Change remote host finding logic

* When the remote host header values contains a comma separated list, only consider the first entry. Previously we considered every item in the list.
2026-03-25 12:55:04 -02:30 · 2026-02-13 10:09:29 -05:00
parent 994a2b3c04
commit 08f1507f70
4 changed files with 289 additions and 2 deletions
--- a/awx/main/tests/functional/api/test_job_template.py
+++ b/awx/main/tests/functional/api/test_job_template.py
@@ -485,3 +485,47 @@ class TestJobTemplateCallbackProxyIntegration:
                    expect=400,
                    **headers
                )
+
+    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=[])
+    def test_only_first_entry_in_comma_separated_header_is_considered(self, job_template, admin_user, post):
+        """
+        Test that only the first entry in a comma-separated header value is used for host matching.
+        This is important for X-Forwarded-For style headers where the format is "client, proxy1, proxy2".
+        Only the original client (first entry) should be matched against inventory hosts.
+        """
+        # Create host that matches the SECOND entry in the comma-separated list
+        job_template.inventory.hosts.create(name='second-host.example.com')
+
+        headers = {
+            # First entry is 'first-host.example.com', second is 'second-host.example.com'
+            # Only the first should be considered, so this should NOT match
+            'HTTP_X_FROM_THE_LOAD_BALANCER': 'first-host.example.com, second-host.example.com',
+            'REMOTE_ADDR': 'unrelated-addr',
+            'REMOTE_HOST': 'unrelated-host',
+        }
+
+        # Should return 400 because only 'first-host.example.com' is considered,
+        # and that host is NOT in the inventory
+        r = post(
+            url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), data={'host_config_key': 'abcd'}, user=admin_user, expect=400, **headers
+        )
+        assert r.data['msg'] == 'No matching host could be found!'
+
+    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=[])
+    def test_first_entry_in_comma_separated_header_matches(self, job_template, admin_user, post):
+        """
+        Test that the first entry in a comma-separated header value correctly matches an inventory host.
+        """
+        # Create host that matches the FIRST entry in the comma-separated list
+        job_template.inventory.hosts.create(name='first-host.example.com')
+
+        headers = {
+            # First entry is 'first-host.example.com', second is 'second-host.example.com'
+            # The first entry matches the inventory host
+            'HTTP_X_FROM_THE_LOAD_BALANCER': 'first-host.example.com, second-host.example.com',
+            'REMOTE_ADDR': 'unrelated-addr',
+            'REMOTE_HOST': 'unrelated-host',
+        }
+
+        # Should return 201 because 'first-host.example.com' is the first entry and matches
+        post(url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), data={'host_config_key': 'abcd'}, user=admin_user, expect=201, **headers)