out_oracle_log_analytics: Implement IMDS authentication, chunking #10990
Walkthrough
Adds a helper module for region/realm/timezone mapping, integrates IMDS + federation instance‑principal authentication with session keypair and token exchange/refresh, implements OCI request signing, payload batching/chunking and optional local dumping, updates build/tests, and exposes helper/config APIs.
Sequence Diagram(s)
sequenceDiagram
autonumber
participant FB as Fluent Bit
participant CONF as oci_logan_conf
participant HELP as oci_logan_helper
participant PL as oci_logan
participant IMDS as OCI IMDS
participant FED as OCI Federation
participant LA as Oracle Log Analytics
rect rgb(250,250,255)
note over FB,CONF: Initialization & auth
FB->>CONF: flb_oci_logan_conf_create()
alt auth_type == instance_principal
CONF->>IMDS: fetch region, certs, keys
IMDS-->>CONF: region/certs/keys
CONF->>CONF: generate session RSA keypair
CONF->>CONF: create_federation_payload()
CONF->>FED: sign_and_send_federation_request(payload)
FED-->>CONF: federation token (JWT)
CONF->>CONF: decode JWT, set token expiry
else auth_type == config_file
CONF->>CONF: load credentials from config file
end
CONF-->>FB: initialized ctx
end
rect rgb(245,255,245)
note over FB,PL: Flush / Send logs
FB->>PL: cb_flush(chunk)
PL->>HELP: determine_realm_from_region / is_valid_timezone
PL->>PL: token_needs_refresh?
alt needs_refresh
PL->>CONF: sign_and_send_federation_request()
CONF-->>PL: refreshed token
end
PL->>PL: estimate payload size -> batch decisions
loop per batch
PL->>PL: calculate_content_sha256_b64(payload)
PL->>PL: sign_oci_request_with_security_token_for_logging(...)
PL->>LA: POST signed request
alt success
LA-->>PL: 2xx OK
PL->>PL: optional dump_payload_to_file()
else error
LA-->>PL: 4xx/5xx
PL->>PL: retry/diagnose
end
end
PL-->>FB: flush result
end
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes
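The token-expiry step in the sequence above (decode the JWT, record its expiry, decide before each flush whether a refresh is needed), as an added example that is not code from this pull request. The function names, the 300-second skew and the sample token are assumptions made for illustration; the `exp` claim is read without verifying the signature, which is acceptable only for scheduling a refresh, never for trusting the token.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: header {} . payload {"exp":1700000000} . signature "sig" */
static const char CONSTRUCTED_TOKEN[] = "e30.eyJleHAiOjE3MDAwMDAwMDB9.c2ln";

/* Map one base64url character to its 6-bit value; -1 if outside the alphabet. */
static int b64url_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode unpadded base64url into out (NUL-terminated). Returns byte count or -1. */
static long b64url_decode(const char *in, size_t in_len, char *out, size_t cap)
{
    size_t i, o = 0;
    unsigned int acc = 0;
    int bits = 0, v;

    if (cap == 0 || in_len % 4 == 1) return -1;
    for (i = 0; i < in_len; i++) {
        v = b64url_val((unsigned char) in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int) v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= cap) return -1;      /* keep room for the NUL */
            out[o++] = (char) ((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1u;
        }
    }
    out[o] = '\0';
    return (long) o;
}

/* Read the numeric "exp" claim. Returns 0 on success, -1 on any malformed input.
 * Simplification: a flat string scan stands in for a real JSON parser. */
int jwt_get_exp(const char *token, long long *exp_out)
{
    const char *dot1, *dot2, *k;
    char payload[2048];
    char *end;

    if (!token || !exp_out) return -1;
    dot1 = strchr(token, '.');
    dot2 = dot1 ? strchr(dot1 + 1, '.') : NULL;
    if (!dot2 || strchr(dot2 + 1, '.')) return -1;   /* exactly three segments */
    if (b64url_decode(dot1 + 1, (size_t) (dot2 - dot1 - 1),
                      payload, sizeof(payload)) <= 0) return -1;

    k = strstr(payload, "\"exp\"");
    if (!k) return -1;
    k += 5;
    while (*k == ' ' || *k == '\t') k++;
    if (*k++ != ':') return -1;
    while (*k == ' ' || *k == '\t') k++;
    if (*k < '0' || *k > '9') return -1;   /* quoted or negative values rejected */
    errno = 0;
    *exp_out = strtoll(k, &end, 10);
    return (errno != 0 || end == k) ? -1 : 0;
}

/* Convenience wrapper: the expiry, or -1 when it cannot be read. */
long long jwt_exp_or_neg(const char *token)
{
    long long exp;
    return jwt_get_exp(token, &exp) == 0 ? exp : -1;
}

/* Refresh when the token expires within skew seconds of now. Fails closed:
 * a token whose expiry cannot be read is treated as already expired. */
int needs_refresh(const char *token, long long now, long long skew)
{
    long long exp;
    if (jwt_get_exp(token, &exp) != 0) return 1;
    return exp - skew <= now;
}

int main(void)
{
    printf("exp=%lld\n", jwt_exp_or_neg(CONSTRUCTED_TOKEN));
    printf("fresh: %d\n", needs_refresh(CONSTRUCTED_TOKEN, 1699990000LL, 300));
    printf("near expiry: %d\n", needs_refresh(CONSTRUCTED_TOKEN, 1699999800LL, 300));
    printf("malformed: %d\n", needs_refresh("e30.!!!!.c2ln", 0, 300));
    return 0;
}
```

The refresh decision uses a skew so a token is never presented in its last seconds of validity, and every parse failure maps to "refresh now" rather than "keep using it".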
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
plugins/out_oracle_log_analytics/oci_logan_conf.c (1)
1576-1616: Free newly allocated IMDS resources
flb_oci_logan_conf_destroy still only releases the legacy fields. Everything added for IMDS/federation—ctx->imds.region, leaf_cert, leaf_key, intermediate_cert, tenancy_ocid, fingerprint, session_pubkey, session_privkey, ctx->session_key_pair, ctx->security_token.token, plus auth_type, payload_files_location, etc.—leaks on teardown. Please destroy each SDS/heap allocation and EVP_PKEY_free(ctx->session_key_pair) before freeing ctx.
🧹 Nitpick comments (1)
plugins/out_oracle_log_analytics/oci_logan_helper.c (1)
493-543: Remove stderr debug spam
All the fprintf(stderr, ...) calls inside the timezone helpers will spam hundreds of lines per invocation and bypass Fluent Bit’s logging facilities. Please drop them or switch to flb_plg_debug/flb_plg_info guarded by log level checks so normal runs stay clean.
📒 Files selected for processing (6)
- plugins/out_oracle_log_analytics/CMakeLists.txt (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan.c (33 hunks)
- plugins/out_oracle_log_analytics/oci_logan.h (5 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (13 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.h (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (1 hunks)
Actionable comments posted: 2
♻️ Duplicate comments (2)
plugins/out_oracle_log_analytics/oci_logan_helper.c (2)
462-466: Previous issue has been resolved.
The timezone hash value storage issue flagged in the previous review has been fixed. The code now correctly stores the full string including the null terminator using sizeof("1").
488-490: CRITICAL: Uninitialized variables and unchecked hash lookup.
This critical issue flagged in the previous review has NOT been fixed. The variables out_buf and out_size are not initialized, and the return value from flb_hash_table_get is not checked before dereferencing out_buf. This leads to undefined behavior and potential crashes when a timezone is not found in the hash table.
Apply the fix from the previous review:
- void *out_buf; - size_t out_size; + void *out_buf = NULL; + size_t out_size = 0; + int ht_ret; @@ - flb_hash_table_get(oci_timezone_hash, lower_tz, strlen(lower_tz), - &out_buf, &out_size); + ht_ret = flb_hash_table_get(oci_timezone_hash, lower_tz, + strlen(lower_tz), &out_buf, &out_size); + if (ht_ret != 0) { + free(lower_tz); + return 0; + } @@ - fprintf(stderr, "is_oci_supported_timezone::out_buf->%s\n", - (char *) out_buf); - fflush(stderr); - free(lower_tz); - return ((out_buf != NULL ? (!strcmp(out_buf, "1") ? 1 : 0) : 0)); + free(lower_tz); + return (out_buf != NULL && strcmp((char *) out_buf, "1") == 0) ? 1 : 0;Also applies to: 519-527
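Review bot: the guard if (ht_ret != 0) in the lookup treats every non-zero return as a miss, which is only correct if flb_hash_table_get returns exactly 0 on a hit. If it returns a negative value on a miss and a non-negative id on a hit, this check rejects valid timezones, so confirm the convention in src/flb_hash_table.c and test ht_ret < 0 in that case. The out_buf != NULL check in the final return should stay either way, and lower_tz is released with free() on both paths, which has to match how it was allocated.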
🧹 Nitpick comments (1)
plugins/out_oracle_log_analytics/oci_logan_helper.c (1)
445-476: Consider using consistent error codes.
The initialization function returns different negative error codes (-2, -3), but the callers only check for non-zero. Consider documenting these error codes or simplifying to return 0 for success and -1 for any failure.
Example:
- return -2; + return -1; /* hash table creation failed */ @@ - return -3; + return -1; /* hash table population failed */
📒 Files selected for processing (1)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (1 hunks)
🔇 Additional comments (2)
plugins/out_oracle_log_analytics/oci_logan_helper.c (2)
547-575: LGTM: Realm and region helper functions are well-implemented.
Both determine_realm_from_region and get_domain_suffix_for_realm properly handle NULL inputs with sensible defaults ("oc1" and "oraclecloud.com" respectively) and include fallback values when lookups fail. The linear search approach is appropriate for these small static lookup tables.
478-484: LGTM: Cleanup function is correctly implemented.
The cleanup function properly checks for NULL before destroying and sets the pointer to NULL afterward, preventing double-free issues.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
plugins/out_oracle_log_analytics/oci_logan_conf.c (1)
1654-1689: Release IMDS/session resources in conf_destroy().
flb_oci_logan_conf_destroy() now owns several allocations (IMDS cert/key SDS, session key pair, security token, payload dump path, auth_type, etc.) but none of them are released here, so every plugin shutdown leaks OpenSSL keys, SDS buffers, and heap strings. Please free the new fields (use flb_sds_destroy for SDS, flb_free for plain malloc/flb_malloc, and EVP_PKEY_free for session_key_pair) before freeing ctx
.if (ctx->u) { flb_upstream_destroy(ctx->u); } + if (ctx->session_key_pair) { + EVP_PKEY_free(ctx->session_key_pair); + } + if (ctx->security_token.token) { + flb_sds_destroy(ctx->security_token.token); + } + if (ctx->imds.region) { + flb_sds_destroy(ctx->imds.region); + } + if (ctx->imds.leaf_cert) { + flb_free(ctx->imds.leaf_cert); + } + if (ctx->imds.leaf_key) { + flb_sds_destroy(ctx->imds.leaf_key); + } + if (ctx->imds.intermediate_cert) { + flb_sds_destroy(ctx->imds.intermediate_cert); + } + if (ctx->imds.fingerprint) { + flb_sds_destroy(ctx->imds.fingerprint); + } + if (ctx->imds.session_pubkey) { + flb_free(ctx->imds.session_pubkey); + } + if (ctx->imds.session_privkey) { + flb_free(ctx->imds.session_privkey); + } + if (ctx->auth_type) { + flb_free(ctx->auth_type); + } + if (ctx->payload_files_location) { + flb_free(ctx->payload_files_location); + } + if (ctx->domain_suffix) { + flb_free(ctx->domain_suffix); + } + if (ctx->oci_la_timezone) { flb_sds_destroy(ctx->oci_la_timezone); }
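Review bot: tenancy_ocid is missing from the releases added to the destructor, although the first review comment on this function lists it among the leaked IMDS fields; add the matching free. The list also releases leaf_cert, session_pubkey and session_privkey with flb_free while leaf_key, intermediate_cert and fingerprint go through flb_sds_destroy, so each call needs checking against how the field is actually allocated, given the later note that session_pubkey/session_privkey are typed flb_sds_t.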
📒 Files selected for processing (2)
- plugins/out_oracle_log_analytics/oci_logan.h (5 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (13 hunks)
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
plugins/out_oracle_log_analytics/oci_logan.h (1)
115-119: Use application/json as Content-Type
Uploads are JSON; make the default consistent across signing/requests.
-#define FLB_OCI_HEADER_CONTENT_TYPE_VAL "application/octet-stream" +#define FLB_OCI_HEADER_CONTENT_TYPE_VAL "application/json"
♻️ Duplicate comments (17)
tests/runtime/out_oracle_log_analytics.c (2)
160-172
: Verify fwrite() results to ensure files are valid- if (config_file) { - fwrite(config_content, 1, strlen(config_content), config_file); - fclose(config_file); - } + if (config_file) { + size_t written = fwrite(config_content, 1, strlen(config_content), config_file); + TEST_CHECK(written == strlen(config_content)); + fclose(config_file); + } @@ - if (key_file) { - fwrite(key_content, 1, strlen(key_content), key_file); - fclose(key_file); - } + if (key_file) { + size_t written = fwrite(key_content, 1, strlen(key_content), key_file); + TEST_CHECK(written == strlen(key_content)); + fclose(key_file); + }Also applies to: 167-172
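Review bot: both writes are skipped silently when the file handle is NULL, because the if (config_file) and if (key_file) branches have no else; add TEST_CHECK(config_file != NULL) and TEST_CHECK(key_file != NULL) so a fixture that could not be created fails the test at the point of cause. The fwrite count check is fine, but the return value of fclose is still ignored, and that is where a buffered short write surfaces.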
72-75: Unset FLB_OCI_PLUGIN_UNDER_TEST to avoid state leak
First test doesn't unset the flag; leaks into later tests.
flb_destroy(ctx); - unsetenv("TEST_IMDS_SUCCESS"); + unsetenv("FLB_OCI_PLUGIN_UNDER_TEST"); + unsetenv("TEST_IMDS_SUCCESS"); }plugins/out_oracle_log_analytics/oci_logan_conf.c (9)
162-166
: Free SDS on empty content to avoid leak- if (content == NULL || flb_sds_len(content) == 0) { - return -1; - } + if (content == NULL || flb_sds_len(content) == 0) { + if (content) { flb_sds_destroy(content); } + return -1; + }
738-746: Error path: release partial IMDS allocations instead of NULLing
Avoid leaks on failures after partial success.
- ctx->imds.fingerprint = NULL; - ctx->imds.intermediate_cert = NULL; - ctx->imds.leaf_cert = NULL; - ctx->imds.leaf_key = NULL; - ctx->imds.region = NULL; + if (ctx->imds.fingerprint) { flb_sds_destroy(ctx->imds.fingerprint); ctx->imds.fingerprint = NULL; } + if (ctx->imds.intermediate_cert) { flb_sds_destroy(ctx->imds.intermediate_cert); ctx->imds.intermediate_cert = NULL; } + if (ctx->imds.leaf_cert) { flb_free(ctx->imds.leaf_cert); ctx->imds.leaf_cert = NULL; } + if (ctx->imds.leaf_key) { flb_sds_destroy(ctx->imds.leaf_key); ctx->imds.leaf_key = NULL; } + if (ctx->imds.region) { flb_sds_destroy(ctx->imds.region); ctx->imds.region = NULL; }
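Review bot: leaf_key is released in this error path while it may still hold the instance private key in PEM form; clear the buffer before flb_sds_destroy, for example with OPENSSL_cleanse over flb_sds_len(ctx->imds.leaf_key) bytes, so the key does not linger in freed heap memory. Freeing each field and then setting the pointer to NULL is the right shape for the rest of the block.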
754-769
: Check OpenSSL allocations (<3.0) and free on failure#if OPENSSL_VERSION_NUMBER < 0x30000000L EVP_PKEY *pkey = EVP_PKEY_new(); BIGNUM *bn = BN_new(); RSA *rsa = RSA_new(); int rc; + if (!pkey || !bn || !rsa) { + if (rsa) { RSA_free(rsa); } + if (bn) { BN_free(bn); } + if (pkey){ EVP_PKEY_free(pkey); } + return NULL; + } + BN_set_word(bn, RSA_F4); rc = RSA_generate_key_ex(rsa, 2048, bn, NULL); if (rc != 1) { - RSA_free(rsa); - BN_free(bn); + RSA_free(rsa); + BN_free(bn); + EVP_PKEY_free(pkey); return NULL; }
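Review bot: the return value of BN_set_word(bn, RSA_F4) is not checked before RSA_generate_key_ex uses bn; fold it into the failure handling, e.g. if (BN_set_word(bn, RSA_F4) != 1) followed by the same three frees. The added EVP_PKEY_free(pkey) on the generate-failure branch is needed; the success path is not visible in this hunk, so confirm bn is freed there as well.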
1425-1426: Remove invalid Content-Length header addition
flb_http_add_header rejects val_len=0 and client sets Content-Length.
- flb_http_add_header(client, "Content-Length", 14, NULL, 0);
1652-1656
: Destroy ctx on host construction failure to avoid leakhost = construct_oci_host("loganalytics", ctx); if (!host) { flb_plg_error(ctx->ins, "failed to construct oci host"); - return NULL; + flb_oci_logan_conf_destroy(ctx); + return NULL; }
1958-1960
: Fix log typo- flb_plg_info(ctx->ins, "security token expir e in %ld", exp); + flb_plg_info(ctx->ins, "security token expires at %ld", exp);
698-701: Free key_resp after extracting PEM to prevent leak
key_resp is copied into SDS; original should be destroyed.
size_t pem_len = (pem_end - pem_start) + strlen("-----END RSA PRIVATE KEY-----") + 1; ctx->imds.leaf_key = flb_sds_create_len(pem_start, pem_len); + flb_sds_destroy(key_resp);
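Review bot: pem_len adds 1 beyond the end marker, so, assuming pem_end points at the start of -----END RSA PRIVATE KEY----- as the strlen term implies, flb_sds_create_len copies one byte past the marker; when the marker ends the response that byte is the terminator and gets counted in the SDS length. Drop the + 1, or include the trailing newline only after checking it is there. The added flb_sds_destroy(key_resp) covers only the success path shown, so the branches where the PEM markers are not found need the same release, and since key_resp holds private key material it should be cleared before it is freed.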
420-453: Make region extraction robust; free tmp buffer on success
Handle body‑only responses and release ‘region’.
- const char *body_start = strstr(response, "\r\n\r\n"); - if (!body_start) { - return NULL; - } - body_start += 4; + const char *body_start = strstr(response, "\r\n\r\n"); + if (body_start) { body_start += 4; } + else { body_start = response; } @@ - flb_sds_t lregion = flb_sds_create(region_value); + flb_sds_t lregion = flb_sds_create(region_value); if (!lregion) { free(region); return NULL; } - return lregion; + free(region); + return lregion;
1838-1847: Free proxy_host in destructor
Prevent leak when proxy is configured.
if (ctx->u) { flb_upstream_destroy(ctx->u); } + if (ctx->proxy_host) { + flb_free(ctx->proxy_host); + }plugins/out_oracle_log_analytics/oci_logan.c (6)
556-563: Fix retry log condition
retry_error returns FLB_TRUE/FLB_FALSE, not FLB_RETRY.
- if (ret == FLB_RETRY) { + if (ret == FLB_TRUE) { flb_plg_error(ctx->ins, "HTTP %d: will retry", c->resp.status); } else { flb_plg_error(ctx->ins, "HTTP %d: non retryable error", c->resp.status); }
304-311: Sign and set Content-Type as application/json
The body is JSON; align signed header and request header.
- signing_str = add_header_and_signing(c, signing_str, - FLB_OCI_HEADER_CONTENT_TYPE, - sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - 1, FLB_OCI_HEADER_CONTENT_TYPE_VAL, - sizeof(FLB_OCI_HEADER_CONTENT_TYPE_VAL) - 1); + signing_str = add_header_and_signing(c, signing_str, + FLB_OCI_HEADER_CONTENT_TYPE, + sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - 1, + "application/json", strlen("application/json"));
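Review bot: replacing FLB_OCI_HEADER_CONTENT_TYPE_VAL with the literal "application/json" in this call leaves the value spelled out in three places besides the macro: here, in the content-type line of the token signing string (739-743), and in the Content-Type header added with hand-counted lengths 12 and 16 (934-939). The signed value and the header actually sent have to be byte-identical, so change the macro once, as the oci_logan.h comment proposes, and keep using it with sizeof(...) - 1 at all three sites.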
739-743: Use application/json in token signing path
JSON payload requires application/json.
- flb_sds_printf(&string_to_sign, - "content-type: application/octet-stream\n"); + flb_sds_printf(&string_to_sign, + "content-type: application/json\n");
934-939: Set Content-Type application/json for JSON uploads
Avoid mismatched media type.
- if (payload && payload_size > 0) { - flb_http_add_header(client, "Content-Type", 12, - "application/octet-stream", 24); - } + if (payload && payload_size > 0) { + flb_http_add_header(client, "Content-Type", 12, + "application/json", 16); + }
2056-2059: Remove duplicate config_map entry for oci_la_log_set_id
Duplicate keys cause confusion/override.
- { - FLB_CONFIG_MAP_STR, "oci_la_log_set_id", NULL, - 0, FLB_TRUE, offsetof(struct flb_oci_logan, oci_la_log_set_id), - ""},
1867-1871: Free record‑scoped log IDs after flush to avoid leaks
Only when created from record.
ret = flush_to_endpoint(ctx, out_buf, log_group_id, log_set_id); flb_sds_destroy(out_buf); - return ret; + if (ctx->oci_config_in_record == FLB_TRUE) { + if (log_group_id) { flb_sds_destroy(log_group_id); } + if (log_set_id) { flb_sds_destroy(log_set_id); } + } + return ret;
🧹 Nitpick comments (2)
plugins/out_oracle_log_analytics/oci_logan.h (2)
175-203: Remove duplicate includes (tidy‑up)
Multiple includes are repeated.
#include <fluent-bit/flb_upstream.h> #include <fluent-bit/flb_sds.h> #include <fluent-bit/flb_record_accessor.h> -#include <fluent-bit/flb_hash_table.h> -#include <fluent-bit/flb_output_plugin.h> -#include <fluent-bit/flb_upstream.h> -#include <fluent-bit/flb_upstream_conn.h> -#include <fluent-bit/flb_http_client.h> -#include <fluent-bit/flb_log_event_decoder.h> -#include <fluent-bit/flb_hash_table.h> -#include <fluent-bit/flb_pack.h> -#include <fluent-bit/flb_crypto.h> -#include <fluent-bit/flb_base64.h> -#include <fluent-bit/flb_hash.h> -#include <fluent-bit/flb_sds.h> +#include <fluent-bit/flb_hash_table.h> +#include <fluent-bit/flb_output_plugin.h> +#include <fluent-bit/flb_upstream_conn.h> +#include <fluent-bit/flb_http_client.h> +#include <fluent-bit/flb_log_event_decoder.h> +#include <fluent-bit/flb_pack.h> +#include <fluent-bit/flb_crypto.h> +#include <fluent-bit/flb_base64.h> +#include <fluent-bit/flb_hash.h>
218-237: Unify IMDS field ownership (flb_sds_t vs malloc) to avoid future misuse
session_pubkey/session_privkey are freed with free() elsewhere; they shouldn’t be typed as flb_sds_t.
Consider changing those to char* (or convert to SDS everywhere) and align alloc/free consistently across getters and destructor.
📒 Files selected for processing (8)
- plugins/out_oracle_log_analytics/CMakeLists.txt (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan.c (33 hunks)
- plugins/out_oracle_log_analytics/oci_logan.h (5 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (6 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.h (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (1 hunks)
- tests/runtime/CMakeLists.txt (1 hunks)
- tests/runtime/out_oracle_log_analytics.c (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- tests/runtime/CMakeLists.txt
🪛 Gitleaks (8.28.0)
tests/runtime/out_oracle_log_analytics.c
[high] 132-158: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
(private-key)
🔇 Additional comments (2)
plugins/out_oracle_log_analytics/oci_logan_conf.h (1)
35-37: Prototypes look good
New federation APIs are well-scoped and const-correct. No issues.
plugins/out_oracle_log_analytics/CMakeLists.txt (1)
2-5: Add helper to build: LGTM
Including oci_logan_helper.c is correct.
please adjust the code style https://github.com/fluent/fluent-bit/blob/master/CONTRIBUTING.md#coding-style (not only for my comments but in general)
Actionable comments posted: 3
♻️ Duplicate comments (15)
plugins/out_oracle_log_analytics/oci_logan.c (6)
553-560: Fix retry logging condition.
retry_error() returns FLB_TRUE/FLB_FALSE, not FLB_RETRY.
Apply:
- if (ret == FLB_RETRY) { + if (ret == FLB_TRUE) { flb_plg_error(ctx->ins, "HTTP %d: will retry", c->resp.status); } else { flb_plg_error(ctx->ins, "HTTP %d: non retryable error", c->resp.status); }
938-943: Send Content-Type: application/json.
The request body is JSON, not octet-stream.
Apply:
- if (payload && payload_size > 0) { - flb_http_add_header(client, "Content-Type", 12, - "application/octet-stream", 24); - } + if (payload && payload_size > 0) { + flb_http_add_header(client, "Content-Type", 12, + "application/json", 16); + }
301-307: Set Content-Type to application/json for JSON uploads.
Body is JSON; signing/header must match.
Apply:
- signing_str = add_header_and_signing(c, signing_str, - FLB_OCI_HEADER_CONTENT_TYPE, - sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - 1, FLB_OCI_HEADER_CONTENT_TYPE_VAL, - sizeof(FLB_OCI_HEADER_CONTENT_TYPE_VAL) - 1); + signing_str = add_header_and_signing(c, signing_str, + FLB_OCI_HEADER_CONTENT_TYPE, + sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - 1, + "application/json", + strlen("application/json"));
742-746: Use application/json in string-to-sign for token path.
Content-Type must match actual request.
Apply:
- flb_sds_printf(&string_to_sign, - "content-type: application/octet-stream\n"); + flb_sds_printf(&string_to_sign, + "content-type: application/json\n");
1726-1882: Free record-scoped log IDs when oci_config_in_record=true.
log_group_id/log_set_id created from records are never destroyed in send_batch_with_count error/success paths.
Apply:
@@ - if (ret != 0) { + if (ret != 0) { flb_log_event_decoder_destroy(&log_decoder); msgpack_sbuffer_destroy(&mp_sbuf); + if (ctx->oci_config_in_record == FLB_TRUE) { + if (log_group_id) { flb_sds_destroy(log_group_id); } + if (log_set_id) { flb_sds_destroy(log_set_id); } + } return FLB_ERROR; } @@ - ret = flush_to_endpoint(ctx, out_buf, log_group_id, log_set_id); + ret = flush_to_endpoint(ctx, out_buf, log_group_id, log_set_id); flb_sds_destroy(out_buf); - return ret; + if (ctx->oci_config_in_record == FLB_TRUE) { + if (log_group_id) { flb_sds_destroy(log_group_id); } + if (log_set_id) { flb_sds_destroy(log_set_id); } + } + return ret;
988-1029: Fix hash prefix: hex-encode raw SHA-256 digest, not base64 text.
Current code hexes base64 chars, producing wrong filenames.
Apply:
- char *content_sha256; + unsigned char digest[SHA256_DIGEST_LENGTH]; @@ - payload_size = flb_sds_len(payload); - content_sha256 = calculate_content_sha256_b64(payload, payload_size); - if (!content_sha256) { - return; - } + payload_size = flb_sds_len(payload); + SHA256((unsigned char *) payload, payload_size, digest); @@ - for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { - sprintf(hash_in_hex + (i * 2), "%02x", content_sha256[i]); - } + for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { + sprintf(hash_in_hex + (i * 2), "%02x", digest[i]); + } @@ - flb_free(content_sha256); return; @@ - flb_plg_error(ctx->ins, "cant open file -> %s", filename); - flb_free(content_sha256); + flb_plg_error(ctx->ins, "cant open file -> %s", filename); return; @@ - flb_free(content_sha256);plugins/out_oracle_log_analytics/oci_logan_conf.c (9)
766-774: Error cleanup must free partially assigned IMDS fields (not only NULL them).
Current code leaks on failure paths.
Apply:
- ctx->imds.fingerprint = NULL; - ctx->imds.intermediate_cert = NULL; - ctx->imds.leaf_cert = NULL; - ctx->imds.leaf_key = NULL; - ctx->imds.region = NULL; + if (ctx->imds.fingerprint) { + flb_sds_destroy(ctx->imds.fingerprint); + ctx->imds.fingerprint = NULL; + } + if (ctx->imds.intermediate_cert) { + flb_sds_destroy(ctx->imds.intermediate_cert); + ctx->imds.intermediate_cert = NULL; + } + if (ctx->imds.leaf_cert) { + flb_free(ctx->imds.leaf_cert); + ctx->imds.leaf_cert = NULL; + } + if (ctx->imds.leaf_key) { + flb_sds_destroy(ctx->imds.leaf_key); + ctx->imds.leaf_key = NULL; + } + if (ctx->imds.region) { + flb_sds_destroy(ctx->imds.region); + ctx->imds.region = NULL; + }
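Review bot: flb_free(ctx->imds.leaf_cert) in this cleanup is only correct if leaf_cert is a plain char *; the struct hunk elsewhere in this review shows it declared as flb_sds_t, and releasing an SDS with flb_free() hands the allocator the wrong pointer. Land this together with the type change, or use flb_sds_destroy() here. Since leaf_key holds the instance private key, consider wiping the buffer before it is destroyed.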
2015-2017: Fix typo in log message.
“expir e” -> “expires at”.
Apply:
- flb_plg_info(ctx->ins, "security token expir e in %ld", exp); + flb_plg_info(ctx->ins, "security token expires at %ld", exp);
164-169: Free SDS on empty config file content to avoid leak.
content is not destroyed when length is 0.
Apply:
- if (content == NULL || flb_sds_len(content) == 0) { - return -1; - } + if (content == NULL || flb_sds_len(content) == 0) { + if (content) { flb_sds_destroy(content); } + return -1; + }
1703-1707: Free ctx on host construction failure to avoid leak.
On failure you return without destroying ctx.
Apply:
- if (!host) { - flb_plg_error(ctx->ins, "failed to construct oci host"); - return NULL; - } + if (!host) { + flb_plg_error(ctx->ins, "failed to construct oci host"); + flb_oci_logan_conf_destroy(ctx); + return NULL; + }
692-731: Leak: key_resp not destroyed on success path.
After extracting the PEM block into ctx->imds.leaf_key, free key_resp.
Apply:
pem_len = (pem_end - pem_start) + strlen("-----END RSA PRIVATE KEY-----") + 1; ctx->imds.leaf_key = flb_sds_create_len(pem_start, pem_len); + flb_sds_destroy(key_resp);
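Review bot: flb_sds_create_len(pem_start, pem_len) is followed directly by flb_sds_destroy(key_resp) with no check of the result in the lines shown, so a failed allocation leaves ctx->imds.leaf_key NULL while the function carries on. Check the result before releasing key_resp. Because key_resp carries the private key, clear the buffer before the destroy as well.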
781-801: OpenSSL<3: check allocations and free on failure (pkey/bn/rsa).
Avoid NULL deref and leaks.
Apply:
#if OPENSSL_VERSION_NUMBER < 0x30000000L EVP_PKEY *pkey; BIGNUM *bn; RSA *rsa; int rc; pkey = EVP_PKEY_new(); bn = BN_new(); rsa = RSA_new(); + if (!pkey || !bn || !rsa) { + if (rsa) { RSA_free(rsa); } + if (bn) { BN_free(bn); } + if (pkey){ EVP_PKEY_free(pkey); } + return NULL; + } BN_set_word(bn, RSA_F4); rc = RSA_generate_key_ex(rsa, 2048, bn, NULL); if (rc != 1) { RSA_free(rsa); BN_free(bn); + EVP_PKEY_free(pkey); return NULL; } EVP_PKEY_assign_RSA(pkey, rsa); BN_free(bn); return pkey;
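Review bot: the return value of EVP_PKEY_assign_RSA(pkey, rsa) is not checked at the end of this block. On failure rsa is still owned by the caller and pkey is returned without a key; test for 1 and free rsa, bn and pkey on the error path. BN_set_word(bn, RSA_F4) is likewise unchecked.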
430-463: extract_region: handle headerless bodies and free temporary buffer on success.
- Treat full input as body when headers are absent.
- Free region before returning to prevent a leak.
Apply:
- body_start = strstr(response, "\r\n\r\n"); - if (!body_start) { - return NULL; - } - body_start += 4; + body_start = strstr(response, "\r\n\r\n"); + if (body_start) { + body_start += 4; + } + else { + /* No headers; treat entire input as body */ + body_start = response; + } @@ - lregion = flb_sds_create(region_value); - if (!lregion) { - free(region); - return NULL; - } - return lregion; + lregion = flb_sds_create(region_value); + if (!lregion) { + free(region); + return NULL; + } + free(region); + return lregion;
1828-1900: Complete destructor: free proxy_host as well.
proxy_host allocated during proxy parsing isn’t released.
Apply:
if (ctx->u) { flb_upstream_destroy(ctx->u); } + if (ctx->proxy_host) { + flb_free(ctx->proxy_host); + }
1479-1480: Remove invalid manual Content-Length header.
HTTP client sets Content-Length; adding with NULL value is rejected.
Apply:
- flb_http_add_header(client, "Content-Length", 14, NULL, 0);
🧹 Nitpick comments (2)
plugins/out_oracle_log_analytics/oci_logan_conf.c (1)
1934-1941: Gitleaks false-positive: obfuscate mock private key or guard with test-only macro.
Hardcoded PEM markers trigger secret scanners. Wrap/test-gate or split the marker to avoid alerts.
Example obfuscation:
- return flb_sds_create("-----BEGIN RSA PRIVATE KEY-----\n" + return flb_sds_create("-----BEGIN RSA PRIV" "ATE KEY-----\n" @@ - "-----END RSA PRIVATE KEY-----"); + "-----END RSA PRIV" "ATE KEY-----");Alternatively, wrap mock_imds_request under a compile-time test guard (e.g., #ifdef FLB_HAVE_TESTS) or move fixtures into test files. The scanner flagged these regions (private-key).
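Review bot: splitting the BEGIN/END markers across two adjacent string literals only hides the literal from the scanner; the mock key still ships in oci_logan_conf.c, and the same trick would hide a real key from later scans. Prefer the alternative named in this comment: keep mock_imds_request and its fixtures behind a test-only guard or in the test files, and add a scanner allowlist entry for the fixture path if it is still flagged.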
plugins/out_oracle_log_analytics/oci_logan.c (1)
1768-1786: Consider exact-match between signed path and actual URI.
You sign using an encoded URI but send the unencoded one. If ctx->uri or params ever need encoding, signatures can fail. Ensure both use the same encoded path.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
plugins/out_oracle_log_analytics/oci_logan.c (32 hunks)
plugins/out_oracle_log_analytics/oci_logan_conf.c (6 hunks)
plugins/out_oracle_log_analytics/oci_logan_helper.c (1 hunks)
🧰 Additional context used
🪛 Gitleaks (8.28.0)
plugins/out_oracle_log_analytics/oci_logan_conf.c
[high] 653-726: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
(private-key)
[high] 1934-1940: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
(private-key)
- Added Oracle Instance Metadata Service (IMDS) authentication, certificate, and key retrieval
- Implemented log chunking for efficient data handling and transmission
- Added timezone support for accurate timestamp processing
- Enhanced credential parsing and metadata extraction
- Improved error handling and debug logging
Signed-off-by: rghouzra <[email protected]>

fixx size parameter in hash table addition
Signed-off-by: reda ghouzraf <[email protected]>

fix: improve error handling and cleanup
Signed-off-by: rghouzra <[email protected]>

replace cjson with jsmn
Signed-off-by: reda ghouzraf <[email protected]>

replace cjson include with jsmn
Signed-off-by: reda ghouzraf <[email protected]>

fix centos jobs failure
Signed-off-by: rghouzra <[email protected]>

update base64 encoding and improve error handling
Signed-off-by: rghouzra <[email protected]>

enhance openssl compatibility
Signed-off-by: rghouzra <[email protected]>

enhance openssl comptability
Signed-off-by: rghouzra <[email protected]>

improve error handling in federation handling
Signed-off-by: rghouzra <[email protected]>

refactor of ocid extraction logic
Signed-off-by: rghouzra <[email protected]>

feat: Add tests for oracle logan output plugin
Signed-off-by: rghouzra <[email protected]>

[out_oracle_log_analytics] update tenancy extraction in test mode
Signed-off-by: rghouzra <[email protected]>

[out_oracle_log_analytics] enhance test mode
Signed-off-by: rghouzra <[email protected]>

fix:improve error handling in test
Signed-off-by: rghouzra <[email protected]>

fix: enhance resource cleanup
Signed-off-by: rghouzra <[email protected]>

fix: add resource cleanup for leaf certificate
Signed-off-by: rghouzra <[email protected]>

fix: improve code formatting
Signed-off-by: rghouzra <[email protected]>

[out_oracle_log_analytics] refactor OCI_logan plugin code for clarity and consistency
Signed-off-by: rghouzra <[email protected]>

improve code formatting and line break
Signed-off-by: rghouzra <[email protected]>
Actionable comments posted: 1
♻️ Duplicate comments (13)
plugins/out_oracle_log_analytics/oci_logan.h (1)
218-230: Fix IMDS field type inconsistency to prevent crashes.
Fields leaf_cert, session_pubkey, and session_privkey are declared as flb_sds_t but the destructor (oci_logan_conf.c lines 1839-1851) frees them with plain free() instead of flb_sds_destroy(), and some code paths assign malloc'd strings. This type mismatch can cause crashes or leaks.
Unify the type to plain char* throughout, or ensure all allocations use SDS APIs and all frees use flb_sds_destroy()
. For example:struct flb_oracle_imds { flb_sds_t region; - flb_sds_t leaf_cert; + char *leaf_cert; flb_sds_t leaf_key; flb_sds_t intermediate_cert; flb_sds_t tenancy_ocid; flb_sds_t fingerprint; - flb_sds_t session_pubkey; - flb_sds_t session_privkey; + char *session_pubkey; + char *session_privkey; struct flb_upstream *upstream; struct flb_output_instance *ins; };Then update the destructor in oci_logan_conf.c to consistently use
flb_free() for these fields.
Based on learnings
tests/runtime/out_oracle_log_analytics.c (2)
74-75: Unset FLB_OCI_PLUGIN_UNDER_TEST to prevent test isolation issues.
FLB_OCI_PLUGIN_UNDER_TEST is set on line 21 but never unset, which can leak state into subsequent tests.
Apply this diff:
flb_destroy(ctx); + unsetenv("FLB_OCI_PLUGIN_UNDER_TEST"); unsetenv("TEST_IMDS_SUCCESS"); }
131-158: Replace hardcoded private key with non-sensitive placeholder.
The literal RSA private key triggers secret scanners and is unnecessary for testing. Replace with a clearly fake placeholder or load from a test fixture.
Apply this diff:
- char key_content[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIIEowIBAAKCAQEAy8Dbv8prpJ/0kKhlGeJYozo2t60EG8L0561g13R29LvMR5hy\n" - ... - "VDLq3cL2MQKmVPrmWCFKLJSXiKGmqYZmVXC7FqfJJrKqLdFQCZNf\n" - "-----END RSA PRIVATE KEY-----\n"; + /* Non-sensitive test key placeholder */ + char key_content[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "TEST_KEY_PLACEHOLDER_DO_NOT_USE_IN_PRODUCTION\n" + "-----END RSA PRIVATE KEY-----\n";plugins/out_oracle_log_analytics/oci_logan_helper.c (1)
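Review bot: the replacement body TEST_KEY_PLACEHOLDER_DO_NOT_USE_IN_PRODUCTION is not valid base64 PEM content, so any code path in this test that parses key_content as an RSA key will fail. If the test needs a parseable key, generate a throwaway key at test start instead of embedding one; if it only needs the file to exist, say so in the comment above the array.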
445-474: Make lazy timezone hash initialization thread-safe.
Concurrent first-calls to init_oci_timezone_hash() can race, causing memory leaks or double-destruction. Add double-checked locking with a mutex.
Apply this diff:
+#include <pthread.h> + +static pthread_mutex_t oci_tz_lock = PTHREAD_MUTEX_INITIALIZER; + static int init_oci_timezone_hash(void) { int i; int ret; if (oci_timezone_hash != NULL) { return 0; } + + pthread_mutex_lock(&oci_tz_lock); + if (oci_timezone_hash != NULL) { + pthread_mutex_unlock(&oci_tz_lock); + return 0; + } oci_timezone_hash = flb_hash_table_create(FLB_HASH_TABLE_EVICT_NONE, 1024, -1); if (!oci_timezone_hash) { + pthread_mutex_unlock(&oci_tz_lock); return -2; } for (i = 0; oci_supported_timezones[i] != NULL; i++) { ret = flb_hash_table_add(oci_timezone_hash, oci_supported_timezones[i], strlen(oci_supported_timezones[i]), (void *) "1", sizeof("1")); if (ret < 0) { flb_hash_table_destroy(oci_timezone_hash); oci_timezone_hash = NULL; + pthread_mutex_unlock(&oci_tz_lock); return -3; } } + pthread_mutex_unlock(&oci_tz_lock); return 0; }plugins/out_oracle_log_analytics/oci_logan_conf.c (3)
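Review bot: the first if (oci_timezone_hash != NULL) { return 0; } runs outside the lock, and oci_timezone_hash is assigned by flb_hash_table_create() before the loop fills it. A second thread can pass that unlocked check while the table is still being populated and then treat a supported timezone as invalid; the unsynchronized read of the pointer is also a data race. Build the table in a local variable and publish it only after the loop succeeds, or run the whole initialization through pthread_once().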
421-463: Free temporary region buffer and handle body-only responses.
The region buffer allocated at line 448 is never freed on the success path, causing a memory leak. Additionally, the function doesn't handle responses without headers (body-only).
Apply this diff:
flb_sds_t extract_region(const char *response) { const char *body_start; size_t len; char *region; const char *long_name; const char *region_value; flb_sds_t lregion; body_start = strstr(response, "\r\n\r\n"); - if (!body_start) { - return NULL; - } - - body_start += 4; + if (body_start) { + body_start += 4; + } + else { + /* No headers present: treat the full input as body */ + body_start = response; + } while (*body_start == '\n' || *body_start == '\r' || *body_start == ' ') { body_start++; } len = strlen(body_start); while (len > 0 && (body_start[len - 1] == '\n' || body_start[len - 1] == '\r' || body_start[len - 1] == ' ')) { len--; } region = malloc(len + 1); if (!region) { return NULL; } strncpy(region, body_start, len); region[len] = '\0'; long_name = long_region_name(region); region_value = long_name ? long_name : region; lregion = flb_sds_create(region_value); if (!lregion) { free(region); return NULL; } + free(region); return lregion; }
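Review bot: strstr(response, "\r\n\r\n") dereferences response with no NULL check, and with the new header-less fallback any non-empty body is accepted as the region. Return NULL for a NULL or empty input, and reject values that do not look like a region identifier before flb_sds_create(region_value), since this string comes from an HTTP response. The temporary buffer also uses malloc/free rather than the flb_malloc/flb_free wrappers used in the other hunks.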
781-800: Check OpenSSL allocation results before use (OpenSSL <3.0).
Lines 787-789 allocate pkey, bn, and rsa without NULL checks. If any allocation fails, subsequent operations will dereference NULL pointers, causing a crash.
Apply this diff:
#if OPENSSL_VERSION_NUMBER < 0x30000000L EVP_PKEY *pkey = EVP_PKEY_new(); BIGNUM *bn = BN_new(); RSA *rsa = RSA_new(); int rc; + if (!pkey || !bn || !rsa) { + if (rsa) { RSA_free(rsa); } + if (bn) { BN_free(bn); } + if (pkey){ EVP_PKEY_free(pkey); } + return NULL; + } + BN_set_word(bn, RSA_F4); rc = RSA_generate_key_ex(rsa, 2048, bn, NULL); if (rc != 1) { RSA_free(rsa); BN_free(bn); + EVP_PKEY_free(pkey); return NULL; }
1479-1479: Remove invalid Content-Length header addition.
flb_http_add_header with val_len=0 is invalid and silently fails. The HTTP client already manages Content-Length automatically.
Apply this diff:
flb_http_add_header(client, "Date", 4, date_header, flb_sds_len(date_header)); flb_http_add_header(client, "Content-Type", 12, "application/json", 16); - flb_http_add_header(client, "Content-Length", 14, NULL, 0);
plugins/out_oracle_log_analytics/oci_logan.c (6)
742-746: Use application/json for JSON payload signing.
Line 744 signs with content-type: application/octet-stream, but the payload is JSON. The signed Content-Type must match the actual request header.
Apply this diff:
if (payload && payload_size > 0) { flb_sds_printf(&string_to_sign, - "content-type: application/octet-stream\n"); + "content-type: application/json\n"); flb_sds_printf(&string_to_sign, "content-length: %zu", payload_size); }
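Review bot: the "content-type: application/json\n" literal in the string to sign is kept separately from the header value set in the upload path, so the two can drift apart again and the signature will stop verifying. Take both from one constant (for example FLB_OCI_HEADER_CONTENT_TYPE_VAL, updated to application/json) and change the signed string and the sent header in the same commit.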
2064-2066: Remove duplicate oci_la_log_set_id config_map entry.
The key oci_la_log_set_id is defined at both lines 2048-2050 and lines 2064-2066. Remove the duplicate to avoid key override.
Apply this diff:
- { - FLB_CONFIG_MAP_STR, "oci_la_log_set_id", NULL, - 0, FLB_TRUE, offsetof(struct flb_oci_logan, oci_la_log_set_id), - ""},Based on learnings
553-559: Fix retry condition check.
retry_error() returns FLB_TRUE/FLB_FALSE, not FLB_RETRY. The condition at line 553 will never match, causing incorrect logging.
Apply this diff:
- if (ret == FLB_RETRY) { + if (ret == FLB_TRUE) { flb_plg_error(ctx->ins, "HTTP %d: will retry", c->resp.status); } else { flb_plg_error(ctx->ins, "HTTP %d: non retryable error", c->resp.status); }
937-940: Set Content-Type to application/json for JSON uploads.
The upload body is JSON, but line 939 sets Content-Type: application/octet-stream. This mismatches the signed header and OCI API expectations.
Apply this diff:
if (payload && payload_size > 0) { flb_http_add_header(client, "Content-Type", 12, - "application/octet-stream", 24); + "application/json", 16); }
301-307: Set Content-Type to application/json in signed headers (config_file path).
The upload body is JSON. Line 304 signs and sets Content-Type using FLB_OCI_HEADER_CONTENT_TYPE_VAL, which is likely application/octet-stream. Change to application/json to match the payload format.
Apply this diff:
signing_str = add_header_and_signing(c, signing_str, FLB_OCI_HEADER_CONTENT_TYPE, - sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - - 1, FLB_OCI_HEADER_CONTENT_TYPE_VAL, - sizeof - (FLB_OCI_HEADER_CONTENT_TYPE_VAL) - - 1); + sizeof(FLB_OCI_HEADER_CONTENT_TYPE) - 1, + "application/json", 16);Alternatively, update
FLB_OCI_HEADER_CONTENT_TYPE_VAL to "application/json" in the header file.
981-1027: Compute hex from raw SHA-256 digest (not base64 string).
Lines 1002-1004 hex-encode the base64 string returned by calculate_content_sha256_b64, producing incorrect hash prefixes. Compute hex from the raw 32-byte digest instead.
Apply this diff:
- char *content_sha256; + unsigned char digest[SHA256_DIGEST_LENGTH]; @@ payload_size = flb_sds_len(payload); - content_sha256 = calculate_content_sha256_b64(payload, payload_size); - if (!content_sha256) { - return; - } + SHA256((unsigned char *) payload, payload_size, digest); for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { - sprintf(hash_in_hex + (i * 2), "%02x", content_sha256[i]); + sprintf(hash_in_hex + (i * 2), "%02x", digest[i]); } @@ if (access(filename, F_OK) == 0) { flb_plg_debug(ctx->ins, "payload s already dumped to->%s", filename); - flb_free(content_sha256); return; } @@ fp = fopen(filename, "w"); if (!fp) { flb_plg_error(ctx->ins, "cant open file -> %s", filename); - flb_free(content_sha256); return; } fprintf(fp, "%s", payload); fclose(fp); - flb_free(content_sha256);
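Review bot: in the context lines, access(filename, F_OK) followed by fopen(filename, "w") is a check-then-open race, and fopen in "w" mode will follow a symlink placed at that name between the two calls. Opening with open() and O_CREAT | O_EXCL, then fdopen(), performs the existence check and the creation atomically and makes the access() call unnecessary. Separately, `fprintf(fp, "%s", payload)` stops at the first NUL byte although payload_size is known, so fwrite(payload, 1, payload_size, fp) would write exactly the bytes that were hashed. The sprintf loop needs hash_in_hex to hold 2 * SHA256_DIGEST_LENGTH + 1 bytes; its declaration is not visible in this hunk and should be checked.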
🧹 Nitpick comments (1)
plugins/out_oracle_log_analytics/oci_logan.h (1)
179-203: Remove duplicate includes.
Several headers are included multiple times (flb_upstream.h at lines 180-181, flb_hash_table.h at lines 184-185, flb_sds.h at lines 189-190), creating unnecessary redundancy.
Apply this diff to remove duplicates:
#include <fluent-bit/flb_upstream.h> #include <fluent-bit/flb_sds.h> #include <fluent-bit/flb_record_accessor.h> #include <fluent-bit/flb_hash_table.h> #include <fluent-bit/flb_output_plugin.h> -#include <fluent-bit/flb_upstream.h> -#include <fluent-bit/flb_upstream_conn.h> -#include <fluent-bit/flb_http_client.h> -#include <fluent-bit/flb_log_event_decoder.h> -#include <fluent-bit/flb_hash_table.h> -#include <fluent-bit/flb_pack.h> -#include <fluent-bit/flb_crypto.h> -#include <fluent-bit/flb_base64.h> -#include <fluent-bit/flb_hash.h> -#include <fluent-bit/flb_sds.h> #include <monkey/mk_core/mk_list.h> #include <fluent-bit/flb_jsmn.h>
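Review bot: only three of the ten deleted includes are duplicates of lines that remain (flb_upstream.h, flb_hash_table.h, flb_sds.h). The other seven, flb_upstream_conn.h, flb_http_client.h, flb_log_event_decoder.h, flb_pack.h, flb_crypto.h, flb_base64.h and flb_hash.h, occur once in the visible lines, so deleting them drops the include altogether unless it is repeated outside this hunk. Limit the deletion to the three repeated headers, or confirm that every source file including oci_logan.h pulls in the others itself.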
📜 Review details
📒 Files selected for processing (8)
- plugins/out_oracle_log_analytics/CMakeLists.txt (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan.c (32 hunks)
- plugins/out_oracle_log_analytics/oci_logan.h (5 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (6 hunks)
- plugins/out_oracle_log_analytics/oci_logan_conf.h (1 hunks)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (1 hunks)
- tests/runtime/CMakeLists.txt (1 hunks)
- tests/runtime/out_oracle_log_analytics.c (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- tests/runtime/CMakeLists.txt
🧰 Additional context used
🧬 Code graph analysis (6)
tests/runtime/out_oracle_log_analytics.c (2)
- plugins/out_s3/s3.c (1): setenv (57-60)
- src/flb_lib.c (9): flb_create (138-220), flb_service_set (647-673), flb_input (261-271), flb_destroy (223-258), flb_input_set (300-330), flb_output (274-284), flb_output_set (515-546), flb_start (914-925), flb_stop (942-985)
plugins/out_oracle_log_analytics/oci_logan_helper.c (1)
- src/flb_hash_table.c (4): flb_hash_table_create (99-137), flb_hash_table_add (401-494), flb_hash_table_destroy (197-215), flb_hash_table_get (496-522)
plugins/out_oracle_log_analytics/oci_logan_conf.c (7)
- include/fluent-bit/flb_mem.h (2): flb_free (126-128), flb_calloc (84-96)
- src/flb_sds.c (4): flb_sds_create_len (58-76), flb_sds_create_size (92-95), flb_sds_create (78-90), flb_sds_printf (336-387)
- src/flb_http_client.c (4): flb_http_client (814-859), flb_http_add_header (963-995), flb_http_do (1572-1632), flb_http_client_destroy (1688-1695)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (3): determine_realm_from_region (533-546), get_domain_suffix_for_realm (549-563), long_region_name (567-580)
- src/flb_upstream.c (4): flb_upstream_create (290-363), flb_upstream_conn_get (711-844), flb_upstream_conn_release (862-947), flb_upstream_destroy (656-698)
- src/flb_output.c (2): flb_output_net_default (1059-1069), flb_output_upstream_set (1556-1647)
- src/flb_utils.c (1): flb_utils_url_split (1441-1534)
plugins/out_oracle_log_analytics/oci_logan.h (1)
- plugins/out_oracle_log_analytics/oci_logan_helper.c (4): is_valid_timezone (520-530), get_domain_suffix_for_realm (549-563), determine_realm_from_region (533-546), long_region_name (567-580)
plugins/out_oracle_log_analytics/oci_logan.c (6)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (4): EVP_MD_CTX_new (43-46), EVP_MD_CTX_free (48-51), create_federation_payload (941-984), sign_and_send_federation_request (1396-1555)
- src/flb_sds.c (6): flb_sds_create_size (92-95), flb_sds_cat_safe (204-214), flb_sds_destroy (389-399), flb_sds_create (78-90), flb_sds_printf (336-387), flb_sds_create_len (58-76)
- src/flb_http_client.c (5): flb_http_add_header (963-995), flb_http_client (814-859), flb_http_client_destroy (1688-1695), flb_http_allow_duplicated_headers (99-107), flb_http_buffer_size (872-883)
- src/flb_upstream.c (1): flb_upstream_conn_get (711-844)
- src/flb_log_event_decoder.c (3): flb_log_event_decoder_init (99-116), flb_log_event_decoder_next (310-406), flb_log_event_decoder_destroy (147-179)
- src/flb_pack.c (1): flb_msgpack_raw_to_json_sds (1026-1085)
plugins/out_oracle_log_analytics/oci_logan_conf.h (1)
- plugins/out_oracle_log_analytics/oci_logan_conf.c (2): create_federation_payload (941-984), sign_and_send_federation_request (1396-1555)
🪛 Gitleaks (8.28.0)
tests/runtime/out_oracle_log_analytics.c
[high] 132-158: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (private-key)