oauth2: restore legacy context creation behavior #11662

Open
edsiper wants to merge 3 commits into master from issue-11649-oauth2_azure

@edsiper (Member) commented Apr 3, 2026

Fixes #11649


Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Added configuration option to override the OAuth2 token endpoint URL.
  • Bug Fixes

    • Fixed OAuth2 token retrieval that was previously disabled by default, preventing proper token refresh functionality.
    • Relaxed validation to allow authentication URL override as an alternative to tenant configuration.

edsiper added 3 commits April 2, 2026 21:16
Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>

coderabbitai bot commented Apr 3, 2026

Walkthrough

The PR fixes OAuth2 token retrieval failure in v5.0.0 by enabling the OAuth2 client by default in flb_oauth2_create(), and adds configuration flexibility to the Azure Logs Ingestion plugin to override the authentication URL endpoint. A new test validates the OAuth2 token retrieval flow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Azure Logs Ingestion Configuration: `plugins/out_azure_logs_ingestion/azure_logs_ingestion.c`, `plugins/out_azure_logs_ingestion/azure_logs_ingestion.h` | Added auth_url_override configuration option and corresponding struct field to allow users to override the OAuth2 token endpoint. |
| Azure Logs Ingestion Configuration Logic: `plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c` | Loosened tenant_id requirement (now optional when auth_url_override is provided) and updated auth URL construction to use auth_url_override directly when set, falling back to template-based generation otherwise. |
| OAuth2 Core Fix: `src/flb_oauth2.c` | Set cfg.enabled = FLB_TRUE after applying OAuth2 defaults to enable token retrieval, fixing the regression where newly created OAuth2 contexts were disabled by default. |
| OAuth2 Testing: `tests/internal/oauth2.c` | Added create_legacy_oauth_ctx helper function and new test_legacy_create_manual_payload_flow test to validate OAuth2 token retrieval with manual payload construction. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

docs-required

Suggested reviewers

  • cosmo0920

Poem

🐰 A token once trapped in the cold,
Needed just one line to awake,
A switch flipped on, brave and bold,
Now Azure logs flow for goodness' sake! 🔐✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'oauth2: restore legacy context creation behavior' is clear, concise, and directly summarizes the main change of restoring legacy OAuth2 context creation behavior. It aligns with the PR objectives and commit messages. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #11649 by fixing OAuth2 token retrieval failure in v5.0.0. Changes restore legacy context creation behavior, add auth_url override for Azure plugin flexibility, and include comprehensive tests for the manual payload flow. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing the OAuth2 token retrieval regression. Modifications to oauth2.c restore legacy behavior, azure_logs_ingestion files add necessary auth_url override support, and tests validate the fix. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a30ba3e9-a88d-4c7b-8c7d-d3a5bc6918ae

📥 Commits

Reviewing files that changed from the base of the PR and between 66ffbe4 and 6b78767.

📒 Files selected for processing (5)
  • plugins/out_azure_logs_ingestion/azure_logs_ingestion.c
  • plugins/out_azure_logs_ingestion/azure_logs_ingestion.h
  • plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c
  • src/flb_oauth2.c
  • tests/internal/oauth2.c

Comment on lines +94 to 113
if (ctx->auth_url_override) {
ctx->auth_url = flb_sds_create(ctx->auth_url_override);
if (!ctx->auth_url) {
flb_errno();
flb_az_li_ctx_destroy(ctx);
return NULL;
}
}
else {
/* Allocate and set auth url */
ctx->auth_url = flb_sds_create_size(sizeof(FLB_AZ_LI_AUTH_URL_TMPLT) - 1 +
flb_sds_len(ctx->tenant_id));
if (!ctx->auth_url) {
flb_errno();
flb_az_li_ctx_destroy(ctx);
return NULL;
}
flb_sds_snprintf(&ctx->auth_url, flb_sds_alloc(ctx->auth_url),
FLB_AZ_LI_AUTH_URL_TMPLT, ctx->tenant_id);
}
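
Review bot: In the else branch, ctx->tenant_id is passed to flb_sds_len() and to the FLB_AZ_LI_AUTH_URL_TMPLT format with no NULL check in this region. Since tenant_id is now optional when auth_url_override is set, confirm that the earlier validation still rejects a configuration that sets neither property before this block runs, and add a test for that case so the expectation is recorded.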

⚠️ Potential issue | 🟠 Major

Validate auth_url_override to prevent insecure token endpoint usage.

This branch accepts any override URL, including cleartext http://, while sending client_secret in OAuth2 token requests. Please enforce HTTPS for normal use (with optional localhost-only HTTP allowance for tests).

🔒 Proposed guardrail
     if (ctx->auth_url_override) {
+        if (strncasecmp(ctx->auth_url_override, "https://", 8) != 0 &&
+            strncasecmp(ctx->auth_url_override, "http://127.0.0.1", 16) != 0 &&
+            strncasecmp(ctx->auth_url_override, "http://localhost", 16) != 0) {
+            flb_plg_error(ins,
+                          "property 'auth_url' must use https "
+                          "(http is allowed only for localhost tests)");
+            flb_az_li_ctx_destroy(ctx);
+            return NULL;
+        }
+
         ctx->auth_url = flb_sds_create(ctx->auth_url_override);
         if (!ctx->auth_url) {
             flb_errno();
             flb_az_li_ctx_destroy(ctx);
             return NULL;
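
Review bot: The two loopback comparisons in the added condition are prefix matches on 16 bytes, so a value such as `http://localhost.example.com/token` or `http://127.0.0.1.example.net/` also passes, because nothing looks at the character that follows the prefix. Require that character to be ':', '/' or the end of the string before accepting a cleartext URL. The error text also says 'auth_url' while the field being checked is auth_url_override; make the message match the option name users actually set.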
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c` around lines 94
- 113, Validate auth_url_override before assigning it: in the branch that
handles ctx->auth_url_override (before calling flb_sds_create), ensure the
provided URL uses the HTTPS scheme or is an explicit localhost loopback HTTP
(e.g., host equals "localhost" or "127.0.0.1" with any port) to allow tests; if
the scheme is plain "http" for any non-loopback host, log/return an error, call
flb_az_li_ctx_destroy(ctx) and return NULL. Implement the check around
ctx->auth_url_override parsing (inspect the prefix/host) so flb_sds_create is
only called for validated URLs and insecure cleartext token endpoints are
rejected.
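
The check this review comment asks for, written as a stand-alone C function. It is an added example, not code from the pull request or from Fluent Bit: `token_url_allowed` and `host_is` are hypothetical names, and it compares the whole host rather than a prefix and rejects userinfo in the authority.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: case-insensitive match of host[0..len) against name. */
static int host_is(const char *host, size_t len, const char *name)
{
    return len == strlen(name) && strncasecmp(host, name, len) == 0;
}

/* Hypothetical validator (not a Fluent Bit API): returns 1 when url may be
 * used as an OAuth2 token endpoint, 0 when it must be rejected. */
int token_url_allowed(const char *url)
{
    const char *host;
    size_t auth_len;
    size_t host_len;
    int is_https;

    if (url == NULL) {
        return 0;
    }
    if (strncasecmp(url, "https://", 8) == 0) {
        is_https = 1;
        host = url + 8;
    }
    else if (strncasecmp(url, "http://", 7) == 0) {
        is_https = 0;
        host = url + 7;
    }
    else {
        return 0;
    }

    /* The authority ends at the first '/', '?' or '#', or at end of string. */
    auth_len = strcspn(host, "/?#");
    /* Reject an empty host and userinfo ("user@host"), which hides the host. */
    if (auth_len == 0 || memchr(host, '@', auth_len) != NULL) {
        return 0;
    }
    if (is_https) {
        return 1;
    }
    /* Cleartext http: the host is the part before any ":port" and must be
     * exactly a loopback name, not merely start with one. */
    host_len = strcspn(host, ":/?#");
    return host_is(host, host_len, "localhost") ||
           host_is(host, host_len, "127.0.0.1");
}
```

IPv6 loopback (`[::1]`) is not accepted by this version; cleartext URLs using it are rejected like any other non-loopback host.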

Development

Successfully merging this pull request may close these issues.

out_azure_logs_ingestion: oauth2 token retrieval fails on v5.0.0, works on v4.2.3
