Signing: allow unsigned plugin in dev mode (#24242)

pkg/plugins/plugins.go

@@ -282,9 +282,12 @@ func (scanner *PluginScanner) loadPlugin(pluginJsonFilePath string) error {
 	pluginCommon.PluginDir = filepath.Dir(pluginJsonFilePath)
 	pluginCommon.PluginDir = filepath.Dir(pluginJsonFilePath)
 
 
 	// For the time being, we choose to only require back-end plugins to be signed
 	// For the time being, we choose to only require back-end plugins to be signed
+	// NOTE: the state is calculated again for when setting metadata on the object
 	if pluginCommon.Backend && scanner.requireSigned {
 	if pluginCommon.Backend && scanner.requireSigned {
-		scanner.log.Debug("Plugin signature required, validating", "pluginID", pluginCommon.Id,
-			"pluginDir", pluginCommon.PluginDir)
+		sig := GetPluginSignatureState(&pluginCommon)
+		if sig != PluginSignatureValid {
+			scanner.log.Debug("Invalid Plugin Signature", "pluginID", pluginCommon.Id, "pluginDir", pluginCommon.PluginDir, "state", sig)
+			if sig == PluginSignatureUnsigned {
 				allowUnsigned := false
 				allowUnsigned := false
 				for _, plug := range scanner.cfg.PluginsAllowUnsigned {
 				for _, plug := range scanner.cfg.PluginsAllowUnsigned {
 					if plug == pluginCommon.Id {
 					if plug == pluginCommon.Id {
@@ -292,10 +295,12 @@ func (scanner *PluginScanner) loadPlugin(pluginJsonFilePath string) error {
 						break
 						break
 					}
 					}
 				}
 				}
-		if sig := GetPluginSignatureState(&pluginCommon); sig != PluginSignatureValid && !allowUnsigned {
-			switch sig {
-			case PluginSignatureUnsigned:
+				if setting.Env != setting.DEV && !allowUnsigned {
 					return fmt.Errorf("plugin %q is unsigned", pluginCommon.Id)
 					return fmt.Errorf("plugin %q is unsigned", pluginCommon.Id)
+				}
+				scanner.log.Warn("Running an unsigned backend plugin", "pluginID", pluginCommon.Id, "pluginDir", pluginCommon.PluginDir)
+			} else {
+				switch sig {
 				case PluginSignatureInvalid:
 				case PluginSignatureInvalid:
 					return fmt.Errorf("plugin %q has an invalid signature", pluginCommon.Id)
 					return fmt.Errorf("plugin %q has an invalid signature", pluginCommon.Id)
 				case PluginSignatureModified:
 				case PluginSignatureModified:
@@ -305,6 +310,7 @@ func (scanner *PluginScanner) loadPlugin(pluginJsonFilePath string) error {
 				}
 				}
 			}
 			}
 		}
 		}
+	}
 
 
 	pluginGoType, exists := PluginTypes[pluginCommon.Type]
 	pluginGoType, exists := PluginTypes[pluginCommon.Type]
 	if !exists {
 	if !exists {

pkg/plugins/plugins_test.go

@@ -18,15 +18,18 @@ import (
 func TestPluginManager_Init(t *testing.T) {
 func TestPluginManager_Init(t *testing.T) {
 	origRootPath := setting.StaticRootPath
 	origRootPath := setting.StaticRootPath
 	origRaw := setting.Raw
 	origRaw := setting.Raw
+	origEnv := setting.Env
 	t.Cleanup(func() {
 	t.Cleanup(func() {
 		setting.StaticRootPath = origRootPath
 		setting.StaticRootPath = origRootPath
 		setting.Raw = origRaw
 		setting.Raw = origRaw
+		setting.Env = origEnv
 	})
 	})
 
 
 	var err error
 	var err error
 	setting.StaticRootPath, err = filepath.Abs("../../public/")
 	setting.StaticRootPath, err = filepath.Abs("../../public/")
 	require.NoError(t, err)
 	require.NoError(t, err)
 	setting.Raw = ini.Empty()
 	setting.Raw = ini.Empty()
+	setting.Env = setting.PROD
 
 
 	t.Run("Base case", func(t *testing.T) {
 	t.Run("Base case", func(t *testing.T) {
 		pm := &PluginManager{
 		pm := &PluginManager{