SERVER-90184 Only load included SASL plugins on Windows

GitOrigin-RevId: a6c0787658de3b23a00da7750c660f79c6cd8d1b
2024-11-21 12:39:08 +01:00 · 2024-03-13 18:27:22 +00:00 · 2024-03-13 18:27:22 +00:00 · f31a55b83d
commit f31a55b83d
parent 153e4272d2
8 changed files with 92 additions and 1 deletions
--- a/buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml
+++ b/buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml
@ -0,0 +1,11 @@
+test_kind: js_test
+
+selector:
+  roots:
+    - src/mongo/db/modules/*/jstests/sasl/sasl_plugins.js
+
+# sasl tests start their own mongod's.
+executor:
+  config:
+    shell_options:
+      nodb: ""
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
@ -2559,6 +2559,12 @@ functions:
        args:
          - "./src/evergreen/external_auth_oidc_teardown.sh"

+    - command: subprocess.exec
+      params:
+        binary: bash
+        args:
+          - "./src/evergreen/sasl_windows_cyrussasl_teardown.sh"
+
  "do scons setup":
    - command: manifest.load
    - *f_expansions_write
--- a/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml
+++ b/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml
@ -1447,6 +1447,20 @@ tasks:
      - func: "do setup"
      - func: "run tests"

+  - <<: *task_template
+    name: sasl_windows_cyrussasl
+    tags: ["assigned_to_jira_team_server_security", "sasl", "experimental"]
+    commands:
+      - func: "f_expansions_write"
+      - func: "do setup"
+      - func: "f_expansions_write"
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - "src/evergreen/sasl_windows_cyrussasl_setup.sh"
+      - func: "run tests"
+
  - <<: *gen_task_template
    name: sharding_auth_audit_gen
    tags:
--- a/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml
+++ b/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml
@ -181,4 +181,4 @@ buildvariants:
      - name: .encrypt .patch_build
      - name: .sasl .patch_build
      - name: external_auth_aws
-      - name: external_auth_oidc
+      - name: sasl_windows_cyrussasl
--- a/etc/evergreen_yml_components/variants/windows/test_release.yml
+++ b/etc/evergreen_yml_components/variants/windows/test_release.yml
@ -117,3 +117,4 @@ buildvariants:
      - name: external_auth_windows
        distros:
          - windows-2016-dc
+      - name: sasl_windows_cyrussasl
--- a/evergreen/sasl_windows_cyrussasl_setup.sh
+++ b/evergreen/sasl_windows_cyrussasl_setup.sh
@ -0,0 +1,18 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+readonly k_cyrussasl_plugin_filename="cyrus_sasl_windows_test_plugin.dll"
+readonly k_cyrussasl_plugin_dir="/cygdrive/c/CMU/bin/sasl2"
+
+plugin_path="$(find . -name "*${k_cyrussasl_plugin_filename}")"
+
+if [[ -z "$plugin_path" ]]; then
+  echo >&2 "Could not find ${k_cyrussasl_plugin_filename} from path '$(pwd)' !"
+  exit 1
+fi
+
+echo "Configuring CyrusSASL plugin .dll from '$plugin_path'"
+
+mkdir -p "$k_cyrussasl_plugin_dir"
+
+cp "$plugin_path" "$k_cyrussasl_plugin_dir"
--- a/evergreen/sasl_windows_cyrussasl_teardown.sh
+++ b/evergreen/sasl_windows_cyrussasl_teardown.sh
@ -0,0 +1,18 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+if [ "${task_name}" != "sasl_windows_cyrussasl" ]; then
+  exit 0
+fi
+
+echo "Cleaning up Windows CyrusSASL Test Artifacts"
+
+readonly k_cyrussasl_default_dir_root="/cygdrive/c/CMU"
+
+if [[ ! -d "$k_cyrussasl_default_dir_root" ]]; then
+  echo "Could not find $k_cyrussasl_default_dir_root to cleanup..."
+  exit 0
+fi
+
+rm -rf "$k_cyrussasl_default_dir_root"
+echo "Deleted $k_cyrussasl_default_dir_root from host"
--- a/src/mongo/client/cyrus_sasl_client_session.cpp
+++ b/src/mongo/client/cyrus_sasl_client_session.cpp
@ -123,6 +123,28 @@ int saslClientLogSwallow(void* context, int priority, const char* message) noexc
    return SASL_OK;  // do nothing
 }

+/**
+ * Implements the Cyrus SASL default_verifyfile_cb interface registered in the
+ * Cyrus SASL library to verify, and then accept or reject, the loading of
+ * plugin libraries from the target directory.
+ *
+ * On Windows environments, disable loading of plugin files.
+ */
+int saslClientVerifyPluginFile(void*, const char*, sasl_verify_type_t type) {
+
+    if (type != SASL_VRFY_PLUGIN) {
+        return SASL_OK;
+    }
+
+#ifdef _WIN32
+    return SASL_CONTINUE;  // A non-SASL_OK response indicates to Cyrus SASL that it
+                           // should not load a file. This effectively disables
+                           // loading plugins from path on Windows.
+#else
+    return SASL_OK;
+#endif
+}
+
 /**
 * Initializes the client half of the SASL library, but is effectively a no-op if the client
 * application has already done it.
@ -139,6 +161,7 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(CyrusSaslClientContext,
 (InitializerContext* context) {
    static sasl_callback_t saslClientGlobalCallbacks[] = {
        {SASL_CB_LOG, SaslCallbackFn(saslClientLogSwallow), nullptr /* context */},
+        {SASL_CB_VERIFYFILE, SaslCallbackFn(saslClientVerifyPluginFile), nullptr /*context*/},
        {SASL_CB_LIST_END}};

    // If the client application has previously called sasl_client_init(), the callbacks passed