oauth2: generic client and server side auth implementation

[edsiper]

WIP --> This branch is under heavy development

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • OAuth2 support across inputs, outputs and HTTP client (token retrieval, auth methods, timeouts, auto-refresh, retry-on-401, Bearer handling).
  • OAuth2 JWT validation with JWKS-backed parsing/verification, issuer/audience/client checks and configurable JWKS refresh.
  • RSA signature verification and a VERIFY operation added to the crypto API.

• Bug Fixes / Improvements

  • More reliable token expiry handling, header reuse/reset and header removal; clearer HTTP/OAuth2 logging and retry behavior.

• Tests

  • New unit and runtime tests covering OAuth2 and JWT flows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds OAuth2 client and OAuth2‑JWT validation (JWKS fetch/cache, JWT parsing, RSA verification), integrates OAuth2 into HTTP client with retry-on-401, extends crypto API for RSA-from-components verification, wires config-map and properties for input/output plugins, and adds tests and build entries.

Changes

Cohort / File(s)	Summary
Crypto API & impl include/fluent-bit/flb_crypto.h, include/fluent-bit/flb_crypto_constants.h, src/flb_crypto.c	Added FLB_CRYPTO_OPERATION_VERIFY; new APIs flb_crypto_init_from_rsa_components, flb_crypto_verify, flb_crypto_verify_simple; implemented RSA public-key construction from modulus/exponent and signature verification with OpenSSL compatibility.
HTTP client (OAuth2) include/fluent-bit/flb_http_client.h, src/flb_http_client.c	Added base_header_len to flb_http_client, flb_http_remove_header(), and flb_http_do_with_oauth2() to fetch/apply Bearer tokens, handle token refresh and retry-on-401, reset headers and optionally recreate upstream.
OAuth2 core include/fluent-bit/flb_oauth2.h, src/flb_oauth2.c	New flb_oauth2_config and config map; constructors (flb_oauth2_create_from_config, flb_oauth2_create), flb_oauth2_destroy, token lifecycle/access APIs, locking, upstream setup, token caching with expires_at, and flb_oauth2_get_config_map.
OAuth2‑JWT subsystem include/fluent-bit/flb_oauth2_jwt.h, src/flb_oauth2_jwt.c, src/CMakeLists.txt	New JWT validation API and status codes, JWKS fetch & cache, JWT parse/claims types, RSA verification via crypto API, lifecycle (flb_oauth2_jwt_context_create/destroy, flb_oauth2_jwt_validate, etc.), and added flb_oauth2_jwt.c to TLS build.
Input plugin integration include/fluent-bit/flb_input.h, src/flb_input.c, plugins/in_http/http.h, plugins/in_http/http.c, plugins/in_http/http_config.c, plugins/in_http/http_prot.c	Added oauth2_jwt_config_map and oauth2_jwt_properties; apply config map, create JWT context on init, validate Authorization header on incoming requests and return 401 on validation failure.
Output plugin integration include/fluent-bit/flb_output.h, src/flb_output.c, plugins/out_http/http.h, plugins/out_http/http.c, plugins/out_http/http_conf.c	Added OAuth2 config/context fields to HTTP output, config-map entries for oauth2 settings, flb_output_oauth2_property_check, config-map wiring, and switched outbound requests to flb_http_do_with_oauth2() when enabled.
Token expiry field updates plugins/out_azure_kusto/azure_msiauth.c, plugins/out_stackdriver/gce_metadata.c, plugins/out_stackdriver/stackdriver.c	Replaced uses of expires with expires_at for token expiry handling; adjusted assignments/validations.
Build & tests tests/internal/CMakeLists.txt, tests/internal/oauth2.c, tests/internal/oauth2_jwt.c, tests/runtime/in_http.c	Added unit/runtime tests and mock servers exercising OAuth2 token flows and JWT/JWKS parsing/verification; added oauth2 test sources under TLS.
Output/input wiring & misc src/flb_output.c, tests/internal/input_chunk_routes.c, include/fluent-bit/flb_compat.h, .github/scripts/commit_prefix_check.py	Added oauth2_properties/config_map handling to outputs, initialized/cleaned oauth2_jwt_properties in tests, Windows strcasecmp alias and includes, and relaxed multi-prefix commit validation logic.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Client
    participant InHTTP as in_http Plugin
    participant JWTctx as flb_oauth2_jwt_ctx
    participant JWKS as JWKS Server
    participant Crypto as flb_crypto
    participant OutHTTP as flb_http_client
    participant OAuth2 as flb_oauth2

    Note over Client,InHTTP: Incoming request validation
    Client->>InHTTP: HTTP request (Authorization: Bearer ...)
    InHTTP->>JWTctx: flb_oauth2_jwt_validate(Authorization)
    JWTctx->>JWTctx: parse token, extract kid/alg/claims
    JWTctx->>JWTctx: check JWKS cache for kid
    alt JWKS miss/stale
        JWTctx->>JWKS: GET JWKS URL
        JWKS-->>JWTctx: JWKS JSON
        JWTctx->>JWTctx: parse & cache keys
    end
    JWTctx->>Crypto: build EVP_PKEY from modulus/exponent
    Crypto-->>JWTctx: verification result
    JWTctx-->>InHTTP: VALID / INVALID
    alt VALID
        InHTTP->>Client: 201 / process request
    else INVALID
        InHTTP->>Client: 401 Unauthorized
    end

    Note over OutHTTP,OAuth2: Outbound request with OAuth2
    OutHTTP->>OAuth2: request token (if needed)
    OAuth2-->>OutHTTP: access_token + expires_in
    OutHTTP->>OutHTTP: cache token (expires_at)
    OutHTTP->>OutHTTP: send request with Authorization: Bearer
    alt Upstream 401
        OutHTTP->>OAuth2: invalidate/refresh token
        OAuth2-->>OutHTTP: new token
        OutHTTP->>OutHTTP: retry request with refreshed token
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• cosmo0920
• niedbalski
• patrick-stephens
• celalettin1286

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.48% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: implementing OAuth2 authentication for both client and server sides, which aligns with the substantial additions across crypto APIs, HTTP client/server integrations, JWT validation, and OAuth2 configuration throughout the changeset.

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

tests/internal/oauth2.c (2)

52-58: Consider documenting buffer size assumption.

The snprintf will safely truncate if the formatted response exceeds MOCK_BODY_SIZE (1024 bytes). For test payloads, this is adequate, but consider adding a comment or assertion to make the assumption explicit.

---

367-367: Consider reducing test duration.

The sleep(2) makes this test take over 2 seconds to run. For faster test execution, consider using shorter expiry times (e.g., expires_in=1, refresh_skew=0 with sleep(1)) while still validating the refresh behavior.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b149f7 and 5cdafce.

📒 Files selected for processing (1)

• tests/internal/oauth2.c (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-17T18:45:02.283Z

Learnt from: edsiper
Repo: fluent/fluent-bit PR: 11286
File: src/flb_http_client.c:1657-1715
Timestamp: 2025-12-17T18:45:02.283Z
Learning: In the Fluent Bit OAuth2 implementation (src/flb_oauth2.c), the function flb_oauth2_get_access_token returns a pointer to the cached token stored in the OAuth2 context (ctx->access_token), not a new allocation. The OAuth2 context manages the token lifecycle, so callers must not free the returned token pointer.

Applied to files:

• tests/internal/oauth2.c

🧬 Code graph analysis (1)

tests/internal/oauth2.c (3)

src/flb_sds.c (2)

• flb_sds_create_size (92-95)
• flb_sds_create (78-90)

src/flb_oauth2.c (4)

• flb_oauth2_create_from_config (675-733)
• flb_oauth2_parse_json_response (317-411)
• flb_oauth2_get_access_token (847-871)
• flb_oauth2_destroy (735-761)

src/flb_config.c (1)

• flb_config_init (233-486)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)

• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COMPILER_STRICT_POINTER_TYPES=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
• GitHub Check: PR - fuzzing test
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-centos-7
• GitHub Check: pr-compile-without-cxx (3.31.6)

🔇 Additional comments (8)

tests/internal/oauth2.c (8)

101-104: Simple authorization check is adequate for test code.

The strstr approach will match latest_token anywhere in the request after the Authorization: header, which could theoretically produce false positives. For a mock test server, this is acceptable.

---

144-158: Blocking recv is acceptable for test server.

The socket is set to blocking mode, and recv is called in a bounded loop. If a client sends incomplete data, recv could block, but the loop has proper bounds and break conditions. For a test server with controlled clients, this is acceptable.

---

173-232: Well-structured server startup with proper error handling.

The server binds to loopback with dynamic port assignment, which is ideal for test isolation. Error paths properly clean up resources.

---

234-277: Excellent defensive programming for test reliability.

The platform-specific readiness check prevents race conditions on macOS where the server thread may not have entered its select() loop immediately after pthread_create returns. This is good practice for cross-platform test reliability.

---

279-287: Proper server shutdown sequence.

The use of shutdown() to wake blocking calls followed by pthread_join ensures clean thread termination. Since the server thread checks the stop flag every 200ms, pthread_join should complete quickly.

---

289-310: Helper function properly manages resources.

The OAuth2 config is correctly initialized, used to create the context, and then destroyed. Since flb_oauth2_create_from_config clones the config internally, this is safe.

---

312-329: Unit test correctly validates default value handling.

The test verifies that token_type defaults to "Bearer" and expires_in defaults to the constant when not present in the JSON response. Cleanup is properly handled.

---

331-377: Integration test thoroughly validates OAuth2 token lifecycle.

The test correctly verifies:

• Initial token fetch from server
• Cached token reuse
• Token refresh after expiry

The cleanup sequence properly destroys resources in the correct order.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

tests/internal/oauth2.c (2)

44-73: Consider bounds checking and error handling improvements.

The function has two minor robustness concerns:

1. Buffer overflow risk: If body is very large or malformed, snprintf may truncate but the calculation at line 56-62 doesn't verify the full response fits in buffer. While snprintf is safe from overruns, the response might be incomplete.

2. Silent send failures: When send() fails at line 68, the function silently breaks without logging. For a test mock server this is acceptable, but consider logging errors to aid debugging if send failures occur.

🔎 Suggested improvements

 static void compose_http_response(flb_sockfd_t fd, int status, const char *body)
 {
     char buffer[MOCK_BODY_SIZE];
     int body_len = 0;
     ssize_t sent = 0;
     ssize_t total = 0;
     ssize_t len;
 
     if (body != NULL) {
         body_len = strlen(body);
+        /* Ensure body + headers fit in buffer */
+        if (body_len > MOCK_BODY_SIZE - 200) {
+            printf("Warning: response body too large, truncating\n");
+        }
     }
 
     snprintf(buffer, sizeof(buffer),
              "HTTP/1.1 %d\r\n"
              "Content-Length: %d\r\n"
              "Content-Type: application/json\r\n"
              "Connection: close\r\n\r\n"
              "%s",
              status, body_len, body ? body : "");
 
     len = strlen(buffer);
     /* Ensure we send all data - loop until complete */
     while (total < len) {
         sent = send(fd, buffer + total, len - total, 0);
         if (sent <= 0) {
+            printf("Warning: send() failed: %d\n", errno);
             break;
         }
         total += sent;
     }
 }

---

177-287: Refactor duplicated Windows cleanup code.

The Windows WSACleanup cleanup block is duplicated six times across the error paths (lines 205-210, 224-229, 236-241, 250-255, 263-268, 277-282). This increases maintenance burden.

🔎 Refactor using goto for cleanup

 static int oauth2_mock_server_start(struct oauth2_mock_server *server, int expires_in,
                                     int resource_challenge)
 {
     int on = 1;
     struct sockaddr_in addr;
     socklen_t len;
 #ifdef _WIN32
     WSADATA wsa_data;
     int wsa_result;
 #endif
 
     memset(server, 0, sizeof(struct oauth2_mock_server));
     server->expires_in = expires_in;
     server->resource_challenge = resource_challenge;
 
 #ifdef _WIN32
     /* Initialize Winsock on Windows */
     wsa_result = WSAStartup(MAKEWORD(2, 2), &wsa_data);
     if (wsa_result != 0) {
         flb_errno();
         return -1;
     }
     server->wsa_initialized = 1;
 #endif
 
     server->listen_fd = socket(AF_INET, SOCK_STREAM, 0);
     if (server->listen_fd == FLB_INVALID_SOCKET) {
         flb_errno();
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
 
     setsockopt(server->listen_fd, SOL_SOCKET, SO_REUSEADDR, (const char *)&on, sizeof(on));
 
     memset(&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
     addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
     addr.sin_port = 0;
 
     if (bind(server->listen_fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
         flb_errno();
         flb_socket_close(server->listen_fd);
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
 
     if (listen(server->listen_fd, 4) < 0) {
         flb_errno();
         flb_socket_close(server->listen_fd);
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
 
     len = sizeof(addr);
     memset(&addr, 0, sizeof(addr));
     if (getsockname(server->listen_fd, (struct sockaddr *) &addr, &len) < 0) {
         flb_errno();
         flb_socket_close(server->listen_fd);
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
 
     server->port = ntohs(addr.sin_port);
     if (server->port == 0) {
         flb_errno();
         flb_socket_close(server->listen_fd);
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
 
     flb_net_socket_nonblocking(server->listen_fd);
 
     if (pthread_create(&server->thread, NULL, oauth2_mock_server_thread, server) != 0) {
         printf("pthread_create failed: %s\n", strerror(errno));
         flb_socket_close(server->listen_fd);
-#ifdef _WIN32
-        if (server->wsa_initialized) {
-            WSACleanup();
-            server->wsa_initialized = 0;
-        }
-#endif
-        return -1;
+        goto cleanup;
     }
     printf("server started on port %d\n", server->port);
     return 0;
+
+cleanup:
+#ifdef _WIN32
+    if (server->wsa_initialized) {
+        WSACleanup();
+        server->wsa_initialized = 0;
+    }
+#endif
+    return -1;
 }

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cdafce and d071378.

📒 Files selected for processing (1)

• tests/internal/oauth2.c

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-17T18:45:02.283Z

Learnt from: edsiper
Repo: fluent/fluent-bit PR: 11286
File: src/flb_http_client.c:1657-1715
Timestamp: 2025-12-17T18:45:02.283Z
Learning: In the Fluent Bit OAuth2 implementation (src/flb_oauth2.c), the function flb_oauth2_get_access_token returns a pointer to the cached token stored in the OAuth2 context (ctx->access_token), not a new allocation. The OAuth2 context manages the token lifecycle, so callers must not free the returned token pointer.

Applied to files:

• tests/internal/oauth2.c

🧬 Code graph analysis (1)

tests/internal/oauth2.c (1)

src/flb_oauth2.c (5)

• flb_oauth2_create_from_config (675-733)
• flb_oauth2_config_destroy (207-223)
• flb_oauth2_parse_json_response (317-411)
• flb_oauth2_get_access_token (847-871)
• flb_oauth2_destroy (735-761)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)

• GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COMPILER_STRICT_POINTER_TYPES=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-without-cxx (3.31.6)
• GitHub Check: pr-compile-centos-7
• GitHub Check: PR - fuzzing test

🔇 Additional comments (8)

tests/internal/oauth2.c (8)

75-116: LGTM!

The mock handlers correctly implement token issuance and resource authorization logic for testing purposes. The authorization check is appropriately simple for a test mock server.

---

118-175: LGTM!

The server thread correctly implements a non-blocking accept loop with select, reliable request reading by making the client socket blocking, and proper cleanup. The routing logic is appropriately simple for test purposes.

---

289-332: LGTM!

The readiness check correctly handles the race condition where the server thread may not have started its accept loop yet. The platform-specific error handling for non-blocking connect is appropriate, and the retry logic with backoff is reasonable.

---

334-349: LGTM!

The server stop sequence is correct: setting the stop flag, shutting down the socket to wake blocked operations, joining the thread, and cleaning up resources. Windows-specific WSA cleanup is properly handled.

---

351-372: LGTM!

The OAuth2 context creation correctly initializes the config structure, passes it to the library, and cleans up the config afterward. The refresh_skew parameter is properly forwarded.

---

393-439: LGTM!

The test correctly exercises token caching and refresh behavior. The test logic is sound:

1. Initial token fetch and cache verification
2. Waiting for token expiry (with sleep(2))
3. Refresh verification

The macOS-specific readiness check at lines 410-417 properly handles the thread startup race condition. The sleep(2) makes the test slightly slow but is acceptable for an integration test that needs to verify time-based token expiry.

---

441-445: LGTM!

The test list correctly registers both test cases.

---

374-391: No issue with partial initialization.

The stack-allocated context is safely initialized via memset(&ctx, 0, sizeof(ctx)), which zeros all fields. The flb_oauth2_parse_json_response function and oauth2_reset_state only access fields that are either zero-initialized or protected by NULL checks. The cleanup with flb_sds_destroy is correct since the parse function creates new tokens and the context takes ownership of them.