SERVER-115281: Add build infrastructure to create MONGO_CONFIG_EXT_SIG_SECURE macro (#45420)

GitOrigin-RevId: aad7e28db6a27bfcbb157d5638cab9e4d2639e6e

.bazelrc

@@ -184,6 +184,7 @@ common --flag_alias=build_atlas=//bazel/config:build_atlas
 common --flag_alias=dtlto=//bazel/config:dtlto
 common --flag_alias=all_headers=//bazel/config:all_headers
 common --flag_alias=evg=//bazel/config:evg
+common --flag_alias=extensions_signature_verification_secure=//bazel/config:extensions_signature_verification_secure
 
 #############################################################################################################################
 # BUILD 'PROFILES' - this is the area to set up configurations of flags to be used by developers.
@@ -561,6 +562,7 @@ common:public-release --remote_cache_compression=false
 common:public-release --grpc_keepalive_time=0s
 common:public-release --legacy_important_outputs
 common:public-release --//bazel/config:release=True
+common:public-release --//bazel/config:extensions_signature_verification_secure=True
 
 --config=fission
 common:fission --fission=yes

bazel/config/BUILD.bazel

@@ -25,6 +25,7 @@ load(
     "dtlto",
     "dwarf_version",
     "evg",
+    "extensions_signature_verification_secure",
     "fsan",
     "gcov",
     "http_client",
@@ -2490,6 +2491,53 @@ selects.config_setting_group(
     ],
 )
 
+# --------------------------------------
+# extensions_signature_verification_secure options
+# --------------------------------------
+extensions_signature_verification_secure(
+    name = "extensions_signature_verification_secure",
+    # False by default to build the server locally with testing and bypass verification options.
+    # This flag does not affect if the server is built in secure mode when in release mode.
+    build_setting_default = False,
+)
+
+# These config settings are used to determined if the MONGO_CONFIG_EXT_SIG_SECURE pre-processor
+# macro is defined, to guard that no insecure extensions signature verification logic is compiled
+# into the server when it should not be.
+#
+# However, regardless of the value of the 'extensions_signature_verification_secure' flag,
+# the macro needs to always be defined in release mode, to ensure that insecure logic is never
+# compiled into the server in release mode.
+#
+# So, all these defined config setting are combinations of flag values of
+# 'extensions_signature_verification_secure' and 'release' where MONGO_CONFIG_EXT_SIG_SECURE
+# should be defined; or combinations where "release || extensions_signature_verification_secure"
+# evaluates to true.
+
+config_setting(
+    name = "extensions_signature_verification_secure_enabled_release",
+    flag_values = {
+        "//bazel/config:extensions_signature_verification_secure": "True",
+        "//bazel/config:release": "True",
+    },
+)
+
+config_setting(
+    name = "extensions_signature_verification_secure_disabled_release",
+    flag_values = {
+        "//bazel/config:extensions_signature_verification_secure": "False",
+        "//bazel/config:release": "True",
+    },
+)
+
+config_setting(
+    name = "extensions_signature_verification_secure_enabled_no_release",
+    flag_values = {
+        "//bazel/config:extensions_signature_verification_secure": "True",
+        "//bazel/config:release": "False",
+    },
+)
+
 # --------------------------------------
 # symbol reordering options
 # --------------------------------------

bazel/config/configs.bzl

@@ -830,3 +830,16 @@ coverage = rule(
     implementation = lambda ctx: coverage_provider(enabled = ctx.build_setting_value),
     build_setting = config.bool(flag = True),
 )
+
+# =========
+# extensions_signature_verification_secure
+# =========
+extensions_signature_verification_secure_provider = provider(
+    doc = "Builds the server in a secure-only mode for verifying extension signatures (no test keys or bypass allowed)",
+    fields = ["enabled"],
+)
+
+extensions_signature_verification_secure = rule(
+    implementation = lambda ctx: extensions_signature_verification_secure_provider(enabled = ctx.build_setting_value),
+    build_setting = config.bool(flag = True),
+)

src/mongo/BUILD.bazel

@@ -96,6 +96,21 @@ generate_config_header(
             "MONGO_CONFIG_ANTITHESIS": "1",
         },
         "//conditions:default": {},
+    }) | select({
+        # Standard / expected case for release.
+        "//bazel/config:extensions_signature_verification_secure_enabled_release": {
+            "MONGO_CONFIG_EXT_SIG_SECURE": "1",
+        },
+        # This case ensures that the macro is always defined in release mode,
+        # even if somehow 'extensions_signature_verification_secure' is false.
+        "//bazel/config:extensions_signature_verification_secure_disabled_release": {
+            "MONGO_CONFIG_EXT_SIG_SECURE": "1",
+        },
+        # This case is for compiling the server locally (not for release), but still in secure mode.
+        "//bazel/config:extensions_signature_verification_secure_enabled_no_release": {
+            "MONGO_CONFIG_EXT_SIG_SECURE": "1",
+        },
+        "//conditions:default": {},
     }),
     logfile = "mongo_config.log",
     output = "config.h",

src/mongo/config.h.in

@@ -138,4 +138,7 @@
 // Defined if the build is for antithesis
 @mongo_config_antithesis@
 
+// Defined if the build is in extensions signature verification secure mode
+@mongo_config_extensions_signature_verification_secure@
+
     // clang-format on

src/mongo/mongo_config_header.py

@@ -435,6 +435,7 @@ def get_config_header_substs():
         ("@mongo_config_disagg_storage@", "MONGO_CONFIG_DISAGG_STORAGE"),
         ("@mongo_config_dev_stacktrace@", "MONGO_CONFIG_DEV_STACKTRACE"),
         ("@mongo_config_antithesis@", "MONGO_CONFIG_ANTITHESIS"),
+        ("@mongo_config_extensions_signature_verification_secure@", "MONGO_CONFIG_EXT_SIG_SECURE"),
     )
     return config_header_substs