From a80ae622f6c9f97140d747a3de161f042f5e8634 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 16 Jan 2018 10:54:42 -0500
Subject: [PATCH] Skip SMMs without a stored certificate
If something happens to have the right ip, but no stored certificate because it's not discovered, it was used as a data source if the addpolicy was lax. Harden the flow by skipping unverifiable parts of the chain.
---
 confluent_server/confluent/discovery/core.py | 22 ++++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/confluent_server/confluent/discovery/core.py b/confluent_server/confluent/discovery/core.py
index 82894060..8abfb017 100644
--- a/confluent_server/confluent/discovery/core.py
+++ b/confluent_server/confluent/discovery/core.py
@@ -681,16 +681,20 @@ def get_chained_smm_name(nodename, cfg, handler, nl=None, checkswitch=True):
 if len(nl) != 1:
 raise exc.InvalidArgumentException('Multiple enclosures trying to '
 'extend a single enclosure')
- cd = cfg.get_node_attributes(nodename, 'hardwaremanagement.manager')
+ cd = cfg.get_node_attributes(nodename, ['hardwaremanagement.manager',
+ 'pubkeys.tls_hardwaremanager'])
 smmaddr = cd[nodename]['hardwaremanagement.manager']['value']
- cv = util.TLSCertVerifier(
- cfg, nodename, 'pubkeys.tls_hardwaremanager').verify_cert
- for fprint in get_smm_neighbor_fingerprints(smmaddr, cv):
- if util.cert_matches(fprint, mycert):
- # a trusted chain member vouched for the cert
- # so it's validated
- return nl[0], True
- # advance down the chain by one and try again
+ pkey = cd.get[nodename].get('pubkeys.tls_hardwaremanager', {}).get(
+ 'value', None)
+ if pkey:
+ cv = util.TLSCertVerifier(
+ cfg, nodename, 'pubkeys.tls_hardwaremanager').verify_cert
+ for fprint in get_smm_neighbor_fingerprints(smmaddr, cv):
+ if util.cert_matches(fprint, mycert):
+ # a trusted chain member vouched for the cert
+ # so it's validated
+ return nl[0], True
+ # advance down the chain by one and try again
 nodename = nl[0]
 nl = list(cfg.filter_node_attributes(
 'enclosure.extends=' + nodename))
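Review bot: `cd.get[nodename]` on the new `pkey =` line subscripts the bound method `dict.get` instead of calling it, so — assuming `cfg.get_node_attributes` returns a plain dict, as the `cd[nodename][...]` indexing on the `smmaddr` line suggests — this raises `TypeError: 'builtin_function_or_method' object is not subscriptable` on every pass through the chain walk, before any fingerprint check runs, and the intended hardening never takes effect. The lookup should mirror the line above it: `pkey = cd[nodename].get('pubkeys.tls_hardwaremanager', {}).get('value', None)`. A hop skipped because it has no stored `pubkeys.tls_hardwaremanager` is currently silent; a debug-level log naming that node would let an operator later audit which chain members were actually verified under a lax addpolicy. The body of `get_chained_smm_name`, including where `mycert` and the initial `nl` are set, begins before this hunk and continues after it.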