From 85d7eed40637e7cad73a44ed2439ffeb2a8dc1c2 Mon Sep 17 00:00:00 2001
From: Eugene Toder
Date: Thu, 18 Jul 2024 10:06:28 -0400
Subject: [PATCH] gssapi: use hostbased_service name type (#1167)
This is used by libpq and allows us to skip canonicalization of host name, which was making a blocking DNS lookup. Similarly, don't canonicalize host name for SSPI, since this is not done by libpq.
---
 asyncpg/protocol/coreproto.pxd | 2 +-
 asyncpg/protocol/coreproto.pyx | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/asyncpg/protocol/coreproto.pxd b/asyncpg/protocol/coreproto.pxd
index 8a398de9..f6a0b08f 100644
--- a/asyncpg/protocol/coreproto.pxd
+++ b/asyncpg/protocol/coreproto.pxd
@@ -140,7 +140,7 @@ cdef class CoreProtocol:
 cdef _auth_password_message_sasl_continue(self, bytes server_response)
 cdef _auth_gss_init_gssapi(self)
 cdef _auth_gss_init_sspi(self, bint negotiate)
- cdef _auth_gss_get_spn(self)
+ cdef _auth_gss_get_service(self)
 cdef _auth_gss_step(self, bytes server_response)
 cdef _write(self, buf)
diff --git a/asyncpg/protocol/coreproto.pyx b/asyncpg/protocol/coreproto.pyx
index fd65327b..4ef438cd 100644
--- a/asyncpg/protocol/coreproto.pyx
+++ b/asyncpg/protocol/coreproto.pyx
@@ -6,7 +6,6 @@
 import hashlib
-import socket
 include "scram.pyx"
@@ -728,8 +727,11 @@ cdef class CoreProtocol:
 'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
 ) from None
+ service_name, host = self._auth_gss_get_service()
 self.gss_ctx = gssapi.SecurityContext(
- name=gssapi.Name(self._auth_gss_get_spn()), usage='initiate')
+ name=gssapi.Name(
+ f'{service_name}@{host}', gssapi.NameType.hostbased_service),
+ usage='initiate')
 cdef _auth_gss_init_sspi(self, bint negotiate):
 try: 
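Review bot: The new `gssapi.Name(f'{service_name}@{host}', gssapi.NameType.hostbased_service)` silently drops the reverse-DNS canonicalization the old `_auth_gss_get_spn` performed, and nothing in the code says that leaving the host as supplied is deliberate. A comment above the `service_name, host = self._auth_gss_get_service()` line would carry the commit's reasoning into the source: `# Host-based name: the GSS mechanism canonicalizes the host itself per its own config, so no blocking DNS lookup is made here — same as libpq.` Using the host exactly as the caller gave it also means the principal asked for can no longer be steered by a reverse-DNS answer, which is the intended security property and worth stating rather than leaving as a side effect. `_auth_gss_init_gssapi` starts outside the hunk.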
@@ -740,22 +742,20 @@ cdef class CoreProtocol:
 'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
 ) from None
+ service_name, host = self._auth_gss_get_service()
 self.gss_ctx = sspilib.ClientSecurityContext(
- target_name=self._auth_gss_get_spn(),
+ target_name=f'{service_name}/{host}',
 credential=sspilib.UserCredential(
 protocol='Negotiate' if negotiate else 'Kerberos'))
- cdef _auth_gss_get_spn(self):
+ cdef _auth_gss_get_service(self):
 service_name = self.con_params.krbsrvname or 'postgres'
- # find the canonical name of the server host
 if isinstance(self.address, str):
 raise apg_exc.InternalClientError(
 'GSSAPI/SSPI authentication is only supported for TCP/IP '
 'connections')
- host = self.address[0]
- host_cname = socket.gethostbyname_ex(host)[0]
- return f'{service_name}/{host_cname}'
+ return service_name, self.address[0]
 cdef _auth_gss_step(self, bytes server_response):
 cdef:
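Review bot: `_auth_gss_get_service` lost its only comment in the rewrite and now returns a tuple whose contract is undocumented; a docstring should state that it returns `(service_name, host)`, that `service_name` is `krbsrvname` or defaults to `'postgres'`, and that `host` is `self.address[0]` taken verbatim with no DNS canonicalization, matching libpq. For SSPI, `target_name=f'{service_name}/{host}'` now builds the SPN from the address as given, so a connection made to an IP literal requests `postgres/<ip>` where the old code requested the reverse-resolved name; that is presumably intended since libpq does the same, but it is a behaviour change for anyone who relied on the lookup and deserves a sentence in the docstring or changelog. The removed `socket.gethostbyname_ex` was also the only blocking call on this path, so the docstring is the right place to record that the method must stay free of I/O. `_auth_gss_init_sspi` starts outside the hunk.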