Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: a7d6224bda
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook.go

webhook.go 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"crypto/tls"
    21. 

  21. 	"crypto/x509"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strings"
    27. 

  27. 	tpl "text/template"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"github.com/Masterminds/sprig/v3"
    31. 

  31. 	"github.com/PaesslerAG/jsonpath"
    32. 

  32. 	"gopkg.in/yaml.v3"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/client"
    35. 

  35. 

  36. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    37. 

  37. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/template/v2"
    39. 

  39. 	"github.com/external-secrets/external-secrets/pkg/utils"
    40. 

  40. )
    41. 

  41. 

  42. // https://github.com/external-secrets/external-secrets/issues/644
    43. 

  43. var _ esv1beta1.SecretsClient = &WebHook{}
    44. 

  44. var _ esv1beta1.Provider = &Provider{}
    45. 

  45. 

  46. // Provider satisfies the provider interface.
    47. 

  47. type Provider struct{}
    48. 

  48. 

  49. type WebHook struct {
    50. 

  50. 	kube      client.Client
    51. 

  51. 	store     esv1beta1.GenericStore
    52. 

  52. 	namespace string
    53. 

  53. 	storeKind string
    54. 

  54. 	http      *http.Client
    55. 

  55. 	url       string
    56. 

  56. }
    57. 

  57. 

  58. func init() {
    59. 

  59. 	esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
    60. 

  60. 		Webhook: &esv1beta1.WebhookProvider{},
    61. 

  61. 	})
    62. 

  62. }
    63. 

  63. 

  64. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    65. 

  65. func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
    66. 

  66. 	return esv1beta1.SecretStoreReadOnly
    67. 

  67. }
    68. 

  68. 

  69. func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
    70. 

  70. 	whClient := &WebHook{
    71. 

  71. 		kube:      kube,
    72. 

  72. 		store:     store,
    73. 

  73. 		namespace: namespace,
    74. 

  74. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    75. 

  75. 	}
    76. 

  76. 	provider, err := getProvider(store)
    77. 

  77. 	if err != nil {
    78. 

  78. 		return nil, err
    79. 

  79. 	}
    80. 

  80. 	whClient.url = provider.URL
    81. 

  81. 

  82. 	whClient.http, err = whClient.getHTTPClient(provider)
    83. 

  83. 	if err != nil {
    84. 

  84. 		return nil, err
    85. 

  85. 	}
    86. 

  86. 	return whClient, nil
    87. 

  87. }
    88. 

  88. 

  89. func (p *Provider) ValidateStore(store esv1beta1.GenericStore) error {
    90. 

  90. 	return nil
    91. 

  91. }
    92. 

  92. 

  93. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.WebhookProvider, error) {
    94. 

  94. 	spc := store.GetSpec()
    95. 

  95. 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
    96. 

  96. 		return nil, fmt.Errorf("missing store provider webhook")
    97. 

  97. 	}
    98. 

  98. 	return spc.Provider.Webhook, nil
    99. 

  99. }
    100. 

  100. 

  101. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
    102. 

  102. 	ke := client.ObjectKey{
    103. 

  103. 		Name:      ref.Name,
    104. 

  104. 		Namespace: w.namespace,
    105. 

  105. 	}
    106. 

  106. 	if w.storeKind == esv1beta1.ClusterSecretStoreKind {
    107. 

  107. 		if ref.Namespace == nil {
    108. 

  108. 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
    109. 

  109. 		}
    110. 

  110. 		ke.Namespace = *ref.Namespace
    111. 

  111. 	}
    112. 

  112. 	secret := &corev1.Secret{}
    113. 

  113. 	if err := w.kube.Get(ctx, ke, secret); err != nil {
    114. 

  114. 		return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
    115. 

  115. 	}
    116. 

  116. 	return secret, nil
    117. 

  117. }
    118. 

  118. 

  119. func (w *WebHook) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushRemoteRef) error {
    120. 

  120. 	return fmt.Errorf("not implemented")
    121. 

  121. }
    122. 

  122. 

  123. // Not Implemented PushSecret.
    124. 

  124. func (w *WebHook) PushSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
    125. 

  125. 	return fmt.Errorf("not implemented")
    126. 

  126. }
    127. 

  127. 

  128. // Empty GetAllSecrets.
    129. 

  129. func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    130. 

  130. 	// TO be implemented
    131. 

  131. 	return nil, fmt.Errorf("GetAllSecrets not implemented")
    132. 

  132. }
    133. 

  133. 

  134. func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    135. 

  135. 	provider, err := getProvider(w.store)
    136. 

  136. 	if err != nil {
    137. 

  137. 		return nil, fmt.Errorf("failed to get store: %w", err)
    138. 

  138. 	}
    139. 

  139. 	result, err := w.getWebhookData(ctx, provider, ref)
    140. 

  140. 	if err != nil {
    141. 

  141. 		return nil, err
    142. 

  142. 	}
    143. 

  143. 	// Only parse as json if we have a jsonpath set
    144. 

  144. 	if provider.Result.JSONPath != "" {
    145. 

  145. 		jsondata := interface{}(nil)
    146. 

  146. 		if err := yaml.Unmarshal(result, &jsondata); err != nil {
    147. 

  147. 			return nil, fmt.Errorf("failed to parse response json: %w", err)
    148. 

  148. 		}
    149. 

  149. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    150. 

  150. 		if err != nil {
    151. 

  151. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    152. 

  152. 		}
    153. 

  153. 		jsonvalue, ok := jsondata.(string)
    154. 

  154. 		if !ok {
    155. 

  155. 			return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    156. 

  156. 		}
    157. 

  157. 		return []byte(jsonvalue), nil
    158. 

  158. 	}
    159. 

  159. 

  160. 	return result, nil
    161. 

  161. }
    162. 

  162. 

  163. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    164. 

  164. 	provider, err := getProvider(w.store)
    165. 

  165. 	if err != nil {
    166. 

  166. 		return nil, fmt.Errorf("failed to get store: %w", err)
    167. 

  167. 	}
    168. 

  168. 	result, err := w.getWebhookData(ctx, provider, ref)
    169. 

  169. 	if err != nil {
    170. 

  170. 		return nil, err
    171. 

  171. 	}
    172. 

  172. 

  173. 	// We always want json here, so just parse it out
    174. 

  174. 	jsondata := interface{}(nil)
    175. 

  175. 	if err := yaml.Unmarshal(result, &jsondata); err != nil {
    176. 

  176. 		return nil, fmt.Errorf("failed to parse response json: %w", err)
    177. 

  177. 	}
    178. 

  178. 	// Get subdata via jsonpath, if given
    179. 

  179. 	if provider.Result.JSONPath != "" {
    180. 

  180. 		jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
    181. 

  181. 		if err != nil {
    182. 

  182. 			return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
    183. 

  183. 		}
    184. 

  184. 	}
    185. 

  185. 	// If the value is a string, try to parse it as json
    186. 

  186. 	jsonstring, ok := jsondata.(string)
    187. 

  187. 	if ok {
    188. 

  188. 		// This could also happen if the response was a single json-encoded string
    189. 

  189. 		// but that is an extremely unlikely scenario
    190. 

  190. 		if err := yaml.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
    191. 

  191. 			return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
    192. 

  192. 		}
    193. 

  193. 	}
    194. 

  194. 	// Use the data as a key-value map
    195. 

  195. 	jsonvalue, ok := jsondata.(map[string]interface{})
    196. 

  196. 	if !ok {
    197. 

  197. 		return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
    198. 

  198. 	}
    199. 

  199. 

  200. 	// Change the map of generic objects to a map of byte arrays
    201. 

  201. 	values := make(map[string][]byte)
    202. 

  202. 	for rKey, rValue := range jsonvalue {
    203. 

  203. 		jVal, ok := rValue.(string)
    204. 

  204. 		if !ok {
    205. 

  205. 			return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
    206. 

  206. 		}
    207. 

  207. 		values[rKey] = []byte(jVal)
    208. 

  208. 	}
    209. 

  209. 	return values, nil
    210. 

  210. }
    211. 

  211. 

  212. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef, secrets []esv1beta1.WebhookSecret) (map[string]map[string]string, error) {
    213. 

  213. 	data := map[string]map[string]string{
    214. 

  214. 		"remoteRef": {
    215. 

  215. 			"key":      url.QueryEscape(ref.Key),
    216. 

  216. 			"version":  url.QueryEscape(ref.Version),
    217. 

  217. 			"property": url.QueryEscape(ref.Property),
    218. 

  218. 		},
    219. 

  219. 	}
    220. 

  220. 	for _, secref := range secrets {
    221. 

  221. 		if _, ok := data[secref.Name]; !ok {
    222. 

  222. 			data[secref.Name] = make(map[string]string)
    223. 

  223. 		}
    224. 

  224. 		secret, err := w.getStoreSecret(ctx, secref.SecretRef)
    225. 

  225. 		if err != nil {
    226. 

  226. 			return nil, err
    227. 

  227. 		}
    228. 

  228. 		for sKey, sVal := range secret.Data {
    229. 

  229. 			data[secref.Name][sKey] = string(sVal)
    230. 

  230. 		}
    231. 

  231. 	}
    232. 

  232. 	return data, nil
    233. 

  233. }
    234. 

  234. 

  235. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1beta1.WebhookProvider, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    236. 

  236. 	if w.http == nil {
    237. 

  237. 		return nil, fmt.Errorf("http client not initialized")
    238. 

  238. 	}
    239. 

  239. 	data, err := w.getTemplateData(ctx, ref, provider.Secrets)
    240. 

  240. 	if err != nil {
    241. 

  241. 		return nil, err
    242. 

  242. 	}
    243. 

  243. 	method := provider.Method
    244. 

  244. 	if method == "" {
    245. 

  245. 		method = http.MethodGet
    246. 

  246. 	}
    247. 

  247. 	url, err := executeTemplateString(provider.URL, data)
    248. 

  248. 	if err != nil {
    249. 

  249. 		return nil, fmt.Errorf("failed to parse url: %w", err)
    250. 

  250. 	}
    251. 

  251. 	body, err := executeTemplate(provider.Body, data)
    252. 

  252. 	if err != nil {
    253. 

  253. 		return nil, fmt.Errorf("failed to parse body: %w", err)
    254. 

  254. 	}
    255. 

  255. 

  256. 	req, err := http.NewRequestWithContext(ctx, method, url, &body)
    257. 

  257. 	if err != nil {
    258. 

  258. 		return nil, fmt.Errorf("failed to create request: %w", err)
    259. 

  259. 	}
    260. 

  260. 	for hKey, hValueTpl := range provider.Headers {
    261. 

  261. 		hValue, err := executeTemplateString(hValueTpl, data)
    262. 

  262. 		if err != nil {
    263. 

  263. 			return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
    264. 

  264. 		}
    265. 

  265. 		req.Header.Add(hKey, hValue)
    266. 

  266. 	}
    267. 

  267. 

  268. 	resp, err := w.http.Do(req)
    269. 

  269. 	if err != nil {
    270. 

  270. 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
    271. 

  271. 	}
    272. 

  272. 	defer resp.Body.Close()
    273. 

  273. 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
    274. 

  274. 		return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
    275. 

  275. 	}
    276. 

  276. 	return io.ReadAll(resp.Body)
    277. 

  277. }
    278. 

  278. 

  279. func (w *WebHook) getHTTPClient(provider *esv1beta1.WebhookProvider) (*http.Client, error) {
    280. 

  280. 	client := &http.Client{}
    281. 

  281. 	if provider.Timeout != nil {
    282. 

  282. 		client.Timeout = provider.Timeout.Duration
    283. 

  283. 	}
    284. 

  284. 	if len(provider.CABundle) == 0 && provider.CAProvider == nil {
    285. 

  285. 		// No need to process ca stuff if it is not there
    286. 

  286. 		return client, nil
    287. 

  287. 	}
    288. 

  288. 	caCertPool, err := w.getCACertPool(provider)
    289. 

  289. 	if err != nil {
    290. 

  290. 		return nil, err
    291. 

  291. 	}
    292. 

  292. 

  293. 	tlsConf := &tls.Config{
    294. 

  294. 		RootCAs:    caCertPool,
    295. 

  295. 		MinVersion: tls.VersionTLS12,
    296. 

  296. 	}
    297. 

  297. 	client.Transport = &http.Transport{TLSClientConfig: tlsConf}
    298. 

  298. 	return client, nil
    299. 

  299. }
    300. 

  300. 

  301. func (w *WebHook) getCACertPool(provider *esv1beta1.WebhookProvider) (*x509.CertPool, error) {
    302. 

  302. 	caCertPool := x509.NewCertPool()
    303. 

  303. 	if len(provider.CABundle) > 0 {
    304. 

  304. 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
    305. 

  305. 		if !ok {
    306. 

  306. 			return nil, fmt.Errorf("failed to append cabundle")
    307. 

  307. 		}
    308. 

  308. 	}
    309. 

  309. 

  310. 	if provider.CAProvider != nil && w.storeKind == esv1beta1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
    311. 

  311. 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
    312. 

  312. 	}
    313. 

  313. 

  314. 	if provider.CAProvider != nil {
    315. 

  315. 		var cert []byte
    316. 

  316. 		var err error
    317. 

  317. 

  318. 		switch provider.CAProvider.Type {
    319. 

  319. 		case esv1beta1.WebhookCAProviderTypeSecret:
    320. 

  320. 			cert, err = w.getCertFromSecret(provider)
    321. 

  321. 		case esv1beta1.WebhookCAProviderTypeConfigMap:
    322. 

  322. 			cert, err = w.getCertFromConfigMap(provider)
    323. 

  323. 		default:
    324. 

  324. 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
    325. 

  325. 		}
    326. 

  326. 

  327. 		if err != nil {
    328. 

  328. 			return nil, err
    329. 

  329. 		}
    330. 

  330. 

  331. 		ok := caCertPool.AppendCertsFromPEM(cert)
    332. 

  332. 		if !ok {
    333. 

  333. 			return nil, fmt.Errorf("failed to append cabundle")
    334. 

  334. 		}
    335. 

  335. 	}
    336. 

  336. 	return caCertPool, nil
    337. 

  337. }
    338. 

  338. 

  339. func (w *WebHook) getCertFromSecret(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    340. 

  340. 	secretRef := esmeta.SecretKeySelector{
    341. 

  341. 		Name: provider.CAProvider.Name,
    342. 

  342. 		Key:  provider.CAProvider.Key,
    343. 

  343. 	}
    344. 

  344. 

  345. 	if provider.CAProvider.Namespace != nil {
    346. 

  346. 		secretRef.Namespace = provider.CAProvider.Namespace
    347. 

  347. 	}
    348. 

  348. 

  349. 	ctx := context.Background()
    350. 

  350. 	res, err := w.secretKeyRef(ctx, &secretRef)
    351. 

  351. 	if err != nil {
    352. 

  352. 		return nil, err
    353. 

  353. 	}
    354. 

  354. 

  355. 	return []byte(res), nil
    356. 

  356. }
    357. 

  357. 

  358. func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    359. 

  359. 	secret := &corev1.Secret{}
    360. 

  360. 	ref := client.ObjectKey{
    361. 

  361. 		Namespace: w.namespace,
    362. 

  362. 		Name:      secretRef.Name,
    363. 

  363. 	}
    364. 

  364. 	if (w.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    365. 

  365. 		(secretRef.Namespace != nil) {
    366. 

  366. 		ref.Namespace = *secretRef.Namespace
    367. 

  367. 	}
    368. 

  368. 	err := w.kube.Get(ctx, ref, secret)
    369. 

  369. 	if err != nil {
    370. 

  370. 		return "", err
    371. 

  371. 	}
    372. 

  372. 

  373. 	keyBytes, ok := secret.Data[secretRef.Key]
    374. 

  374. 	if !ok {
    375. 

  375. 		return "", err
    376. 

  376. 	}
    377. 

  377. 

  378. 	value := string(keyBytes)
    379. 

  379. 	valueStr := strings.TrimSpace(value)
    380. 

  380. 	return valueStr, nil
    381. 

  381. }
    382. 

  382. 

  383. func (w *WebHook) getCertFromConfigMap(provider *esv1beta1.WebhookProvider) ([]byte, error) {
    384. 

  384. 	objKey := client.ObjectKey{
    385. 

  385. 		Name: provider.CAProvider.Name,
    386. 

  386. 	}
    387. 

  387. 

  388. 	if provider.CAProvider.Namespace != nil {
    389. 

  389. 		objKey.Namespace = *provider.CAProvider.Namespace
    390. 

  390. 	}
    391. 

  391. 

  392. 	configMapRef := &corev1.ConfigMap{}
    393. 

  393. 	ctx := context.Background()
    394. 

  394. 	err := w.kube.Get(ctx, objKey, configMapRef)
    395. 

  395. 	if err != nil {
    396. 

  396. 		return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
    397. 

  397. 	}
    398. 

  398. 

  399. 	val, ok := configMapRef.Data[provider.CAProvider.Key]
    400. 

  400. 	if !ok {
    401. 

  401. 		return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
    402. 

  402. 	}
    403. 

  403. 

  404. 	return []byte(val), nil
    405. 

  405. }
    406. 

  406. 

  407. func (w *WebHook) Close(ctx context.Context) error {
    408. 

  408. 	return nil
    409. 

  409. }
    410. 

  410. 

  411. func (w *WebHook) Validate() (esv1beta1.ValidationResult, error) {
    412. 

  412. 	timeout := 15 * time.Second
    413. 

  413. 	url := w.url
    414. 

  414. 

  415. 	if err := utils.NetworkValidate(url, timeout); err != nil {
    416. 

  416. 		return esv1beta1.ValidationResultError, err
    417. 

  417. 	}
    418. 

  418. 	return esv1beta1.ValidationResultReady, nil
    419. 

  419. }
    420. 

  420. 

  421. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
    422. 

  422. 	result, err := executeTemplate(tmpl, data)
    423. 

  423. 	if err != nil {
    424. 

  424. 		return "", err
    425. 

  425. 	}
    426. 

  426. 	return result.String(), nil
    427. 

  427. }
    428. 

  428. 

  429. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
    430. 

  430. 	var result bytes.Buffer
    431. 

  431. 	if tmpl == "" {
    432. 

  432. 		return result, nil
    433. 

  433. 	}
    434. 

  434. 	urlt, err := tpl.New("webhooktemplate").Funcs(sprig.TxtFuncMap()).Funcs(template.FuncMap()).Parse(tmpl)
    435. 

  435. 	if err != nil {
    436. 

  436. 		return result, err
    437. 

  437. 	}
    438. 

  438. 	if err := urlt.Execute(&result, data); err != nil {
    439. 

  439. 		return result, err
    440. 

  440. 	}
    441. 

  441. 	return result, nil
    442. 

  442. }
    443.