Plugins: allow override when allowing unsigned plugins (#28901)

* Plugins: allow override when allowing unsigned plugins

* Update pkg/plugins/plugins.go

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Plugins: removed java-style setter

* Plugins: cleanup

* Update pkg/plugins/plugins.go

Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>

pkg/plugins/plugins.go

@@ -40,6 +40,8 @@ var (
 	pluginScanningErrors map[string]*PluginError
 )
 
+type unsignedPluginConditionFunc = func(plugin *PluginBase) bool
+
 type PluginScanner struct {
 	pluginPath                    string
 	errors                        []error
@@ -48,6 +50,7 @@ type PluginScanner struct {
 	requireSigned                 bool
 	log                           log.Logger
 	plugins                       map[string]*PluginBase
+	allowUnsignedPluginsCondition unsignedPluginConditionFunc
 }
 
 type PluginManager struct {
@@ -55,6 +58,10 @@ type PluginManager struct {
 	Cfg                  *setting.Cfg          `inject:""`
 	log                  log.Logger
 	scanningErrors       []error
+
+	// AllowUnsignedPluginsCondition changes the policy for allowing unsigned plugins. Signature validation only runs when plugins are starting
+	// and running plugins will not be terminated if they violate the new policy.
+	AllowUnsignedPluginsCondition unsignedPluginConditionFunc
 }
 
 func init() {
@@ -193,6 +200,7 @@ func (pm *PluginManager) scan(pluginDir string, requireSigned bool) error {
 		requireSigned:                 requireSigned,
 		log:                           pm.log,
 		plugins:                       map[string]*PluginBase{},
+		allowUnsignedPluginsCondition: pm.AllowUnsignedPluginsCondition,
 	}
 
 	// 1st pass: Scan plugins, also mapping plugins to their respective directories
@@ -405,21 +413,13 @@ func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
 
 	switch plugin.Signature {
 	case PluginSignatureUnsigned:
-		allowUnsigned := false
-		for _, plug := range s.cfg.PluginsAllowUnsigned {
-			if plug == plugin.Id {
-				allowUnsigned = true
-				break
-			}
-		}
-		if setting.Env != setting.Dev && !allowUnsigned {
+		if allowed := s.allowUnsigned(plugin); !allowed {
 			s.log.Debug("Plugin is unsigned", "id", plugin.Id)
 			s.errors = append(s.errors, fmt.Errorf("plugin %q is unsigned", plugin.Id))
 			return &PluginError{
 				ErrorCode: signatureMissing,
 			}
 		}
-
 		s.log.Warn("Running an unsigned backend plugin", "pluginID", plugin.Id, "pluginDir",
 			plugin.PluginDir)
 		return nil
@@ -440,6 +440,24 @@ func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
 	}
 }
 
+func (s *PluginScanner) allowUnsigned(plugin *PluginBase) bool {
+	if s.allowUnsignedPluginsCondition != nil {
+		return s.allowUnsignedPluginsCondition(plugin)
+	}
+
+	if setting.Env == setting.Dev {
+		return true
+	}
+
+	for _, plug := range s.cfg.PluginsAllowUnsigned {
+		if plug == plugin.Id {
+			return true
+		}
+	}
+
+	return false
+}
+
 func ScanningErrors() []PluginError {
 	scanningErrs := make([]PluginError, 0)
 	for id, e := range pluginScanningErrors {