webhook.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package webhook
  13. import (
  14. "bytes"
  15. "context"
  16. "crypto/tls"
  17. "crypto/x509"
  18. "encoding/json"
  19. "fmt"
  20. "io"
  21. "net/http"
  22. "net/url"
  23. "strconv"
  24. tpl "text/template"
  25. "time"
  26. "github.com/PaesslerAG/jsonpath"
  27. corev1 "k8s.io/api/core/v1"
  28. "sigs.k8s.io/controller-runtime/pkg/client"
  29. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  30. esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  31. "github.com/external-secrets/external-secrets/pkg/constants"
  32. "github.com/external-secrets/external-secrets/pkg/metrics"
  33. "github.com/external-secrets/external-secrets/pkg/template/v2"
  34. "github.com/external-secrets/external-secrets/pkg/utils"
  35. )
  36. // https://github.com/external-secrets/external-secrets/issues/644
  37. var _ esv1beta1.SecretsClient = &WebHook{}
  38. var _ esv1beta1.Provider = &Provider{}
  39. // Provider satisfies the provider interface.
  40. type Provider struct{}
  41. type WebHook struct {
  42. kube client.Client
  43. store esv1beta1.GenericStore
  44. namespace string
  45. storeKind string
  46. http *http.Client
  47. url string
  48. }
  49. func init() {
  50. esv1beta1.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
  51. Webhook: &esv1beta1.WebhookProvider{},
  52. })
  53. }
  54. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
  55. func (p *Provider) Capabilities() esv1beta1.SecretStoreCapabilities {
  56. return esv1beta1.SecretStoreReadOnly
  57. }
  58. func (p *Provider) NewClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
  59. whClient := &WebHook{
  60. kube: kube,
  61. store: store,
  62. namespace: namespace,
  63. storeKind: store.GetObjectKind().GroupVersionKind().Kind,
  64. }
  65. provider, err := getProvider(store)
  66. if err != nil {
  67. return nil, err
  68. }
  69. whClient.url = provider.URL
  70. whClient.http, err = whClient.getHTTPClient(provider)
  71. if err != nil {
  72. return nil, err
  73. }
  74. return whClient, nil
  75. }
  76. func (p *Provider) ValidateStore(_ esv1beta1.GenericStore) error {
  77. return nil
  78. }
  79. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.WebhookProvider, error) {
  80. spc := store.GetSpec()
  81. if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
  82. return nil, fmt.Errorf("missing store provider webhook")
  83. }
  84. return spc.Provider.Webhook, nil
  85. }
  86. func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelector) (*corev1.Secret, error) {
  87. ke := client.ObjectKey{
  88. Name: ref.Name,
  89. Namespace: w.namespace,
  90. }
  91. if w.storeKind == esv1beta1.ClusterSecretStoreKind {
  92. if ref.Namespace == nil {
  93. return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
  94. }
  95. ke.Namespace = *ref.Namespace
  96. }
  97. secret := &corev1.Secret{}
  98. if err := w.kube.Get(ctx, ke, secret); err != nil {
  99. return nil, fmt.Errorf("failed to get clustersecretstore webhook secret %s: %w", ref.Name, err)
  100. }
  101. return secret, nil
  102. }
  103. func (w *WebHook) DeleteSecret(_ context.Context, _ esv1beta1.PushSecretRemoteRef) error {
  104. return fmt.Errorf("not implemented")
  105. }
  106. // Not Implemented PushSecret.
  107. func (w *WebHook) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1beta1.PushSecretData) error {
  108. return fmt.Errorf("not implemented")
  109. }
  110. // Empty GetAllSecrets.
  111. func (w *WebHook) GetAllSecrets(_ context.Context, _ esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  112. // TO be implemented
  113. return nil, fmt.Errorf("GetAllSecrets not implemented")
  114. }
  115. func (w *WebHook) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  116. provider, err := getProvider(w.store)
  117. if err != nil {
  118. return nil, fmt.Errorf("failed to get store: %w", err)
  119. }
  120. result, err := w.getWebhookData(ctx, provider, ref)
  121. if err != nil {
  122. return nil, err
  123. }
  124. // Only parse as json if we have a jsonpath set
  125. data, err := w.getTemplateData(ctx, ref, provider.Secrets)
  126. if err != nil {
  127. return nil, err
  128. }
  129. resultJSONPath, err := executeTemplateString(provider.Result.JSONPath, data)
  130. if err != nil {
  131. return nil, err
  132. }
  133. if resultJSONPath != "" {
  134. jsondata := interface{}(nil)
  135. if err := json.Unmarshal(result, &jsondata); err != nil {
  136. return nil, fmt.Errorf("failed to parse response json: %w", err)
  137. }
  138. jsondata, err = jsonpath.Get(resultJSONPath, jsondata)
  139. if err != nil {
  140. return nil, fmt.Errorf("failed to get response path %s: %w", resultJSONPath, err)
  141. }
  142. return extractSecretData(jsondata)
  143. }
  144. return result, nil
  145. }
  146. // tries to extract data from an interface{}
  147. // it is supposed to return a single value.
  148. func extractSecretData(jsondata any) ([]byte, error) {
  149. switch val := jsondata.(type) {
  150. case bool:
  151. return []byte(strconv.FormatBool(val)), nil
  152. case nil:
  153. return []byte{}, nil
  154. case int:
  155. return []byte(strconv.Itoa(val)), nil
  156. case float64:
  157. return []byte(strconv.FormatFloat(val, 'f', 0, 64)), nil
  158. case []byte:
  159. return val, nil
  160. case string:
  161. return []byte(val), nil
  162. // due to backwards compatibility we must keep this!
  163. // in case we see a []something we pick the first element and return it
  164. case []any:
  165. if len(val) == 0 {
  166. return nil, fmt.Errorf("filter worked but didn't get any result")
  167. }
  168. return extractSecretData(val[0])
  169. // in case we encounter a map we serialize it instead of erroring out
  170. // The user should use that data from within a template and figure
  171. // out how to deal with it.
  172. case map[string]any:
  173. return json.Marshal(val)
  174. default:
  175. return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
  176. }
  177. }
  178. func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  179. provider, err := getProvider(w.store)
  180. if err != nil {
  181. return nil, fmt.Errorf("failed to get store: %w", err)
  182. }
  183. result, err := w.getWebhookData(ctx, provider, ref)
  184. if err != nil {
  185. return nil, err
  186. }
  187. // We always want json here, so just parse it out
  188. jsondata := interface{}(nil)
  189. if err := json.Unmarshal(result, &jsondata); err != nil {
  190. return nil, fmt.Errorf("failed to parse response json: %w", err)
  191. }
  192. // Get subdata via jsonpath, if given
  193. if provider.Result.JSONPath != "" {
  194. jsondata, err = jsonpath.Get(provider.Result.JSONPath, jsondata)
  195. if err != nil {
  196. return nil, fmt.Errorf("failed to get response path %s: %w", provider.Result.JSONPath, err)
  197. }
  198. }
  199. // If the value is a string, try to parse it as json
  200. jsonstring, ok := jsondata.(string)
  201. if ok {
  202. // This could also happen if the response was a single json-encoded string
  203. // but that is an extremely unlikely scenario
  204. if err := json.Unmarshal([]byte(jsonstring), &jsondata); err != nil {
  205. return nil, fmt.Errorf("failed to parse response json from jsonpath: %w", err)
  206. }
  207. }
  208. // Use the data as a key-value map
  209. jsonvalue, ok := jsondata.(map[string]interface{})
  210. if !ok {
  211. return nil, fmt.Errorf("failed to get response (wrong type: %T)", jsondata)
  212. }
  213. // Change the map of generic objects to a map of byte arrays
  214. values := make(map[string][]byte)
  215. for rKey, rValue := range jsonvalue {
  216. jVal, ok := rValue.(string)
  217. if !ok {
  218. return nil, fmt.Errorf("failed to get response (wrong type in key '%s': %T)", rKey, rValue)
  219. }
  220. values[rKey] = []byte(jVal)
  221. }
  222. return values, nil
  223. }
  224. func (w *WebHook) getTemplateData(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef, secrets []esv1beta1.WebhookSecret) (map[string]map[string]string, error) {
  225. data := map[string]map[string]string{
  226. "remoteRef": {
  227. "key": url.QueryEscape(ref.Key),
  228. "version": url.QueryEscape(ref.Version),
  229. "property": url.QueryEscape(ref.Property),
  230. },
  231. }
  232. for _, secref := range secrets {
  233. if _, ok := data[secref.Name]; !ok {
  234. data[secref.Name] = make(map[string]string)
  235. }
  236. secret, err := w.getStoreSecret(ctx, secref.SecretRef)
  237. if err != nil {
  238. return nil, err
  239. }
  240. for sKey, sVal := range secret.Data {
  241. data[secref.Name][sKey] = string(sVal)
  242. }
  243. }
  244. return data, nil
  245. }
  246. func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1beta1.WebhookProvider, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  247. if w.http == nil {
  248. return nil, fmt.Errorf("http client not initialized")
  249. }
  250. data, err := w.getTemplateData(ctx, ref, provider.Secrets)
  251. if err != nil {
  252. return nil, err
  253. }
  254. method := provider.Method
  255. if method == "" {
  256. method = http.MethodGet
  257. }
  258. url, err := executeTemplateString(provider.URL, data)
  259. if err != nil {
  260. return nil, fmt.Errorf("failed to parse url: %w", err)
  261. }
  262. body, err := executeTemplate(provider.Body, data)
  263. if err != nil {
  264. return nil, fmt.Errorf("failed to parse body: %w", err)
  265. }
  266. req, err := http.NewRequestWithContext(ctx, method, url, &body)
  267. if err != nil {
  268. return nil, fmt.Errorf("failed to create request: %w", err)
  269. }
  270. for hKey, hValueTpl := range provider.Headers {
  271. hValue, err := executeTemplateString(hValueTpl, data)
  272. if err != nil {
  273. return nil, fmt.Errorf("failed to parse header %s: %w", hKey, err)
  274. }
  275. req.Header.Add(hKey, hValue)
  276. }
  277. resp, err := w.http.Do(req)
  278. metrics.ObserveAPICall(constants.ProviderWebhook, constants.CallWebhookHTTPReq, err)
  279. if err != nil {
  280. return nil, fmt.Errorf("failed to call endpoint: %w", err)
  281. }
  282. defer resp.Body.Close()
  283. if resp.StatusCode == 404 {
  284. return nil, esv1beta1.NoSecretError{}
  285. }
  286. if resp.StatusCode < 200 || resp.StatusCode >= 300 {
  287. return nil, fmt.Errorf("endpoint gave error %s", resp.Status)
  288. }
  289. return io.ReadAll(resp.Body)
  290. }
  291. func (w *WebHook) getHTTPClient(provider *esv1beta1.WebhookProvider) (*http.Client, error) {
  292. client := &http.Client{}
  293. if provider.Timeout != nil {
  294. client.Timeout = provider.Timeout.Duration
  295. }
  296. if len(provider.CABundle) == 0 && provider.CAProvider == nil {
  297. // No need to process ca stuff if it is not there
  298. return client, nil
  299. }
  300. caCertPool, err := w.getCACertPool(provider)
  301. if err != nil {
  302. return nil, err
  303. }
  304. tlsConf := &tls.Config{
  305. RootCAs: caCertPool,
  306. MinVersion: tls.VersionTLS12,
  307. }
  308. client.Transport = &http.Transport{TLSClientConfig: tlsConf}
  309. return client, nil
  310. }
  311. func (w *WebHook) getCACertPool(provider *esv1beta1.WebhookProvider) (*x509.CertPool, error) {
  312. caCertPool := x509.NewCertPool()
  313. if len(provider.CABundle) > 0 {
  314. ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
  315. if !ok {
  316. return nil, fmt.Errorf("failed to append cabundle")
  317. }
  318. }
  319. if provider.CAProvider != nil && w.storeKind == esv1beta1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
  320. return nil, fmt.Errorf("missing namespace on CAProvider secret")
  321. }
  322. if provider.CAProvider != nil {
  323. var cert []byte
  324. var err error
  325. switch provider.CAProvider.Type {
  326. case esv1beta1.WebhookCAProviderTypeSecret:
  327. cert, err = w.getCertFromSecret(provider)
  328. case esv1beta1.WebhookCAProviderTypeConfigMap:
  329. cert, err = w.getCertFromConfigMap(provider)
  330. default:
  331. err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
  332. }
  333. if err != nil {
  334. return nil, err
  335. }
  336. ok := caCertPool.AppendCertsFromPEM(cert)
  337. if !ok {
  338. return nil, fmt.Errorf("failed to append cabundle")
  339. }
  340. }
  341. return caCertPool, nil
  342. }
  343. func (w *WebHook) getCertFromSecret(provider *esv1beta1.WebhookProvider) ([]byte, error) {
  344. secretRef := esmeta.SecretKeySelector{
  345. Name: provider.CAProvider.Name,
  346. Namespace: &w.namespace,
  347. Key: provider.CAProvider.Key,
  348. }
  349. if provider.CAProvider.Namespace != nil {
  350. secretRef.Namespace = provider.CAProvider.Namespace
  351. }
  352. ctx := context.Background()
  353. cert, err := utils.ResolveSecretKeyRef(
  354. ctx,
  355. w.kube,
  356. w.storeKind,
  357. w.namespace,
  358. &secretRef,
  359. )
  360. if err != nil {
  361. return nil, err
  362. }
  363. return []byte(cert), nil
  364. }
  365. func (w *WebHook) getCertFromConfigMap(provider *esv1beta1.WebhookProvider) ([]byte, error) {
  366. objKey := client.ObjectKey{
  367. Name: provider.CAProvider.Name,
  368. }
  369. if provider.CAProvider.Namespace != nil {
  370. objKey.Namespace = *provider.CAProvider.Namespace
  371. }
  372. configMapRef := &corev1.ConfigMap{}
  373. ctx := context.Background()
  374. err := w.kube.Get(ctx, objKey, configMapRef)
  375. if err != nil {
  376. return nil, fmt.Errorf("failed to get caprovider secret %s: %w", objKey.Name, err)
  377. }
  378. val, ok := configMapRef.Data[provider.CAProvider.Key]
  379. if !ok {
  380. return nil, fmt.Errorf("failed to get caprovider configmap %s -> %s", objKey.Name, provider.CAProvider.Key)
  381. }
  382. return []byte(val), nil
  383. }
  384. func (w *WebHook) Close(_ context.Context) error {
  385. return nil
  386. }
  387. func (w *WebHook) Validate() (esv1beta1.ValidationResult, error) {
  388. timeout := 15 * time.Second
  389. url := w.url
  390. if err := utils.NetworkValidate(url, timeout); err != nil {
  391. return esv1beta1.ValidationResultError, err
  392. }
  393. return esv1beta1.ValidationResultReady, nil
  394. }
  395. func executeTemplateString(tmpl string, data map[string]map[string]string) (string, error) {
  396. result, err := executeTemplate(tmpl, data)
  397. if err != nil {
  398. return "", err
  399. }
  400. return result.String(), nil
  401. }
  402. func executeTemplate(tmpl string, data map[string]map[string]string) (bytes.Buffer, error) {
  403. var result bytes.Buffer
  404. if tmpl == "" {
  405. return result, nil
  406. }
  407. urlt, err := tpl.New("webhooktemplate").Funcs(template.FuncMap()).Parse(tmpl)
  408. if err != nil {
  409. return result, err
  410. }
  411. if err := urlt.Execute(&result, data); err != nil {
  412. return result, err
  413. }
  414. return result, nil
  415. }