From c1d30b3cac0ec8236addb37ccc2c911a2f5a7713 Mon Sep 17 00:00:00 2001
From: Eduardo Olivares <eolivare@redhat.com>
Date: Thu, 28 Apr 2022 09:49:36 +0200
Subject: [PATCH] Bump paramiko version

Most tobiko tests are failing on RHEL9 environments due to ssh auth
issues. It was found that with newer paramiko version the issues
do not occur.

There is an open issue[1] in Paramiko starting from 2.9.2 (which allows
to connect to new servers like the one of RHEL 9) but in the while it
brakes the support for the old CirrOS image server (image version 5.2).

To keep support for old version we now uses disable_algorithms[1] option
when creating an SSH connection to CirrOS images. The workaround has
been documented in the Paramiko project page [2]

[1] https://github.com/paramiko/paramiko/issues/1961
[2] https://github.com/rhevm-qe-automation/python-rrmngmnt/pull/149/files#diff-7b3ed02bc73dc06b7db906cf97aa91dec2b2eb21f2d92bc5caa761df5bbc168f

Change-Id: I301c18a832a05ddfd331bddd7ad2bc839205ad2d
---
 lower-constraints.txt              |  2 +-
 requirements.txt                   |  2 +-
 tobiko/openstack/glance/_image.py  |  1 +
 tobiko/openstack/glance/config.py  |  8 +++++++-
 tobiko/openstack/stacks/_centos.py |  1 +
 tobiko/openstack/stacks/_cirros.py |  4 ++++
 tobiko/openstack/stacks/_fedora.py |  1 +
 tobiko/openstack/stacks/_nova.py   | 31 ++++++++++++++++++------------
 tobiko/openstack/stacks/_redhat.py |  1 +
 tobiko/openstack/stacks/_ubuntu.py |  1 +
 tobiko/shell/ssh/_client.py        |  3 +++
 upper-constraints.txt              |  2 +-
 12 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/lower-constraints.txt b/lower-constraints.txt
index 599590fd6..2e5ad9af3 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -10,7 +10,7 @@ netaddr==0.8.0
 neutron-lib==2.7.0
 oslo.config==8.4.0
 oslo.log==4.4.0
-paramiko==2.7.2
+paramiko==2.9.2
 pbr==5.5.1
 psutil==5.8.0
 pytest===6.2.5
diff --git a/requirements.txt b/requirements.txt
index f579e9ceb..d3bcc4146 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,7 +10,7 @@ netaddr>=0.8.0                  # BSD
 neutron-lib>=2.7.0              # Apache-2.0
 oslo.config>=8.4.0              # Apache-2.0
 oslo.log>=4.4.0                 # Apache-2.0
-paramiko>=2.7.2                 # LGPLv2.1
+paramiko>=2.9.2                # LGPLv2.1
 pbr>=5.5.1                      # Apache-2.0
 psutil>=5.8.0                   # BSD
 python-dateutil>=2.8.0          # Apache-2.0
diff --git a/tobiko/openstack/glance/_image.py b/tobiko/openstack/glance/_image.py
index 9c49a398b..ea33eac26 100644
--- a/tobiko/openstack/glance/_image.py
+++ b/tobiko/openstack/glance/_image.py
@@ -87,6 +87,7 @@ class GlanceImageFixture(_client.HasGlanceClientMixin, tobiko.SharedFixture):
     image_name: typing.Optional[str] = None
     username: typing.Optional[str] = None
     password: typing.Optional[str] = None
+    disabled_algorithms: typing.Optional[typing.Dict[str, typing.Any]] = None
     image = None
     wait_interval = 5.
 
diff --git a/tobiko/openstack/glance/config.py b/tobiko/openstack/glance/config.py
index 369cf7995..d30a2aa50 100644
--- a/tobiko/openstack/glance/config.py
+++ b/tobiko/openstack/glance/config.py
@@ -65,7 +65,13 @@ def get_images_options():
              cfg.FloatOpt('connection_timeout',
                           default=None,
                           help=("Default " + name +
-                                " SSH connection timeout (seconds)")), ]
+                                " SSH connection timeout (seconds)")),
+             cfg.DictOpt('disabled_algorithms',
+                         default=None,
+                         help=("Allow to disable SSH auth algorithms"
+                               "in order to SSH to old servers like"
+                               "CirrOS ones")),
+             ]
         )]
 
     return options
diff --git a/tobiko/openstack/stacks/_centos.py b/tobiko/openstack/stacks/_centos.py
index f5db7b421..d0bc2af89 100644
--- a/tobiko/openstack/stacks/_centos.py
+++ b/tobiko/openstack/stacks/_centos.py
@@ -35,6 +35,7 @@ class CentosImageFixture(glance.URLGlanceImageFixture):
     username = CONF.tobiko.centos.username or 'centos'
     password = CONF.tobiko.centos.password
     connection_timeout = CONF.tobiko.centos.connection_timeout or 800.
+    disabled_algorithms = CONF.tobiko.centos.disabled_algorithms
 
 
 CENTOS7_IMAGE_URL = (
diff --git a/tobiko/openstack/stacks/_cirros.py b/tobiko/openstack/stacks/_cirros.py
index cff92909e..70ab65caa 100644
--- a/tobiko/openstack/stacks/_cirros.py
+++ b/tobiko/openstack/stacks/_cirros.py
@@ -49,6 +49,10 @@ class CirrosImageFixture(glance.URLGlanceImageFixture):
     username = CONF.tobiko.cirros.username or 'cirros'
     password = CONF.tobiko.cirros.password or 'gocubsgo'
     connection_timeout = CONF.tobiko.cirros.connection_timeout or 200.
+    disabled_algorithms = CONF.tobiko.cirros.disabled_algorithms or {
+        #: disabled_algorithms is required to connect to CirrOS servers
+        # when using recent Paramiko versions (>= 2.9.2)
+        'pubkeys': ['rsa-sha2-256', 'rsa-sha2-512']}
 
 
 class CirrosFlavorStackFixture(_nova.FlavorStackFixture):
diff --git a/tobiko/openstack/stacks/_fedora.py b/tobiko/openstack/stacks/_fedora.py
index c420bffcf..924036d52 100644
--- a/tobiko/openstack/stacks/_fedora.py
+++ b/tobiko/openstack/stacks/_fedora.py
@@ -38,6 +38,7 @@ class FedoraBaseImageFixture(glance.URLGlanceImageFixture):
     username = CONF.tobiko.fedora.username or 'fedora'
     password = CONF.tobiko.fedora.password
     connection_timeout = CONF.tobiko.fedora.connection_timeout or 800.
+    disabled_algorithms = CONF.tobiko.fedora.disabled_algorithms
 
 
 class FedoraImageFixture(FedoraBaseImageFixture,
diff --git a/tobiko/openstack/stacks/_nova.py b/tobiko/openstack/stacks/_nova.py
index 9e00deaaa..948752910 100644
--- a/tobiko/openstack/stacks/_nova.py
+++ b/tobiko/openstack/stacks/_nova.py
@@ -130,6 +130,10 @@ class ServerStackFixture(heat.HeatStackFixture, abc.ABC):
     def connection_timeout(self) -> tobiko.Seconds:
         return self.image_fixture.connection_timeout
 
+    @property
+    def disabled_algorithms(self) -> typing.Dict[str, typing.Any]:
+        return self.image_fixture.disabled_algorithms
+
     flavor_stack: tobiko.RequiredFixture[FlavorStackFixture]
 
     @property
@@ -165,14 +169,19 @@ class ServerStackFixture(heat.HeatStackFixture, abc.ABC):
         return bool(self.floating_network)
 
     @property
-    def ssh_client(self) -> ssh.SSHClientFixture:
-        return ssh.ssh_client(host=self.ip_address,
-                              username=self.username,
-                              password=self.password,
-                              connection_timeout=self.connection_timeout)
+    def ssh_client_parameters(self) -> typing.Dict[str, typing.Any]:
+        return dict(host=self.ip_address,
+                    username=self.username,
+                    password=self.password,
+                    connection_timeout=self.connection_timeout,
+                    disabled_algorithms=self.disabled_algorithms)
 
     @property
-    def peer_ssh_client(self) -> typing.Optional[ssh.SSHClientFixture]:
+    def ssh_client(self) -> ssh.SSHClientFixture:
+        return ssh.ssh_client(**self.ssh_client_parameters)
+
+    @property
+    def peer_ssh_client(self) -> ssh.SSHClientType:
         """Nearest SSH client to an host that can see server fixed IPs ports
 
         """
@@ -473,12 +482,10 @@ class PeerServerStackFixture(ServerStackFixture, abc.ABC):
     peer_stack: tobiko.RequiredFixture[ServerStackFixture]
 
     @property
-    def ssh_client(self) -> ssh.SSHClientFixture:
-        return ssh.ssh_client(host=self.ip_address,
-                              username=self.username,
-                              password=self.password,
-                              connection_timeout=self.connection_timeout,
-                              proxy_jump=self.peer_ssh_client)
+    def ssh_client_parameters(self) -> typing.Dict[str, typing.Any]:
+        parameters = super().ssh_client_parameters
+        parameters.update(proxy_jump=self.peer_ssh_client)
+        return parameters
 
     @property
     def peer_ssh_client(self) -> ssh.SSHClientFixture:
diff --git a/tobiko/openstack/stacks/_redhat.py b/tobiko/openstack/stacks/_redhat.py
index 15e8140e5..b63d81110 100644
--- a/tobiko/openstack/stacks/_redhat.py
+++ b/tobiko/openstack/stacks/_redhat.py
@@ -71,6 +71,7 @@ class RhelImageFixture(glance.URLGlanceImageFixture):
     username = CONF.tobiko.rhel.username or 'cloud-user'
     password = CONF.tobiko.rhel.password
     connection_timeout = CONF.tobiko.rhel.connection_timeout
+    disabled_algorithms = CONF.tobiko.rhel.disabled_algorithms
 
 
 class RedHatFlavorStackFixture(_centos.CentosFlavorStackFixture):
diff --git a/tobiko/openstack/stacks/_ubuntu.py b/tobiko/openstack/stacks/_ubuntu.py
index 51954add1..6c691b039 100644
--- a/tobiko/openstack/stacks/_ubuntu.py
+++ b/tobiko/openstack/stacks/_ubuntu.py
@@ -44,6 +44,7 @@ class UbuntuMinimalImageFixture(glance.URLGlanceImageFixture):
     username = CONF.tobiko.ubuntu.username or 'ubuntu'
     password = CONF.tobiko.ubuntu.password or 'ununtu'
     connection_timeout = CONF.tobiko.ubuntu.connection_timeout or 600.
+    disabled_algorithms = CONF.tobiko.ubuntu.disabled_algorithms
 
 
 IPERF3_SERVICE_FILE = """
diff --git a/tobiko/shell/ssh/_client.py b/tobiko/shell/ssh/_client.py
index d6363e811..0f1015671 100644
--- a/tobiko/shell/ssh/_client.py
+++ b/tobiko/shell/ssh/_client.py
@@ -151,6 +151,9 @@ SSH_CONNECT_PARAMETERS = {
 
     #: Command to be executed to open proxy sock
     'proxy_command': str,
+
+    #: Allow to disable some algorithms for old servers
+    'disabled_algorithms': dict
 }
 
 
diff --git a/upper-constraints.txt b/upper-constraints.txt
index 54d3dd8ca..83caa4236 100644
--- a/upper-constraints.txt
+++ b/upper-constraints.txt
@@ -281,7 +281,7 @@ ovs===2.16.0
 ovsdbapp===1.13.0
 packaging===21.3
 pact===1.12.0
-paramiko===2.8.1
+paramiko===2.10.4
 passlib===1.7.4
 Paste===3.5.0
 PasteDeploy===2.1.1