diff --git a/buildscripts/resmokelib/config.py b/buildscripts/resmokelib/config.py
index c223bf3cdfc..693c2ac8266 100644
--- a/buildscripts/resmokelib/config.py
+++ b/buildscripts/resmokelib/config.py
@@ -217,6 +217,8 @@ DEFAULTS = {
 "load_all_extensions": False,
 # Avoids running hooks as part of the suite.
 "no_hooks": False,
+ # Avoids performing signature verification on test extensions at load time.
+ "skip_extensions_signature_verification": False,
 }
 _SuiteOptions = collections.namedtuple(
@@ -869,3 +871,6 @@ NO_HOOKS = False
 # Whether ASAN (AddressSanitizer) is enabled, determined by the presence of ASAN_OPTIONS.
 IS_ASAN = bool(os.environ.get("ASAN_OPTIONS"))
+
+# Skips signature verification for extensions loaded into the server. This option has no effect on release builds.
+SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = False
diff --git a/buildscripts/resmokelib/configure_resmoke.py b/buildscripts/resmokelib/configure_resmoke.py
index 89eb84b823e..1905229a959 100644
--- a/buildscripts/resmokelib/configure_resmoke.py
+++ b/buildscripts/resmokelib/configure_resmoke.py
@@ -248,6 +248,9 @@ def _validate_config(parser: argparse.ArgumentParser):
 if not sys.platform.startswith("linux") and _config.LOAD_ALL_EXTENSIONS:
 parser.error("--loadAllExtensions is only supported on Linux")
+ if not sys.platform.startswith("linux") and _config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION:
+ parser.error("--skipExtensionsSignatureVerification is only supported on Linux")
+
 # Ranges through param specs and checks that they are valid parameter declarations.
 for param_type in config_fuzzer_params:
 _validate_params_spec(parser, config_fuzzer_params[param_type])
@@ -828,6 +831,9 @@ flags in common: {common_set}
 _config.SANITY_CHECK = config.pop("sanity_check")
 _config.PAUSE_AFTER_POPULATE = config.pop("pause_after_populate")
 _config.LOAD_ALL_EXTENSIONS = config.pop("load_all_extensions")
+ _config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = config.pop(
+ "skip_extensions_signature_verification"
+ )
 _config.NO_HOOKS = config.pop("no_hooks")
 _config.HANG_ANALYZER_HOOK_TIMEOUT = config.pop("hang_analyzer_hook_timeout")
diff --git a/buildscripts/resmokelib/extensions/add_extensions_signature_pub_key_path.py b/buildscripts/resmokelib/extensions/add_extensions_signature_pub_key_path.py
index 7aa2f8b66b3..9b4aedd7e52 100644
--- a/buildscripts/resmokelib/extensions/add_extensions_signature_pub_key_path.py
+++ b/buildscripts/resmokelib/extensions/add_extensions_signature_pub_key_path.py
@@ -7,9 +7,16 @@ from buildscripts.resmokelib.extensions.constants import (
 def add_extensions_signature_pub_key_path(
+ skip_extensions_signature_verification,
+ config,
 mongod_options: Dict,
 mongos_options: Optional[Dict] = None,
 ):
+ # We omit providing the extension signature public key path parameter if we intend to skip signature verification.
+ # This signals to the server in insecure mode to skip validating extension signatures at load time.
+ if skip_extensions_signature_verification or config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION:
+ return
+
 EXTENSIONS_SIGNATURE_PUB_KEY_PATH_PARAM = "extensionsSignaturePublicKeyPath"
 mongod_options[EXTENSIONS_SIGNATURE_PUB_KEY_PATH_PARAM] = TEST_PUBLIC_KEY_PATH
diff --git a/buildscripts/resmokelib/run/__init__.py b/buildscripts/resmokelib/run/__init__.py
index 570f34ab51b..4401aec4d6b 100644
--- a/buildscripts/resmokelib/run/__init__.py
+++ b/buildscripts/resmokelib/run/__init__.py
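Review bot: In add_extensions_signature_pub_key_path.py the new early return makes the absence of `extensionsSignaturePublicKeyPath` the only signal that verification is off, and the skip path neither records that choice nor clears a key path that may already be present in `mongod_options` or `mongos_options`. If a suite supplies that option itself, the flag would presumably have no effect; `mongod_options.pop("extensionsSignaturePublicKeyPath", None)` before the `return` would make the skip explicit. The function also has no docstring and the two new parameters are untyped next to `mongod_options: Dict`; a one-line docstring stating that the test public key path is set unless the fixture kwarg or the resmoke config asks to skip verification, plus `skip_extensions_signature_verification: bool`, would document the contract. The function body continues outside the hunk, so the mongos branch cannot be checked from here.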
@@ -2135,6 +2135,13 @@ class RunPlugin(PluginInterface):
 help="Loads all available test extensions in the server upon startup.",
 )
+ mongodb_server_options.add_argument(
+ "--skipExtensionsSignatureVerification",
+ dest="skip_extensions_signature_verification",
+ action="store_true",
+ help="Skips extensions signature verification at load time during server startup.",
+ )
+
 internal_options = parser.add_argument_group(
 title=_INTERNAL_OPTIONS_TITLE,
 description=(
diff --git a/buildscripts/resmokelib/testing/fixtures/fixturelib.py b/buildscripts/resmokelib/testing/fixtures/fixturelib.py
index f8b1171adda..fa8bbb916e6 100644
--- a/buildscripts/resmokelib/testing/fixtures/fixturelib.py
+++ b/buildscripts/resmokelib/testing/fixtures/fixturelib.py
@@ -191,3 +191,4 @@ class _FixtureConfig(object):
 self.NOOP_MONGO_D_S_PROCESSES = config.NOOP_MONGO_D_S_PROCESSES
 self.CONFIG_FUZZER_ENCRYPTION_OPTS = config.CONFIG_FUZZER_ENCRYPTION_OPTS
 self.LOAD_ALL_EXTENSIONS = config.LOAD_ALL_EXTENSIONS
+ self.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION = config.SKIP_EXTENSIONS_SIGNATURE_VERIFICATION
diff --git a/buildscripts/resmokelib/testing/fixtures/replicaset.py b/buildscripts/resmokelib/testing/fixtures/replicaset.py
index 8cfb23a7632..893d9f8a1d5 100644
--- a/buildscripts/resmokelib/testing/fixtures/replicaset.py
+++ b/buildscripts/resmokelib/testing/fixtures/replicaset.py
@@ -80,6 +80,7 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
 hide_initial_sync_node_from_conn_string=False,
 launch_mongot=False,
 load_all_extensions=False,
+ skip_extensions_signature_verification=False,
 router_endpoint_for_mongot: Optional[int] = None,
 disagg_base_config=None,
 use_priority_ports=False,
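Review bot: The help text for `--skipExtensionsSignatureVerification` in run/__init__.py leaves out the two limits stated elsewhere in this change: `_validate_config` rejects the flag on anything but Linux, and the comment in config.py says it has no effect on release builds. A user reading `--help` cannot learn either, so I would word it as `help="Skips signature verification of test extensions at server startup. Linux only; has no effect on release builds."`. The enclosing method starts and ends outside the hunk.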
@@ -102,7 +103,9 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
 logger=self.logger,
 mongod_options=self.mongod_options,
 )
- add_extensions_signature_pub_key_path(self.mongod_options)
+ add_extensions_signature_pub_key_path(
+ skip_extensions_signature_verification, self.config, self.mongod_options
+ )
 # Automatically download and configure mongot-extension if needed.
 if "mongot-extension" in self.mongod_options.get("loadExtensions", ""):
diff --git a/buildscripts/resmokelib/testing/fixtures/shardedcluster.py b/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
index dc83d0f3d22..1622e56a87e 100644
--- a/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
+++ b/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
@@ -52,6 +52,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
 random_migrations=False,
 launch_mongot=False,
 load_all_extensions=False,
+ skip_extensions_signature_verification=False,
 set_cluster_parameter=None,
 inject_catalog_metadata=None,
 shard_replset_name_prefix="shard-rs",
@@ -87,8 +88,10 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
 mongos_options=self.mongos_options,
 )
 add_extensions_signature_pub_key_path(
- mongod_options=self.mongod_options,
- mongos_options=self.mongos_options,
+ skip_extensions_signature_verification,
+ self.config,
+ self.mongod_options,
+ self.mongos_options,
 )
 # Automatically download and configure mongot-extension if needed.
 diff --git a/buildscripts/resmokelib/testing/fixtures/standalone.py b/buildscripts/resmokelib/testing/fixtures/standalone.py
index 28d972887ce..c2069fa492d 100644
--- a/buildscripts/resmokelib/testing/fixtures/standalone.py
+++ b/buildscripts/resmokelib/testing/fixtures/standalone.py
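Review bot: In replicaset.py the hunk shows the `skip_extensions_signature_verification` kwarg used only for this one call, so it may never reach the member fixtures. MongoDFixture makes its own `add_extensions_signature_pub_key_path` call with its own kwarg defaulting to `False`; if members are created without forwarding the value, that call would presumably add `extensionsSignaturePublicKeyPath` back unless the global config flag is also set. The member construction is outside the hunk, so this needs confirming; if it holds, keep the value with `self.skip_extensions_signature_verification = skip_extensions_signature_verification` and pass it on when building nodes. The same question applies to the ShardedClusterFixture call in shardedcluster.py, whose shards and mongos are also created outside the visible lines.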
@@ -40,6 +40,7 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
 port: Optional[int] = None,
 launch_mongot: bool = False,
 load_all_extensions: bool = False,
+ skip_extensions_signature_verification=False,
 use_priority_port: bool = False,
 ):
 """Initialize MongoDFixture with different options for the mongod process.
@@ -73,7 +74,9 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
 logger=self.logger,
 mongod_options=self.mongod_options,
 )
- add_extensions_signature_pub_key_path(self.mongod_options)
+ add_extensions_signature_pub_key_path(
+ skip_extensions_signature_verification, self.config, self.mongod_options
+ )
 # Automatically download and configure mongot-extension if needed.
 if "mongot-extension" in self.mongod_options.get("loadExtensions", ""):
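Review bot: The new `skip_extensions_signature_verification=False` parameter of `MongoDFixture.__init__` in standalone.py is the only one in the visible part of the signature without a type annotation. Writing it as `skip_extensions_signature_verification: bool = False` would match `launch_mongot: bool = False` and `load_all_extensions: bool = False` beside it. The docstring opens right after the signature and continues outside the hunk; if it lists the arguments, it should gain a line saying this flag leaves the extension signature public key path out of the mongod options.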