out_azure_blob: add OAuth authentication support

Integrate common Azure authentication module to support:
- Managed Identity (system-assigned and user-assigned)
- Workload Identity with federated tokens
- Service Principal with client credentials

This extends the existing shared key and SAS token authentication
methods and maintains full backward compatibility.

New configuration parameters:
- tenant_id: Azure AD tenant ID
- client_id: Azure AD client ID or 'system' for system-assigned MI
- client_secret: Client secret for service principal auth
- workload_identity_token_file: Token file path for workload identity

Signed-off-by: zshuang0316 <zshuang0316@163.com>

Author: zshuang0316

include/fluent-bit/flb_azure_auth.h

@@ -26,8 +26,8 @@
 
 /* Authentication types for Azure services */
 typedef enum {
-    FLB_AZURE_AUTH_KEY = 0,                       /* Shared Access Key */
-    FLB_AZURE_AUTH_SAS,                           /* Shared Access Signature */
+    FLB_AZURE_AUTH_KEY = 0,                       /* Shared Access Key (blob-specific) */
+    FLB_AZURE_AUTH_SAS,                           /* Shared Access Signature (blob-specific) */
     FLB_AZURE_AUTH_SERVICE_PRINCIPAL,             /* Service Principal (Client ID + Secret) */
     FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM,       /* System-assigned Managed Identity */
     FLB_AZURE_AUTH_MANAGED_IDENTITY_USER,         /* User-assigned Managed Identity */

plugins/out_azure_blob/azure_blob.c

@@ -1826,7 +1826,7 @@ static struct flb_config_map config_map[] = {
     {
      FLB_CONFIG_MAP_STR, "auth_type", "key",
      0, FLB_TRUE, offsetof(struct flb_azure_blob, auth_type),
-     "Set the auth type: key or sas"
+     "Set the auth type: key, sas, service_principal, managed_identity, or workload_identity"
     },
 
     {
@@ -1835,6 +1835,31 @@ static struct flb_config_map config_map[] = {
      "Azure Blob SAS token"
     },
 
+    /* OAuth authentication parameters */
+    {
+     FLB_CONFIG_MAP_STR, "tenant_id", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, tenant_id),
+     "Azure AD tenant ID (required for service_principal and workload_identity auth)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "client_id", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, client_id),
+     "Azure AD client ID / Application ID (required for OAuth-based authentication)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "client_secret", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, client_secret),
+     "Azure AD client secret (required for service_principal auth)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "workload_identity_token_file", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, workload_identity_token_file),
+     "Path to workload identity token file (for workload_identity auth)"
+    },
+
     {
      FLB_CONFIG_MAP_STR, "database_file", NULL,
      0, FLB_TRUE, offsetof(struct flb_azure_blob, database_file),

plugins/out_azure_blob/azure_blob.h

@@ -24,6 +24,10 @@
 #include <fluent-bit/flb_upstream.h>
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_sqldb.h>
+#include <fluent-bit/flb_azure_auth.h>
+#ifdef FLB_HAVE_TLS
+#include <fluent-bit/flb_oauth2.h>
+#endif
 
 /* Content-Type */
 #define AZURE_BLOB_CT          "Content-Type"
@@ -48,9 +52,6 @@
 #define AZURE_BLOB_APPENDBLOB 0
 #define AZURE_BLOB_BLOCKBLOB  1
 
-#define AZURE_BLOB_AUTH_KEY 0
-#define AZURE_BLOB_AUTH_SAS 1
-
 struct flb_azure_blob {
     int auto_create_container;
     int emulator_mode;
@@ -65,6 +66,13 @@ struct flb_azure_blob {
     flb_sds_t date_key;
     flb_sds_t auth_type;
     flb_sds_t sas_token;
+    
+    /* OAuth authentication fields */
+    flb_sds_t tenant_id;
+    flb_sds_t client_id;
+    flb_sds_t client_secret;
+    flb_sds_t workload_identity_token_file;
+    
     flb_sds_t database_file;
     size_t part_size;
     time_t upload_parts_timeout;
@@ -112,7 +120,7 @@ struct flb_azure_blob {
      * Internal use
      */
     int  btype;                  /* blob type */
-    int  atype;                  /* auth type */
+    flb_azure_auth_type atype;   /* auth type (uses flb_azure_auth_type enum from flb_azure_auth.h) */
     flb_sds_t real_endpoint;
     flb_sds_t base_uri;
     flb_sds_t shared_key_prefix;
@@ -121,6 +129,13 @@ struct flb_azure_blob {
     unsigned char *decoded_sk;        /* decoded shared key */
     size_t decoded_sk_size;           /* size of decoded shared key */
 
+#ifdef FLB_HAVE_TLS
+    /* OAuth2 authentication */
+    flb_sds_t oauth_url;
+    struct flb_oauth2 *o;
+    pthread_mutex_t token_mutex;
+#endif
+
 #ifdef FLB_HAVE_SQLDB
     /*
      * SQLite by default is not built with multi-threading enabled, and

plugins/out_azure_blob/azure_blob_appendblob.c

@@ -40,7 +40,7 @@ flb_sds_t azb_append_blob_uri(struct flb_azure_blob *ctx, char *tag)
         flb_sds_printf(&uri, "/%s?comp=appendblock", tag);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 

plugins/out_azure_blob/azure_blob_blockblob.c

@@ -48,7 +48,7 @@ flb_sds_t azb_block_blob_blocklist_uri(struct flb_azure_blob *ctx, char *name)
         flb_sds_printf(&uri, "/%s?comp=blocklist", name);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 
@@ -103,7 +103,7 @@ flb_sds_t azb_block_blob_uri(struct flb_azure_blob *ctx, char *name,
         }
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 
@@ -137,7 +137,7 @@ flb_sds_t azb_block_blob_uri_commit(struct flb_azure_blob *ctx,
         flb_sds_printf(&uri, "/%s.%s.%" PRIu64 "%s?comp=blocklist", tag, str, ms, ext);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 

plugins/out_azure_blob/azure_blob_conf.c

@@ -213,7 +213,7 @@ static int flb_azure_blob_process_remote_configuration_payload(
 
         context->endpoint_overriden_flag = FLB_TRUE;
 
-        if (context->atype == AZURE_BLOB_AUTH_KEY) {
+        if (context->atype == FLB_AZURE_AUTH_KEY) {
             value_backup = context->shared_key;
             context->shared_key = NULL;
 
@@ -233,7 +233,7 @@ static int flb_azure_blob_process_remote_configuration_payload(
 
             context->shared_key_overriden_flag = FLB_TRUE;
         }
-        else if (context->atype == AZURE_BLOB_AUTH_SAS) {
+        else if (context->atype == FLB_AZURE_AUTH_SAS) {
             value_backup = context->sas_token;
             context->sas_token = NULL;
 
@@ -590,27 +590,80 @@ struct flb_azure_blob *flb_azure_blob_conf_create(struct flb_output_instance *in
     /* Set Auth type */
     tmp = (char *) flb_output_get_property("auth_type", ins);
     if (!tmp) {
-        ctx->atype = AZURE_BLOB_AUTH_KEY;
+        ctx->atype = FLB_AZURE_AUTH_KEY; /* Default to legacy key auth */
     }
     else {
         if (strcasecmp(tmp, "key") == 0) {
-            ctx->atype = AZURE_BLOB_AUTH_KEY;
+            ctx->atype = FLB_AZURE_AUTH_KEY;
         }
         else if (strcasecmp(tmp, "sas") == 0) {
-            ctx->atype = AZURE_BLOB_AUTH_SAS;
+            ctx->atype = FLB_AZURE_AUTH_SAS;
+        }
+#ifdef FLB_HAVE_TLS
+        else if (strcasecmp(tmp, "service_principal") == 0) {
+            ctx->atype = FLB_AZURE_AUTH_SERVICE_PRINCIPAL;
+            
+            /* Verify required parameters for Service Principal auth */
+            if (!ctx->tenant_id || !ctx->client_id || !ctx->client_secret) {
+                flb_plg_error(ins, "When using service_principal auth, tenant_id, client_id, and client_secret are required");
+                return NULL;
+            }
+        }
+        else if (strcasecmp(tmp, "managed_identity") == 0) {
+            /* Check if client_id indicates system-assigned or user-assigned managed identity */
+            if (!ctx->client_id) {
+                flb_plg_error(ins, "When using managed_identity auth, client_id must be set to 'system' for system-assigned or the managed identity client ID");
+                return NULL;
+            }
+            
+            if (strcasecmp(ctx->client_id, "system") == 0) {
+                ctx->atype = FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM;
+            } else {
+                ctx->atype = FLB_AZURE_AUTH_MANAGED_IDENTITY_USER;
+            }
         }
+        else if (strcasecmp(tmp, "workload_identity") == 0) {
+            ctx->atype = FLB_AZURE_AUTH_WORKLOAD_IDENTITY;
+            
+            /* Verify required parameters for Workload Identity auth */
+            if (!ctx->tenant_id || !ctx->client_id) {
+                flb_plg_error(ins, "When using workload_identity auth, tenant_id and client_id are required");
+                return NULL;
+            }
+            
+            /* Set default token file path if not specified */
+            if (!ctx->workload_identity_token_file) {
+                ctx->workload_identity_token_file = flb_sds_create(FLB_AZURE_WORKLOAD_IDENTITY_TOKEN_FILE);
+                if (!ctx->workload_identity_token_file) {
+                    flb_errno();
+                    flb_plg_error(ins, "Could not allocate default workload identity token path");
+                    return NULL;
+                }
+            }
+        }
+#else
+        else if (strcasecmp(tmp, "service_principal") == 0 ||
+                 strcasecmp(tmp, "managed_identity") == 0 ||
+                 strcasecmp(tmp, "workload_identity") == 0) {
+            flb_plg_error(ctx->ins, "OAuth authentication requires TLS support. "\
+                          "Rebuild with -DFLB_TLS=ON");
+            return NULL;
+        }
+#endif
         else {
-            flb_plg_error(ctx->ins, "invalid auth_type value '%s'", tmp);
+            flb_plg_error(ctx->ins, "invalid auth_type value '%s'. Valid options are: 'key', 'sas', 'service_principal', 'managed_identity', or 'workload_identity'", tmp);
             return NULL;
         }
     }
-    if (ctx->atype == AZURE_BLOB_AUTH_KEY &&
+    
+    /* Validate auth-specific requirements */
+    if (ctx->atype == FLB_AZURE_AUTH_KEY &&
         ctx->shared_key == NULL) {
         flb_plg_error(ctx->ins, "'shared_key' has not been set");
         return NULL;
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS) {
         if (ctx->sas_token == NULL) {
             flb_plg_error(ctx->ins, "'sas_token' has not been set");
             return NULL;
@@ -621,7 +674,7 @@ struct flb_azure_blob *flb_azure_blob_conf_create(struct flb_output_instance *in
     }
 
     /* If the shared key is set decode it */
-    if (ctx->atype == AZURE_BLOB_AUTH_KEY &&
+    if (ctx->atype == FLB_AZURE_AUTH_KEY &&
         ctx->shared_key != NULL) {
         ret = set_shared_key(ctx);
         if (ret == -1) {
@@ -730,6 +783,37 @@ struct flb_azure_blob *flb_azure_blob_conf_create(struct flb_output_instance *in
     }
     flb_output_upstream_set(ctx->u, ins);
 
+#ifdef FLB_HAVE_TLS
+    /* Initialize OAuth2 context for OAuth-based authentication methods */
+    if (ctx->atype == FLB_AZURE_AUTH_SERVICE_PRINCIPAL ||
+        ctx->atype == FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM ||
+        ctx->atype == FLB_AZURE_AUTH_MANAGED_IDENTITY_USER ||
+        ctx->atype == FLB_AZURE_AUTH_WORKLOAD_IDENTITY) {
+        
+        /* Build OAuth URL based on auth type */
+        ctx->oauth_url = flb_azure_auth_build_oauth_url(ctx->atype,
+                                                         ctx->tenant_id,
+                                                         ctx->client_id,
+                                                         FLB_AZURE_BLOB_RESOURCE);
+        if (!ctx->oauth_url) {
+            flb_plg_error(ctx->ins, "failed to create OAuth URL");
+            return NULL;
+        }
+
+        /* Create OAuth2 context */
+        ctx->o = flb_oauth2_create(ctx->config, ctx->oauth_url, 3000);
+        if (!ctx->o) {
+            flb_plg_error(ctx->ins, "cannot create oauth2 context");
+            return NULL;
+        }
+
+        /* Initialize token mutex */
+        pthread_mutex_init(&ctx->token_mutex, NULL);
+
+        flb_plg_info(ctx->ins, "oauth2 context initialized for auth type");
+    }
+#endif
+
     /* Compose base uri */
     ctx->base_uri = flb_sds_create_size(256);
     if (!ctx->base_uri) {
@@ -746,7 +830,7 @@ struct flb_azure_blob *flb_azure_blob_conf_create(struct flb_output_instance *in
     }
 
     /* Prepare shared key buffer */
-    if (ctx->atype == AZURE_BLOB_AUTH_KEY) {
+    if (ctx->atype == FLB_AZURE_AUTH_KEY) {
         ctx->shared_key_prefix = flb_sds_create_size(256);
         if (!ctx->shared_key_prefix) {
             flb_plg_error(ctx->ins, "cannot create shared key prefix");
@@ -772,13 +856,40 @@ struct flb_azure_blob *flb_azure_blob_conf_create(struct flb_output_instance *in
 
     pthread_mutex_init(&ctx->file_upload_commit_file_parts, NULL);
 
-    flb_plg_info(ctx->ins,
-                 "account_name=%s, container_name=%s, blob_type=%s, emulator_mode=%s, endpoint=%s, auth_type=%s",
-                 ctx->account_name, ctx->container_name,
-                 ctx->btype == AZURE_BLOB_APPENDBLOB ? "appendblob" : "blockblob",
-                 ctx->emulator_mode ? "yes" : "no",
-                 ctx->real_endpoint ? ctx->real_endpoint : "no",
-                 ctx->atype == AZURE_BLOB_AUTH_KEY ? "key" : "sas");
+    /* Log configuration summary */
+    {
+        const char *auth_type_str;
+        switch (ctx->atype) {
+            case FLB_AZURE_AUTH_KEY:
+                auth_type_str = "key";
+                break;
+            case FLB_AZURE_AUTH_SAS:
+                auth_type_str = "sas";
+                break;
+            case FLB_AZURE_AUTH_SERVICE_PRINCIPAL:
+                auth_type_str = "service_principal";
+                break;
+            case FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM:
+                auth_type_str = "managed_identity (system)";
+                break;
+            case FLB_AZURE_AUTH_MANAGED_IDENTITY_USER:
+                auth_type_str = "managed_identity (user)";
+                break;
+            case FLB_AZURE_AUTH_WORKLOAD_IDENTITY:
+                auth_type_str = "workload_identity";
+                break;
+            default:
+                auth_type_str = "unknown";
+        }
+        
+        flb_plg_info(ctx->ins,
+                     "account_name=%s, container_name=%s, blob_type=%s, emulator_mode=%s, endpoint=%s, auth_type=%s",
+                     ctx->account_name, ctx->container_name,
+                     ctx->btype == AZURE_BLOB_APPENDBLOB ? "appendblob" : "blockblob",
+                     ctx->emulator_mode ? "yes" : "no",
+                     ctx->real_endpoint ? ctx->real_endpoint : "no",
+                     auth_type_str);
+    }
     return ctx;
 }
 
@@ -826,6 +937,23 @@ void flb_azure_blob_conf_destroy(struct flb_azure_blob *ctx)
         flb_upstream_destroy(ctx->u);
     }
 
+#ifdef FLB_HAVE_TLS
+    /* Cleanup OAuth2 resources */
+    if (ctx->oauth_url) {
+        flb_sds_destroy(ctx->oauth_url);
+    }
+
+    if (ctx->o) {
+        flb_oauth2_destroy(ctx->o);
+    }
+
+    if (ctx->atype == FLB_AZURE_AUTH_SERVICE_PRINCIPAL ||
+        ctx->atype == FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM ||
+        ctx->atype == FLB_AZURE_AUTH_MANAGED_IDENTITY_USER ||
+        ctx->atype == FLB_AZURE_AUTH_WORKLOAD_IDENTITY) {
+        pthread_mutex_destroy(&ctx->token_mutex);
+    }
+#endif
 
     azb_db_close(ctx);
     flb_free(ctx);