From: Jay S. Bryant Date: Tue, 2 Dec 2014 20:35:06 +0000 (-0600) Subject: Revert "Fix Brocade FC SAN lookup MITM vulnerability" X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=bb7b082c44679f53cd0afc289b624af4d8ea2890;p=openstack-build%2Fcinder-build.git Revert "Fix Brocade FC SAN lookup MITM vulnerability" This reverts commit ab4f57212683baec45d5b682bdd3952ff58249ed. The change is being reverted as it broke the Brocade FC SAN lookup functionality. The change uses configuration options from ssh_utils that are not initialized when the Brocade driver is run causing an exception to be thrown complaining that CONF.ssh_hosts_key_file is used before it is initialized. The right solution is to change the Brocade driver to use ssh_utils to make SSH connections. Conflicts: cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py Change-Id: I7814c3da9c0e6fcf3143969e74304a48cafcb3d1 Closes-bug: 1398488 (cherry-picked from commit 57103807c5e7fad7276f97ac82f8704f17f4b846)
---
diff --git a/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py b/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
index 43aa1e12e..e138d452a 100644
--- a/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
+++ b/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
@@ -42,8 +42,6 @@ _device_map_to_verify = {
 'initiator_port_wwn_list': ['10008c7cff523b01'], 'target_port_wwn_list': ['20240002ac000a50']}}
-CONF = cfg.CONF
-
 class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService, test.TestCase):
@@ -79,14 +77,16 @@ class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
 @mock.patch.object(paramiko.hostkeys.HostKeys, 'load') def test_create_ssh_client(self, load_mock):
- CONF.ssh_hosts_key_file = 'dummy_host_key_file'
- CONF.strict_ssh_host_key_policy = True
- ssh_client = self.create_ssh_client()
+ mock_args = {}
+ mock_args['known_hosts_file'] = 'dummy_host_key_file'
+ mock_args['missing_key_policy'] = paramiko.RejectPolicy()
+ ssh_client = self.create_ssh_client(**mock_args)
 self.assertEqual(ssh_client._host_keys_filename, 'dummy_host_key_file') self.assertTrue(isinstance(ssh_client._policy, paramiko.RejectPolicy))
- CONF.strict_ssh_host_key_policy = False
- ssh_client = self.create_ssh_client()
- self.assertTrue(isinstance(ssh_client._policy, paramiko.AutoAddPolicy))
+ mock_args = {}
+ ssh_client = self.create_ssh_client(**mock_args)
+ self.assertIsNone(ssh_client._host_keys_filename)
+ self.assertTrue(isinstance(ssh_client._policy, paramiko.WarningPolicy))
 @mock.patch.object(brcd_lookup.BrcdFCSanLookupService, 'get_nameserver_info')
diff --git a/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py b/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
index 8c64cb178..b715e5337 100644
--- a/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
+++ b/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
@@ -17,7 +17,6 @@
 #
-from oslo.config import cfg
 import paramiko from cinder import exception
@@ -31,8 +30,6 @@ from cinder.zonemanager.fc_san_lookup_service import FCSanLookupService
 LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
-
 class BrcdFCSanLookupService(FCSanLookupService): """The SAN lookup service that talks to Brocade switches.
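Review bot: The second half of `test_create_ssh_client` (hunk `@@ -79,14 +77,16 @@`) asserts `paramiko.WarningPolicy` as the expected no-argument default, which bakes a warn-and-continue host-key policy into the suite without saying it is a stop-gap. A comment above those assertions such as `# WarningPolicy default is a stop-gap from the revert; tighten when the driver moves to ssh_utils` would stop a later reader treating it as the intended contract. The `assertTrue(isinstance(...))` checks would also give clearer failures as `self.assertIsInstance(ssh_client._policy, paramiko.WarningPolicy)`, and `mock_args` holds plain keyword arguments rather than mocks, so a name like `ssh_kwargs` reads better.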
@@ -49,7 +46,7 @@ class BrcdFCSanLookupService(FCSanLookupService):
 super(BrcdFCSanLookupService, self).__init__(**kwargs) self.configuration = kwargs.get('configuration', None) self.create_configuration()
- self.client = self.create_ssh_client()
+ self.client = self.create_ssh_client(**kwargs)
 def create_configuration(self): """Configuration specific to SAN context values."""
@@ -64,16 +61,16 @@ class BrcdFCSanLookupService(FCSanLookupService):
 self.fabric_configs = fabric_opts.load_fabric_configurations( fabric_names)
- def create_ssh_client(self):
+ def create_ssh_client(self, **kwargs):
 ssh_client = paramiko.SSHClient()
- known_hosts_file = CONF.ssh_hosts_key_file
- if not known_hosts_file:
- raise exception.ParameterNotFound(param='ssh_hosts_key_file')
- ssh_client.load_host_keys(known_hosts_file)
- if CONF.strict_ssh_host_key_policy:
- missing_key_policy = paramiko.RejectPolicy()
+ known_hosts_file = kwargs.get('known_hosts_file', None)
+ if known_hosts_file is None:
+ ssh_client.load_system_host_keys()
 else:
- missing_key_policy = paramiko.AutoAddPolicy()
+ ssh_client.load_host_keys(known_hosts_file)
+ missing_key_policy = kwargs.get('missing_key_policy', None)
+ if missing_key_policy is None:
+ missing_key_policy = paramiko.WarningPolicy()
 ssh_client.set_missing_host_key_policy(missing_key_policy) return ssh_client
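Review bot: In `create_ssh_client` (hunk `@@ -64,16 +61,16 @@`), the fallback `missing_key_policy = paramiko.WarningPolicy()` lets the client connect to a switch whose host key is absent from the loaded known-hosts data and only emits a warning, so an unverified key is no longer a hard failure. Defaulting to `missing_key_policy = paramiko.RejectPolicy()` would keep verification on without touching the uninitialised `CONF` options named in the commit message, and a caller that needs the permissive behaviour can still pass a policy explicitly. The `__init__` hunk (`@@ -49,7 +46,7 @@`) forwards the constructor's `**kwargs` unchanged, and nothing visible here shows a caller supplying `known_hosts_file` or `missing_key_policy`, so the defaults are probably what runs in practice. The method would also benefit from a docstring naming those two keys and what happens when each is omitted.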