Revert "Trust proxy headers for host provision callback"

This reverts commit 49e3971cd577127705fc0fd1d3b4ab7e3a3c3c2b.
2024-10-26 16:25:06 +03:00 · 2024-06-17 12:29:17 -04:00 · 2024-06-17 12:29:17 -04:00 · b93aa20362
commit b93aa20362
parent 4bbfc8a946
2 changed files with 7 additions and 13 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@ -36,7 +36,6 @@ from ansible_base.lib.utils.models import get_all_field_names
 from ansible_base.lib.utils.requests import get_remote_host
 from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
 from ansible_base.rbac.permission_registry import permission_registry
-from ansible_base.jwt_consumer.common.util import validate_x_trusted_proxy_header

 # AWX
 from awx.main.models import UnifiedJob, UnifiedJobTemplate, User, Role, Credential, WorkflowJobTemplateNode, WorkflowApprovalTemplate
@ -154,21 +153,13 @@ class APIView(views.APIView):
        Store the Django REST Framework Request object as an attribute on the
        normal Django request, store time the request started.
        """
-        is_trusted_proxy = False
-
        self.time_started = time.time()
        if getattr(settings, 'SQL_DEBUG', False):
            self.queries_before = len(connection.queries)

-        if 'HTTP_X_TRUSTED_PROXY' in request.META:
-            if validate_x_trusted_proxy_header(request.META['HTTP_X_TRUSTED_PROXY']):
-                is_trusted_proxy = True
-            else:
-                logger.warning("Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.")
-
        # If there are any custom headers in REMOTE_HOST_HEADERS, make sure
        # they respect the allowed proxy list
-        if not is_trusted_proxy and all(
+        if all(
            [
                settings.PROXY_IP_ALLOWED_LIST,
                request.environ.get('REMOTE_ADDR') not in settings.PROXY_IP_ALLOWED_LIST,
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@ -61,7 +61,6 @@ import pytz
 from wsgiref.util import FileWrapper

 # django-ansible-base
-from ansible_base.lib.utils.requests import get_remote_hosts
 from ansible_base.rbac.models import RoleEvaluation, ObjectRole
 from ansible_base.resource_registry.shared_types import OrganizationType, TeamType, UserType

@ -2771,8 +2770,12 @@ class JobTemplateCallback(GenericAPIView):
        host for the current request.
        """
        # Find the list of remote host names/IPs to check.
-
-        remote_hosts = set(get_remote_hosts(self.request))
+        remote_hosts = set()
+        for header in settings.REMOTE_HOST_HEADERS:
+            for value in self.request.META.get(header, '').split(','):
+                value = value.strip()
+                if value:
+                    remote_hosts.add(value)
        # Add the reverse lookup of IP addresses.
        for rh in list(remote_hosts):
            try: