fix: apply CORS, timeout, streaming, and error-handling policies to agent APIs (#958) (#959)

Author: Cataldir

.infra/apim-policies/agent-api-policy.xml

@@ -0,0 +1,53 @@
+<policies>
+    <inbound>
+        <base />
+        <cors allow-credentials="false">
+            <allowed-origins>
+            {{cors-origins}}
+            </allowed-origins>
+            <allowed-methods preflight-result-max-age="300">
+                <method>*</method>
+            </allowed-methods>
+            <allowed-headers>
+                <header>*</header>
+            </allowed-headers>
+            <expose-headers>
+                <header>*</header>
+            </expose-headers>
+        </cors>
+    </inbound>
+    <backend>
+        <forward-request timeout="120" />
+    </backend>
+    <outbound>
+        <base />
+        <set-header name="Access-Control-Allow-Origin" exists-action="override">
+            <value>@(context.Request.Headers.GetValueOrDefault("Origin", "http://localhost:3000"))</value>
+        </set-header>
+        <set-header name="Access-Control-Allow-Methods" exists-action="override">
+            <value>GET,POST,OPTIONS</value>
+        </set-header>
+        <set-header name="Access-Control-Allow-Headers" exists-action="override">
+            <value>*</value>
+        </set-header>
+    </outbound>
+    <on-error>
+        <base />
+        <return-response>
+            <set-status code="502" reason="Bad Gateway" />
+            <set-header name="Access-Control-Allow-Origin" exists-action="override">
+                <value>@(context.Request.Headers.GetValueOrDefault("Origin", "http://localhost:3000"))</value>
+            </set-header>
+            <set-header name="Access-Control-Allow-Methods" exists-action="override">
+                <value>GET,POST,OPTIONS</value>
+            </set-header>
+            <set-header name="Access-Control-Allow-Headers" exists-action="override">
+                <value>*</value>
+            </set-header>
+            <set-header name="Content-Type" exists-action="override">
+                <value>application/json</value>
+            </set-header>
+            <set-body>{"detail":"APIM upstream error while routing to agent backend."}</set-body>
+        </return-response>
+    </on-error>
+</policies>

.infra/apim-policies/agent-stream-operation-policy.xml

@@ -0,0 +1,20 @@
+<policies>
+    <inbound>
+        <base />
+    </inbound>
+    <backend>
+        <forward-request timeout="180" buffer-response="false" />
+    </backend>
+    <outbound>
+        <base />
+        <set-header name="Cache-Control" exists-action="override">
+            <value>no-cache</value>
+        </set-header>
+        <set-header name="X-Accel-Buffering" exists-action="override">
+            <value>no</value>
+        </set-header>
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>

.infra/azd/hooks/sync-apim-agents.ps1

@@ -592,6 +592,8 @@ function Ensure-AgentApi {
                 Write-Host "[preview]   + operation: $($op.method) $($op.template) ($($op.name))"
             }
         }
+        Write-Host "[preview]   + API-level policy (CORS, timeout=120s, on-error)"
+        Write-Host "[preview]   + Operation-level streaming policy (invoke-stream, timeout=180s, buffer-response=false)"
         return
     }
 
@@ -692,6 +694,36 @@ function Ensure-AgentApi {
         }
         Write-Host "Registered $($serviceSpecificOperations[$Service].Count) extra operations for $Service"
     }
+
+    # --- Apply API-level policy ---
+    $subscriptionId = az account show --query id -o tsv 2>$null
+    if (-not $subscriptionId) {
+        throw "Failed to resolve Azure subscription id for agent API policy update ($Service)."
+    }
+
+    $agentPolicyPath = Join-Path $PSScriptRoot '..\..\apim-policies\agent-api-policy.xml'
+    if (Test-Path $agentPolicyPath) {
+        $corsOriginXml = Get-CorsOriginXml -OriginsCsv $ApimCorsAllowedOrigins
+        $agentPolicyXml = (Get-Content -Path $agentPolicyPath -Raw) -replace '\{\{cors-origins\}\}', $corsOriginXml
+        $policyPayload = @{ properties = @{ format = 'rawxml'; value = $agentPolicyXml } } | ConvertTo-Json -Depth 8
+        $policyTempFile = Join-Path ([System.IO.Path]::GetTempPath()) "apim-agent-policy-$Service.json"
+        Set-Content -Path $policyTempFile -Value $policyPayload -Encoding UTF8
+        $policyUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$Rg/providers/Microsoft.ApiManagement/service/$Apim/apis/$apiId/policies/policy?api-version=2022-08-01"
+        az rest --method put --url $policyUrl --headers 'Content-Type=application/json' --body "@$policyTempFile" --only-show-errors *> $null
+        Write-Host "Applied API-level policy for $Service"
+    }
+
+    # --- Apply operation-level streaming policy for /invoke/stream ---
+    $streamPolicyPath = Join-Path $PSScriptRoot '..\..\apim-policies\agent-stream-operation-policy.xml'
+    if (Test-Path $streamPolicyPath) {
+        $streamPolicyXml = Get-Content -Path $streamPolicyPath -Raw
+        $streamPayload = @{ properties = @{ format = 'rawxml'; value = $streamPolicyXml } } | ConvertTo-Json -Depth 8
+        $streamTempFile = Join-Path ([System.IO.Path]::GetTempPath()) "apim-agent-stream-policy-$Service.json"
+        Set-Content -Path $streamTempFile -Value $streamPayload -Encoding UTF8
+        $streamOpUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$Rg/providers/Microsoft.ApiManagement/service/$Apim/apis/$apiId/operations/invoke-stream/policies/policy?api-version=2022-08-01"
+        az rest --method put --url $streamOpUrl --headers 'Content-Type=application/json' --body "@$streamTempFile" --only-show-errors *> $null
+        Write-Host "Applied streaming operation policy for $Service"
+    }
 }
 
 function Update-CrudApi {