From 57103807c5e7fad7276f97ac82f8704f17f4b846 Mon Sep 17 00:00:00 2001
From: "Jay S. Bryant"
Date: Tue, 2 Dec 2014 14:35:06 -0600
Subject: [PATCH] Revert "Fix Brocade FC SAN lookup MITM vulnerability"
This reverts commit ab4f57212683baec45d5b682bdd3952ff58249ed.
The change is being reverted as it broke the Brocade FC SAN lookup functionality. The change uses configuration options from ssh_utils that are not initialized when the Brocade driver is run causing an exception to be thrown complaining that CONF.ssh_hosts_key_file is used before it is initialized. The right solution is to change the Brocade driver to use ssh_utils to make SSH connections.
Conflicts: cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
Change-Id: I7814c3da9c0e6fcf3143969e74304a48cafcb3d1
Closes-bug: 1398488
---
 .../test_brcd_fc_san_lookup_service.py | 16 +++++++-------
 .../brocade/brcd_fc_san_lookup_service.py | 21 ++++++++-----------
 2 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py b/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
index 43aa1e12e37..e138d452a02 100644
--- a/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
+++ b/cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py
@@ -42,8 +42,6 @@ _device_map_to_verify = {
 'initiator_port_wwn_list': ['10008c7cff523b01'],
 'target_port_wwn_list': ['20240002ac000a50']}}
-CONF = cfg.CONF
-
 class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
 test.TestCase):
@@ -79,14 +77,16 @@ class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
 @mock.patch.object(paramiko.hostkeys.HostKeys, 'load')
 def test_create_ssh_client(self, load_mock):
- CONF.ssh_hosts_key_file = 'dummy_host_key_file'
- CONF.strict_ssh_host_key_policy = True
- ssh_client = self.create_ssh_client()
+ mock_args = {}
+ mock_args['known_hosts_file'] = 'dummy_host_key_file'
+ mock_args['missing_key_policy'] = paramiko.RejectPolicy()
+ ssh_client = self.create_ssh_client(**mock_args)
 self.assertEqual(ssh_client._host_keys_filename, 'dummy_host_key_file')
 self.assertTrue(isinstance(ssh_client._policy, paramiko.RejectPolicy))
- CONF.strict_ssh_host_key_policy = False
- ssh_client = self.create_ssh_client()
- self.assertTrue(isinstance(ssh_client._policy, paramiko.AutoAddPolicy))
+ mock_args = {}
+ ssh_client = self.create_ssh_client(**mock_args)
+ self.assertIsNone(ssh_client._host_keys_filename)
+ self.assertTrue(isinstance(ssh_client._policy, paramiko.WarningPolicy))
 @mock.patch.object(brcd_lookup.BrcdFCSanLookupService,
 'get_nameserver_info')
diff --git a/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py b/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
index 26c5a6d948a..9a43551db90 100644
--- a/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
+++ b/cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py
@@ -17,7 +17,6 @@
 #
-from oslo.config import cfg
 from oslo.utils import excutils
 import paramiko
@@ -31,8 +30,6 @@ from cinder.zonemanager.fc_san_lookup_service import FCSanLookupService
 LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
-
 class BrcdFCSanLookupService(FCSanLookupService):
 """The SAN lookup service that talks to Brocade switches.
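Review bot: The second half of `test_create_ssh_client` asserts `paramiko.WarningPolicy` and a `None` host-keys filename as the expected result of calling `create_ssh_client()` with no arguments, which makes the permissive fallback part of the tested contract without marking it as temporary. A comment above that block, for example `# NOTE: WarningPolicy accepts unknown host keys; kept only until the driver uses ssh_utils (bug 1398488)`, would keep a later reader from treating it as the intended behaviour. As a style point, `self.assertIsInstance(ssh_client._policy, paramiko.WarningPolicy)` reports the actual type on failure, unlike `assertTrue(isinstance(...))`. The enclosing test class starts outside the hunk.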
@@ -49,7 +46,7 @@ class BrcdFCSanLookupService(FCSanLookupService):
 super(BrcdFCSanLookupService, self).__init__(**kwargs)
 self.configuration = kwargs.get('configuration', None)
 self.create_configuration()
- self.client = self.create_ssh_client()
+ self.client = self.create_ssh_client(**kwargs)
 def create_configuration(self):
 """Configuration specific to SAN context values."""
@@ -64,16 +61,16 @@ class BrcdFCSanLookupService(FCSanLookupService):
 self.fabric_configs = fabric_opts.load_fabric_configurations(
 fabric_names)
- def create_ssh_client(self):
+ def create_ssh_client(self, **kwargs):
 ssh_client = paramiko.SSHClient()
- known_hosts_file = CONF.ssh_hosts_key_file
- if not known_hosts_file:
- raise exception.ParameterNotFound(param='ssh_hosts_key_file')
- ssh_client.load_host_keys(known_hosts_file)
- if CONF.strict_ssh_host_key_policy:
- missing_key_policy = paramiko.RejectPolicy()
+ known_hosts_file = kwargs.get('known_hosts_file', None)
+ if known_hosts_file is None:
+ ssh_client.load_system_host_keys()
 else:
- missing_key_policy = paramiko.AutoAddPolicy()
+ ssh_client.load_host_keys(known_hosts_file)
+ missing_key_policy = kwargs.get('missing_key_policy', None)
+ if missing_key_policy is None:
+ missing_key_policy = paramiko.WarningPolicy()
 ssh_client.set_missing_host_key_policy(missing_key_policy)
 return ssh_client
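Review bot: In the `create_ssh_client` hunk the fallback `missing_key_policy = paramiko.WarningPolicy()` only emits a warning and then accepts a host key that is absent from the loaded known-hosts data, so the switch's identity is not verified whenever the caller passes no policy. Both settings are read from the constructor's `**kwargs` (forwarded by the `__init__` hunk just above), and nothing in this diff shows a caller supplying `known_hosts_file` or `missing_key_policy`, so the fallback is presumably what runs in practice. Consider failing closed with `missing_key_policy = paramiko.RejectPolicy()` as the default and letting a deployment opt in to a weaker policy explicitly. If that is not acceptable for this revert, at least give `create_ssh_client` a docstring naming the two kwargs and a comment pointing at the planned move to ssh_utils. The class body continues outside both hunks.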