
out_azure_kusto: add support for Azure sovereign and custom clouds#11447

Open
tanmaya-panda1 wants to merge 1 commit intofluent:masterfrom
tanmaya-panda1:master

Conversation

@tanmaya-panda1 tanmaya-panda1 commented Feb 10, 2026

This pull request adds support for multiple Azure cloud environments (AzureCloud, AzureChinaCloud, AzureUSGovernmentCloud) to the Azure Kusto output plugin. It introduces cloud-specific endpoint resolution, updates the authentication logic and configuration to be cloud-aware, and adds comprehensive tests for each supported cloud environment and error handling for invalid configurations.

The most important changes are:

Cloud Environment Support and Endpoint Resolution

  • Added a new cloud_name configuration option and associated logic to resolve cloud-specific endpoints (login host, Kusto scope, and resource) based on the selected Azure environment. This enables the plugin to work with Azure public, China, US Government, and German clouds. (azure_kusto.c, azure_kusto.h, azure_kusto_conf.c)
  • Updated all authentication and token request flows to use the resolved cloud-specific endpoints and scopes, ensuring correct behavior across different Azure environments. (azure_kusto.c, azure_msiauth.c, azure_msiauth.h)

Configuration and Resource Management

  • Extended the plugin context structure to store cloud-specific parameters, and ensured proper allocation and cleanup of these resources during the plugin lifecycle. (azure_kusto.h, azure_kusto_conf.c)
  • Updated the configuration map to include the new cloud_name parameter with validation and documentation. (azure_kusto.c)

Testing

  • Added new runtime tests covering each supported cloud environment, as well as a test for invalid cloud configuration to verify error handling. (out_azure_kusto.c)

These changes make the Azure Kusto output plugin more flexible and robust for users operating in various Azure cloud environments.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Support for multiple Azure cloud environments (Public, China, US Government).
    • New configuration options: cloud_name, cloud_login_host, cloud_kusto_scope, cloud_kusto_resource.
  • Bug Fixes / Improvements

    • Token acquisition (workload identity and service principal) now uses the configured Kusto scope.
    • OAuth/endpoints are resolved dynamically based on cloud settings with improved logging and safer cleanup on configuration errors.

coderabbitai bot commented Feb 10, 2026

Walkthrough

Adds multi-cloud support to the Azure Kusto output plugin: introduces cloud configuration options, per-cloud login/scope/resource resolution at init, threads dynamic Kusto OAuth scope/resource through MSI and OAuth token requests, and updates related signatures and URL templates.

Changes

  • Public types & constants (plugins/out_azure_kusto/azure_kusto.h): Added flb_azure_cloud_type enum; replaced fixed MSAL/IMDS macros with a templated MSAL URL and per-cloud login_host, kusto_scope, kusto_resource macros; removed the global IMDS resource macro; extended struct flb_azure_kusto with cloud fields and custom override fields.
  • Config map & plugin core (plugins/out_azure_kusto/azure_kusto.c): Added config entries cloud_name, cloud_login_host, cloud_kusto_scope, cloud_kusto_resource; wired them into the public config_map and threaded ctx->kusto_scope into token payloads and token retrieval calls.
  • Config resolution & init (plugins/out_azure_kusto/azure_kusto_conf.c): Added azure_kusto_resolve_cloud_endpoints() to derive login_host, kusto_scope, kusto_resource from cloud_name or custom overrides; call integrated into the conf create flow; updated MSI/OAuth URL construction to use resolved endpoints; extended cleanup to free the new fields; added resolution logging.
  • MSI auth changes (plugins/out_azure_kusto/azure_msiauth.c, plugins/out_azure_kusto/azure_msiauth.h): Extended the flb_azure_workload_identity_token_get() signature to accept a scope; request body building now injects the dynamic scope and validates concatenations with explicit error paths; the MSIAUTH URL template now takes a resource placeholder.
  • Callsites & payloads (plugins/out_azure_kusto/...): Updated call sites and OAuth payload constructions to use the dynamic kusto_scope, kusto_resource, and login_host when building token requests for both MSI and standard OAuth flows.

Sequence Diagram(s)

sequenceDiagram
    participant Config as Configuration
    participant ConfInit as KustoConf Init
    participant Resolver as Cloud Resolver
    participant AuthModule as Auth (MSI/OAuth)
    participant TokenEndpoint as Token Service

    Config->>ConfInit: flb_azure_kusto_conf_create()
    ConfInit->>Resolver: azure_kusto_resolve_cloud_endpoints(ctx)
    Resolver->>Resolver: determine login_host, kusto_scope, kusto_resource
    Resolver-->>ConfInit: resolved endpoints
    ConfInit->>AuthModule: request token (pass login_host, kusto_scope, kusto_resource)
    AuthModule->>TokenEndpoint: POST token request (includes dynamic scope/resource)
    TokenEndpoint-->>AuthModule: access token
    AuthModule-->>ConfInit: token returned for Kusto operations

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • edsiper
  • cosmo0920
  • patrick-stephens

Poem

🐇 I hopped through clouds both near and far,
I stitched each scope, each login host, each star.
From public sky to sovereign shore,
Tokens in paw — I fetch and store.
A rabbit's patchwork Kusto chore! 🎩🐰

🚥 Pre-merge checks | ✅ 2 passed | ❌ 1 warning

Failed checks (1 warning)

  • Docstring Coverage: Warning. Docstring coverage is 57.14%, below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them.

Passed checks (2)

  • Title check: Passed. The title clearly and accurately summarizes the main change: adding support for Azure sovereign and custom clouds to the Azure Kusto plugin.
  • Description check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
plugins/out_azure_kusto/azure_msiauth.c (2)

163-163: ⚠️ Potential issue | 🟠 Major

Security: Do not log the federated token at info level.

This logs the full federated token (a JWT client assertion) which is a sensitive credential. Even at debug level this would be risky, but at info level it will appear in production logs by default. Remove or redact this log statement.

Proposed fix
-    flb_info("[azure workload identity] after read token from file %s", federated_token);
+    flb_debug("[azure workload identity] successfully read federated token from file");
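Review bot: the replacement correctly drops the token value, but the same credential is written a second time further down in this function: the debug line that logs the full request body (the body carries client_assertion=<JWT>, as the later review of line 220 points out). Both lines need redacting in the same change, and the body log should emit only flb_sds_len(body), otherwise a debug-level deployment still ships the assertion to whatever collects Fluent Bit's own logs.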

173-189: ⚠️ Potential issue | 🔴 Critical

Unchecked flb_sds_cat return values can lead to NULL dereference.

If any intermediate flb_sds_cat call fails (returns NULL), the next call receives NULL as input, causing a crash in flb_sds_len()/flb_sds_avail(). The NULL check at line 184 only catches the final call's failure. Each call (or at least the chain) needs early-exit on NULL.

Proposed fix — bail out after each cat
     body = flb_sds_cat(body, "client_id=", 10);
+    if (!body) goto body_error;
     body = flb_sds_cat(body, client_id, strlen(client_id));
+    if (!body) goto body_error;
     /* Use the correct grant_type and length for workload identity */
     body = flb_sds_cat(body, "&grant_type=client_credentials", 30);
+    if (!body) goto body_error;
     body = flb_sds_cat(body, "&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer", 77);
+    if (!body) goto body_error;
     body = flb_sds_cat(body, "&client_assertion=", 18);
+    if (!body) goto body_error;
     body = flb_sds_cat(body, federated_token, flb_sds_len(federated_token));
+    if (!body) goto body_error;
     /* Use the cloud-specific scope for Kusto */
     body = flb_sds_cat(body, "&scope=", 7);
+    if (!body) goto body_error;
     body = flb_sds_cat(body, scope, strlen(scope));
-
-    if (!body) {
-        /* This check might be redundant if flb_sds_cat handles errors, but safe */
-        flb_error("[azure workload identity] failed to build request body");
-        flb_sds_destroy(federated_token);
-        return -1;
-    }
+    if (!body) goto body_error;

Then add the error label before the upstream connection block:

    /* fall through to upstream connection ... */
    goto body_ok;

body_error:
    flb_error("[azure workload identity] failed to build request body");
    flb_sds_destroy(federated_token);
    return -1;

body_ok:
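Review bot: the body_error path destroys federated_token but never frees body, and because each step does `body = flb_sds_cat(body, ...)` the original buffer is already unreachable when a cat returns NULL, so on OOM the partially built body leaks. Assign through a temporary, e.g. `tmp = flb_sds_cat(body, "&scope=", 7); if (!tmp) { flb_sds_destroy(body); goto body_error; } body = tmp;`, so the label can release what was allocated. The forward `goto body_ok` jumping over the error label is also hard to follow; inline checks with one cleanup label at the end of the function reads more naturally.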
🧹 Nitpick comments (2)
plugins/out_azure_kusto/azure_msiauth.c (1)

149-149: Consider lowering log level from info to debug for routine entry-point tracing.

flb_info on every token fetch call adds noise to production logs. This is a tracing statement better suited for flb_debug.

plugins/out_azure_kusto/azure_kusto.h (1)

54-55: Remove unused macro FLB_AZURE_KUSTO_SCOPE.

The macro at line 55 is dead code—it's not referenced anywhere in the codebase. It has been replaced by FLB_AZURE_KUSTO_SCOPE_PUBLIC (line 68) and the per-cloud variants, along with dynamic scope resolution via ctx->kusto_scope. Delete line 55 to reduce confusion.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


⚠️ Outside diff range comments (1)
plugins/out_azure_kusto/azure_msiauth.c (1)

163-163: ⚠️ Potential issue | 🟠 Major

Federated token logged at info level — credential leakage risk.

Line 163 logs the full federated token content at flb_info level. This token is a security credential and should not appear in production logs. Consider changing to flb_debug or removing the token value from the message entirely.

🤖 Fix all issues with AI agents
In `@plugins/out_azure_kusto/azure_msiauth.c`:
- Around line 180-182: The chained flb_sds_cat calls that append "&scope=" and
scope to body risk dereferencing NULL on OOM; after each flb_sds_cat invocation
(including the new calls that append "&scope=" and the scope string) check that
body != NULL before making the next flb_sds_cat or using body, and if NULL
perform the same cleanup/early-return path used elsewhere in this function
(match existing error handling in this file). Specifically, add a NULL check for
body immediately after the flb_sds_cat that appends "&scope=" and again after
the flb_sds_cat that appends scope so the function (the azure MSIAUTH flow using
variable body and scope) does not continue with a NULL sds.
🧹 Nitpick comments (1)
plugins/out_azure_kusto/azure_kusto.h (1)

54-55: Remove dead code macro FLB_AZURE_KUSTO_SCOPE.

This macro is unused and has been superseded by the per-cloud variants (FLB_AZURE_KUSTO_SCOPE_PUBLIC, FLB_AZURE_KUSTO_SCOPE_CHINA, FLB_AZURE_KUSTO_SCOPE_US_GOVERNMENT, FLB_AZURE_KUSTO_SCOPE_GERMAN), which are actively used throughout the codebase. Delete the definition at line 55 to reduce confusion.

@tanmaya-panda1 tanmaya-panda1 changed the title [out_azure_kusto]: Add support for Azure Sovereign Cloud out_azure_kusto: add support for Azure sovereign and custom clouds Feb 10, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


⚠️ Outside diff range comments (2)
plugins/out_azure_kusto/azure_msiauth.c (2)

163-163: ⚠️ Potential issue | 🟠 Major

Sensitive federated token logged at info level — credential leak risk.

flb_info will emit the raw JWT federated token into logs under normal operation. This token grants authentication capabilities and should never appear in logs. At minimum, remove this line or downgrade to flb_debug with a truncated/redacted representation.

Proposed fix
-    flb_info("[azure workload identity] after read token from file %s", federated_token);
+    flb_debug("[azure workload identity] federated token read successfully (length=%zu)", flb_sds_len(federated_token));

220-220: ⚠️ Potential issue | 🟠 Major

Debug log exposes client_assertion (federated token) in request body.

The body contains client_assertion=<JWT>, which is a sensitive credential. Even at debug level, this risks leaking credentials to log aggregation systems. Consider logging only the body length or a sanitized version.

Proposed fix
-    flb_debug("[azure workload identity] Sending request body (len=%zu): %s", flb_sds_len(body), body);
+    flb_debug("[azure workload identity] Sending request body (len=%zu)", flb_sds_len(body));
🤖 Fix all issues with AI agents
In `@plugins/out_azure_kusto/azure_kusto.h`:
- Around line 46-77: Remove the unused dead macro FLB_AZURE_KUSTO_SCOPE and
eliminate all references to the retired German sovereign cloud by deleting
FLB_AZURE_CLOUD_GERMAN and the German-specific constants
FLB_AZURE_LOGIN_HOST_GERMAN, FLB_AZURE_KUSTO_SCOPE_GERMAN, and
FLB_AZURE_KUSTO_RESOURCE_GERMAN from azure_kusto.h; ensure any switch/selection
logic elsewhere only handles PUBLIC, CHINA and US_GOVERNMENT and update any
documentation/comments that mention the removed German cloud constants.


@coderabbitai coderabbitai bot left a comment



⚠️ Outside diff range comments (1)
plugins/out_azure_kusto/azure_msiauth.c (1)

163-163: ⚠️ Potential issue | 🟠 Major

Security: Federated token logged at INFO level — leaks credential to logs.

Line 163 logs the full federated token content via flb_info. This token is a bearer credential and should never be logged, especially at INFO level which is enabled in production.

Suggested fix
-    flb_info("[azure workload identity] after read token from file %s", federated_token);
+    flb_debug("[azure workload identity] successfully read federated token from file (len=%zu)", flb_sds_len(federated_token));
🧹 Nitpick comments (3)
plugins/out_azure_kusto/azure_msiauth.c (3)

173-215: OOM in flb_sds_cat leaks the original SDS buffer.

When flb_sds_cat fails (returns NULL), the original body pointer is overwritten and lost. The body_error label doesn't (and can't) free it since body is already NULL. This is a minor memory leak on OOM conditions. The NULL checks themselves are good and address the previous review concern about crash-on-OOM.

To fully fix the leak, use a temporary variable pattern:

flb_sds_t tmp;
tmp = flb_sds_cat(body, "client_id=", 10);
if (!tmp) { flb_sds_destroy(body); goto body_error; }
body = tmp;

However, this is a pervasive pattern in the Fluent Bit codebase and OOM is a catastrophic condition, so this can be deferred.


197-205: Use flb_sds_len(scope) instead of strlen(scope) for consistency.

On line 202, strlen(scope) is used where the caller passes ctx->kusto_scope (an flb_sds_t). While functionally equivalent (SDS strings are NUL-terminated), using strlen on an flb_sds_t bypasses the cached length, and is inconsistent with the flb_sds_len(federated_token) usage on line 193.

Suggested fix
-    body = flb_sds_cat(body, scope, strlen(scope));
+    body = flb_sds_cat(body, scope, flb_sds_len(scope));

Note: This would require changing the parameter type from const char *scope to flb_sds_t scope (or const flb_sds_t scope), or keeping strlen if the function must accept plain C strings.


208-215: The goto body_ok / body_error pattern is unconventional and harms readability.

Jumping forward over an error label with goto body_ok is an unusual control flow that makes the function harder to follow. A simpler structure would be to check for errors inline and jump to a single cleanup label at the end of the function.

Add cloud_name configuration property to support multiple Azure cloud
environments -- AzureCloud (default), AzureChinaCloud, and
AzureUSGovernmentCloud.

Additionally, add cloud_login_host, cloud_kusto_scope, and
cloud_kusto_resource properties for private/sovereign clouds
(e.g. USSEC, USNAT, BLEU) where the endpoints are not publicly known.
When all three custom properties are provided, they override cloud_name.

Each cloud resolves to the correct login host, OAuth scope, and
IMDS resource URL for authentication and ingestion.

Add NULL checks after each flb_sds_cat call in the workload identity
token request body construction to prevent crash on OOM.

Signed-off-by: Tanmaya Panda <tanmayapanda@microsoft.com>
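The endpoint-resolution rule the PR describes (in the description above and in the commit message: cloud_name selects a preset, and cloud_login_host, cloud_kusto_scope and cloud_kusto_resource override it only when all three are given), written out as an added example in C. This is not the plugin's code. The login hosts are the documented Entra ID authorities for the three clouds; the Kusto scope and resource strings, the /oauth2/v2.0/token path, and the decision to reject a partial override are assumptions of this example rather than facts taken from the patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Resolved endpoints for one cloud; field names mirror the PR's config options,
 * but this struct is the example's own, not the plugin's struct flb_azure_kusto. */
struct cloud_endpoints {
    const char *login_host;     /* Entra ID authority host, without scheme */
    const char *kusto_scope;    /* scope= value in the OAuth2 token request body */
    const char *kusto_resource; /* resource= value in the IMDS (MSI) token request */
};

/* Login hosts are the documented Entra ID authorities for each cloud. The Kusto
 * scope/resource strings are assumptions for this example, not copied from
 * azure_kusto.h. */
static const struct { const char *name; struct cloud_endpoints ep; } cloud_presets[] = {
    { "AzureCloud", { "login.microsoftonline.com",
      "https://help.kusto.windows.net/.default", "https://help.kusto.windows.net" } },
    { "AzureChinaCloud", { "login.chinacloudapi.cn",
      "https://help.kusto.chinacloudapi.cn/.default", "https://help.kusto.chinacloudapi.cn" } },
    { "AzureUSGovernmentCloud", { "login.microsoftonline.us",
      "https://help.kusto.usgovcloudapi.net/.default", "https://help.kusto.usgovcloudapi.net" } },
};

/* Returns 0 on success, -1 on an invalid configuration. All three overrides set:
 * they win and cloud_name is ignored (the PR's rule). One or two set: rejected,
 * so a typo cannot pair one cloud's login host with another cloud's scope (this
 * example's choice). None set: cloud_name is matched case-insensitively, with
 * NULL or "" meaning AzureCloud; unknown names fail rather than silently falling
 * back to the public cloud. */
int resolve_cloud_endpoints(const char *cloud_name, const char *custom_login_host,
                            const char *custom_kusto_scope,
                            const char *custom_kusto_resource,
                            struct cloud_endpoints *out)
{
    int n_custom = (custom_login_host != NULL) + (custom_kusto_scope != NULL)
                 + (custom_kusto_resource != NULL);
    size_t i;

    if (n_custom == 3) {
        out->login_host = custom_login_host;
        out->kusto_scope = custom_kusto_scope;
        out->kusto_resource = custom_kusto_resource;
        return 0;
    }
    if (n_custom != 0) {
        return -1;
    }
    if (cloud_name == NULL || cloud_name[0] == '\0') {
        cloud_name = "AzureCloud";
    }
    for (i = 0; i < sizeof(cloud_presets) / sizeof(cloud_presets[0]); i++) {
        if (strcasecmp(cloud_name, cloud_presets[i].name) == 0) {
            *out = cloud_presets[i].ep;
            return 0;
        }
    }
    return -1;
}

/* Service-principal token endpoint on the resolved authority. The
 * /<tenant>/oauth2/v2.0/token path is assumed, not copied from the plugin.
 * Fails (-1) instead of truncating when buf is too small. */
int build_oauth2_token_url(const struct cloud_endpoints *ep, const char *tenant_id,
                           char *buf, size_t len)
{
    int n = snprintf(buf, len, "https://%s/%s/oauth2/v2.0/token",
                     ep->login_host, tenant_id);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* IMDS managed-identity token endpoint with the per-cloud resource substituted,
 * the same substitution the PR makes in its MSIAUTH URL template. */
int build_imds_token_url(const struct cloud_endpoints *ep, char *buf, size_t len)
{
    int n = snprintf(buf, len, "http://169.254.169.254/metadata/identity/oauth2/token"
                     "?api-version=2018-02-01&resource=%s", ep->kusto_resource);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    const char *names[] = { "AzureCloud", "azurechinacloud",
                            "AzureUSGovernmentCloud", "AzureGermanCloud" };
    struct cloud_endpoints ep;
    char url[256];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (resolve_cloud_endpoints(names[i], NULL, NULL, NULL, &ep) != 0) {
            printf("%-24s rejected: unknown cloud_name\n", names[i]);
            continue;
        }
        build_oauth2_token_url(&ep, "<tenant_id>", url, sizeof(url));
        printf("%-24s %s\n", names[i], url);
    }
    return 0;
}
```

Two points a practitioner should take from this. First, whatever host ends up in login_host is where the client secret or the federated client assertion gets posted, so a custom cloud_login_host deserves the same change control as the secret itself. Second, an unrecognised cloud_name is rejected here rather than mapped to AzureCloud, because a fallback to the public cloud would send sovereign-cloud credentials to login.microsoftonline.com on a simple misspelling.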
