fluent · edsiper · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025
@@ -183,14 +183,19 @@ def validate_commit(commit):
     umbrella_prefixes = {"lib:"}
 
     # If more than one non-build prefix is inferred AND the subject is not an umbrella
-    # prefix, require split commits.
+    # prefix, check if the subject prefix is in the expected list. If it is, allow it
+    # (because the corresponding file exists). Only reject if it's not in the expected list
+    # or if it's an umbrella prefix that doesn't match.
     if len(non_build_prefixes) > 1 and subj_lower not in umbrella_prefixes:
-        expected_list = sorted(expected)
-        expected_str = ", ".join(expected_list)
-        return False, (
-            f"Subject prefix '{subject_prefix}' does not match files changed.\n"
-            f"Expected one of: {expected_str}"
-        )
+        # If subject prefix is in expected list, it's valid (the corresponding file exists)
+        if subj_lower not in expected_lower:
+            expected_list = sorted(expected)
+            expected_str = ", ".join(expected_list)
+            return False, (
+                f"Subject prefix '{subject_prefix}' does not match files changed.\n"
+                f"Expected one of: {expected_str}"
+            )
+        # Subject prefix is in expected list, so it's valid - no need to check further
 
     # Subject prefix must be one of the expected ones
     if subj_lower not in expected_lower:

@@ -62,6 +62,7 @@
  */
 #define timezone _timezone
 #define tzname _tzname
+#define strcasecmp _stricmp
 #define strncasecmp _strnicmp
 #define timegm _mkgmtime
 
@@ -138,6 +139,7 @@ static inline int usleep(LONGLONG usec)
 #include <arpa/inet.h>
 #include <libgen.h>
 #include <dlfcn.h>
+#include <strings.h>
 
 #define FLB_DIRCHAR '/'
 #endif
@@ -148,33 +150,33 @@ static inline int usleep(LONGLONG usec)
 
 #ifdef FLB_ENFORCE_ALIGNMENT
 
-/* Please do not modify these functions without a very solid understanding of 
+/* Please do not modify these functions without a very solid understanding of
  * the reasoning behind.
  *
  * These functions deliverately abuse the volatile qualifier in order to prevent
- * the compiler from mistakenly optimizing the memory accesses into a singled 
- * DWORD read (which in some architecture and compiler combinations it does regardless 
+ * the compiler from mistakenly optimizing the memory accesses into a singled
+ * DWORD read (which in some architecture and compiler combinations it does regardless
  * of the flags).
- * 
- * The reason why we decided to include this is that according to PR 9096, 
- * when the linux kernel is built and configured to pass through memory alignment 
- * exceptions rather than remediate them fluent-bit generates one while accessing a 
- * packed field in the msgpack wire format (which we cannot modify due to interoperability 
+ *
+ * The reason why we decided to include this is that according to PR 9096,
+ * when the linux kernel is built and configured to pass through memory alignment
+ * exceptions rather than remediate them fluent-bit generates one while accessing a
+ * packed field in the msgpack wire format (which we cannot modify due to interoperability
  * reasons).
- * 
- * Because of this, a potential patch using memcpy was suggested, however, this patch did 
- * not yield consistent machine code accross architecture and compiler versions with most 
+ *
+ * Because of this, a potential patch using memcpy was suggested, however, this patch did
+ * not yield consistent machine code accross architecture and compiler versions with most
  * of them still generating optimized misaligned memory access instructions.
- * 
+ *
  * Keep in mind that these functions transform a single memory read into seven plus a few
- * writes as this was the only way to prevent the compiler from mistakenly optimizing the 
+ * writes as this was the only way to prevent the compiler from mistakenly optimizing the
  * operations.
- * 
- * In most cases, FLB_ENFORCE_ALIGNMENT should not be enabled and the operating system 
- * kernel should be left to handle these scenarios, however, this option is present for 
- * those users who deliverately and knowingly choose to set up their operating system in 
+ *
+ * In most cases, FLB_ENFORCE_ALIGNMENT should not be enabled and the operating system
+ * kernel should be left to handle these scenarios, however, this option is present for
+ * those users who deliverately and knowingly choose to set up their operating system in
  * a way that requires it.
- * 
+ *
  */
 
 #if FLB_BYTE_ORDER == FLB_LITTLE_ENDIAN

@@ -54,48 +54,73 @@ int flb_crypto_transform(struct flb_crypto *context,
                          unsigned char *output_buffer,
                          size_t *output_length);
 
-int flb_crypto_sign(struct flb_crypto *context, 
-                    unsigned char *input_buffer, 
+int flb_crypto_sign(struct flb_crypto *context,
+                    unsigned char *input_buffer,
                     size_t input_length,
-                    unsigned char *output_buffer, 
+                    unsigned char *output_buffer,
                     size_t *output_length);
 
-int flb_crypto_encrypt(struct flb_crypto *context, 
-                       unsigned char *input_buffer, 
+int flb_crypto_encrypt(struct flb_crypto *context,
+                       unsigned char *input_buffer,
                        size_t input_length,
-                       unsigned char *output_buffer, 
+                       unsigned char *output_buffer,
                        size_t *output_length);
 
-int flb_crypto_decrypt(struct flb_crypto *context, 
-                       unsigned char *input_buffer, 
+int flb_crypto_decrypt(struct flb_crypto *context,
+                       unsigned char *input_buffer,
                        size_t input_length,
-                       unsigned char *output_buffer, 
+                       unsigned char *output_buffer,
                        size_t *output_length);
 
-int flb_crypto_sign_simple(int key_type,    
+int flb_crypto_sign_simple(int key_type,
                            int padding_type,
                            int digest_algorithm,
                            unsigned char *key,
-                           size_t key_length, 
-                           unsigned char *input_buffer, 
+                           size_t key_length,
+                           unsigned char *input_buffer,
                            size_t input_length,
-                           unsigned char *output_buffer, 
+                           unsigned char *output_buffer,
                            size_t *output_length);
 
 int flb_crypto_encrypt_simple(int padding_type,
                               unsigned char *key,
-                              size_t key_length, 
-                              unsigned char *input_buffer, 
+                              size_t key_length,
+                              unsigned char *input_buffer,
                               size_t input_length,
-                              unsigned char *output_buffer, 
+                              unsigned char *output_buffer,
                               size_t *output_length);
 
 int flb_crypto_decrypt_simple(int padding_type,
                               unsigned char *key,
-                              size_t key_length, 
-                              unsigned char *input_buffer, 
+                              size_t key_length,
+                              unsigned char *input_buffer,
                               size_t input_length,
-                              unsigned char *output_buffer, 
+                              unsigned char *output_buffer,
                               size_t *output_length);
 
+int flb_crypto_init_from_rsa_components(struct flb_crypto *context,
+                                        int padding_type,
+                                        int digest_algorithm,
+                                        unsigned char *modulus_bytes,
+                                        size_t modulus_len,
+                                        unsigned char *exponent_bytes,
+                                        size_t exponent_len);
+
+int flb_crypto_verify(struct flb_crypto *context,
+                      unsigned char *data,
+                      size_t data_length,
+                      unsigned char *signature,
+                      size_t signature_length);
+
+int flb_crypto_verify_simple(int padding_type,
+                             int digest_algorithm,
+                             unsigned char *modulus_bytes,
+                             size_t modulus_len,
+                             unsigned char *exponent_bytes,
+                             size_t exponent_len,
+                             unsigned char *data,
+                             size_t data_length,
+                             unsigned char *signature,
+                             size_t signature_length);
+
 #endif
@@ -52,5 +52,6 @@
 #define FLB_CRYPTO_OPERATION_SIGN     1
 #define FLB_CRYPTO_OPERATION_ENCRYPT  2
 #define FLB_CRYPTO_OPERATION_DECRYPT  3
+#define FLB_CRYPTO_OPERATION_VERIFY   4
 
 #endif
@@ -222,6 +222,7 @@ struct flb_http_client {
     int method;
     int flags;
     int header_len;
+    int base_header_len;
     int header_size;
     char *header_buf;
 
@@ -261,6 +262,8 @@ struct flb_http_client {
     void *cb_ctx;
 };
 
+struct flb_oauth2;
+
 struct flb_http_client_ng {
     struct cfl_list         sessions;
 
@@ -377,6 +380,8 @@ int flb_http_proxy_auth(struct flb_http_client *c,
                         const char *user, const char *passwd);
 int flb_http_bearer_auth(struct flb_http_client *c,
                         const char *token);
+int flb_http_remove_header(struct flb_http_client *c,
+                          const char *key, size_t key_len);
 int flb_http_set_keepalive(struct flb_http_client *c);
 int flb_http_set_content_encoding_gzip(struct flb_http_client *c);
 int flb_http_set_content_encoding_zstd(struct flb_http_client *c);
@@ -397,6 +402,8 @@ int flb_http_get_response_data(struct flb_http_client *c, size_t bytes_consumed)
 int flb_http_do_request(struct flb_http_client *c, size_t *bytes);
 
 int flb_http_do(struct flb_http_client *c, size_t *bytes);
+int flb_http_do_with_oauth2(struct flb_http_client *c, size_t *bytes,
+                            struct flb_oauth2 *oauth2);
 int flb_http_client_proxy_connect(struct flb_connection *u_conn);
 void flb_http_client_destroy(struct flb_http_client *c);
 int flb_http_buffer_size(struct flb_http_client *c, size_t size);

@@ -471,6 +471,9 @@ struct flb_input_instance {
     struct mk_list *net_config_map;
     struct mk_list net_properties;
 
+    struct mk_list *oauth2_jwt_config_map;
+    struct mk_list oauth2_jwt_properties;
+
     flb_pipefd_t notification_channel;
 
     /* Keep a reference to the original context this instance belongs to */

@@ -21,11 +21,35 @@
 #define FLB_OAUTH2_H
 
 #include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_config_map.h>
 #include <fluent-bit/flb_sds.h>
+#include <fluent-bit/flb_lock.h>
 #include <fluent-bit/tls/flb_tls.h>
 
-#define FLB_OAUTH2_PORT          "443"
-#define FLB_OAUTH2_HTTP_ENCODING "application/x-www-form-urlencoded"
+#define FLB_OAUTH2_PORT              "443"
+#define FLB_OAUTH2_HTTP_ENCODING     "application/x-www-form-urlencoded"
+#define FLB_OAUTH2_DEFAULT_SKEW_SECS 60
+#define FLB_OAUTH2_DEFAULT_EXPIRES   300
+
+enum flb_oauth2_auth_method {
+    FLB_OAUTH2_AUTH_METHOD_BASIC = 0,
+    FLB_OAUTH2_AUTH_METHOD_POST  = 1
+};
+
+struct flb_oauth2_config {
+    int enabled;
+    flb_sds_t token_url;
+    flb_sds_t client_id;
+    flb_sds_t client_secret;
+    flb_sds_t scope;
+    flb_sds_t audience;
+
+    enum flb_oauth2_auth_method auth_method;
+
+    int refresh_skew;
+    int timeout;
+    int connect_timeout;
+};
 
 struct flb_oauth2 {
     flb_sds_t auth_url;
@@ -36,9 +60,14 @@ struct flb_oauth2 {
     flb_sds_t port;
     flb_sds_t uri;
 
-    /* Token times set by the caller */
-    time_t issued;
-    time_t expires;
+    /* Configuration */
+    struct flb_oauth2_config cfg;
+
+    /* Internal state */
+    int payload_manual;
+    flb_lock_t lock;
+    time_t expires_at;
+    int refresh_skew;
 
     /* Token info after successful auth */
     flb_sds_t access_token;
@@ -58,17 +87,27 @@ struct flb_oauth2 {
 
 struct flb_oauth2 *flb_oauth2_create(struct flb_config *config,
                                      const char *auth_url, int expire_sec);
+struct flb_oauth2 *flb_oauth2_create_from_config(
+                                struct flb_config *config,
+                                const struct flb_oauth2_config *cfg);
 void flb_oauth2_destroy(struct flb_oauth2 *ctx);
+void flb_oauth2_config_destroy(struct flb_oauth2_config *cfg);
 int flb_oauth2_token_len(struct flb_oauth2 *ctx);
 void flb_oauth2_payload_clear(struct flb_oauth2 *ctx);
 int flb_oauth2_payload_append(struct flb_oauth2 *ctx,
                               const char *key_str, int key_len,
                               const char *val_str, int val_len);
 char *flb_oauth2_token_get_ng(struct flb_oauth2 *ctx);
 char *flb_oauth2_token_get(struct flb_oauth2 *ctx);
+int flb_oauth2_get_access_token(struct flb_oauth2 *ctx,
+                                flb_sds_t *token_out,
+                                int force_refresh);
+void flb_oauth2_invalidate_token(struct flb_oauth2 *ctx);
 int flb_oauth2_token_expired(struct flb_oauth2 *ctx);
 
 int flb_oauth2_parse_json_response(const char *json_data, size_t json_size,
                         struct flb_oauth2 *ctx);
 
+struct mk_list *flb_oauth2_get_config_map(struct flb_config *config);
+
 #endif