Webhook Generator JSON Issues

[davidcorrigan714]

Describe the bug
When using the Webhook generator there seems to be some issues parsing non-string types in the response JSON:

"could not generate [0]: failed to get response (wrong type in key 'expires_in': float64)"

The request works with the non-generator version of the Webhook provider and digging through the code it seems like some of the conversion logic implemented here is missing here. The issue seems very reminiscent of #2899 .

To Reproduce

The API response the Webhook is receiving looks like:

{
    "access_token": "long_jwt_token",
    "expires_in": 86400,
    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "token_type": "Bearer"
}

Haven't quite poked through the code enough to try to work that into a unit test and try to fix it myself. Golang is not my strong suite but I've done some from time to time.

The resources I've been testing with look like this:

apiVersion: generators.external-secrets.io/v1alpha1
kind: Webhook
metadata:
  name: artifactory-role-token-generator-2
spec:
  method: "POST"
  url: https://example.com/access/api/v1/oidc/token
  result:
    jsonPath: "$"
  body: |
      {
          "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
          "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
          "subject_token": "{{ "{{" }} .oidc_token.token {{ "}}" }}",
          "provider_name": "eks-rdssis-dev"
      }
  headers:
    Content-Type: application/json
  secrets:
  - name: oidc_token
    secretRef:
      name: role-oidc-token
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: webhook-backend
spec:
  provider:
    webhook:
      method: "POST"
      url: https://example.com/access/api/v1/oidc/token
      result:
        jsonPath: "$"
      body: |
          {
              "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
              "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
              "subject_token": "{{ "{{" }} .oidc_token.token {{ "}}" }}",
              "provider_name": "eks-rdssis-dev"
          }
      headers:
        Content-Type: application/json
      secrets:
      - name: oidc_token
        secretRef:
          name: role-oidc-token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: artifactory-external-secret-loader-opaque-3
spec:
  refreshInterval: "20h"
  target:
    name: token-test
  secretStoreRef:
    name: webhook-backend
    kind: SecretStore
  data:
  - secretKey: foobar
    remoteRef:
      key: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: artifactory-external-secret-loader-opaque-2
spec:
  refreshInterval: "20h"
  target:
    # Name of the private registry secret to create
    name: niartifacts-pre
    template:
      data:
        ".dockerconfigjson": 'long-template-string-here'
      type: kubernetes.io/dockerconfigjson
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: Webhook
        name: artifactory-role-token-generator-2
---

I'm using ESO version 0.9.13 .

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[cringdahl]

@davidcorrigan714, I'm seeing the bug, but in the non-generator webhook provider. The error is "error":"failed to get response (wrong type in key 'every_single_key': float64)". Were you doing anything differently in your webhook provider test?

edit: I'm using 0.9.19

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: passwords-example
spec:
  provider:
    webhook:
      url: "https://passwords.example.com/credentials/{{ .remoteRef.key }}/search"
      result:
        jsonPath: "$.credential"
      headers:
        Content-Type: application/json
        Accept: application/json
        X-Auth-Token: "{{ .auth.token }}"
      secrets:
      - name: auth
        secretRef:
          name: secret-token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: eso-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: passwords-example
  target:
    name: generated-secret
    creationPolicy: Owner
  dataFrom:
  - extract:
      key: "169957"

[davidcorrigan714]

Just getting back to this project and trying to figure out what I did myself, should be able to reproduce it tomorrow. Think I was trying a workaround and hadn't quite figured out if it did what I wanted to last time I was working on it.

[cardoe]

Been able to reproduce @cringdahl's issue by having the endpoint return something like...

{
  "credential": {
    "category": "Service Account",
    "created_at": "2017-08-11T12:01:54.971-05:00",
    "description": "service_account",
    "hostname": "hostname-of-validity",
    "id": 169957,
    "password": "s3cr3t-d@ta",
    "prerequisites": "",
    "project_id": 19215,
    "updated_at": "2018-10-04T10:26:28.273-05:00",
    "url": "",
    "user_id": 10070,
    "username": "svc-user-name",
    "version": 2
  }
}

The error is as follows:

 {
    "level": "error",
    "ts": 1718912981.6553566,
    "msg": "Reconciler error",
    "controller": "externalsecret",
    "controllerGroup": "external-secrets.io",
    "controllerKind": "ExternalSecret",
    "ExternalSecret":
    {
        "name": "test-case",
        "namespace": "default"
    },
    "namespace": "default",
    "name": "test-case",
    "reconcileID": "ac4d8c86-dde7-40eb-99ba-08ae167bc91e",
    "error": "failed to get response (wrong type in key 'id': float64)",
    "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.3/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.3/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.3/pkg/internal/controller/controller.go:222"
}

[moolen]

This is the problematic line which supports only string values.

It should re-use this from the utils package here, it is shared across providers and was built for this case:

external-secrets/pkg/utils/utils.go

Lines 296 to 329 in 907e8eb

	func GetByteValueFromMap(data map[string]any, key string) ([]byte, error) {
	v, ok := data[key]
	if !ok {
	return nil, fmt.Errorf("%w: %s", ErrUnexpectedKey, key)
	}
	return GetByteValue(v)
	}
	func GetByteValue(v any) ([]byte, error) {
	switch t := v.(type) {
	case string:
	return []byte(t), nil
	case map[string]any:
	return json.Marshal(t)
	case []string:
	return []byte(strings.Join(t, "\n")), nil
	case json.RawMessage:
	return t, nil
	case []byte:
	return t, nil
	// also covers int and float32 due to json.Marshal
	case float64:
	return []byte(strconv.FormatFloat(t, 'f', -1, 64)), nil
	case json.Number:
	return []byte(t.String()), nil
	case []any:
	return json.Marshal(t)
	case bool:
	return []byte(strconv.FormatBool(t)), nil
	case nil:
	return []byte(nil), nil
	default:
	return nil, fmt.Errorf("%w: %T", ErrSecretType, t)
	}
	}

Only dataFrom.extract seems to be affected.

Can someone please provide a fix and write a test for it? 🙏

[cardoe]

I’ve got a patch but I don’t have a test yet. There’s a function that does nearly the same thing in the webhook.go in the provider directory that I used. I’ll share specifics tomorrow. (Sorry I’m on mobile and not at my laptop).

[cardoe]

This was my approach cardoe@eb10a1d but it looks really close to that common function so I'll switch to using that. My patch did fix the issue for @cringdahl

[cardoe]

I pushed an updated image with my PRed fix to ghcr.io/cardoe/external-secrets:v0.9.19-53.gda81a0a9 It's just an amd64 build but give it a shot.