fix(migration): revert webhook authType back to secretKey in v1126 and remove broken v1125 migration (#27427)

* fix(migration): add v1126 reverse migration to revert webhook authType back to secretKey

* fix(migration): remove migrateWebhookSecretKeyToAuthType from v1125 migration

* fix(test): remove migrateWebhookSecretKeyToAuthType references from v1125 migration tests

* fix(migration): address copilot review comments on v1126 migration

* fix(migration): case-insensitive bearer check and verify JSON content in v1126 tests

* fix(migration): remove unused constants from v1125 and add postgres path + SQL verification to v1126 tests

(cherry picked from commit 35ede8f)

Author: yan-3005

bootstrap/sql/migrations/native/1.12.6/mysql/postDataMigrationSQLScript.sql

@@ -0,0 +1 @@
+-- Placeholder for 1.12.6 MySQL post data migration SQL script

bootstrap/sql/migrations/native/1.12.6/mysql/schemaChanges.sql

@@ -0,0 +1 @@
+-- Placeholder for 1.12.6 MySQL schema changes

bootstrap/sql/migrations/native/1.12.6/postgres/postDataMigrationSQLScript.sql

@@ -0,0 +1 @@
+-- Placeholder for 1.12.6 Postgres post data migration SQL script

bootstrap/sql/migrations/native/1.12.6/postgres/schemaChanges.sql

@@ -0,0 +1 @@
+-- Placeholder for 1.12.6 Postgres schema changes

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1125/Migration.java

@@ -17,14 +17,6 @@ public Migration(MigrationFile migrationFile) {
   @Override
   @SneakyThrows
   public void runDataMigration() {
-    try {
-      MigrationUtil.migrateWebhookSecretKeyToAuthType(handle);
-    } catch (Exception e) {
-      LOG.error(
-          "Failed to migrate webhook secretKey to authType in v1125 migration. "
-              + "Webhook authentication may not work correctly until re-saved.",
-          e);
-    }
     try {
       MigrationUtil.migrateWorkflowDefinitions();
     } catch (Exception e) {

openmetadata-service/src/main/java/org/openmetadata/service/migration/mysql/v1126/Migration.java

@@ -0,0 +1,25 @@
+package org.openmetadata.service.migration.mysql.v1126;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+import org.openmetadata.service.migration.utils.v1126.MigrationUtil;
+
+@Slf4j
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    try {
+      MigrationUtil.revertWebhookAuthTypeToSecretKey(handle);
+    } catch (Exception e) {
+      LOG.error("Failed to revert webhook authType to secretKey in v1126 migration.", e);
+    }
+  }
+}

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1125/Migration.java

@@ -17,14 +17,6 @@ public Migration(MigrationFile migrationFile) {
   @Override
   @SneakyThrows
   public void runDataMigration() {
-    try {
-      MigrationUtil.migrateWebhookSecretKeyToAuthType(handle);
-    } catch (Exception e) {
-      LOG.error(
-          "Failed to migrate webhook secretKey to authType in v1125 migration. "
-              + "Webhook authentication may not work correctly until re-saved.",
-          e);
-    }
     try {
       MigrationUtil.migrateWorkflowDefinitions();
     } catch (Exception e) {

openmetadata-service/src/main/java/org/openmetadata/service/migration/postgres/v1126/Migration.java

@@ -0,0 +1,25 @@
+package org.openmetadata.service.migration.postgres.v1126;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.openmetadata.service.migration.api.MigrationProcessImpl;
+import org.openmetadata.service.migration.utils.MigrationFile;
+import org.openmetadata.service.migration.utils.v1126.MigrationUtil;
+
+@Slf4j
+public class Migration extends MigrationProcessImpl {
+
+  public Migration(MigrationFile migrationFile) {
+    super(migrationFile);
+  }
+
+  @Override
+  @SneakyThrows
+  public void runDataMigration() {
+    try {
+      MigrationUtil.revertWebhookAuthTypeToSecretKey(handle);
+    } catch (Exception e) {
+      LOG.error("Failed to revert webhook authType to secretKey in v1126 migration.", e);
+    }
+  }
+}

openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1125/MigrationUtil.java

@@ -11,15 +11,13 @@
 import lombok.extern.slf4j.Slf4j;
 import org.jdbi.v3.core.Handle;
 import org.jdbi.v3.core.statement.PreparedBatch;
-import org.openmetadata.schema.entity.events.SubscriptionDestination;
 import org.openmetadata.schema.governance.workflows.WorkflowDefinition;
 import org.openmetadata.schema.type.TagLabel;
 import org.openmetadata.schema.utils.JsonUtils;
 import org.openmetadata.service.Entity;
 import org.openmetadata.service.jdbi3.ListFilter;
 import org.openmetadata.service.jdbi3.WorkflowDefinitionRepository;
 import org.openmetadata.service.jdbi3.locator.ConnectionType;
-import org.openmetadata.service.resources.databases.DatasourceConfig;
 import org.openmetadata.service.util.EntityUtil;
 import org.openmetadata.service.util.FullyQualifiedName;
 
@@ -28,81 +26,9 @@ public class MigrationUtil {
 
   private MigrationUtil() {}
 
-  private static final String UPDATE_EVENT_SUB_MYSQL =
-      "UPDATE event_subscription_entity SET json = :json WHERE id = :id";
-  private static final String UPDATE_EVENT_SUB_POSTGRESQL =
-      "UPDATE event_subscription_entity SET json = :json::jsonb WHERE id = :id";
   private static final ObjectMapper MAPPER = new ObjectMapper();
   private static final String ADMIN_USER_NAME = "admin";
 
-  public static void migrateWebhookSecretKeyToAuthType(Handle handle) {
-    LOG.info("Starting migration of webhook secretKey to authType");
-
-    List<Map<String, Object>> rows =
-        handle.createQuery("SELECT id, json FROM event_subscription_entity").mapToMap().list();
-
-    int migratedCount = 0;
-    for (Map<String, Object> row : rows) {
-      String id = row.get("id").toString();
-      String jsonStr = row.get("json").toString();
-
-      try {
-        ObjectNode root = (ObjectNode) JsonUtils.readTree(jsonStr);
-        JsonNode destinations = root.get("destinations");
-        if (destinations == null || !destinations.isArray()) {
-          continue;
-        }
-
-        boolean modified = false;
-        for (JsonNode destination : destinations) {
-          String destinationType =
-              destination.get("type") != null
-                  ? destination.get("type").asText().toLowerCase()
-                  : null;
-          if (destinationType == null
-              || !destinationType.equals(
-                  SubscriptionDestination.SubscriptionType.WEBHOOK.value().toLowerCase())) {
-            continue;
-          }
-          JsonNode config = destination.get("config");
-          if (config == null || !config.isObject()) {
-            continue;
-          }
-
-          JsonNode secretKeyNode = config.get("secretKey");
-          if (secretKeyNode == null
-              || secretKeyNode.isNull()
-              || secretKeyNode.asText().trim().isEmpty()) {
-            continue;
-          }
-
-          ObjectNode configObj = (ObjectNode) config;
-          ObjectNode bearerAuth =
-              JsonUtils.getObjectMapper()
-                  .createObjectNode()
-                  .put("type", "bearer")
-                  .put("secretKey", secretKeyNode.asText());
-          configObj.set("authType", bearerAuth);
-          configObj.remove("secretKey");
-          modified = true;
-        }
-
-        if (modified) {
-          String updateSql =
-              Boolean.TRUE.equals(DatasourceConfig.getInstance().isMySQL())
-                  ? UPDATE_EVENT_SUB_MYSQL
-                  : UPDATE_EVENT_SUB_POSTGRESQL;
-          handle.createUpdate(updateSql).bind("json", root.toString()).bind("id", id).execute();
-          migratedCount++;
-        }
-      } catch (Exception e) {
-        LOG.warn("Error migrating event subscription {}: {}", id, e.getMessage());
-      }
-    }
-
-    LOG.info("Migrated {} event subscriptions with secretKey to authType", migratedCount);
-  }
-
   public static void migrateWorkflowDefinitions() {
     LOG.info(
         "Starting v1125 migration: converting include fields from map to array format in workflow trigger configurations");

openmetadata-service/src/main/java/org/openmetadata/service/migration/utils/v1126/MigrationUtil.java

@@ -0,0 +1,98 @@
+package org.openmetadata.service.migration.utils.v1126;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.util.List;
+import java.util.Map;
+import lombok.extern.slf4j.Slf4j;
+import org.jdbi.v3.core.Handle;
+import org.openmetadata.schema.entity.events.SubscriptionDestination;
+import org.openmetadata.schema.utils.JsonUtils;
+import org.openmetadata.service.resources.databases.DatasourceConfig;
+
+@Slf4j
+public final class MigrationUtil {
+
+  private MigrationUtil() {}
+
+  private static final String UPDATE_MYSQL =
+      "UPDATE event_subscription_entity SET json = :json WHERE id = :id";
+  private static final String UPDATE_POSTGRES =
+      "UPDATE event_subscription_entity SET json = :json::jsonb WHERE id = :id";
+
+  public static void revertWebhookAuthTypeToSecretKey(Handle handle) {
+    LOG.info("Reverting webhook authType back to secretKey");
+    List<Map<String, Object>> rows =
+        handle.createQuery("SELECT id, json FROM event_subscription_entity").mapToMap().list();
+    int revertedCount = 0;
+
+    for (Map<String, Object> row : rows) {
+      String id = row.get("id").toString();
+      String jsonStr = row.get("json").toString();
+
+      try {
+        ObjectNode root = (ObjectNode) JsonUtils.readTree(jsonStr);
+        JsonNode destinations = root.get("destinations");
+        if (destinations == null || !destinations.isArray()) {
+          continue;
+        }
+
+        boolean modified = false;
+        for (JsonNode destination : destinations) {
+          String type =
+              destination.get("type") != null
+                  ? destination.get("type").asText().toLowerCase()
+                  : null;
+          if (!SubscriptionDestination.SubscriptionType.WEBHOOK
+              .value()
+              .toLowerCase()
+              .equals(type)) {
+            continue;
+          }
+
+          JsonNode config = destination.get("config");
+          if (config == null || !config.isObject()) {
+            continue;
+          }
+
+          JsonNode authTypeNode = config.get("authType");
+          if (authTypeNode == null || !authTypeNode.isObject()) {
+            continue;
+          }
+
+          ObjectNode configObj = (ObjectNode) config;
+          String authNodeType =
+              authTypeNode.has("type") && !authTypeNode.get("type").isNull()
+                  ? authTypeNode.get("type").asText()
+                  : null;
+
+          if ("bearer".equalsIgnoreCase(authNodeType)
+              && authTypeNode.has("secretKey")
+              && !authTypeNode.get("secretKey").isNull()) {
+            configObj.put("secretKey", authTypeNode.get("secretKey").asText());
+          } else {
+            LOG.warn(
+                "Dropping unrecognized authType (type={}) from webhook config for subscription {}",
+                authNodeType,
+                id);
+          }
+          configObj.remove("authType");
+          modified = true;
+        }
+
+        if (modified) {
+          String updateSql =
+              Boolean.TRUE.equals(DatasourceConfig.getInstance().isMySQL())
+                  ? UPDATE_MYSQL
+                  : UPDATE_POSTGRES;
+          handle.createUpdate(updateSql).bind("json", root.toString()).bind("id", id).execute();
+          revertedCount++;
+        }
+      } catch (Exception e) {
+        LOG.warn("Error reverting event subscription {}", id, e);
+      }
+    }
+
+    LOG.info("Reverted {} event subscriptions from authType back to secretKey", revertedCount);
+  }
+}