Changes to name the configuration property "query" instead of "params" as in other implementations

emasab · emasab · commit 7d356de928d0 · 2025-09-25T17:58:42.000+02:00
and to make it optional if the default endpoint is overridden.
diff --git a/src/rdkafka_conf.c b/src/rdkafka_conf.c
@@ -3940,6 +3940,38 @@ char **rd_kafka_conf_kv_split(const char **input, size_t incnt, size_t *cntp) {
         return out;
 }
 
+/**
+ * @brief Get value for the config param corresponding to \p key in
+ *        \p config, using \p pairs_sep for splitting it
+ *        into key-value pairs and '=' for splitting keys and values.
+ */
+char *rd_kafka_conf_kv_get(const char *config,
+                           const char *key,
+                           const char pairs_sep) {
+        size_t i, config_pair_cnt, config_key_value_cnt;
+        char *ret = NULL;
+        char **config_key_values;
+        if (!config)
+                return NULL;
+
+        char **config_pairs =
+            rd_string_split(config, pairs_sep, rd_true, &config_pair_cnt);
+
+        config_key_values =
+            rd_kafka_conf_kv_split((const char **)config_pairs, config_pair_cnt,
+                                   &config_key_value_cnt);
+        for (i = 0; i < config_key_value_cnt / 2; i += 2) {
+                char *config_key = config_key_values[i];
+                if (!rd_strcmp(config_key, key)) {
+                        ret = rd_strdup(config_key_values[i + 1]);
+                        break;
+                }
+        }
+        rd_free(config_key_values);
+        rd_free(config_pairs);
+        return ret;
+}
+
 const char *
 rd_kafka_conf_finalize_oauthbearer_oidc_grant_type(rd_kafka_conf_t *conf) {
         switch (conf->sasl.oauthbearer.grant_type) {
@@ -4066,17 +4098,24 @@ const char *rd_kafka_conf_finalize_oauthbearer_oidc(rd_kafka_conf_t *conf) {
                        "`sasl.oauthbearer.method=oidc` are "
                        "mutually exclusive";
 
-        if (conf->sasl.oauthbearer.metadata_authentication.type ==
-                RD_KAFKA_SASL_OAUTHBEARER_METADATA_AUTHENTICATION_TYPE_AZURE_IMDS &&
-            !conf->sasl.oauthbearer.token_endpoint_url) {
-                conf->sasl.oauthbearer.token_endpoint_url =
-                    RD_KAFKA_SASL_OAUTHBEARER_METADATA_AUTHENTICATION_URL_AZURE_IMDS;
-        }
-
         if (!conf->sasl.oauthbearer.token_endpoint_url) {
-                return "`sasl.oauthbearer.token.endpoint.url` "
-                       "is mandatory when "
-                       "`sasl.oauthbearer.method=oidc` is set";
+                const char *errstr =
+                    "`sasl.oauthbearer.token.endpoint.url` "
+                    "is mandatory when "
+                    "`sasl.oauthbearer.method=oidc` is set";
+                if (conf->sasl.oauthbearer.metadata_authentication.type ==
+                    RD_KAFKA_SASL_OAUTHBEARER_METADATA_AUTHENTICATION_TYPE_AZURE_IMDS) {
+                        char *query = rd_kafka_conf_kv_get(
+                            conf->sasl.oauthbearer_config, "query", ',');
+                        if (!query)
+                                return "`sasl.oauthbearer.token.endpoint.url` "
+                                       "is mandatory for Azure IMDS "
+                                       "authentication "
+                                       "when `query` isn't set";
+                        rd_free(query);
+                } else {
+                        return errstr;
+                }
         }
 
         if (conf->sasl.oauthbearer.metadata_authentication.type ==
diff --git a/src/rdkafka_conf.h b/src/rdkafka_conf.h
@@ -372,7 +372,6 @@ struct rd_kafka_conf_s {
                         struct {
                                 rd_kafka_oauthbearer_metadata_authentication_type_t
                                     type;
-                                const char *query;
                         } metadata_authentication;
 
 
@@ -699,6 +698,9 @@ struct rd_kafka_topic_conf_s {
 
 char **rd_kafka_conf_kv_split(const char **input, size_t incnt, size_t *cntp);
 
+char *
+rd_kafka_conf_kv_get(const char *config, const char *key, const char pairs_sep);
+
 void rd_kafka_anyconf_destroy(int scope, void *conf);
 
 rd_bool_t rd_kafka_conf_is_modified(const rd_kafka_conf_t *conf,
diff --git a/src/rdkafka_sasl_oauthbearer_oidc.c b/src/rdkafka_sasl_oauthbearer_oidc.c
@@ -1024,8 +1024,9 @@ void rd_kafka_oidc_token_metadata_azure_imds_refresh_cb(
 
         struct curl_slist *headers = NULL;
 
-        char *token_endpoint_url = NULL;
-        char *sub                = NULL;
+        const char *token_endpoint_url_initial = NULL;
+        char *token_endpoint_url               = NULL;
+        char *sub                              = NULL;
 
         size_t extension_cnt;
         size_t extension_key_value_cnt = 0;
@@ -1034,45 +1035,39 @@ void rd_kafka_oidc_token_metadata_azure_imds_refresh_cb(
 
         char **extensions            = NULL;
         char **extension_key_value   = NULL;
+        char *query                  = NULL;
         static char *headers_array[] = {"Metadata: true"};
 
         if (rd_kafka_terminating(rk))
                 return;
 
-        if (rk->rk_conf.sasl.oauthbearer_config &&
-            !rk->rk_conf.sasl.oauthbearer.metadata_authentication.query) {
-                size_t i, oauthbearer_config_cnt;
-                char **config_pairs =
-                    rd_string_split(rk->rk_conf.sasl.oauthbearer_config, ',',
-                                    rd_true, &oauthbearer_config_cnt);
-                for (i = 0; i < oauthbearer_config_cnt; i++) {
-                        char *config_pair = config_pairs[i];
-                        char *query_pos   = strstr(config_pair, "query=");
-                        if (query_pos == config_pair) {
-                                rk->rk_conf.sasl.oauthbearer
-                                    .metadata_authentication.query =
-                                    query_pos + strlen("query=");
-                                break;
-                        }
+        if (rk->rk_conf.sasl.oauthbearer_config)
+                query = rd_kafka_conf_kv_get(
+                    rk->rk_conf.sasl.oauthbearer_config, "query", ',');
+        token_endpoint_url_initial =
+            rk->rk_conf.sasl.oauthbearer.token_endpoint_url;
+        if (!token_endpoint_url_initial)
+                token_endpoint_url_initial =
+                    RD_KAFKA_SASL_OAUTHBEARER_METADATA_AUTHENTICATION_URL_AZURE_IMDS;
+        if (query && *query) {
+                token_endpoint_url = rd_http_get_params_append(
+                    token_endpoint_url_initial, query);
+
+                if (token_endpoint_url == NULL) {
+                        rd_snprintf(
+                            set_token_errstr, sizeof(set_token_errstr),
+                            "Failed to append params \"%s\" to token endpoint "
+                            "URL \"%s\"",
+                            query,
+                            rk->rk_conf.sasl.oauthbearer.token_endpoint_url);
+                        rd_kafka_log(rk, LOG_ERR, "OIDC", "%s",
+                                     set_token_errstr);
+                        rd_kafka_oauthbearer_set_token_failure(
+                            rk, set_token_errstr);
+                        goto done;
                 }
-                if (!rk->rk_conf.sasl.oauthbearer.metadata_authentication.query)
-                        rk->rk_conf.sasl.oauthbearer.metadata_authentication
-                            .query = "";
-        }
-
-        token_endpoint_url = rd_http_get_params_append(
-            rk->rk_conf.sasl.oauthbearer.token_endpoint_url,
-            rk->rk_conf.sasl.oauthbearer.metadata_authentication.query);
-        if (token_endpoint_url == NULL) {
-                rd_snprintf(
-                    set_token_errstr, sizeof(set_token_errstr),
-                    "Failed to append params \"%s\" to token endpoint "
-                    "URL \"%s\"",
-                    rk->rk_conf.sasl.oauthbearer.metadata_authentication.query,
-                    rk->rk_conf.sasl.oauthbearer.token_endpoint_url);
-                rd_kafka_log(rk, LOG_ERR, "OIDC", "%s", set_token_errstr);
-                rd_kafka_oauthbearer_set_token_failure(rk, set_token_errstr);
-                goto done;
+        } else {
+                token_endpoint_url = rd_strdup(token_endpoint_url_initial);
         }
 
         herr = rd_http_get_json(rk, token_endpoint_url, headers_array, 1,
@@ -1120,6 +1115,7 @@ void rd_kafka_oidc_token_metadata_azure_imds_refresh_cb(
         RD_IF_FREE(extensions, rd_free);
         RD_IF_FREE(extension_key_value, rd_free);
         RD_IF_FREE(token_endpoint_url, rd_free);
+        RD_IF_FREE(query, rd_free);
 }
 
 /**
