in_forward: Fix user authentication mechanism to align Fluentd behavior

Signed-off-by: Hiroshi Hatake <[email protected]>

Author: cosmo0920

plugins/in_forward/fw.c

@@ -333,6 +333,15 @@ static int in_fw_init(struct flb_input_instance *ins,
         return -1;
     }
 
+    /* Users-only configuration must be rejected unless a (possibly empty) shared key is enabled. */
+    if (mk_list_size(&ctx->users) > 0 &&
+        ctx->shared_key == NULL &&
+        ctx->empty_shared_key == FLB_FALSE) {
+        flb_plg_error(ctx->ins, "security.users is set but no shared_key or empty_shared_key");
+        fw_config_destroy(ctx);
+        return -1;
+    }
+
     flb_input_downstream_set(ctx->downstream, ctx->ins);
 
     flb_net_socket_nonblocking(ctx->downstream->server_fd);

plugins/in_forward/fw_conn.c

@@ -142,7 +142,18 @@ struct fw_conn *fw_conn_add(struct flb_connection *connection, struct flb_in_fw_
     }
 
     conn->handshake_status = FW_HANDSHAKE_ESTABLISHED;
-    if (ctx->shared_key != NULL) {
+    /*
+     * Always force the secure-forward handshake when:
+     *  - a shared key is configured, or
+     *  - empty_shared_key is enabled (empty string shared key), or
+     *  - user authentication is configured (users > 0).
+     *
+     * This closes the gap where "users-only" previously skipped authentication entirely.
+     */
+    conn->handshake_status = FW_HANDSHAKE_ESTABLISHED; /* default */
+    if (ctx->shared_key != NULL ||
+        ctx->empty_shared_key == FLB_TRUE ||
+        mk_list_size(&ctx->users) > 0) {
         conn->handshake_status = FW_HANDSHAKE_HELO;
         helo = flb_calloc(1, sizeof(struct flb_in_fw_helo));
         if (!helo) {