Главная Обзор Помощь
Вход
logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 6da8b96d4d
Ветки Метки
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 13 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"crypto/tls"
    21. 

  21. 	"crypto/x509"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strings"
    27. 

  27. 	tpl "text/template"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"github.com/PaesslerAG/jsonpath"
    31. 

  31. 	"gopkg.in/yaml.v3"
    32. 

  32. 	corev1 "k8s.io/api/core/v1"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/template/v2"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/utils"
    39. 

  39. )
    40. 

  40. 

  41. // https://github.com/external-secrets/external-secrets/issues/644
    42. 

  42. var _ esv1beta1.SecretsClient = &WebHook{}
    43. 

  43. var _ esv1beta1.Provider = &Provider{}
    44. 

  44. 

  45. // Provider satisfies the provider interface.
    46. 

  46. type Provider struct{}
    47. 

  47. 

  48. type WebHook struct {
    49. 

  49. 	kube      client.Client
    50. 

  50. 	store     esv1beta1.GenericStore
    51. 

  51. 	namespace string
    52. 

  52. 	storeKind string
    53. 

  53. 	http      *http.Client
    54. 

  54. 	url       string
    55. 

  55. }
    56. 

  56. 

  57. func init() {
    58. 

  58. 	esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
    59. 

  59. 		Webhook: &esv1beta1.WebhookProvider{},
    60. 

  60. 	})
    61. 

  61. }
    62. 

  62. 

  63. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    64. 

  64. func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
    65. 

  65. 	return esv1beta1.SecretStoreReadOnly
    66. 

  66. }
    67. 

  67. 

  68. func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
    69. 

  69. 	whClient := &WebHook{
    70. 

  70. 		kube:      kube,
    71. 

  71. 		store:     store,
    72. 

  72. 		namespace: namespace,
    73. 

  73. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    74. 

  74. 	}
    75. 

  75. 	provider, err := getProvider(store)
    76. 

  76. 	if err != nil {
    77. 

  77. 		return nil, err
    78. 

  78. 	}
    79. 

  79. 	whClient.url = provider.URL
    80. 

  80. 

  81. 	whClient.http, err = whClient.getHTTPClient(provider)
    82. 

  82. 	if err != nil {
    83. 

  83. 		return nil, err
    84. 

  84. 	}
    85. 

  85. 	return whClient, nil
    86. 

  86. }
    87. 

  87. 

  88. func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
    89. 

  89. 	return nil
    90. 

  90. }
    91. 

  91. 

  92. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.WebhookProvider, error) {
    93. 

  93. 	spc := store.GetSpec()
    94. 

  94. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    95. 

  95. 		return nil, fmt.Errorf("missing store provider webhook")
    96. 

  96. 	}
    97. 

  97. 	return spc.Provider.Webhook, nil
    98. 

  98. }
    99. 

  99. 

  100. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
    101. 

  101. 	ke := client.ObjectKey{
    102. 

  102. 		Name:      ref.Name,
    103. 

  103. 		Namespace: w.namespace,
    104. 

  104. 	}
    105. 

  105. 	if w.storeKind == esv1beta1.ClusterSecretStoreKind {
    106. 

  106. 		if ref.Namespace == nil {
    107. 

  107. 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
    108. 

  108. 		}
    109. 

  109. 		ke.Namespace = *ref.Namespace
    110. 

  110. 	}
    111. 

  111. 	secret := &corev1.Secret{}
    112. 

  112. 	if err := w.kube.Get(ctx, ke, secret); err != nil {
    113. 

  113. 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
    114. 

  114. 	}
    115. 

  115. 	return secret, nil
    116. 

  116. }
    117. 

  117. 

  118. func (w *WebHook) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
    119. 

  119. 	return fmt.Errorf("not implemented")
    120. 

  120. }
    121. 

  121. 

  122. // Not Implemented PushSecret.
    123. 

  123. func (w *WebHook) PushSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
    124. 

  124. 	return fmt.Errorf("not implemented")
    125. 

  125. }
    126. 

  126. 

  127. // Empty GetAllSecrets.
    128. 

  128. func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    129. 

  129. 	// TO be implemented
    130. 

  130. 	return nil, fmt.Errorf("GetAllSecrets not implemented")
    131. 

  131. }
    132. 

  132. 

  133. func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    134. 

  134. 	provider, err := getProvider(w.store)
    135. 

  135. 	if err != nil {
    136. 

  136. 		return nil, fmt.Errorf("failed to get store: %w", err)
    137. 

  137. 	}
    138. 

  138. 	result, err := w.getWebhookData(ctx, provider, ref)
    139. 

  139. 	if err != nil {
    140. 

  140. 		return nil, err
    141. 

  141. 	}
    142. 

  142. 	// Only parse as json if we have a jsonpath set
    143. 

  143. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    144. 

  144. 	if err != nil {
    145. 

  145. 		return nil, err
    146. 

  146. 	}
    147. 

  147. 	resultJSONPath, err := executeTemplateString(provider.Result.JSONPath, data)
    148. 

  148. 	if err != nil {
    149. 

  149. 		return nil, err
    150. 

  150. 	}
    151. 

  151. 	if resultJSONPath != "" {
    152. 

  152. 		jsondata := interface{}(nil)
    153. 

  153. 		if err := yaml.Unmarshal(result, &jsondata); err != nil {
    154. 

  154. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    155. 

  155. 		}
    156. 

  156. 		jsondata, err = jsonpath.Get(resultJSONPath, jsondata)
    157. 

  157. 		if err != nil {
    158. 

  158. 			return nil, fmt.Errorf("failed to get response path %s: %w", resultJSONPath, err)
    159. 

  159. 		}
    160. 

  160. 		jsonvalue, ok := jsondata.(string)
    161. 

  161. 		if !ok {
    162. 

  162. 			jsonvalues, ok := jsondata.([]interface{})
    163. 

  163. 			if !ok {
    164. 

  164. 				return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    165. 

  165. 			}
    166. 

  166. 			if len(jsonvalues) == 0 {
    167. 

  167. 				return nil, fmt.Errorf("filter worked but didn't get any result")
    168. 

  168. 			}
    169. 

  169. 			jsonvalue = jsonvalues[0].(string)
    170. 

  170. 		}
    171. 

  171. 		return []byte(jsonvalue), nil
    172. 

  172. 	}
    173. 

  173. 

  174. 	return result, nil
    175. 

  175. }
    176. 

  176. 

  177. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    178. 

  178. 	provider, err := getProvider(w.store)
    179. 

  179. 	if err != nil {
    180. 

  180. 		return nil, fmt.Errorf("failed to get store: %w", err)
    181. 

  181. 	}
    182. 

  182. 	result, err := w.getWebhookData(ctx, provider, ref)
    183. 

  183. 	if err != nil {
    184. 

  184. 		return nil, err
    185. 

  185. 	}
    186. 

  186. 

  187. 	// We always want json here, so just parse it out
    188. 

  188. 	jsondata := interface{}(nil)
    189. 

  189. 	if err := yaml.Unmarshal(result, &jsondata); err != nil {
    190. 

  190. 		return nil, fmt.Errorf("failed to parse response json: %w", err)
    191. 

  191. 	}
    192. 

  192. 	// Get subdata via jsonpath, if given
    193. 

  193. 	if provider.Result.JSONPath != "" {
    194. 

  194. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    195. 

  195. 		if err != nil {
    196. 

  196. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    197. 

  197. 		}
    198. 

  198. 	}
    199. 

  199. 	// If the value is a string, try to parse it as json
    200. 

  200. 	jsonstring, ok := jsondata.(string)
    201. 

  201. 	if ok {
    202. 

  202. 		// This could also happen if the response was a single json-encoded string
    203. 

  203. 		// but that is an extremely unlikely scenario
    204. 

  204. 		if err := yaml.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
    205. 

  205. 			return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
    206. 

  206. 		}
    207. 

  207. 	}
    208. 

  208. 	// Use the data as a key-value map
    209. 

  209. 	jsonvalue, ok := jsondata.(map[string]interface{})
    210. 

  210. 	if !ok {
    211. 

  211. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    212. 

  212. 	}
    213. 

  213. 

  214. 	// Change the map of generic objects to a map of byte arrays
    215. 

  215. 	values := make(map[string][]byte)
    216. 

  216. 	for rKey, rValue := range jsonvalue {
    217. 

  217. 		jVal, ok := rValue.(string)
    218. 

  218. 		if !ok {
    219. 

  219. 			return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
    220. 

  220. 		}
    221. 

  221. 		values[rKey] = []byte(jVal)
    222. 

  222. 	}
    223. 

  223. 	return values, nil
    224. 

  224. }
    225. 

  225. 

  226. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef, secrets []esv1beta1.WebhookSecret) (map[string]map[string]string, error) {
    227. 

  227. 	data := map[string]map[string]string{
    228. 

  228. 		"remoteRef": {
    229. 

  229. 			"key":      url.QueryEscape(ref.Key),
    230. 

  230. 			"version":  url.QueryEscape(ref.Version),
    231. 

  231. 			"property": url.QueryEscape(ref.Property),
    232. 

  232. 		},
    233. 

  233. 	}
    234. 

  234. 	for _, secref := range secrets {
    235. 

  235. 		if _, ok := data[secref.Name]; !ok {
    236. 

  236. 			data[secref.Name] = make(map[string]string)
    237. 

  237. 		}
    238. 

  238. 		secret, err := w.getStoreSecret(ctx, secref.SecretRef)
    239. 

  239. 		if err != nil {
    240. 

  240. 			return nil, err
    241. 

  241. 		}
    242. 

  242. 		for sKey, sVal := range secret.Data {
    243. 

  243. 			data[secref.Name][sKey] = string(sVal)
    244. 

  244. 		}
    245. 

  245. 	}
    246. 

  246. 	return data, nil
    247. 

  247. }
    248. 

  248. 

  249. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1beta1.WebhookProvider, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    250. 

  250. 	if w.http == nil {
    251. 

  251. 		return nil, fmt.Errorf("http client not initialized")
    252. 

  252. 	}
    253. 

  253. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    254. 

  254. 	if err != nil {
    255. 

  255. 		return nil, err
    256. 

  256. 	}
    257. 

  257. 	method := provider.Method
    258. 

  258. 	if method == "" {
    259. 

  259. 		method = http.MethodGet
    260. 

  260. 	}
    261. 

  261. 	url, err := executeTemplateString(provider.URL, data)
    262. 

  262. 	if err != nil {
    263. 

  263. 		return nil, fmt.Errorf("failed to parse url: %w", err)
    264. 

  264. 	}
    265. 

  265. 	body, err := executeTemplate(provider.Body, data)
    266. 

  266. 	if err != nil {
    267. 

  267. 		return nil, fmt.Errorf("failed to parse body: %w", err)
    268. 

  268. 	}
    269. 

  269. 

  270. 	req, err := http.NewRequestWithContext(ctx, method, url, &body)
    271. 

  271. 	if err != nil {
    272. 

  272. 		return nil, fmt.Errorf("failed to create request: %w", err)
    273. 

  273. 	}
    274. 

  274. 	for hKey, hValueTpl := range provider.Headers {
    275. 

  275. 		hValue, err := executeTemplateString(hValueTpl, data)
    276. 

  276. 		if err != nil {
    277. 

  277. 			return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
    278. 

  278. 		}
    279. 

  279. 		req.Header.Add(hKey, hValue)
    280. 

  280. 	}
    281. 

  281. 

  282. 	resp, err := w.http.Do(req)
    283. 

  283. 	if err != nil {
    284. 

  284. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    285. 

  285. 	}
    286. 

  286. 	defer resp.Body.Close()
    287. 

  287. 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
    288. 

  288. 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
    289. 

  289. 	}
    290. 

  290. 	return io.ReadAll(resp.Body)
    291. 

  291. }
    292. 

  292. 

  293. func (w *WebHook) getHTTPClient(provider *esv1beta1.WebhookProvider) (*http.Client, error) {
    294. 

  294. 	client := &http.Client{}
    295. 

  295. 	if provider.Timeout != nil {
    296. 

  296. 		client.Timeout = provider.Timeout.Duration
    297. 

  297. 	}
    298. 

  298. 	if len(provider.CABundle) == 0 && provider.CAProvider == nil {
    299. 

  299. 		// No need to process ca stuff if it is not there
    300. 

  300. 		return client, nil
    301. 

  301. 	}
    302. 

  302. 	caCertPool, err := w.getCACertPool(provider)
    303. 

  303. 	if err != nil {
    304. 

  304. 		return nil, err
    305. 

  305. 	}
    306. 

  306. 

  307. 	tlsConf := &tls.Config{
    308. 

  308. 		RootCAs:    caCertPool,
    309. 

  309. 		MinVersion: tls.VersionTLS12,
    310. 

  310. 	}
    311. 

  311. 	client.Transport = &http.Transport{TLSClientConfig: tlsConf}
    312. 

  312. 	return client, nil
    313. 

  313. }
    314. 

  314. 

  315. func (w *WebHook) getCACertPool(provider *esv1beta1.WebhookProvider) (*x509.CertPool, error) {
    316. 

  316. 	caCertPool := x509.NewCertPool()
    317. 

  317. 	if len(provider.CABundle) > 0 {
    318. 

  318. 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
    319. 

  319. 		if !ok {
    320. 

  320. 			return nil, fmt.Errorf("failed to append cabundle")
    321. 

  321. 		}
    322. 

  322. 	}
    323. 

  323. 

  324. 	if provider.CAProvider != nil && w.storeKind == esv1beta1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
    325. 

  325. 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
    326. 

  326. 	}
    327. 

  327. 

  328. 	if provider.CAProvider != nil {
    329. 

  329. 		var cert []byte
    330. 

  330. 		var err error
    331. 

  331. 

  332. 		switch provider.CAProvider.Type {
    333. 

  333. 		case esv1beta1.WebhookCAProviderTypeSecret:
    334. 

  334. 			cert, err = w.getCertFromSecret(provider)
    335. 

  335. 		case esv1beta1.WebhookCAProviderTypeConfigMap:
    336. 

  336. 			cert, err = w.getCertFromConfigMap(provider)
    337. 

  337. 		default:
    338. 

  338. 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
    339. 

  339. 		}
    340. 

  340. 

  341. 		if err != nil {
    342. 

  342. 			return nil, err
    343. 

  343. 		}
    344. 

  344. 

  345. 		ok := caCertPool.AppendCertsFromPEM(cert)
    346. 

  346. 		if !ok {
    347. 

  347. 			return nil, fmt.Errorf("failed to append cabundle")
    348. 

  348. 		}
    349. 

  349. 	}
    350. 

  350. 	return caCertPool, nil
    351. 

  351. }
    352. 

  352. 

  353. func (w *WebHook) getCertFromSecret(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    354. 

  354. 	secretRef := esmeta.SecretKeySelector{
    355. 

  355. 		Name: provider.CAProvider.Name,
    356. 

  356. 		Key:  provider.CAProvider.Key,
    357. 

  357. 	}
    358. 

  358. 

  359. 	if provider.CAProvider.Namespace != nil {
    360. 

  360. 		secretRef.Namespace = provider.CAProvider.Namespace
    361. 

  361. 	}
    362. 

  362. 

  363. 	ctx := context.Background()
    364. 

  364. 	res, err := w.secretKeyRef(ctx, &secretRef)
    365. 

  365. 	if err != nil {
    366. 

  366. 		return nil, err
    367. 

  367. 	}
    368. 

  368. 

  369. 	return []byte(res), nil
    370. 

  370. }
    371. 

  371. 

  372. func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    373. 

  373. 	secret := &corev1.Secret{}
    374. 

  374. 	ref := client.ObjectKey{
    375. 

  375. 		Namespace: w.namespace,
    376. 

  376. 		Name:      secretRef.Name,
    377. 

  377. 	}
    378. 

  378. 	if (w.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    379. 

  379. 		(secretRef.Namespace != nil) {
    380. 

  380. 		ref.Namespace = *secretRef.Namespace
    381. 

  381. 	}
    382. 

  382. 	err := w.kube.Get(ctx, ref, secret)
    383. 

  383. 	if err != nil {
    384. 

  384. 		return "", err
    385. 

  385. 	}
    386. 

  386. 

  387. 	keyBytes, ok := secret.Data[secretRef.Key]
    388. 

  388. 	if !ok {
    389. 

  389. 		return "", err
    390. 

  390. 	}
    391. 

  391. 

  392. 	value := string(keyBytes)
    393. 

  393. 	valueStr := strings.TrimSpace(value)
    394. 

  394. 	return valueStr, nil
    395. 

  395. }
    396. 

  396. 

  397. func (w *WebHook) getCertFromConfigMap(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    398. 

  398. 	objKey := client.ObjectKey{
    399. 

  399. 		Name: provider.CAProvider.Name,
    400. 

  400. 	}
    401. 

  401. 

  402. 	if provider.CAProvider.Namespace != nil {
    403. 

  403. 		objKey.Namespace = *provider.CAProvider.Namespace
    404. 

  404. 	}
    405. 

  405. 

  406. 	configMapRef := &corev1.ConfigMap{}
    407. 

  407. 	ctx := context.Background()
    408. 

  408. 	err := w.kube.Get(ctx, objKey, configMapRef)
    409. 

  409. 	if err != nil {
    410. 

  410. 		return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
    411. 

  411. 	}
    412. 

  412. 

  413. 	val, ok := configMapRef.Data[provider.CAProvider.Key]
    414. 

  414. 	if !ok {
    415. 

  415. 		return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
    416. 

  416. 	}
    417. 

  417. 

  418. 	return []byte(val), nil
    419. 

  419. }
    420. 

  420. 

  421. func (w *WebHook) Close(ctx context.Context) error {
    422. 

  422. 	return nil
    423. 

  423. }
    424. 

  424. 

  425. func (w *WebHook) Validate() (esv1beta1.ValidationResult, error) {
    426. 

  426. 	timeout := 15 * time.Second
    427. 

  427. 	url := w.url
    428. 

  428. 

  429. 	if err := utils.NetworkValidate(url, timeout); err != nil {
    430. 

  430. 		return esv1beta1.ValidationResultError, err
    431. 

  431. 	}
    432. 

  432. 	return esv1beta1.ValidationResultReady, nil
    433. 

  433. }
    434. 

  434. 

  435. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
    436. 

  436. 	result, err := executeTemplate(tmpl, data)
    437. 

  437. 	if err != nil {
    438. 

  438. 		return "", err
    439. 

  439. 	}
    440. 

  440. 	return result.String(), nil
    441. 

  441. }
    442. 

  442. 

  443. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
    444. 

  444. 	var result bytes.Buffer
    445. 

  445. 	if tmpl == "" {
    446. 

  446. 		return result, nil
    447. 

  447. 	}
    448. 

  448. 	urlt, err := tpl.New("webhooktemplate").Funcs(template.FuncMap()).Parse(tmpl)
    449. 

  449. 	if err != nil {
    450. 

  450. 		return result, err
    451. 

  451. 	}
    452. 

  452. 	if err := urlt.Execute(&result, data); err != nil {
    453. 

  453. 		return result, err
    454. 

  454. 	}
    455. 

  455. 	return result, nil
    456. 

  456. }
    457.