out_azure_kusto: migrate to common Azure authentication

Refactor Azure Kusto plugin to use the centralized Azure authentication
module instead of local azure_msiauth implementation.

Changes:
- Remove azure_msiauth.c from build (deprecated)
- Use common flb_azure_auth functions for MSI and workload identity
- Replace local auth enum with common flb_azure_auth_type
- Use flb_azure_auth_build_oauth_url for OAuth URL construction
- Pass Kusto-specific resource scope to auth functions

This unifies authentication behavior across all Azure output plugins
while maintaining full backward compatibility.

Signed-off-by: zshuang0316 <zshuang0316@163.com>

Author: zshuang0316

plugins/out_azure_kusto/CMakeLists.txt

@@ -2,8 +2,11 @@ set(src
   azure_kusto.c
   azure_kusto_conf.c
   azure_kusto_ingest.c
-  azure_msiauth.c
   azure_kusto_store.c
   )
 
-FLB_PLUGIN(out_azure_kusto "${src}" "")
+if(FLB_TLS)
+  FLB_PLUGIN(out_azure_kusto "${src}" "")
+else()
+  message(STATUS "out_azure_kusto plugin disabled (requires FLB_TLS=ON)")
+endif()

plugins/out_azure_kusto/azure_kusto.c

@@ -36,15 +36,14 @@
 #include "azure_kusto.h"
 #include "azure_kusto_conf.h"
 #include "azure_kusto_ingest.h"
-#include "azure_msiauth.h"
 #include "azure_kusto_store.h"
 
 static int azure_kusto_get_msi_token(struct flb_azure_kusto *ctx)
 {
     char *token;
 
-    /* Retrieve access token */
-    token = flb_azure_msiauth_token_get(ctx->o);
+    /* Retrieve access token using common auth function */
+    token = flb_azure_msi_token_get(ctx->o);
     if (!token) {
         flb_plg_error(ctx->ins, "error retrieving oauth2 access token");
         return -1;
@@ -57,10 +56,12 @@ static int azure_kusto_get_workload_identity_token(struct flb_azure_kusto *ctx)
 {
     int ret;
 
+    /* Use common auth function for workload identity */
     ret = flb_azure_workload_identity_token_get(ctx->o, 
                                                ctx->workload_identity_token_file,
                                                ctx->client_id, 
-                                               ctx->tenant_id);
+                                               ctx->tenant_id,
+                                               FLB_AZURE_KUSTO_RESOURCE_SCOPE);
     if (ret == -1) {
         flb_plg_error(ctx->ins, "error retrieving workload identity token");
         return -1;
@@ -83,7 +84,8 @@ static int azure_kusto_get_service_principal_token(struct flb_azure_kusto *ctx)
         return -1;
     }
 
-    ret = flb_oauth2_payload_append(ctx->o, "scope", 5, FLB_AZURE_KUSTO_SCOPE, 39);
+    ret = flb_oauth2_payload_append(ctx->o, "scope", 5, FLB_AZURE_KUSTO_SCOPE, 
+                                    sizeof(FLB_AZURE_KUSTO_SCOPE) - 1);
     if (ret == -1) {
         flb_plg_error(ctx->ins, "error appending oauth2 params");
         return -1;
@@ -124,14 +126,14 @@ flb_sds_t get_azure_kusto_token(struct flb_azure_kusto *ctx)
 
     if (flb_oauth2_token_expired(ctx->o) == FLB_TRUE) {
         switch (ctx->auth_type) {
-            case FLB_AZURE_KUSTO_AUTH_WORKLOAD_IDENTITY:
+            case FLB_AZURE_AUTH_WORKLOAD_IDENTITY:
                 ret = azure_kusto_get_workload_identity_token(ctx);
                 break;
-            case FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_SYSTEM:
-            case FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_USER:
+            case FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM:
+            case FLB_AZURE_AUTH_MANAGED_IDENTITY_USER:
                 ret = azure_kusto_get_msi_token(ctx);
                 break;
-            case FLB_AZURE_KUSTO_AUTH_SERVICE_PRINCIPAL:
+            case FLB_AZURE_AUTH_SERVICE_PRINCIPAL:
             default:
                 ret = azure_kusto_get_service_principal_token(ctx);
                 break;

plugins/out_azure_kusto/azure_kusto.h

@@ -25,6 +25,7 @@
 #include <fluent-bit/flb_output.h>
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_upstream_ha.h>
+#include <fluent-bit/flb_azure_auth.h>
 
 #include <fluent-bit/flb_scheduler.h>
 #include <fluent-bit/flb_utils.h>
@@ -35,13 +36,8 @@
 /* refresh token every 50 minutes */
 #define FLB_AZURE_KUSTO_TOKEN_REFRESH 3000
 
-/* Authentication types */
-typedef enum {
-    FLB_AZURE_KUSTO_AUTH_SERVICE_PRINCIPAL = 0,   /* Client ID + Client Secret */
-    FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_SYSTEM, /* System-assigned managed identity */
-    FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_USER,   /* User-assigned managed identity */
-    FLB_AZURE_KUSTO_AUTH_WORKLOAD_IDENTITY        /* Workload Identity */
-} flb_azure_kusto_auth_type;
+/* Kusto resource scope for Azure authentication */
+#define FLB_AZURE_KUSTO_RESOURCE_SCOPE "https://help.kusto.windows.net/"
 
 /* Kusto streaming inserts oauth scope */
 #define FLB_AZURE_KUSTO_SCOPE "https://help.kusto.windows.net/.default"

plugins/out_azure_kusto/azure_kusto_conf.c

@@ -31,7 +31,6 @@
 
 #include "azure_kusto.h"
 #include "azure_kusto_conf.h"
-#include "azure_msiauth.h"
 
 /* Constants for PCG random number generator */
 #define PCG_DEFAULT_MULTIPLIER_64  6364136223846793005ULL
@@ -724,7 +723,7 @@ struct flb_azure_kusto *flb_azure_kusto_conf_create(struct flb_output_instance *
 
     /* Auth method validation and setup */
     if (strcasecmp(ctx->auth_type_str, "service_principal") == 0) {
-        ctx->auth_type = FLB_AZURE_KUSTO_AUTH_SERVICE_PRINCIPAL;
+        ctx->auth_type = FLB_AZURE_AUTH_SERVICE_PRINCIPAL;
 
         /* Verify required parameters for Service Principal auth */
         if (!ctx->tenant_id || !ctx->client_id || !ctx->client_secret) {
@@ -742,13 +741,13 @@ struct flb_azure_kusto *flb_azure_kusto_conf_create(struct flb_output_instance *
         }
 
         if (strcasecmp(ctx->client_id, "system") == 0) {
-            ctx->auth_type = FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_SYSTEM;
+            ctx->auth_type = FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM;
         } else {
-            ctx->auth_type = FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_USER;
+            ctx->auth_type = FLB_AZURE_AUTH_MANAGED_IDENTITY_USER;
         }
     }
     else if (strcasecmp(ctx->auth_type_str, "workload_identity") == 0) {
-        ctx->auth_type = FLB_AZURE_KUSTO_AUTH_WORKLOAD_IDENTITY;
+        ctx->auth_type = FLB_AZURE_AUTH_WORKLOAD_IDENTITY;
 
         /* Verify required parameters for Workload Identity auth */
         if (!ctx->tenant_id || !ctx->client_id) {
@@ -759,7 +758,7 @@ struct flb_azure_kusto *flb_azure_kusto_conf_create(struct flb_output_instance *
 
         /* Set default token file path if not specified */
         if (!ctx->workload_identity_token_file) {
-            ctx->workload_identity_token_file = flb_strdup("/var/run/secrets/azure/tokens/azure-identity-token");
+            ctx->workload_identity_token_file = flb_strdup(FLB_AZURE_WORKLOAD_IDENTITY_TOKEN_FILE);
             if (!ctx->workload_identity_token_file) {
                 flb_errno();
                 flb_plg_error(ins, "Could not allocate default workload identity token path");
@@ -796,44 +795,15 @@ struct flb_azure_kusto *flb_azure_kusto_conf_create(struct flb_output_instance *
         return NULL;
     }
 
-    /* Create oauth2 context */
-    if (ctx->auth_type == FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_SYSTEM || 
-        ctx->auth_type == FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_USER) {
-        /* MSI auth */
-        /* Construct the URL template with or without client_id for managed identity */
-        if (ctx->auth_type == FLB_AZURE_KUSTO_AUTH_MANAGED_IDENTITY_SYSTEM) {
-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1);
-            if (!ctx->oauth_url) {
-                flb_errno();
-                flb_azure_kusto_conf_destroy(ctx);
-                return NULL;
-            }
-            flb_sds_snprintf(&ctx->oauth_url, flb_sds_alloc(ctx->oauth_url),
-                            FLB_AZURE_MSIAUTH_URL_TEMPLATE, "", "");
-        } else {
-            /* User-assigned managed identity */
-            ctx->oauth_url = flb_sds_create_size(sizeof(FLB_AZURE_MSIAUTH_URL_TEMPLATE) - 1 +
-                                                sizeof("&client_id=") - 1 +
-                                                flb_sds_len(ctx->client_id));
-            if (!ctx->oauth_url) {
-                flb_errno();
-                flb_azure_kusto_conf_destroy(ctx);
-                return NULL;
-            }
-            flb_sds_snprintf(&ctx->oauth_url, flb_sds_alloc(ctx->oauth_url),
-                            FLB_AZURE_MSIAUTH_URL_TEMPLATE, "&client_id=", ctx->client_id);
-        }
-    } else {
-        /* Standard OAuth2 for service principal or workload identity */
-        ctx->oauth_url = flb_sds_create_size(sizeof(FLB_MSAL_AUTH_URL_TEMPLATE) - 1 +
-                                            flb_sds_len(ctx->tenant_id));
-        if (!ctx->oauth_url) {
-            flb_errno();
-            flb_azure_kusto_conf_destroy(ctx);
-            return NULL;
-        }
-        flb_sds_snprintf(&ctx->oauth_url, flb_sds_alloc(ctx->oauth_url),
-                        FLB_MSAL_AUTH_URL_TEMPLATE, ctx->tenant_id);
+    /* Create oauth2 context using common auth URL builder */
+    ctx->oauth_url = flb_azure_auth_build_oauth_url(ctx->auth_type,
+                                                     ctx->tenant_id,
+                                                     ctx->client_id,
+                                                     FLB_AZURE_KUSTO_RESOURCE_SCOPE);
+    if (!ctx->oauth_url) {
+        flb_plg_error(ctx->ins, "failed to create OAuth URL");
+        flb_azure_kusto_conf_destroy(ctx);
+        return NULL;
     }
 
     ctx->resources = flb_calloc(1, sizeof(struct flb_azure_kusto_resources));
@@ -862,6 +832,11 @@ int flb_azure_kusto_conf_destroy(struct flb_azure_kusto *ctx)
         ctx->oauth_url = NULL;
     }
 
+    if (ctx->workload_identity_token_file) {
+        flb_free(ctx->workload_identity_token_file);
+        ctx->workload_identity_token_file = NULL;
+    }
+
     if (ctx->o) {
         flb_oauth2_destroy(ctx->o);
         ctx->o = NULL;