From f31a55b83da73d30aa344305af93a3a317c31115 Mon Sep 17 00:00:00 2001
From: Adam Rayner
Date: Wed, 13 Mar 2024 18:27:22 +0000
Subject: [PATCH] SERVER-90184 Only load included SASL plugins on Windows

GitOrigin-RevId: a6c0787658de3b23a00da7750c660f79c6cd8d1b
---
 .../suites/sasl_windows_cyrussasl.yml | 11 +++++++++
 etc/evergreen_yml_components/definitions.yml | 6 +++++
 .../clusters_and_integrations/tasks.yml | 14 +++++++++++
 .../windows/test_dev_master_branch_only.yml | 2 +-
 .../variants/windows/test_release.yml | 1 +
 evergreen/sasl_windows_cyrussasl_setup.sh | 18 +++++++++++++++
 evergreen/sasl_windows_cyrussasl_teardown.sh | 18 +++++++++++++++
 .../client/cyrus_sasl_client_session.cpp | 23 +++++++++++++++++++
 8 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml
 create mode 100644 evergreen/sasl_windows_cyrussasl_setup.sh
 create mode 100644 evergreen/sasl_windows_cyrussasl_teardown.sh
diff --git a/buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml b/buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml
new file mode 100644
index 00000000000..0c1cf6fc6ce
--- /dev/null
+++ b/buildscripts/resmokeconfig/suites/sasl_windows_cyrussasl.yml
@@ -0,0 +1,11 @@
+test_kind: js_test
+
+selector:
+ roots:
+ - src/mongo/db/modules/*/jstests/sasl/sasl_plugins.js
+
+# sasl tests start their own mongod's.
+executor:
+ config:
+ shell_options:
+ nodb: ""
diff --git a/etc/evergreen_yml_components/definitions.yml b/etc/evergreen_yml_components/definitions.yml
index 860f2b45788..bc668bd71cf 100644
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
@@ -2559,6 +2559,12 @@ functions:
 args:
 - "./src/evergreen/external_auth_oidc_teardown.sh"
 
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - "./src/evergreen/sasl_windows_cyrussasl_teardown.sh"
+
 "do scons setup":
 - command: manifest.load
 - *f_expansions_write
diff --git a/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml b/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml
index 8a072b60045..47faf58af77 100644
--- a/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml
+++ b/etc/evergreen_yml_components/tasks/resmoke/server_divisions/clusters_and_integrations/tasks.yml
@@ -1447,6 +1447,20 @@ tasks:
 - func: "do setup"
 - func: "run tests"
 
+ - <<: *task_template
+ name: sasl_windows_cyrussasl
+ tags: ["assigned_to_jira_team_server_security", "sasl", "experimental"]
+ commands:
+ - func: "f_expansions_write"
+ - func: "do setup"
+ - func: "f_expansions_write"
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - "src/evergreen/sasl_windows_cyrussasl_setup.sh"
+ - func: "run tests"
+
 - <<: *gen_task_template
 name: sharding_auth_audit_gen
 tags:
diff --git a/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml b/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml
index 5c041a177ed..29e7721d1ab 100644
--- a/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml
+++ b/etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml
@@ -181,4 +181,4 @@ buildvariants:
 - name: .encrypt .patch_build
 - name: .sasl .patch_build
 - name: external_auth_aws
- - name: external_auth_oidc
+ - name: sasl_windows_cyrussasl
diff --git a/etc/evergreen_yml_components/variants/windows/test_release.yml b/etc/evergreen_yml_components/variants/windows/test_release.yml
index dabb2866392..3821f050358 100644
--- a/etc/evergreen_yml_components/variants/windows/test_release.yml
+++ b/etc/evergreen_yml_components/variants/windows/test_release.yml
@@ -117,3 +117,4 @@ buildvariants:
 - name: external_auth_windows
 distros:
 - windows-2016-dc
+ - name: sasl_windows_cyrussasl
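Review bot: In etc/evergreen_yml_components/variants/windows/test_dev_master_branch_only.yml the `external_auth_oidc` entry is replaced by `sasl_windows_cyrussasl` instead of being kept next to it, and the commit subject says nothing about dropping it. If that is not deliberate, the OIDC external-auth task no longer runs on this Windows variant; the hunk should keep `- name: external_auth_oidc` and add `- name: sasl_windows_cyrussasl` on the following line. The diffstat entry for this file (`2 +-`) agrees with one line removed and one added, so this is not a rendering artefact.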
diff --git a/evergreen/sasl_windows_cyrussasl_setup.sh b/evergreen/sasl_windows_cyrussasl_setup.sh
new file mode 100644
index 00000000000..149bb563325
--- /dev/null
+++ b/evergreen/sasl_windows_cyrussasl_setup.sh
@@ -0,0 +1,18 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+readonly k_cyrussasl_plugin_filename="cyrus_sasl_windows_test_plugin.dll"
+readonly k_cyrussasl_plugin_dir="/cygdrive/c/CMU/bin/sasl2"
+
+plugin_path="$(find . -name "*${k_cyrussasl_plugin_filename}")"
+
+if [[ -z "$plugin_path" ]]; then
+ echo >&2 "Could not find ${k_cyrussasl_plugin_filename} from path '$(pwd)' !"
+ exit 1
+fi
+
+echo "Configuring CyrusSASL plugin .dll from '$plugin_path'"
+
+mkdir -p "$k_cyrussasl_plugin_dir"
+
+cp "$plugin_path" "$k_cyrussasl_plugin_dir"
diff --git a/evergreen/sasl_windows_cyrussasl_teardown.sh b/evergreen/sasl_windows_cyrussasl_teardown.sh
new file mode 100644
index 00000000000..60e65055643
--- /dev/null
+++ b/evergreen/sasl_windows_cyrussasl_teardown.sh
@@ -0,0 +1,18 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+if [ "${task_name}" != "sasl_windows_cyrussasl" ]; then
+ exit 0
+fi
+
+echo "Cleaning up Windows CyrusSASL Test Artifacts"
+
+readonly k_cyrussasl_default_dir_root="/cygdrive/c/CMU"
+
+if [[ ! -d "$k_cyrussasl_default_dir_root" ]]; then
+ echo "Could not find $k_cyrussasl_default_dir_root to cleanup..."
+ exit 0
+fi
+
+rm -rf "$k_cyrussasl_default_dir_root"
+echo "Deleted $k_cyrussasl_default_dir_root from host"
diff --git a/src/mongo/client/cyrus_sasl_client_session.cpp b/src/mongo/client/cyrus_sasl_client_session.cpp
index 6345eb9a9a5..e3400ffc69c 100644
--- a/src/mongo/client/cyrus_sasl_client_session.cpp
+++ b/src/mongo/client/cyrus_sasl_client_session.cpp
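Review bot: In evergreen/sasl_windows_cyrussasl_setup.sh the `find . -name "*${k_cyrussasl_plugin_filename}"` lookup can return several paths, in which case `plugin_path` holds a newline-separated list and the later `cp "$plugin_path" ...` fails; the leading `*` also accepts any file whose name merely ends in the expected one. Because the result is copied into the machine-wide directory `/cygdrive/c/CMU/bin/sasl2`, match the exact name and take a single result, e.g. `plugin_path="$(find . -type f -name "${k_cyrussasl_plugin_filename}" -print -quit)"`. Whether `prelude.sh` turns on `errexit` is not visible here, so `mkdir -p ... || exit 1` and `cp ... || exit 1` would make a failed install stop the task instead of letting the tests run without the plugin in place.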
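Review bot: In evergreen/sasl_windows_cyrussasl_teardown.sh, `rm -rf "$k_cyrussasl_default_dir_root"` deletes all of `/cygdrive/c/CMU`, while the setup script only creates `bin/sasl2` beneath it and copies one DLL there. On a host image that already has content under that root (not determinable from this patch) the teardown would remove it as well; deleting only what the task placed is narrower, e.g. `rm -f "/cygdrive/c/CMU/bin/sasl2/cyrus_sasl_windows_test_plugin.dll"` followed by `rmdir` of the directories when they are empty. If the task is meant to own the whole tree, a comment saying so above the `rm -rf` would record that decision.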
@@ -123,6 +123,28 @@ int saslClientLogSwallow(void* context, int priority, const char* message) noexc
 return SASL_OK; // do nothing
 }
 
+/**
+ * Implements the Cyrus SASL default_verifyfile_cb interface registered in the
+ * Cyrus SASL library to verify, and then accept or reject, the loading of
+ * plugin libraries from the target directory.
+ *
+ * On Windows environments, disable loading of plugin files.
+ */
+int saslClientVerifyPluginFile(void*, const char*, sasl_verify_type_t type) {
+
+ if (type != SASL_VRFY_PLUGIN) {
+ return SASL_OK;
+ }
+
+#ifdef _WIN32
+ return SASL_CONTINUE; // A non-SASL_OK response indicates to Cyrus SASL that it
+ // should not load a file. This effectively disables
+ // loading plugins from path on Windows.
+#else
+ return SASL_OK;
+#endif
+}
+
 /**
 * Initializes the client half of the SASL library, but is effectively a no-op if the client
 * application has already done it.
@@ -139,6 +161,7 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(CyrusSaslClientContext,
 (InitializerContext* context) {
 static sasl_callback_t saslClientGlobalCallbacks[] = {
 {SASL_CB_LOG, SaslCallbackFn(saslClientLogSwallow), nullptr /* context */},
+ {SASL_CB_VERIFYFILE, SaslCallbackFn(saslClientVerifyPluginFile), nullptr /*context*/},
 {SASL_CB_LIST_END}};
 
 // If the client application has previously called sasl_client_init(), the callbacks passed
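Review bot: The early return in `saslClientVerifyPluginFile` hands back `SASL_OK` for every type other than `SASL_VRFY_PLUGIN`, so on Windows `SASL_VRFY_CONF` and the remaining `sasl_verify_type_t` values are still accepted for files the library finds on its default search paths. Whether the client side ever reads such a file is not determinable from this hunk; if it can, those types should be refused on Windows too, and if it cannot, the doc comment should say so, for example `* Non-plugin file types are still accepted because the client never loads them from the default path.` The callback is also invoked from C code but, unlike `saslClientLogSwallow` (whose signature in the hunk header ends in a truncated `noexc`), it is not marked `noexcept`; `int saslClientVerifyPluginFile(void*, const char*, sasl_verify_type_t type) noexcept {` would match its sibling.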
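Review bot: The `SASL_CB_VERIFYFILE` entry added to `saslClientGlobalCallbacks` only protects the process when this initializer is the first caller of `sasl_client_init()`; the trailing context comment appears to say that the callbacks passed here are not used when the client application initialized the library earlier (the sentence continues outside the hunk). In that embedding case plugin-file rejection on Windows is left to the host application's own callbacks, which deserves a line in that comment, such as `// This includes SASL_CB_VERIFYFILE: plugin loading on Windows is then not restricted by this file.` Minor style point on the added line: `nullptr /*context*/` differs from the `nullptr /* context */` spelling on the line above it.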