Merge "Revert "Fix Brocade FC SAN lookup MITM vulnerability""

cinder/tests/zonemanager/test_brcd_fc_san_lookup_service.py

@@ -42,8 +42,6 @@ _device_map_to_verify = {
         'initiator_port_wwn_list': ['10008c7cff523b01'],
         'target_port_wwn_list': ['20240002ac000a50']}}
 
-CONF = cfg.CONF
-
 
 class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
                                  test.TestCase):
@@ -79,14 +77,16 @@ class TestBrcdFCSanLookupService(brcd_lookup.BrcdFCSanLookupService,
 
     @mock.patch.object(paramiko.hostkeys.HostKeys, 'load')
     def test_create_ssh_client(self, load_mock):
-        CONF.ssh_hosts_key_file = 'dummy_host_key_file'
+        mock_args = {}
-        CONF.strict_ssh_host_key_policy = True
+        mock_args['known_hosts_file'] = 'dummy_host_key_file'
-        ssh_client = self.create_ssh_client()
+        mock_args['missing_key_policy'] = paramiko.RejectPolicy()
+        ssh_client = self.create_ssh_client(**mock_args)
         self.assertEqual(ssh_client._host_keys_filename, 'dummy_host_key_file')
         self.assertTrue(isinstance(ssh_client._policy, paramiko.RejectPolicy))
-        CONF.strict_ssh_host_key_policy = False
+        mock_args = {}
-        ssh_client = self.create_ssh_client()
+        ssh_client = self.create_ssh_client(**mock_args)
-        self.assertTrue(isinstance(ssh_client._policy, paramiko.AutoAddPolicy))
+        self.assertIsNone(ssh_client._host_keys_filename)
+        self.assertTrue(isinstance(ssh_client._policy, paramiko.WarningPolicy))
 
     @mock.patch.object(brcd_lookup.BrcdFCSanLookupService,
                        'get_nameserver_info')

cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py

@@ -17,7 +17,6 @@
 #
 
 
-from oslo.config import cfg
 from oslo.utils import excutils
 import paramiko
 
@@ -31,8 +30,6 @@ from cinder.zonemanager.fc_san_lookup_service import FCSanLookupService
 
 LOG = logging.getLogger(__name__)
 
-CONF = cfg.CONF
-
 
 class BrcdFCSanLookupService(FCSanLookupService):
     """The SAN lookup service that talks to Brocade switches.
@@ -49,7 +46,7 @@ class BrcdFCSanLookupService(FCSanLookupService):
         super(BrcdFCSanLookupService, self).__init__(**kwargs)
         self.configuration = kwargs.get('configuration', None)
         self.create_configuration()
-        self.client = self.create_ssh_client()
+        self.client = self.create_ssh_client(**kwargs)
 
     def create_configuration(self):
         """Configuration specific to SAN context values."""
@@ -64,16 +61,16 @@ class BrcdFCSanLookupService(FCSanLookupService):
             self.fabric_configs = fabric_opts.load_fabric_configurations(
                 fabric_names)
 
-    def create_ssh_client(self):
+    def create_ssh_client(self, **kwargs):
         ssh_client = paramiko.SSHClient()
-        known_hosts_file = CONF.ssh_hosts_key_file
+        known_hosts_file = kwargs.get('known_hosts_file', None)
-        if not known_hosts_file:
+        if known_hosts_file is None:
-            raise exception.ParameterNotFound(param='ssh_hosts_key_file')
+            ssh_client.load_system_host_keys()
-        ssh_client.load_host_keys(known_hosts_file)
-        if CONF.strict_ssh_host_key_policy:
-            missing_key_policy = paramiko.RejectPolicy()
         else:
-            missing_key_policy = paramiko.AutoAddPolicy()
+            ssh_client.load_host_keys(known_hosts_file)
+        missing_key_policy = kwargs.get('missing_key_policy', None)
+        if missing_key_policy is None:
+            missing_key_policy = paramiko.WarningPolicy()
         ssh_client.set_missing_host_key_policy(missing_key_policy)
         return ssh_client