azure_kusto: Added support for region-based(Global and China cloud) authentication for Azure Kusto

[venkatesu-t]

Added Authentication based on two different clouds, Azure global and Azure china

Direct log ingestion from Fluent Bit to Azure Data Explorer via the azure_kusto plugin previously supported only Azure Global, as token generation relied on the Global Azure authentication authority.

Azure China uses a different authentication host, which was not supported by the existing Fluent Bit image, preventing direct ingestion into China cloud clusters.

This change adds support for Azure China cloud by updating the authentication configuration, enabling direct ingestion to Azure Data Explorer in China cloud.

Testing
Before we can approve your change; please submit the following in a comment:

• [ N/A] Example configuration file for the change
• Debug log output from testing the change
  Use case1: Using Global ingestion endpoint
  Config file used

Output :

Use case2: Using China ingestion endpoint
Config file used

Output:

• [ N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • Added explicit support for Azure China cloud alongside Azure Global.

• Improvements

  • Automatic cloud environment detection from ingestion endpoint.
  • Cloud-aware authentication: scopes, token endpoints and managed identity resource selection vary by cloud.
  • OAuth/MSI URL and scope handling now adapt at runtime to the detected cloud.

• Tests

  • Added tests validating cloud environment inference for Global and China.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@venkatesu-t has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 59 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds cloud-environment awareness to the Azure Kusto plugin: new cloud enum and per-cloud macros/helpers, detection of Global vs China from endpoints, and runtime selection of cloud-specific MSAL auth URL templates, OAuth scopes, and IMDS resources across auth and config flows.

Changes

Cohort / File(s)	Summary
Cloud Environment Configuration Infrastructure plugins/out_azure_kusto/azure_kusto.h	Add flb_azure_cloud_environment enum; per-cloud macros (_GLOBAL / _CHINA) for Kusto scope, MSAL auth URL templates, and IMDS resources; add cloud_environment to struct flb_azure_kusto; add static inline helpers flb_azure_kusto_get_scope() and flb_azure_kusto_get_imds_resource().
Dynamic Scope Usage in Plugin Core plugins/out_azure_kusto/azure_kusto.c	Replace hard-coded OAuth2 scope with dynamic scope obtained via flb_azure_kusto_get_scope(ctx->cloud_environment) and use actual scope length when building the token payload.
Config, Detection and URL Construction plugins/out_azure_kusto/azure_kusto_conf.c	Infer cloud_environment from ingestion_endpoint (checks chinacloudapi.cn); add helpers to select MSAL auth URL template, scope, and IMDS resource by cloud; build OAuth/MSI URLs using chosen templates/resources and allocate buffers using template lengths.
MSI / Workload Identity Auth Adjustments plugins/out_azure_kusto/azure_msiauth.c, plugins/out_azure_kusto/azure_msiauth.h	Replace fixed scope in workload identity token flows with cloud-aware scope selection; parameterize MSI auth URL template resource field (%s) for dynamic IMDS resource substitution.
Tests — Cloud Inference tests/runtime/out_azure_kusto.c	Add tests flb_test_azure_kusto_cloud_global_inference and flb_test_azure_kusto_cloud_china_inference; register them in TEST_LIST to validate cloud detection and behavior.

Sequence Diagram

sequenceDiagram
    participant Config as Configuration Handler
    participant Detector as Cloud Detector
    participant Helpers as Cloud Helpers
    participant Auth as OAuth/MSI Client

    Config->>Detector: parse ingestion_endpoint
    Detector-->>Config: return cloud_environment (GLOBAL / CHINA)
    Config->>Helpers: get MSAL template / IMDS resource / scope (cloud_environment)
    Helpers-->>Config: return template / resource / scope
    Config->>Auth: build OAuth/MSI request with returned values
    Auth->>Auth: append cloud-specific scope/resource and request token

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I sniffed endpoints under moonlit code,
Two cloud paths where token rivers flowed.
I swapped the scopes and tuned each URL,
Now auth hops clean from global to CHN.
A happy rabbit pats the build with a twirl.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding region-based (Global and China cloud) authentication support to the Azure Kusto plugin.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

fluent-bit/plugins/out_azure_kusto/azure_kusto_conf.c

Lines 836 to 837 in 10ec400

	flb_sds_snprintf(&ctx->oauth_url, flb_sds_alloc(ctx->oauth_url),
	FLB_AZURE_MSIAUTH_URL_TEMPLATE, "", "");

Pass resource arg when formatting MSI auth URL

The MSI URL template now includes a third %s for the IMDS resource (FLB_AZURE_MSIAUTH_URL_TEMPLATE in azure_msiauth.h), but this call (and the user-assigned branch below) still passes only two arguments. With the extra %s, vsnprintf reads an invalid pointer, producing a corrupted URL or crashing, so managed-identity auth will fail (both global and China). Please pass the resource string (e.g., get_imds_resource(ctx->cloud_environment)) when formatting.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@plugins/out_azure_kusto/azure_msiauth.c`:
- Around line 180-188: The two flb_sds_cat calls in azure_msiauth.c are passing
-1 which causes memcpy overflow; update the first call to pass the literal byte
length of the constant (use (int)(sizeof("&scope=") - 1)) instead of -1, and
ensure the second flb_sds_cat uses (int)strlen(scope) (or equivalent) rather
than relying on -1/implicit conversion; modify the calls that construct body
(referencing flb_sds_cat and flb_azure_kusto_get_scope) to use explicit positive
int lengths for both the "&scope=" string and the scope variable.

In `@plugins/out_azure_kusto/azure_msiauth.h`:
- Around line 23-24: The FLB_AZURE_MSIAUTH_URL_TEMPLATE has three %s
placeholders but the two call sites in azure_kusto_conf.c use only two
arguments; update both sprintf/http URL constructions that reference
FLB_AZURE_MSIAUTH_URL_TEMPLATE to pass the resource parameter as the third
argument (e.g., use the existing resource variable in the context such as
ctx->resource or the constant used for Kusto/AAD resource) so the format
receives three strings: the optional prefix ("", "&client_id="), the client_id
when applicable, and the resource string.

[venkatesu-t]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugins/out_azure_kusto/azure_kusto_conf.c (1)

833-868: Fix oauth_url sizing: pointer sizeof and missing imds_resource length

Line 860 uses sizeof(tmpl) where tmpl is a const char* pointer (returns ~8 bytes instead of actual string length). Additionally, lines 834, 845, and 860 don't account for imds_resource length in size calculations. Though flb_sds_snprintf has retry logic that auto-grows, undersized allocations trigger unnecessary reallocations.

🛠️ Proposed fix

-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1);
+            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1 +
+                                                strlen(imds_resource));
 ...
-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1 +
-                                                sizeof("&client_id=") - 1 +
-                                                flb_sds_len(ctx->client_id));
+            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1 +
+                                                sizeof("&client_id=") - 1 +
+                                                flb_sds_len(ctx->client_id) +
+                                                strlen(imds_resource));
 ...
-        ctx->oauth_url = flb_sds_create_size(sizeof(tmpl) - 1 + flb_sds_len(ctx->tenant_id));
+        ctx->oauth_url = flb_sds_create_size(strlen(tmpl) + flb_sds_len(ctx->tenant_id));

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugins/out_azure_kusto/azure_kusto_conf.c (1)

833-856: MSI OAuth URL buffer size ignores imds_resource length.

Line 834 and Line 845 allocate based on the template and client_id only. The template now includes a %s for imds_resource, so the buffer can be too small and flb_sds_snprintf may truncate the URL, breaking MSI auth (especially for China endpoints). Include strlen(imds_resource) in the size.

🐛 Proposed fix

-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1);
+            ctx->oauth_url = flb_sds_create_size(strlen(FLB_AZURE_MSIAUTH_URL_TEMPLATE) +
+                                                 strlen(imds_resource) + 1);
...
-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1 +
-                                                sizeof("&client_id=") - 1 +
-                                                flb_sds_len(ctx->client_id));
+            ctx->oauth_url = flb_sds_create_size(strlen(FLB_AZURE_MSIAUTH_URL_TEMPLATE) +
+                                                 strlen("&client_id=") +
+                                                 flb_sds_len(ctx->client_id) +
+                                                 strlen(imds_resource) + 1);

🧹 Nitpick comments (1)

plugins/out_azure_kusto/azure_kusto_conf.c (1)

35-52: Remove or use the unused get_kusto_scope helper.

get_kusto_scope isn’t referenced in this file, so a -Wunused-function build can warn/fail. Either wire it into call sites or drop it.

♻️ Proposed cleanup

-static const char *get_kusto_scope(int cloud_env)
-{
-    return flb_azure_kusto_get_scope(cloud_env);
-}
-