oauth2: restore legacy context creation behavior

[edsiper]

Fixes #11649

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • Add configuration option to override the OAuth2 token endpoint URL.

• Bug Fixes

  • OAuth2 contexts now enable token retrieval/refresh by default.
  • Validation updated to allow an authentication URL override as an alternative to tenant configuration.

• Tests

  • Added a new test covering a legacy/manual OAuth2 token request flow.

• Chores

  • Commit message prefix validation expanded to accept test-specific prefixes.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added an auth_url override option and context field to azure_logs_ingestion with validation and conditional auth-URL construction; flb_oauth2 now enables OAuth2 by default on create; added a legacy/manual OAuth2 payload unit test; commit-prefix script accepts test-specific prefixes.

Changes

Cohort / File(s)	Summary
Azure Logs Ingestion: config map & context plugins/out_azure_logs_ingestion/azure_logs_ingestion.c, plugins/out_azure_logs_ingestion/azure_logs_ingestion.h	Added auth_url config option (auth_url_override) and new flb_sds_t auth_url_override field on the plugin context to store a custom OAuth2 token endpoint.
Azure Logs Ingestion: config parsing & validation plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c	Added validate_auth_url_override(); made tenant_id required only when no override is provided; when override is present, ctx->auth_url is created from the validated override, otherwise built from the tenant template.
OAuth2 core behavior src/flb_oauth2.c	flb_oauth2_create() now sets cfg.enabled = FLB_TRUE, enabling token fetch/refresh for newly created OAuth2 contexts.
OAuth2 tests tests/internal/oauth2.c	Added create_legacy_oauth_ctx helper and test_legacy_create_manual_payload_flow to exercise manual payload token retrieval; registered the test in TEST_LIST.
Commit prefix validation script .github/scripts/commit_prefix_check.py	Extended accepted commit-subject prefixes to include tests: internal:, tests: runtime:, tests: integration: and added normalize_subject_prefix() to canonicalize test-specific prefixes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• cosmo0920
• niedbalski
• patrick-stephens
• celalettin1286

Poem

🐰 I hopped to a config, small and spry,
A URL override gave tokens wings to fly.
OAuth woke up, fresh and bold—hooray!
Tests clapped softly for the new relay.
🥕 Logs leap onwards through the bright new day.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: restoring legacy OAuth2 context creation behavior by enabling OAuth2 contexts so they can fetch tokens.
Linked Issues check	✅ Passed	The PR directly addresses the regression in #11649 by fixing OAuth2 token retrieval failure in v5.0.0 through enabling OAuth2 contexts and adding Azure auth_url override support.
Out of Scope Changes check	✅ Passed	The commit prefix check script update is tangentially related but necessary for test categorization; all other changes directly support the OAuth2 regression fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue-11649-oauth2_azure

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch issue-11649-oauth2_azure

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c`:
- Around line 94-113: Validate auth_url_override before assigning it: in the
branch that handles ctx->auth_url_override (before calling flb_sds_create),
ensure the provided URL uses the HTTPS scheme or is an explicit localhost
loopback HTTP (e.g., host equals "localhost" or "127.0.0.1" with any port) to
allow tests; if the scheme is plain "http" for any non-loopback host, log/return
an error, call flb_az_li_ctx_destroy(ctx) and return NULL. Implement the check
around ctx->auth_url_override parsing (inspect the prefix/host) so
flb_sds_create is only called for validated URLs and insecure cleartext token
endpoints are rejected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a30ba3e9-a88d-4c7b-8c7d-d3a5bc6918ae

📥 Commits

Reviewing files that changed from the base of the PR and between 66ffbe4 and 6b78767.

📒 Files selected for processing (5)

• plugins/out_azure_logs_ingestion/azure_logs_ingestion.c
• plugins/out_azure_logs_ingestion/azure_logs_ingestion.h
• plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c
• src/flb_oauth2.c
• tests/internal/oauth2.c

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c (1)

104-109: ⚠️ Potential issue | 🟡 Minor

Pre-existing memory leak: missing context cleanup on config_map_set failure.

If flb_output_config_map_set fails at line 106, the allocated ctx is not freed before returning NULL. While this is existing code, it's worth fixing alongside the current changes for consistency with the cleanup pattern used elsewhere in this function.

🔧 Proposed fix

     /* Load config map */
     ret = flb_output_config_map_set(ins, (void *) ctx);
     if (ret == -1) {
         flb_plg_error(ins, "unable to load configuration");
+        flb_az_li_ctx_destroy(ctx);
         return NULL;
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c` around lines
104 - 109, If flb_output_config_map_set(ins, (void *) ctx) fails the allocated
ctx is leaked; before returning NULL free the context (e.g., call the same
allocator's free used elsewhere, such as flb_free(ctx) or free(ctx)) and null it
if needed, then call flb_plg_error and return NULL so that ctx is cleaned up on
error; update the failure branch around flb_output_config_map_set to release ctx
before returning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c`:
- Around line 104-109: If flb_output_config_map_set(ins, (void *) ctx) fails the
allocated ctx is leaked; before returning NULL free the context (e.g., call the
same allocator's free used elsewhere, such as flb_free(ctx) or free(ctx)) and
null it if needed, then call flb_plg_error and return NULL so that ctx is
cleaned up on error; update the failure branch around flb_output_config_map_set
to release ctx before returning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 39adb285-f021-4b34-86f0-d03d7190dfb7

📥 Commits

Reviewing files that changed from the base of the PR and between 6b78767 and 33bb6b7.

📒 Files selected for processing (1)

• plugins/out_azure_logs_ingestion/azure_logs_ingestion_conf.c

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/scripts/commit_prefix_check.py:
- Around line 24-34: The regex PREFIX_RE allows multiple spaces (e.g., "tests: 
internal:"), but normalize_subject_prefix() compares against exact strings like
"tests: internal:" so such inputs won't normalize; update
normalize_subject_prefix() to normalize whitespace before doing comparisons
(e.g., collapse consecutive spaces and trim, or run a regex replacement to
convert any run of whitespace between tokens into a single space) and then
perform the existing lower-case and equality checks so that values matched by
PREFIX_RE (and the constant PREFIX_RE itself) are normalized consistently to
"tests:".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f1d3438-1830-48c4-b7da-20bc3c283b2c

📥 Commits

Reviewing files that changed from the base of the PR and between 33bb6b7 and bda4be6.

📒 Files selected for processing (1)

• .github/scripts/commit_prefix_check.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor inconsistency between regex and normalization logic.

The PREFIX_RE regex uses \s+ which allows multiple whitespace characters between tests: and the subcategory (e.g., tests: internal:). However, normalize_subject_prefix() at lines 60-61 performs exact string matching with single spaces ("tests: internal:").

If a commit uses extra whitespace like tests: internal: add test, the regex will match and extract tests: internal:, but normalization will fall through to line 63 returning the lowered string as-is instead of normalizing to tests:.

Consider normalizing whitespace before comparison:

Proposed fix

 def normalize_subject_prefix(prefix: str) -> str:
     """
     Map accepted subject-prefix variants to the canonical prefix used by
     path-based validation.
     """
-    lowered = prefix.lower()
+    # Normalize internal whitespace to single space before comparison
+    lowered = ' '.join(prefix.lower().split())
 
     if lowered in ("tests: internal:", "tests: runtime:", "tests: integration:"):
         return "tests:"
 
     return lowered

Also applies to: 53-64

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/scripts/commit_prefix_check.py around lines 24 - 34, The regex
PREFIX_RE allows multiple spaces (e.g., "tests:  internal:"), but
normalize_subject_prefix() compares against exact strings like "tests:
internal:" so such inputs won't normalize; update normalize_subject_prefix() to
normalize whitespace before doing comparisons (e.g., collapse consecutive spaces
and trim, or run a regex replacement to convert any run of whitespace between
tokens into a single space) and then perform the existing lower-case and
equality checks so that values matched by PREFIX_RE (and the constant PREFIX_RE
itself) are normalized consistently to "tests:".