AAP-49133: Only consider first entry in comma-separated remote host headers for provisioning callback #16284

Open
chrismeyersfsu wants to merge 1 commit into ansible:devel from chrismeyersfsu:AAP-49133

chrismeyersfsu commented Feb 13, 2026

SUMMARY

Changes the provisioning callback host matching logic to only consider the first entry in comma-separated header values (e.g., X-Forwarded-For: client, proxy1, proxy2), rather than all entries.

Previously, get_remote_hosts from django-ansible-base would return every value in comma-separated headers, meaning intermediate proxy addresses could incorrectly match inventory hosts. This replaces that with a new get_first_remote_host_from_headers utility in awx.main.utils.proxy that only extracts the first (original client) entry from each header.

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • API
ADDITIONAL INFORMATION

Adds unit tests for the new get_first_remote_host_from_headers and is_proxy_in_headers utility functions, and functional tests validating that only the first entry in comma-separated callback headers is matched against inventory hosts.

# Before: X-Forwarded-For: "client, proxy1, proxy2" would match against all three
# After: only "client" is used for host matching
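
The before/after behaviour described in this PR, as an added sketch that is not code from this pull request, AWX or django-ansible-base. The function names, the `meta` dict standing in for Django's `request.META`, and the sample addresses are assumptions made for illustration; treating an empty leading entry as "no candidate" is this sketch's choice.

```python
# Added illustration; not AWX or django-ansible-base code.
# `meta` stands in for Django's request.META; all names here are hypothetical.

def all_entries(meta, header_names):
    """Behaviour described as 'before': every comma-separated value is a candidate."""
    hosts = []
    for name in header_names:
        for part in (meta.get(name) or "").split(","):
            part = part.strip()
            if part and part not in hosts:
                hosts.append(part)
    return hosts


def first_entries(meta, header_names):
    """Behaviour described as 'after': only the first value of each header."""
    hosts = []
    for name in header_names:
        first = (meta.get(name) or "").split(",", 1)[0].strip()
        # An empty first entry yields nothing; later entries are never promoted.
        if first and first not in hosts:
            hosts.append(first)
    return hosts


def matching_hosts(candidates, inventory):
    """Inventory host names equal to one of the candidate remote hosts."""
    return sorted(set(candidates) & set(inventory))


# Constructed sample data: one client address followed by two proxy hops.
HEADERS = ["HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"]
META = {
    "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.5 ,10.0.0.6,",
    "REMOTE_ADDR": "10.0.0.6",
}
# The inventory happens to contain a host named like the first proxy hop.
INVENTORY = {"198.51.100.7", "10.0.0.5", "192.0.2.44"}

if __name__ == "__main__":
    print("all entries  :", matching_hosts(all_entries(META, HEADERS), INVENTORY))
    print("first entries:", matching_hosts(first_entries(META, HEADERS), INVENTORY))
```

The first entry is only meaningful when the header is set by a proxy you trust; a value taken from a header that no trusted proxy rewrites is whatever the sender chose.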

coderabbitai bot commented Feb 13, 2026

Walkthrough

Replaced host extraction in callback matching to use a new utility that returns only the first comma-separated entry from configured headers; added that utility and updated views to call it. Added unit and functional tests covering first-entry semantics and proxy header variations.

Changes

Cohort: Proxy utility + view change
File(s): awx/main/utils/proxy.py, awx/api/views/__init__.py
Summary: Added get_first_remote_host_from_headers(request, headers) which extracts the first comma-separated value from configured headers; updated find_matching_hosts() to call this function instead of get_remote_hosts(), altering remote host extraction to prioritize the first header entry.

Cohort: Unit tests for proxy utils
File(s): awx/main/tests/unit/utils/test_proxy.py
Summary: Added extensive tests for get_first_remote_host_from_headers and is_proxy_in_headers, covering single-value headers, comma-separated values (with/without whitespace and trailing commas), multiple header occurrences, empty/missing headers, and empty header lists.

Cohort: Functional tests for callback behavior
File(s): awx/main/tests/functional/api/test_job_template.py
Summary: Added two tests in TestJobTemplateCallbackProxyIntegration validating that only the first entry in comma-separated remote-host headers is considered for inventory host matching, exercising different REMOTE_HOST_HEADERS and PROXY_IP_ALLOWED_LIST settings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: modifying provisioning callback logic to only consider the first entry in comma-separated remote host headers.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 90.48% which is sufficient. The required threshold is 80.00%.
  • Merge Conflict Detection: ✅ Passed. No merge conflicts detected when merging into devel.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.

* When the remote host header value contains a comma-separated list,
  only consider the first entry. Previously we considered every item in
  the list.

codecov bot commented Feb 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.74%. Comparing base (7ccc14d) to head (a5138f1).
✅ All tests successful. No failed tests found.

@chrismeyersfsu chrismeyersfsu enabled auto-merge (rebase) February 13, 2026 21:47