SERVER-115615 Add --skipExtensionsSignatureVerification option to resmoke (#47164)

GitOrigin-RevId: 6c07b62c63b275d3357b887923291445fb9e1134

buildscripts/resmokelib/config.py

@@ -217,6 +217,8 @@ DEFAULTS = {
     "load_all_extensions": False,
     # Avoids running hooks as part of the suite.
     "no_hooks": False,
+    # Avoids performing signature verification on test extensions at load time.
+    "skip_extensions_signature_verification": False,
 }
 
 _SuiteOptions = collections.namedtuple(
@@ -869,3 +871,6 @@ NO_HOOKS = False
 
 # Whether ASAN (AddressSanitizer) is enabled, determined by the presence of ASAN_OPTIONS.
 IS_ASAN = bool(os.environ.get("ASAN_OPTIONS"))
+
+# Skips signature verification for extensions loaded into the server. This option has no effect on release builds.
+SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = False

buildscripts/resmokelib/configure_resmoke.py

@@ -248,6 +248,9 @@ def _validate_config(parser: argparse.ArgumentParser):
     if not sys.platform.startswith("linux") and _config.LOAD_ALL_EXTENSIONS:
         parser.error("--loadAllExtensions is only supported on Linux")
 
+    if not sys.platform.startswith("linux") and _config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION:
+        parser.error("--skipExtensionsSignatureVerification is only supported on Linux")
+
     # Ranges through param specs and checks that they are valid parameter declarations.
     for param_type in config_fuzzer_params:
         _validate_params_spec(parser, config_fuzzer_params[param_type])
@@ -828,6 +831,9 @@ flags in common: {common_set}
     _config.SANITY_CHECK = config.pop("sanity_check")
     _config.PAUSE_AFTER_POPULATE = config.pop("pause_after_populate")
     _config.LOAD_ALL_EXTENSIONS = config.pop("load_all_extensions")
+    _config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = config.pop(
+        "skip_extensions_signature_verification"
+    )
     _config.NO_HOOKS = config.pop("no_hooks")
     _config.HANG_ANALYZER_HOOK_TIMEOUT = config.pop("hang_analyzer_hook_timeout")
 

buildscripts/resmokelib/extensions/add_extensions_signature_pub_key_path.py

@@ -7,9 +7,16 @@ from buildscripts.resmokelib.extensions.constants import (
 
 
 def add_extensions_signature_pub_key_path(
+    skip_extensions_signature_verification,
+    config,
     mongod_options: Dict,
     mongos_options: Optional[Dict] = None,
 ):
+    # We omit providing the extension signature public key path parameter if we intend to skip signature verification.
+    # This signals to the server in insecure mode to skip validating extension signatures at load time.
+    if skip_extensions_signature_verification or config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION:
+        return
+
     EXTENSIONS_SIGNATURE_PUB_KEY_PATH_PARAM = "extensionsSignaturePublicKeyPath"
     mongod_options[EXTENSIONS_SIGNATURE_PUB_KEY_PATH_PARAM] = TEST_PUBLIC_KEY_PATH
 

buildscripts/resmokelib/run/__init__.py

@@ -2135,6 +2135,13 @@ class RunPlugin(PluginInterface):
             help="Loads all available test extensions in the server upon startup.",
         )
 
+        mongodb_server_options.add_argument(
+            "--skipExtensionsSignatureVerification",
+            dest="skip_extensions_signature_verification",
+            action="store_true",
+            help="Skips extensions signature verification at load time during server startup.",
+        )
+
         internal_options = parser.add_argument_group(
             title=_INTERNAL_OPTIONS_TITLE,
             description=(

buildscripts/resmokelib/testing/fixtures/fixturelib.py

@@ -191,3 +191,4 @@ class _FixtureConfig(object):
         self.NOOP_MONGO_D_S_PROCESSES = config.NOOP_MONGO_D_S_PROCESSES
         self.CONFIG_FUZZER_ENCRYPTION_OPTS = config.CONFIG_FUZZER_ENCRYPTION_OPTS
         self.LOAD_ALL_EXTENSIONS = config.LOAD_ALL_EXTENSIONS
+        self.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION

buildscripts/resmokelib/testing/fixtures/replicaset.py

@@ -80,6 +80,7 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
         hide_initial_sync_node_from_conn_string=False,
         launch_mongot=False,
         load_all_extensions=False,
+        skip_extensions_signature_verification=False,
         router_endpoint_for_mongot: Optional[int] = None,
         disagg_base_config=None,
         use_priority_ports=False,
@@ -102,7 +103,9 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
                 logger=self.logger,
                 mongod_options=self.mongod_options,
             )
-            add_extensions_signature_pub_key_path(self.mongod_options)
+            add_extensions_signature_pub_key_path(
+                skip_extensions_signature_verification, self.config, self.mongod_options
+            )
 
         # Automatically download and configure mongot-extension if needed.
         if "mongot-extension" in self.mongod_options.get("loadExtensions", ""):

buildscripts/resmokelib/testing/fixtures/shardedcluster.py

@@ -52,6 +52,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
         random_migrations=False,
         launch_mongot=False,
         load_all_extensions=False,
+        skip_extensions_signature_verification=False,
         set_cluster_parameter=None,
         inject_catalog_metadata=None,
         shard_replset_name_prefix="shard-rs",
@@ -87,8 +88,10 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
                 mongos_options=self.mongos_options,
             )
             add_extensions_signature_pub_key_path(
-                mongod_options=self.mongod_options,
-                mongos_options=self.mongos_options,
+                skip_extensions_signature_verification,
+                self.config,
+                self.mongod_options,
+                self.mongos_options,
             )
 
         # Automatically download and configure mongot-extension if needed.

buildscripts/resmokelib/testing/fixtures/standalone.py

@@ -40,6 +40,7 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
         port: Optional[int] = None,
         launch_mongot: bool = False,
         load_all_extensions: bool = False,
+        skip_extensions_signature_verification=False,
         use_priority_port: bool = False,
     ):
         """Initialize MongoDFixture with different options for the mongod process.
@@ -73,7 +74,9 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
                 logger=self.logger,
                 mongod_options=self.mongod_options,
             )
-            add_extensions_signature_pub_key_path(self.mongod_options)
+            add_extensions_signature_pub_key_path(
+                skip_extensions_signature_verification, self.config, self.mongod_options
+            )
 
         # Automatically download and configure mongot-extension if needed.
         if "mongot-extension" in self.mongod_options.get("loadExtensions", ""):