lib/logger.js';
 import { REDACTION_MARKER } from './secret-redactor.js';
 import { isLinkAlreadyExistsError } from '../clients/apim-client.js';
 import type { OverrideConfig } from '../models/config.js';
+import { buildResourceLabel } from '../lib/resource-uri.js';
 
 export interface ResourcePublishResult {
   descriptor: ResourceDescriptor;
@@ -416,6 +417,17 @@ async function publishPolicy(
       };
     }
 
+    // Fail-safe guard: extracted policies don't currently carry separate metadata
+    // indicating prior redaction, so marker detection is a deliberate content
+    // check to block publishing placeholder secrets.
+    if (policyContent.content.includes(REDACTION_MARKER)) {
+      throw new Error(
+        `Cannot publish ${buildResourceLabel(descriptor)}: policy contains '${REDACTION_MARKER}'. ` +
+        'Replace inline secrets with named values before publish: ' +
+        'https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties'
+      );
+    }
+
     const payload: Record<string, unknown> = {
       properties: {
         value: policyContent.content,

src/services/secret-redactor.ts

@@ -10,9 +10,31 @@ import { ResourceType } from '../models/resource-types.js';
 import { ResourceDescriptor } from '../models/types.js';
 import { logger } from '../lib/logger.js';
 import { getNamePart } from '../lib/resource-path.js';
+import { buildResourceLabel } from '../lib/resource-uri.js';
 
 /** Marker used to replace secret values in extracted artifacts */
 export const REDACTION_MARKER = '*** REDACTED ***';
+const NAMED_VALUE_REFERENCE_PATTERN = /^\s*\{\{[^{}]+\}\}\s*$/;
+// Headers where inline literal values are typically secrets and should be
+// redacted when present in policy XML. Extend this allow-list when APIM adds
+// new secret-bearing header conventions.
+const SECRET_HEADER_NAMES = new Set([
+  'authorization',
+  'ocp-apim-subscription-key',
+  'x-functions-key',
+  'api-key',
+]);
+// Query parameters commonly used to carry secrets/tokens in APIM policies.
+// Keep focused on secret-bearing names to avoid over-redacting non-secrets.
+const SECRET_QUERY_PARAMETER_NAMES = new Set([
+  'code',
+  'sig',
+  'subscription-key',
+]);
+
+export interface PolicySecretFinding {
+  location: string;
+}
 
 /**
  * Redact secret values from a resource's JSON payload.
@@ -56,3 +78,161 @@ export function redactSecrets(
   logger.debug(`Redacted secret value for named value "${getNamePart(descriptor.nameParts, 0)}"`);
   return redacted;
 }
+
+function isApimNamedValueReference(value: string): boolean {
+  return NAMED_VALUE_REFERENCE_PATTERN.test(value);
+}
+
+function shouldRedactLiteral(value: string): boolean {
+  const trimmed = value.trim();
+  if (!trimmed || trimmed === REDACTION_MARKER) {
+    return false;
+  }
+  return !isApimNamedValueReference(trimmed);
+}
+
+/**
+ * Redact inline literal secrets in policy XML content.
+ */
+export function redactPolicySecrets(
+  policyContent: string
+): { redactedContent: string; findings: PolicySecretFinding[] } {
+  const findings: PolicySecretFinding[] = [];
+  const addFinding = (location: string): void => {
+    findings.push({ location });
+  };
+
+  let redacted = policyContent;
+
+  redacted = redacted.replace(/<set-header\b[\s\S]*?<\/set-header>/gi, (setHeaderBlock) => {
+    const nameMatch = /\bname\s*=\s*["']([^"']+)["']/i.exec(setHeaderBlock);
+    const headerName = nameMatch?.[1]?.toLowerCase();
+    if (!headerName || !SECRET_HEADER_NAMES.has(headerName)) {
+      return setHeaderBlock;
+    }
+
+    return setHeaderBlock.replace(
+      /(<value\b[^>]*>)([\s\S]*?)(<\/value>)/gi,
+      (_full, openTag: string, value: string, closeTag: string) => {
+        if (!shouldRedactLiteral(value)) {
+          return `${openTag}${value}${closeTag}`;
+        }
+
+        addFinding(`set-header[${headerName}]`);
+        return `${openTag}${REDACTION_MARKER}${closeTag}`;
+      }
+    );
+  });
+
+  redacted = redacted.replace(/<set-query-parameter\b[\s\S]*?<\/set-query-parameter>/gi, (setQueryBlock) => {
+    const nameMatch = /\bname\s*=\s*["']([^"']+)["']/i.exec(setQueryBlock);
+    const parameterName = nameMatch?.[1]?.toLowerCase();
+    if (!parameterName || !SECRET_QUERY_PARAMETER_NAMES.has(parameterName)) {
+      return setQueryBlock;
+    }
+
+    return setQueryBlock.replace(
+      /(<value\b[^>]*>)([\s\S]*?)(<\/value>)/gi,
+      (_full, openTag: string, value: string, closeTag: string) => {
+        if (!shouldRedactLiteral(value)) {
+          return `${openTag}${value}${closeTag}`;
+        }
+
+        addFinding(`set-query-parameter[${parameterName}]`);
+        return `${openTag}${REDACTION_MARKER}${closeTag}`;
+      }
+    );
+  });
+
+  redacted = redacted.replace(/<authentication-basic\b[^>]*>/gi, (tag) => {
+    return tag.replace(/(\bpassword\s*=\s*["'])([^"']*)(["'])/i, (_full, prefix: string, value: string, suffix: string) => {
+      if (!shouldRedactLiteral(value)) {
+        return `${prefix}${value}${suffix}`;
+      }
+
+      addFinding('authentication-basic@password');
+      return `${prefix}${REDACTION_MARKER}${suffix}`;
+    });
+  });
+
+  redacted = redacted.replace(/<authentication-certificate\b[^>]*>/gi, (tag) => {
+    return tag.replace(/(\bbody\s*=\s*["'])([^"']*)(["'])/i, (_full, prefix: string, value: string, suffix: string) => {
+      if (!shouldRedactLiteral(value)) {
+        return `${prefix}${value}${suffix}`;
+      }
+
+      addFinding('authentication-certificate@body');
+      return `${prefix}${REDACTION_MARKER}${suffix}`;
+    });
+  });
+
+  redacted = redacted.replace(/<authentication-certificate\b[\s\S]*?<\/authentication-certificate>/gi, (certificateBlock) => {
+    return certificateBlock.replace(
+      /(<certificate\b[^>]*>)([\s\S]*?)(<\/certificate>)/gi,
+      (_full, openTag: string, value: string, closeTag: string) => {
+        if (!shouldRedactLiteral(value)) {
+          return `${openTag}${value}${closeTag}`;
+        }
+
+        addFinding('authentication-certificate/certificate');
+        return `${openTag}${REDACTION_MARKER}${closeTag}`;
+      }
+    );
+  });
+
+  for (const keySection of ['issuer-signing-keys', 'decryption-keys']) {
+    const sectionRegex = new RegExp(`<${keySection}\\b[\\s\\S]*?<\\/${keySection}>`, 'gi');
+    redacted = redacted.replace(sectionRegex, (sectionBlock) => {
+      return sectionBlock.replace(
+        /(<key\b[^>]*>)([\s\S]*?)(<\/key>)/gi,
+        (_full, openTag: string, value: string, closeTag: string) => {
+          if (!shouldRedactLiteral(value)) {
+            return `${openTag}${value}${closeTag}`;
+          }
+
+          addFinding(`validate-jwt ${keySection}/key`);
+          return `${openTag}${REDACTION_MARKER}${closeTag}`;
+        }
+      );
+    });
+  }
+
+  // AccountKey/SharedAccessKey fragments are used by storage/service-bus style
+  // connection strings. App Insights connection strings use InstrumentationKey
+  // and therefore do not match this pattern (allow-listed by design).
+  // Value exclusions:
+  // - ';' stops at the next connection-string key/value delimiter
+  // - whitespace/newlines avoid over-capturing adjacent text
+  // - '<' and '"' avoid crossing into XML tags/attributes
+  redacted = redacted.replace(/(AccountKey|SharedAccessKey)\s*=\s*([^;\r\n<"\s]+)/gi, (_full, key: string, value: string) => {
+    if (!shouldRedactLiteral(value)) {
+      return `${key}=${value}`;
+    }
+
+    addFinding(`connection-string[${key}]`);
+    return `${key}=${REDACTION_MARKER}`;
+  });
+
+  return {
+    redactedContent: redacted,
+    findings,
+  };
+}
+
+/**
+ * Emit warning logs for policy secret redaction findings.
+ */
+export function warnPolicySecretRedactions(
+  descriptor: ResourceDescriptor,
+  findings: PolicySecretFinding[]
+): void {
+  const label = buildResourceLabel(descriptor);
+  for (const finding of findings) {
+    logger.warn(
+      `Found and redacted inline secret in ${label} (${finding.location}). ` +
+      `Publish will fail while '${REDACTION_MARKER}' remains. ` +
+      'Update the policy to use a named value: ' +
+      'https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties'
+    );
+  }
+}

tests/unit/services/api-product-extractor.test.ts

@@ -10,6 +10,7 @@ import { ApimServiceContext, ResourceDescriptor } from '../../../src/models/type
 import { FilterConfig } from '../../../src/models/config.js';
 import { extractApiResources } from '../../../src/services/api-extractor.js';
 import { extractProductResources } from '../../../src/services/product-extractor.js';
+import { REDACTION_MARKER } from '../../../src/services/secret-redactor.js';
 
 const testContext: ApimServiceContext = {
   subscriptionId: 'sub-1',
@@ -261,8 +262,9 @@ describe('api-extractor', () => {
       expect(getApiSpecification).toHaveBeenCalledWith(testContext, 'openapi-rest', 'http', 'openapi3');
     });
 
-    it('should extract API policy and collect content', async () => {
-      const policyContent = '<policies><inbound><base /></inbound></policies>';
+    it('should extract API policy and redact inline secrets', async () => {
+      const policyContent = '<policies><inbound><set-header name="Authorization"><value>AUTH_LITERAL_VALUE</value></set-header></inbound></policies>';
+      const redactedPolicy = `<policies><inbound><set-header name="Authorization"><value>${REDACTION_MARKER}</value></set-header></inbound></policies>`;
       const client = createMockClient({
         getResource: vi.fn().mockImplementation(async (_ctx: unknown, desc: ResourceDescriptor) => {
           if (desc.type === ResourceType.ApiPolicy) {
@@ -284,7 +286,13 @@ describe('api-extractor', () => {
         '/output'
       );
 
-      expect(result.policies).toContain(policyContent);
+      expect(result.policies).toContain(redactedPolicy);
+      expect(store.writeContent).toHaveBeenCalledWith(
+        '/output',
+        expect.objectContaining({ type: ResourceType.ApiPolicy, nameParts: ['my-api'] }),
+        redactedPolicy,
+        'policy'
+      );
       // Verify the descriptor used the API name, not 'policy'
       expect(client.getResource).toHaveBeenCalledWith(
         expect.anything(),
@@ -1014,8 +1022,9 @@ describe('product-extractor', () => {
       expect(result.groups).toEqual(['group-1']);
     });
 
-    it('should extract product policy', async () => {
-      const policyContent = '<policies><inbound></inbound></policies>';
+    it('should extract product policy and redact inline secrets', async () => {
+      const policyContent = '<policies><inbound><set-query-parameter name="code"><value>abc123</value></set-query-parameter></inbound></policies>';
+      const redactedPolicy = `<policies><inbound><set-query-parameter name="code"><value>${REDACTION_MARKER}</value></set-query-parameter></inbound></policies>`;
       const client = createMockClient();
       client.listResources = async function* () {};
       client.getResource = vi.fn().mockImplementation(async (_ctx: unknown, desc: ResourceDescriptor) => {
@@ -1032,8 +1041,14 @@ describe('product-extractor', () => {
         '/output'
       );
 
-      expect(result.policy).toBe(policyContent);
-      expect(result.policies).toContain(policyContent);
+      expect(result.policy).toBe(redactedPolicy);
+      expect(result.policies).toContain(redactedPolicy);
+      expect(store.writeContent).toHaveBeenCalledWith(
+        '/output',
+        expect.objectContaining({ type: ResourceType.ProductPolicy, nameParts: ['starter'] }),
+        redactedPolicy,
+        'policy'
+      );
     });
 
     it('should propagate write errors from store.writeContent for product policy', async () => {