Redact app configuration keys

Author: theunrepentantgeek

v2/internal/testcommon/vcr/redact.go

@@ -8,6 +8,7 @@ package vcr
 import (
 	"net/http"
 	"regexp"
+	"strings"
 
 	"github.com/google/uuid"
 
@@ -141,6 +142,7 @@ func (r *Redactor) HideRecordingData(s string) string {
 	s = hideKubeConfigs(s)
 	s = hideKeys(s)
 	s = hideCustomKeys(s)
+	s = hideAppConfigurationKeySecrets(s)
 
 	return s
 }
@@ -213,3 +215,27 @@ func (r *Redactor) HideURLData(s string) string {
 
 	return s
 }
+
+var appConfigKeySecretMatcher = regexp.MustCompile(`Secret=([A-Za-z0-9]+)`)
+
+// hideAppConfigurationKeySecrets hides App Configuration key secrets
+// We can detect the secret in the connection string where it shows up as Secret=REDACTED
+// but also need to replace the bare value elsewhere in the body of the string.
+func hideAppConfigurationKeySecrets(s string) string {
+	// Get all the matches first
+	matches := appConfigKeySecretMatcher.FindAllStringSubmatch(s, -1)
+	if matches == nil {
+		return s
+	}
+
+	// Replace each match
+	for _, match := range matches {
+		if len(match) > 1 {
+			secretValue := match[1]
+			s = strings.ReplaceAll(s, secretValue, "{KEY}")
+		}
+	}
+
+	return s
+
+}

v2/internal/testcommon/vcr/redact_test.go

@@ -0,0 +1,49 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+*/
+
+package vcr
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func Test_hideAppConfigurationKeySecrets(t *testing.T) {
+	t.Parallel()
+
+	cases := map[string]struct {
+		input    string
+		expected string
+	}{
+		"Empty string": {
+			input:    "",
+			expected: "",
+		},
+		"No secrets": {
+			input:    `{"someKey":"someValue"}`,
+			expected: `{"someKey":"someValue"}`,
+		},
+		"Connection string": {
+			input:    `"Endpoint=https://asotest-confstore-fsrajl.azconfig.io;Id=GmDj;Secret=SECRETVALUEFROMAZURE"`,
+			expected: `"Endpoint=https://asotest-confstore-fsrajl.azconfig.io;Id=GmDj;Secret={KEY}"`,
+		},
+		"Configuration Key": {
+			input:    `{"id":"GmDj","name":"Primary","value":"SECRETVALUEFROMAZURE","connectionString":"Endpoint=https://asotest-confstore-fsrajl.azconfig.io;Id=GmDj;Secret=SECRETVALUEFROMAZURE","lastModified":"2025-11-19T01:22:31+00:00","readOnly":false}`,
+			expected: `{"id":"GmDj","name":"Primary","value":"{KEY}","connectionString":"Endpoint=https://asotest-confstore-fsrajl.azconfig.io;Id=GmDj;Secret={KEY}","lastModified":"2025-11-19T01:22:31+00:00","readOnly":false}`,
+		},
+	}
+
+	for name, c := range cases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			g := NewGomegaWithT(t)
+
+			actual := hideAppConfigurationKeySecrets(c.input)
+
+			g.Expect(actual).To(Equal(c.expected))
+		})
+	}
+}