don't propagate hostnames to PAM

...because auditd would try to resolve them via DNS, synchronously and with a 5-sec timeout. Since our reverse proxy would typically pass some pseudo-random string to us, let's just temporarily disable this mechanism for now. Bug: #11 Change-Id: Ifb2b17f799baffff86556aa00020b05164df40e5
CESNET · Sep 25, 2024 · 0a4f6b6 · 0a4f6b6
1 parent f7460d3
commit 0a4f6b6
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/auth/Http.cpp b/src/auth/Http.cpp
@@ -15,11 +15,12 @@
 
 namespace rousette::auth {
 
-void authorizeRequest(const Nacm& nacm, sysrepo::Session& sess, const nghttp2::asio_http2::server::request& req)
+void authorizeRequest(const Nacm& nacm, sysrepo::Session& sess, [[maybe_unused]] const nghttp2::asio_http2::server::request& req)
 {
     std::string nacmUser;
     if (auto authHeader = http::getHeaderValue(req.header(), "authorization")) {
-        nacmUser = rousette::auth::authenticate_pam(*authHeader, http::peer_from_request(req));
+        // FIXME: propagate the remote host to PAM/auditd safely, https://github.com/CESNET/rousette/issues/11
+        nacmUser = rousette::auth::authenticate_pam(*authHeader, std::nullopt);
     } else {
         nacmUser = ANONYMOUS_USER;
     }