From 0a4f6b6813ad2a3b5f0df04b7e1f535218d4db63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Kundr=C3=A1t?=
Date: Wed, 25 Sep 2024 19:50:19 +0200
Subject: [PATCH] don't propagate hostnames to PAM

...because auditd would try to resolve them via DNS, synchronously and with a 5-sec timeout. Since our reverse proxy would typically pass some pseudo-random string to us, let's just temporarily disable this mechanism for now.

Bug: https://github.com/CESNET/rousette/issues/11
Change-Id: Ifb2b17f799baffff86556aa00020b05164df40e5
---
 src/auth/Http.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/auth/Http.cpp b/src/auth/Http.cpp
index ec5130a..4c18048 100644
--- a/src/auth/Http.cpp
+++ b/src/auth/Http.cpp
@@ -15,11 +15,12 @@ namespace rousette::auth {
-void authorizeRequest(const Nacm& nacm, sysrepo::Session& sess, const nghttp2::asio_http2::server::request& req)
+void authorizeRequest(const Nacm& nacm, sysrepo::Session& sess, [[maybe_unused]] const nghttp2::asio_http2::server::request& req)
 {
 std::string nacmUser;
 if (auto authHeader = http::getHeaderValue(req.header(), "authorization")) {
- nacmUser = rousette::auth::authenticate_pam(*authHeader, http::peer_from_request(req));
+ // FIXME: propagate the remote host to PAM/auditd safely, https://github.com/CESNET/rousette/issues/11
+ nacmUser = rousette::auth::authenticate_pam(*authHeader, std::nullopt);
 } else {
 nacmUser = ANONYMOUS_USER;
 }
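Review bot: With `std::nullopt` passed as the remote host in the `authenticate_pam` call, the PAM stack and whatever audit records it produces no longer see where a login attempt came from, so failed-password attempts against this endpoint cannot be attributed to a source from those logs until the FIXME is resolved. In the meantime it would help to record `http::peer_from_request(req)` together with the authentication outcome in the application's own log at this point, treating the value as an untrusted string since the commit message says the reverse proxy supplies it. Separately, `[[maybe_unused]]` on `req` is not needed, because `req.header()` is still read on the `if` line; the parameter can stay `const nghttp2::asio_http2::server::request& req`. The body of `authorizeRequest` continues past the end of the hunk.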