fluent-plugin-kusto 0.0.1.beta

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 90834d37833dc31d3a1aaa3f3de064ee260f9c619753857be060c2e48ba4a79c
+  data.tar.gz: 854001eaf38c3065262d2fd4abdb20c14e95af65ba8f08418825ddf6ac56ad94
+SHA512:
+  metadata.gz: 66e9089d652413b6a405dc49fafa2fb3fe5399461dd18fdd87025293790dc8d92c9fcf4b8122937f2c06ec766ea43a48716dce499a61c6d298ad03f23299d5c0
+  data.tar.gz: 93e5fb41d9e4a76a5a34bad266abf596161f24143b1763d27a3378cf7f22afb87601f0a23b80775bb5cb75dc52b9876f6077f35ba59ae6dd3f19182790e32e68

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec
+gem 'fiddle'
+gem 'mocha'
+gem 'ostruct'

data/LICENSE

@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE

data/README.md

@@ -0,0 +1,201 @@
+# fluent-plugin-kusto
+
+[Fluentd](https://fluentd.org/) output plugin for ingesting logs and data into [Azure Data Explorer (Kusto)](https://azure.microsoft.com/en-us/services/data-explorer/).
+
+## Overview
+
+This plugin allows you to send data from Fluentd to Azure Data Explorer (Kusto) using Azure Blob Storage and Queue for scalable, reliable ingestion. It supports both buffered and non-buffered modes, handles authentication via Azure AD or Managed Identity, and provides robust error handling and logging.
+
+## Requirements
+
+- Ruby 2.5 or later  
+  Check version (Windows/Linux):
+  ```bash
+  ruby --version
+  ```
+  Install on Ubuntu/Linux:
+  ```bash
+  sudo apt-get install ruby-full
+  ```
+  Install on Windows (using RubyInstaller):
+  [Download RubyInstaller](https://rubyinstaller.org/)
+  [Official Ruby installation guide](https://www.ruby-lang.org/en/documentation/installation/)
+
+- Fluentd v1.0 or later  
+  Check version (Windows/Linux):
+  ```bash
+  fluentd --version
+  ```
+  Install on Ubuntu/Linux:
+  ```bash
+  gem install fluentd
+  ```
+  Install on Windows (in Command Prompt after Ruby is installed):
+  ```cmd
+  gem install fluentd
+  ```
+  [Official Fluentd installation guide](https://docs.fluentd.org/installation)
+
+
+## Installation
+
+### RubyGems
+
+```sh
+$ gem install fluent-plugin-kusto --pre
+```
+
+### Bundler
+
+Add the following line to your Gemfile:
+
+```ruby
+gem "fluent-plugin-kusto", "~> 0.0.1.beta"
+```
+
+**Note:** This is a beta release. Use the `--pre` flag with gem install or specify the beta version in your Gemfile.
+
+And then execute:
+
+```sh
+$ bundle
+```
+
+## Azure Data Explorer (Kusto) Prerequisites
+The _Kusto_ output plugin lets you ingest your logs into an [Azure Data Explorer](https://azure.microsoft.com/en-us/services/data-explorer/) cluster, using the [Queued Ingestion](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/api/netfx/about-kusto-ingest#queued-ingestion) mechanism.
+
+## Ingest into Azure Data Explorer: create a Kusto cluster and database
+
+Create an Azure Data Explorer cluster in one of the following ways:
+
+* [Create a free-tier cluster](https://dataexplorer.azure.com/freecluster)
+* [Create a fully featured cluster](https://docs.microsoft.com/en-us/azure/data-explorer/create-cluster-database-portal)
+
+## Create an Azure registered application
+
+FluentD uses the Azure application's credentials to ingest data into your cluster.
+
+* [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application)
+* [Add a client secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)
+* [Authorize the app in your database](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/principals-and-identity-providers#azure-ad-tenants)
+
+## Create a Managed Identity in Azure
+
+- **System-assigned Managed Identity:**
+  - [Enable system-assigned managed identity](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-enable-system-assigned-managed-identity)
+
+- **User-assigned Managed Identity:**
+  - [Create and assign user-assigned managed identity](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-create-user-assigned-managed-identity)
+
+- **Grant Permissions:**
+  - [Assign permissions to managed identity for Azure Data Explorer](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/access-control/principals-and-identity-providers)
+
+## Workload Identity Authentication
+
+- [Follow workload_identity.md](workload_identity.md)
+
+## Create a database
+
+To create a new database in your Azure Data Explorer cluster, use the following KQL command:
+
+```kql
+.create database <database_name>
+```
+
+## Create a table
+
+Fluent Bit ingests the event data into Kusto in a JSON format. By default, the table includes 3 properties:
+
+* `record` - the actual event payload.
+* `tag` - the event tag.
+* `timestamp` - the event timestamp.
+
+A table with the expected schema must exist in order for data to be ingested properly.
+
+```kql
+.create table <table_name> (tag:string, timestamp:datetime, record:dynamic)
+```
+
+## Configuration parameters
+
+| Key                                    | Description                                                                                                                                                                                                                                                             | Default                        |
+| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `tenant_id`                            | The tenant/domain ID of the Azure Active Directory (AAD) registered application. Required if `managed_identity_client_id` isn't set.                                                                                                                                    | _none_                         |
+| `client_id`                            | The client ID of the AAD registered application. Required if `managed_identity_client_id` isn't set.                                                                                                                                                                    | _none_                         |
+| `client_secret`                        | The client secret of the AAD registered application ([App Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)). Required if `managed_identity_client_id` isn't set. | _none_                         |
+| `managed_identity_client_id`           | The managed identity ID to authenticate with. Set to `SYSTEM` for system-assigned managed identity, or set to the MI client ID (`GUID`) for user-assigned managed identity. Required if `tenant_id`, `client_id`, and `client_secret` aren't set.                       | _none_                         |
+| `endpoint`                   | The cluster's endpoint, usually in the form `https://cluster_name.region.kusto.windows.net`                                                                                                                                                            | _none_                         |
+| `database_name`                        | The database name.                                                                                                                                                                                                                                                      | _none_                         |
+| `table_name`                           | The table name.                                                                                                                                                                                                                                                         | _none_                         |
+| `compression_enabled`                  | If enabled, sends compressed HTTP payload (gzip) to Kusto.                                                                                                                                                                                                              | `true`                         |
+| `workers`                              | The number of [workers](../../../administration/multithreading#outputs) to perform flush operations for this output.                                                                                                                                                    | `0`                            |
+| `buffered`                    | Enable buffering into disk before ingesting into Azure Kusto. If `buffered` is `true`, buffered mode is activated. If `false`, non-buffered mode is used.                                                                                                               | `true`                        |
+| `delayed`                              | If `true`, enables delayed commit for buffer chunks. Only supported in buffered mode (`buffered` must be `true`). If `buffered` is `false`, delayed commit is not available.                                                     | `false`                        |
+| `azure_cloud`                          | Azure cloud environment. E.g., `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernmentCloud`, `AzureGermanCloud`.                                                                                                                    | `AzureCloud`                   |
+| `chunk_keys` (buffer section)          | Only in buffered mode. Keys to use for chunking the buffer. Possible values: `tag`, `time`, or a combination such as `["tag", "time"]`. Controls how data is grouped and flushed.                                               | `["time"]`                    |
+| `timekey` (buffer section)             | Only in buffered mode. Time interval for buffer chunking. Possible values: integer seconds (e.g., `60`, `3600`, `86400`).                                                                                                         | `86400` (1 day)                |
+| `timekey_wait` (buffer section)        | Only in buffered mode. Wait time before flushing a timekey chunk after its time window closes. Possible values: duration string (e.g., `30s`, `5m`).                                                                             | `30s`                           |
+| `timekey_use_utc` (buffer section)     | Only in buffered mode. Use UTC for timekey chunking. Possible values: `true`, `false`.                                                                                                                                           | `true`                          |
+| `flush_at_shutdown` (buffer section)   | Only in buffered mode. Flush buffer at shutdown. Possible values: `true`, `false`.                                                                                                                                               | `true`                          |
+| `retry_max_times` (buffer section)     | Only in buffered mode. Maximum number of retry attempts for buffer flush. Possible values: integer (e.g., `5`, `10`).                                                                                                            | `5`                             |
+| `retry_wait` (buffer section)          | Only in buffered mode. Wait time between buffer flush retries. Possible values: duration string (e.g., `1s`, `10s`).                                                                                                             | `1s`                            |
+| `overflow_action` (buffer section)     | Only in buffered mode. Action to take when buffer overflows. Possible values: `block`, `drop_oldest_chunk`, `throw_exception`.                                                            | `block`                         |
+| `chunk_limit_size` (buffer section)    | Only in buffered mode. Maximum size per buffer chunk. Possible values: size string (e.g., `256m`, `1g`).                                                                                                                         | `256m`                          |
+| `total_limit_size` (buffer section)    | Only in buffered mode. Maximum total buffer size. Possible values: size string (e.g., `2g`, `10g`).                                                                                                                              | `2g`                            |
+| `flush_mode` (buffer section)          | Only in buffered mode. Buffer flush mode. Possible values: `interval`, `immediate`, `lazy`.                                                                                               | `interval`                      |
+| `flush_interval` (buffer section)      | Only in buffered mode. Interval for buffer flush. Possible values: duration string (e.g., `10s`, `1m`).                                                                                                                          | `10s`                           |
+| `logger_path`                           | Optional. File path for plugin log output. If not set, logs are written to stdout.                                                                                                                      | stdout(terminal)                        |
+| `auth_type`                            | The authentication type to use. Possible values: `aad`, `user_managed_identity`, `system_managed_identity`,`workload_identity`.                                                                                                                                                                                                                                     | `aad`                        |
+| `workload_identity_client_id`              | The client ID for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                                               | _none_                         |
+| `workload_identity_tenant_id`              | The tenant ID for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                                               | _none_                         |
+| `workload_identity_token_file`             | The file path to the token file for Azure Workload Identity authentication. Required if using workload identity for authentication.                                                                                             | `/var/run/secrets/azure/tokens/azure-identity-token`                        |
+
+## Sample Configuration
+
+```conf
+<system>
+  workers 1
+</system>
+<match test.kusto>
+  @type kusto
+  @log_level debug
+  buffered true
+  delayed false
+  endpoint https://yourcluster.region.kusto.windows.net
+  database_name your-db
+  table_name your-table
+  tenant_id <your-tenant-id>
+  client_id <your-client-id>
+  managed_identity_client_id SYSTEM
+  compression_enabled true
+  azure_cloud AzureCloud
+  logger_path /var/log/azure-kusto-fluentd.log
+  <buffer>
+    @type memory
+    # To chunk by tag only:
+    # chunk_keys tag
+    # To chunk by tag and time:
+    # chunk_keys tag,time
+    timekey 1m
+    timekey_wait 30s
+    timekey_use_utc true
+    flush_at_shutdown true
+    retry_max_times 5
+    retry_wait 1s
+    overflow_action block
+    chunk_limit_size 256m
+    total_limit_size 2g
+    flush_mode interval
+    flush_interval 10s
+  </buffer>
+</match>
+```
+
+# Fluentd Azure Data Explorer (Kusto) Output Plugin Architecture
+![Architecture](architecture.png)
+
+This diagram shows the main components and data flow for the plugin, including configuration, error handling, token management, and Azure resource interactions.
+
+## Copyright
+
+* License: Apache License, Version 2.0

data/lib/fluent/plugin/auth/aad_tokenprovider.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+# AadTokenProvider handles acquiring and refreshing Azure Active Directory tokens for Kusto ingestion.
+#
+# Responsibilities:
+# - Build and send token requests to Azure AD endpoint
+# - Cache and refresh tokens as needed
+# - Support client credentials flow for authentication
+require 'json'
+require 'openssl'
+require 'base64'
+require 'time'
+require 'net/http'
+require 'uri'
+require_relative '../kusto_error_handler'
+require_relative 'tokenprovider_base'
+
+class AadTokenProvider < AbstractTokenProvider
+  def initialize(outconfiguration)
+    super(outconfiguration)
+    token_request_params_set
+  end
+
+  # Use get_token from base class for token retrieval
+
+  private
+
+  def setup_config(outconfiguration)
+    @client_id = outconfiguration.client_app_id
+    @client_secret = outconfiguration.client_app_secret
+    @tenant_id = outconfiguration.tenant_id
+    @aad_uri = outconfiguration.aad_endpoint
+    @resource = outconfiguration.kusto_endpoint
+    @database_name = outconfiguration.database_name
+    @table_name = outconfiguration.table_name
+    @azure_cloud = outconfiguration.azure_cloud
+    @managed_identity_client_id = outconfiguration.managed_identity_client_id
+  end
+
+  def token_request_params_set
+    @token_request_uri = "#{@aad_uri}/#{@tenant_id}/oauth2/v2.0/token"
+    @scope = "#{@resource}/.default"
+  end
+
+  def fetch_token
+    response = post_token_request
+    {
+      access_token: response['access_token'],
+      expires_in: response['expires_in']
+    }
+  end
+
+  def post_token_request
+    headers = header
+    max_retries = 10
+    retries = 0
+    uri = URI.parse(@token_request_uri)
+    form_data = URI.encode_www_form(
+      'grant_type' => 'client_credentials',
+      'client_id' => @client_id,
+      'client_secret' => @client_secret,
+      'scope' => @scope
+    )
+    while retries < max_retries
+      begin
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = (uri.scheme == 'https')
+        request = Net::HTTP::Post.new(uri.request_uri, headers)
+        request.body = form_data
+
+        response = http.request(request)
+        return JSON.parse(response.body) if [200, 201].include?(response.code.to_i)
+
+        begin
+          error_json = JSON.parse(response.body)
+          kusto_error_type = KustoErrorHandler.extract_kusto_error_type(error_json)
+          error = KustoErrorHandler.from_kusto_error_type(
+            kusto_error_type,
+            error_json['error_description'] || error_json['message'] || response.body
+          )
+          if error.permanent_error?
+            @logger.error("Permanent error encountered, not retrying. #{error.message}")
+            raise error
+          end
+        rescue JSON::ParserError
+          @logger.error("Failed to parse error response: #{response.body}")
+          raise "Permanent error while authenticating with AAD: #{response.body}"
+        end
+      end
+      retries += 1
+      @logger.error(
+        "Error while authenticating with AAD ('#{@aad_uri}'), retrying in 10 seconds. " \
+        "Attempt #{retries}/#{max_retries}"
+      )
+      sleep 10
+    end
+    raise "Failed to authenticate with AAD after #{max_retries} attempts."
+  end
+
+  def header
+    {
+      'Content-Type' => 'application/x-www-form-urlencoded'
+    }
+  end
+end

data/lib/fluent/plugin/auth/azcli_tokenprovider.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'time'
+require 'open3'
+require 'shellwords'
+require_relative 'tokenprovider_base'
+
+class AzCliTokenProvider < AbstractTokenProvider
+  def initialize(outconfiguration)
+    super(outconfiguration)
+    @resource = outconfiguration.kusto_endpoint
+  end
+
+  # Use get_token from base class for token retrieval
+
+  def fetch_token
+    token = acquire_token(@resource)
+    raise "No valid Azure CLI token found for resource: #{@resource}" unless token
+
+    {
+      access_token: token['accessToken'],
+      expires_in: (Time.parse(token['expiresOn']) - Time.now).to_i
+    }
+  end
+
+  def acquire_token(resource)
+    az_cli = locate_azure_cli
+    # Properly escape the Azure CLI executable path to prevent command injection
+    escaped_az_cli = Shellwords.escape(az_cli)
+    escaped_resource = Shellwords.escape(resource)
+    cmd = [escaped_az_cli, 'account', 'get-access-token', '--resource', escaped_resource, '--output', 'json']
+    stdout, stderr, status = Open3.capture3(*cmd)
+    raise "Failed to acquire Azure CLI token: #{stderr.strip}" if !status.success? && !status.success?
+
+    JSON.parse(stdout)
+  rescue Errno::ENOENT
+    raise "Azure CLI not found. Please install Azure CLI and run 'az login'."
+  end
+
+  def locate_azure_cli
+    exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+    ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+      exts.each do |ext|
+        exe = File.join(path, "az#{ext}")
+        return exe if File.executable?(exe) && !File.directory?(exe)
+      end
+    end
+    raise "Azure CLI executable 'az' not found in PATH."
+  end
+end

data/lib/fluent/plugin/auth/mi_tokenprovider.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+# ManagedIdentityTokenProvider handles acquiring and refreshing Azure Managed Identity tokens for Kusto ingestion.
+#
+# Responsibilities:
+# - Build and send token requests to Azure IMDS endpoint
+# - Cache and refresh tokens as needed
+# - Support both system-assigned and user-assigned managed identities
+
+require 'net/http'
+require 'uri'
+require 'json'
+require 'erb'
+require_relative 'tokenprovider_base'
+
+class ManagedIdentityTokenProvider < AbstractTokenProvider
+  IMDS_TOKEN_ACQUIRE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token'
+
+  def initialize(outconfiguration)
+    super(outconfiguration)
+    token_request_params_set(outconfiguration)
+  end
+
+  # Use get_token from base class for token retrieval
+
+  private
+
+  def setup_config(outconfiguration)
+    @resource = outconfiguration.kusto_endpoint
+    @managed_identity_client_id = outconfiguration.managed_identity_client_id
+    val = @managed_identity_client_id.to_s.strip
+    @use_system_assigned = (val.upcase == 'SYSTEM')
+    @use_user_assigned = !val.empty? && val.upcase != 'SYSTEM'
+  end
+
+  def append_header(name, value)
+    "#{name}=#{value}"
+  end
+
+  def token_request_params_set(_outconfiguration)
+    token_acquire_url = IMDS_TOKEN_ACQUIRE_URL.dup + '?' + append_header('resource',
+                                                                         ERB::Util.url_encode(outconfiguration.kusto_endpoint)) + '&' + append_header(
+                                                                           'api-version', '2018-02-01'
+                                                                         )
+    unless @object_id.nil?
+      token_acquire_url = (token_acquire_url + '&' + append_header('object_id',
+                                                                   ERB::Util.url_encode(@object_id)))
+    end
+    unless @msi_res_id.nil?
+      token_acquire_url = (token_acquire_url + '&' + append_header('msi_res_id',
+                                                                   ERB::Util.url_encode(@msi_res_id)))
+    end
+    URI.parse(token_acquire_url)
+    return unless @use_user_assigned
+
+    (token_acquire_url + '&' + append_header('client_id',
+                                             ERB::Util.url_encode(@managed_identity_client_id)))
+  end
+
+  def fetch_token
+    response = post_token_request
+    {
+      access_token: response['access_token'],
+      expires_in: response['expires_in']
+    }
+  end
+
+  def post_token_request
+    headers = { 'Metadata' => 'true' }
+    max_retries = 2
+    retries = 0
+    uri = URI.parse(@token_acquire_url)
+    while retries < max_retries
+      begin
+        http = Net::HTTP.new(uri.host, uri.port)
+        request = Net::HTTP::Get.new(uri.request_uri, headers)
+        response = http.request(request)
+        return JSON.parse(response.body) if response.code.to_i == 200
+
+        @logger.error("Failed to get managed identity token: #{response.code} #{response.body}")
+      rescue StandardError => e
+        @logger.error("Error while requesting managed identity token: #{e.message}")
+      end
+      retries += 1
+      @logger.error(
+        "Retrying managed identity token request in 10 seconds. Attempt #{retries}/#{max_retries}"
+      )
+      sleep 10
+    end
+    raise "Failed to get managed identity token after #{max_retries} attempts."
+  end
+end

data/lib/fluent/plugin/auth/tokenprovider_base.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+# AbstractTokenProvider defines the interface and shared logic for all token providers.
+class AbstractTokenProvider
+  def initialize(outconfiguration)
+    @logger = setup_logger(outconfiguration)
+    setup_config(outconfiguration)
+    @token_state = { access_token: nil, expiry_time: nil, token_details_mutex: Mutex.new }
+  end
+
+  # Abstract method: must be implemented by subclasses to fetch a new token.
+  def fetch_token
+    raise NotImplementedError, 'Subclasses must implement fetch_token'
+  end
+
+  # Public method to get a valid token, refreshing if needed.
+  def get_token
+    @token_state[:token_details_mutex].synchronize do
+      if saved_token_need_refresh?
+        @logger.info("Refreshing token. Previous expiry: #{@token_state[:expiry_time]}")
+        refresh_saved_token
+        @logger.info("New token expiry: #{@token_state[:expiry_time]}")
+      end
+      @token_state[:access_token]
+    end
+  end
+
+  private
+
+  def setup_logger(outconfiguration)
+    outconfiguration.logger || Logger.new($stdout)
+  end
+
+  def setup_config(_outconfiguration)
+    # To be optionally overridden by subclasses
+  end
+
+  def saved_token_need_refresh?
+    @token_state[:access_token].nil? || @token_state[:expiry_time].nil? || @token_state[:expiry_time] <= Time.now
+  end
+
+  def refresh_saved_token
+    token_response = fetch_token
+    @token_state[:access_token] = token_response[:access_token]
+    @token_state[:expiry_time] = get_token_expiry_time(token_response[:expires_in])
+  end
+
+  def get_token_expiry_time(expires_in_seconds)
+    if expires_in_seconds.nil? || expires_in_seconds.to_i <= 0
+      Time.now + 3540 # Default to 59 minutes if expires_in is not provided or invalid
+    else
+      Time.now + expires_in_seconds.to_i - 1
+    end
+  end
+end

data/lib/fluent/plugin/auth/wif_tokenprovider.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'uri'
+require 'json'
+require_relative 'tokenprovider_base'
+
+class WorkloadIdentity < AbstractTokenProvider
+  DEFAULT_TOKEN_FILE = '/var/run/secrets/azure/tokens/azure-identity-token'
+  AZURE_OAUTH2_TOKEN_ENDPOINT = 'https://login.microsoftonline.com/%<tenant_id>s/oauth2/v2.0/token'
+
+  # Use get_token from base class for token retrieval
+
+  private
+
+  def setup_config(outconfiguration)
+    @client_id = outconfiguration.workload_identity_client_id
+    @tenant_id = outconfiguration.workload_identity_tenant_id
+    @token_file = outconfiguration.workload_identity_token_file_path || DEFAULT_TOKEN_FILE
+    @kusto_endpoint = outconfiguration.kusto_endpoint
+    @scope = "#{@kusto_endpoint}/.default"
+  end
+
+  def fetch_token
+    response = acquire_workload_identity_token
+    {
+      access_token: response['access_token'],
+      expires_in: response['expires_in']
+    }
+  end
+
+  def acquire_workload_identity_token
+    oidc_token = File.read(@token_file).strip
+    uri = URI.parse(format(AZURE_OAUTH2_TOKEN_ENDPOINT, tenant_id: @tenant_id))
+    req = Net::HTTP::Post.new(uri)
+    req.set_form_data(
+      'grant_type' => 'client_credentials',
+      'client_id' => @client_id,
+      'scope' => @scope,
+      'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+      'client_assertion' => oidc_token
+    )
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    res = http.request(req)
+    raise "Failed to get access token: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)
+
+    JSON.parse(res.body)
+  end
+end