fix: [TKC-3469] use dynamic secret value in webhook (#6315)

* fix: use dynamic secret

Signed-off-by: Vladislav Sukhin <[email protected]>

* fix: move paramteres check to listener

Signed-off-by: Vladislav Sukhin <[email protected]>

* fix: get hashed metadata

Signed-off-by: Vladislav Sukhin <[email protected]>

* fix: remove duplicated code

Signed-off-by: Vladislav Sukhin <[email protected]>

* fix: get text hashed metadata

Signed-off-by: Vladislav Sukhin <[email protected]>

* fix: sort arrays

Signed-off-by: Vladislav Sukhin <[email protected]>

---------

Signed-off-by: Vladislav Sukhin <[email protected]>

Author: vsukhin

pkg/event/kind/webhook/listener.go

@@ -3,15 +3,19 @@ package webhook
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
+	"regexp"
+	"sort"
 	"text/template"
 
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
 
+	executorv1 "github.com/kubeshop/testkube-operator/api/executor/v1"
 	"github.com/kubeshop/testkube/cmd/api-server/commons"
 	v1 "github.com/kubeshop/testkube/internal/app/api/metrics"
 	"github.com/kubeshop/testkube/internal/config"
@@ -21,6 +25,7 @@ import (
 	thttp "github.com/kubeshop/testkube/pkg/http"
 	"github.com/kubeshop/testkube/pkg/log"
 	"github.com/kubeshop/testkube/pkg/repository/testworkflow"
+	"github.com/kubeshop/testkube/pkg/secret"
 	"github.com/kubeshop/testkube/pkg/utils"
 	"github.com/kubeshop/testkube/pkg/utils/text"
 )
@@ -33,9 +38,11 @@ func NewWebhookListener(name, uri, selector string, events []testkube.EventType,
 	testWorkflowExecutionResults testworkflow.Repository,
 	metrics v1.Metrics,
 	webhookRepository cloudwebhook.WebhookRepository,
+	secretClient secret.Interface,
 	proContext *config.ProContext,
 	envs map[string]string,
-	config map[string]string,
+	config map[string]executorv1.WebhookConfigValue,
+	parameters []executorv1.WebhookParameterSchema,
 ) *WebhookListener {
 	return &WebhookListener{
 		name:                         name,
@@ -52,9 +59,11 @@ func NewWebhookListener(name, uri, selector string, events []testkube.EventType,
 		testWorkflowExecutionResults: testWorkflowExecutionResults,
 		metrics:                      metrics,
 		webhookRepository:            webhookRepository,
+		secretClient:                 secretClient,
 		proContext:                   proContext,
 		envs:                         envs,
 		config:                       config,
+		parameters:                   parameters,
 	}
 }
 
@@ -73,9 +82,11 @@ type WebhookListener struct {
 	testWorkflowExecutionResults testworkflow.Repository
 	metrics                      v1.Metrics
 	webhookRepository            cloudwebhook.WebhookRepository
+	secretClient                 secret.Interface
 	proContext                   *config.ProContext
 	envs                         map[string]string
-	config                       map[string]string
+	config                       map[string]executorv1.WebhookConfigValue
+	parameters                   []executorv1.WebhookParameterSchema
 }
 
 func (l *WebhookListener) Name() string {
@@ -90,15 +101,32 @@ func (l *WebhookListener) Events() []testkube.EventType {
 	return l.events
 }
 func (l *WebhookListener) Metadata() map[string]string {
+	headers, err := getMapHashedMetadata(l.headers)
+	if err != nil {
+		l.Log.Errorw("headers hashing error", "error", err)
+	}
+
+	config, err := getMapHashedMetadata(l.config)
+	if err != nil {
+		l.Log.Errorw("config hashing error", "error", err)
+	}
+
+	parameters, err := getSliceHashedMetadata(l.parameters)
+	if err != nil {
+		l.Log.Errorw("parameters hashing error", "error", err)
+	}
+
 	return map[string]string{
 		"name":               l.Name(),
 		"uri":                l.Uri,
 		"selector":           l.selector,
 		"events":             fmt.Sprintf("%v", l.events),
 		"payloadObjectField": l.payloadObjectField,
-		"payloadTemplate":    l.payloadTemplate,
-		"headers":            fmt.Sprintf("%v", l.headers),
+		"payloadTemplate":    getTextHashedMetadata([]byte(l.payloadTemplate)),
+		"headers":            headers,
 		"disabled":           fmt.Sprint(l.disabled),
+		"config":             config,
+		"parameters":         parameters,
 	}
 }
 
@@ -290,8 +318,62 @@ func (l *WebhookListener) processTemplate(field, body string, event testkube.Eve
 		return nil, err
 	}
 
+	config := make(map[string]string)
+	for key, val := range l.config {
+		var data string
+		if val.Value != nil {
+			data = *val.Value
+		}
+
+		if val.Secret != nil {
+			var ns []string
+			if val.Secret.Namespace != "" {
+				ns = append(ns, val.Secret.Namespace)
+			}
+
+			elements, err := l.secretClient.Get(val.Secret.Name, ns...)
+			if err != nil {
+				log.Errorw("error secret loading", "error", err, "name", val.Secret.Name)
+				return nil, err
+			}
+
+			if element, ok := elements[val.Secret.Key]; ok {
+				data = element
+			} else {
+				log.Errorw("error secret key finding loading", "name", val.Secret.Name, "key", val.Secret.Key)
+				return nil, errors.New("error secret key finding loading")
+			}
+		}
+
+		config[key] = data
+	}
+
+	for _, parameter := range l.parameters {
+		if _, ok := config[parameter.Name]; !ok {
+			if parameter.Default_ != nil {
+				config[parameter.Name] = *parameter.Default_
+			} else if parameter.Required {
+				log.Errorw("error missing required parameter", "name", parameter.Name)
+				return nil, errors.New("error missing required parameter")
+			}
+		}
+
+		if parameter.Pattern != "" {
+			re, err := regexp.Compile(parameter.Pattern)
+			if err != nil {
+				log.Errorw("error compiling pattern", "error", err, "name", parameter.Name, "pattern", parameter.Pattern)
+				return nil, err
+			}
+
+			if data, ok := config[parameter.Name]; ok && !re.MatchString(data) {
+				log.Errorw("error matching pattern", "error", err, "name", parameter.Name, "pattern", parameter.Pattern)
+				return nil, errors.New("error matching pattern")
+			}
+		}
+	}
+
 	var buffer bytes.Buffer
-	if err = tmpl.ExecuteTemplate(&buffer, field, NewTemplateVars(event, l.proContext, l.config)); err != nil {
+	if err = tmpl.ExecuteTemplate(&buffer, field, NewTemplateVars(event, l.proContext, config)); err != nil {
 		log.Errorw(fmt.Sprintf("executing webhook %s error", field), "error", err)
 		return nil, err
 	}
@@ -346,3 +428,40 @@ func (l *WebhookListener) hasBecomeState(event testkube.Event) (bool, error) {
 
 	return false, nil
 }
+
+type configKeyValue[T any] struct {
+	Key   string
+	Value T
+}
+
+type configKeyValues[T any] []configKeyValue[T]
+
+// getMapHashedMetadata returns map hashed metadata
+func getMapHashedMetadata[T any](data map[string]T) (string, error) {
+	var slice configKeyValues[T]
+	for key, value := range data {
+		slice = append(slice, configKeyValue[T]{Key: key, Value: value})
+	}
+
+	sort.Slice(slice, func(i, j int) bool {
+		return slice[i].Key < slice[j].Key
+	})
+
+	return getSliceHashedMetadata(slice)
+}
+
+// getSliceHashedMetadata returns slice hashed metadata
+func getSliceHashedMetadata[T any](slice []T) (string, error) {
+	result, err := json.Marshal(slice)
+	if err != nil {
+		return "", err
+	}
+
+	return getTextHashedMetadata(result), nil
+}
+
+// getTextHashedMetadata returns text hashed metadata
+func getTextHashedMetadata(result []byte) string {
+
+	return fmt.Sprintf("%x", sha256.Sum256(result))
+}

pkg/event/kind/webhook/listener_test.go

@@ -40,7 +40,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		defer mockCtrl.Finish()
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", "", http.StatusOK).AnyTimes()
-		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := l.Notify(testkube.Event{
@@ -66,7 +66,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		defer mockCtrl.Finish()
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", gomock.Any(), http.StatusBadGateway).AnyTimes()
-		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := l.Notify(testkube.Event{
@@ -87,7 +87,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		defer mockCtrl.Finish()
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", gomock.Any(), 0).AnyTimes()
-		s := NewWebhookListener("l1", "http://baduri.badbadbad", "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+		s := NewWebhookListener("l1", "http://baduri.badbadbad", "", testEventTypes, "", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := s.Notify(testkube.Event{
@@ -124,7 +124,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		defer mockCtrl.Finish()
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", "", http.StatusOK).AnyTimes()
-		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "field", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "field", "", nil, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := l.Notify(testkube.Event{
@@ -155,7 +155,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", "", http.StatusOK).AnyTimes()
 		l := NewWebhookListener("l1", svr.URL, "", testEventTypes, "", "{\"id\": \"{{ .Id }}\"}",
-			map[string]string{"Content-Type": "application/json"}, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+			map[string]string{"Content-Type": "application/json"}, false, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := l.Notify(testkube.Event{
@@ -176,7 +176,7 @@ func TestWebhookListener_Notify(t *testing.T) {
 		defer mockCtrl.Finish()
 		mockWebhooRepository := cloudwebhook.NewMockWebhookRepository(mockCtrl)
 		mockWebhooRepository.EXPECT().CollectExecutionResult(gomock.Any(), gomock.Any(), "l1", "", 0).AnyTimes()
-		s := NewWebhookListener("l1", "http://baduri.badbadbad", "", testEventTypes, "", "", nil, true, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil)
+		s := NewWebhookListener("l1", "http://baduri.badbadbad", "", testEventTypes, "", "", nil, true, nil, nil, v1.NewMetrics(), mockWebhooRepository, nil, nil, nil, nil, nil)
 
 		// when
 		r := s.Notify(testkube.Event{

pkg/event/kind/webhook/loader.go

@@ -2,7 +2,7 @@ package webhook
 
 import (
 	"fmt"
-	"regexp"
+	"sort"
 
 	"go.uber.org/zap"
 
@@ -68,7 +68,6 @@ func (r WebhooksLoader) Load() (listeners common.Listeners, err error) {
 	}
 
 	// and create listeners for each webhook spec
-OuterLoop:
 	for _, webhook := range webhookList.Items {
 		if webhook.Spec.WebhookTemplateRef != nil && webhook.Spec.WebhookTemplateRef.Name != "" {
 			webhookTemplate, err := r.WebhookTemplatesClient.Get(webhook.Spec.WebhookTemplateRef.Name)
@@ -109,65 +108,14 @@ OuterLoop:
 
 		types := webhooks.MapEventArrayToCRDEvents(webhook.Spec.Events)
 		name := fmt.Sprintf("%s.%s", webhook.ObjectMeta.Namespace, webhook.ObjectMeta.Name)
-		vars := make(map[string]string)
-		for key, val := range webhook.Spec.Config {
-			data := ""
-			if val.Value != nil {
-				data = *val.Value
-			}
-
-			if val.Secret != nil {
-				var ns []string
-				if val.Secret.Namespace != "" {
-					ns = append(ns, val.Secret.Namespace)
-				}
-
-				elements, err := r.secretClient.Get(val.Secret.Name, ns...)
-				if err != nil {
-					r.log.Errorw("error secret loading", "error", err, "name", val.Secret.Name)
-					continue
-				}
-
-				if element, ok := elements[val.Secret.Key]; ok {
-					data = element
-				} else {
-					r.log.Errorw("error secret key finding loading", "name", val.Secret.Name, "key", val.Secret.Key)
-					continue
-				}
-			}
-
-			vars[key] = data
-		}
-
-		for _, parameter := range webhook.Spec.Parameters {
-			if data, ok := vars[parameter.Name]; !ok {
-				if parameter.Default_ != nil {
-					vars[parameter.Name] = *parameter.Default_
-				} else if parameter.Required {
-					r.log.Errorw("error missing required parameter", "name", parameter.Name)
-					continue OuterLoop
-				}
-			} else if parameter.Pattern != "" {
-				re, err := regexp.Compile(parameter.Pattern)
-				if err != nil {
-					r.log.Errorw("error compiling pattern", "error", err, "name", parameter.Name, "pattern", parameter.Pattern)
-					continue OuterLoop
-				}
-
-				if !re.MatchString(data) {
-					r.log.Errorw("error matching pattern", "error", err, "name", parameter.Name, "pattern", parameter.Pattern)
-					continue OuterLoop
-				}
-			}
-		}
 
 		listeners = append(
 			listeners,
 			NewWebhookListener(
 				name, webhook.Spec.Uri, webhook.Spec.Selector, types,
 				webhook.Spec.PayloadObjectField, payloadTemplate, webhook.Spec.Headers, webhook.Spec.Disabled,
 				r.deprecatedRepositories, r.testWorkflowExecutionResults,
-				r.metrics, r.webhookRepository, r.proContext, r.envs, vars,
+				r.metrics, r.webhookRepository, r.secretClient, r.proContext, r.envs, webhook.Spec.Config, webhook.Spec.Parameters,
 			),
 		)
 	}
@@ -256,6 +204,10 @@ func mergeWebhooks(dst executorv1.Webhook, src executorv1.WebhookTemplate) execu
 		}
 	}
 
+	sort.Slice(dst.Spec.Events, func(i, j int) bool {
+		return dst.Spec.Events[i] < dst.Spec.Events[j]
+	})
+
 	if src.Spec.Config != nil {
 		if dst.Spec.Config == nil {
 			dst.Spec.Config = map[string]executorv1.WebhookConfigValue{}
@@ -284,6 +236,10 @@ func mergeWebhooks(dst executorv1.Webhook, src executorv1.WebhookTemplate) execu
 				dst.Spec.Parameters = append(dst.Spec.Parameters, parameter)
 			}
 		}
+
+		sort.Slice(dst.Spec.Parameters, func(i, j int) bool {
+			return dst.Spec.Parameters[i].Name < dst.Spec.Parameters[j].Name
+		})
 	}
 
 	return dst