Credential issuer config is base64 encoded #182

Closed
stszap opened this issue Apr 30, 2019 · 2 comments
Labels
bug Something is not working.

Comments

Contributor

stszap commented Apr 30, 2019

Describe the bug
Hello. I tried the latest version of oathkeeper today and our rules stopped working. After some time I found out that rules are mangled during import (credentials_issuer.config becomes base64 encoded and proxy can't decode it back).

To Reproduce
rules.json

[
  {
    "id": "test",
    "upstream": {
      "url": "http://127.0.0.1:8082"
    },
    "match": {
      "url": "<.*>",
      "methods": ["GET"]
    },
    "authenticators": [{
      "handler": "noop"
    }],
    "authorizer": {
      "handler": "allow"
    },
    "credentials_issuer": {
      "handler": "headers",
      "config": {
        "headers": {
          "X-Header-1": "value1",
          "X-Header-2": "value2"
        }
      }
    }
  }
]

Oathkeeper api is started with these env vars:

PORT=4456
DATABASE_URL="memory"
CREDENTIALS_ISSUER_ID_TOKEN_ALGORITHM="HS256"
CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET="00000000000000000000000000000000"

Oathkeeper proxy is started with these env vars:

PORT=3000
OATHKEEPER_API_URL="http://127.0.0.1:4456/"
CREDENTIALS_ISSUER_ID_TOKEN_ALGORITHM="HS256"
CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET="00000000000000000000000000000000"

First I import the rules `oathkeeper rules import --endpoint=http://localhost:4456/ ./rules.json`. But when I list them `curl localhost:4456/rules` I get:

[
    {
        "authenticators": [
            {
                "config": null,
                "handler": "noop"
            }
        ],
        "authorizer": {
            "config": null,
            "handler": "allow"
        },
        "credentials_issuer": {
            "config": "ewogICAgICAgICJoZWFkZXJzIjogewogICAgICAgICAgIlgtSGVhZGVyLTEiOiAidmFsdWUxIiwKICAgICAgICAgICJYLUhlYWRlci0yIjogInZhbHVlMiIKICAgICAgICB9CiAgICAgIH0=",
            "handler": "headers"
        },
        "description": "",
        "id": "test",
        "match": {
            "methods": [
                "GET"
            ],
            "url": "<.*>"
        },
        "upstream": {
            "preserve_host": false,
            "strip_path": "",
            "url": "http://127.0.0.1:8082"
        }
    }
]

When I make a request `curl localhost:3000` an error is returned:

time="2019-04-30T14:57:22Z" level=info msg="started handling request" method=GET remote="172.17.0.1:40156" request=/
time="2019-04-30T14:57:22Z" level=warning msg="Access request denied" access_url="http://localhost:3000/" error="json: cannot unmarshal string into Go value of type proxy.CredentialsHeadersConfig" granted=false
time="2019-04-30T14:57:22Z" level=error msg="An error occurred while handling a request" code=500 debug= details="map[]" error="json: cannot unmarshal string into Go value of type proxy.CredentialsHeadersConfig" reason= request-id= status= trace="Stack trace: \ngithub.com/ory/oathkeeper/proxy.(*CredentialsHeaders).Issue\n\t/go/src/github.com/ory/oathkeeper/proxy/credentials_issuer_headers.go:63\ngithub.com/ory/oathkeeper/proxy.(*RequestHandler).HandleRequest\n\t/go/src/github.com/ory/oathkeeper/proxy/request_handler.go:171\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Director\n\t/go/src/github.com/ory/oathkeeper/proxy/proxy.go:121\ngithub.com/ory/oathkeeper/proxy.(*Proxy).Director-fm\n\t/go/src/github.com/ory/oathkeeper/cmd/serve_proxy.go:216\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/usr/local/go/src/net/http/httputil/reverseproxy.go:197\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/urfave/negroni.middleware.ServeHTTP-fm\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/metricsx/middleware.go:260\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/urfave/negroni.middleware.ServeHTTP-fm\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/meatballhat/[email protected]/middleware.go:136\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email 
protected]/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2741\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1847\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1333" writer=JSON
time="2019-04-30T14:57:22Z" level=info msg="completed handling request" measure#oathkeeper-proxy.latency=455696 method=GET remote="172.17.0.1:40156" request=/ status=500 text_status="Internal Server Error" took="455.696µs"
issuing credentials in HandleRequest()

Expected behavior
I expect `curl localhost:4456/rules` to return

[
    {
        "authenticators": [
            {
                "config": null,
                "handler": "noop"
            }
        ],
        "authorizer": {
            "config": null,
            "handler": "allow"
        },
        "credentials_issuer": {
            "config": {
                "headers": {
                    "X-Header-1": "value1",
                    "X-Header-2": "value2"
                }
            },
            "handler": "headers"
        },
        "description": "",
        "id": "test",
        "match": {
            "methods": [
                "GET"
            ],
            "url": "<.*>"
        },
        "upstream": {
            "preserve_host": false,
            "strip_path": "",
            "url": "http://127.0.0.1:8082"
        }
    }
]

Version:

  • Environment: docker
  • Version: commit 5c34958

Additional context
I believe that the problem happens because in `/cmd/rules_import.go` `models.RawMessage` is used. Because `models.RawMessage` is basically `[]uint8`, it is converted to base64 when encoded as JSON, as per documentation:

> Array and slice values encode as JSON arrays, except that []byte encodes as a base64-encoded string, and a nil slice encodes as the null JSON value.

It seems that commit 38c52a3 introduced the problem because it replaced json.RawMessage with models.RawMessage. When I replaced it back the problem was gone.

If needed I can create a pr to fix this.

@aeneasr aeneasr added the bug Something is not working. label May 2, 2019
Member

aeneasr commented May 2, 2019

Thank you, yeah this is indeed caused by the newly generated SDK. Unfortunately, changing the code there won't work as it will be broken with the next release. There is an issue for this here so maybe adding

// type: string
// format: binary

here and running make sdk can fix that. Would you be open to give that a try?

Member

aeneasr commented May 2, 2019

Oh sorry, you're right - changing models.RawMessage to json.RawMessage here should be enough!

stszap added a commit to stszap/oathkeeper that referenced this issue May 4, 2019
Signed-off-by: Stanislav Zapolsky <[email protected]>
@aeneasr aeneasr closed this as completed in a55e4d1 May 4, 2019