gssapi: use hostbased_service name type (#1167)
This is used by libpq and allows us to skip canonicalization of host
name, which was making a blocking DNS lookup.

Similarly, don't canonicalize host name for SSPI, since this is not done
by libpq.
eltoder committed Jul 18, 2024
1 parent 98aebf1 commit 85d7eed
Showing 2 changed files with 9 additions and 9 deletions.
2 changes: 1 addition & 1 deletion asyncpg/protocol/coreproto.pxd
Expand Up @@ -140,7 +140,7 @@ cdef class CoreProtocol:
cdef _auth_password_message_sasl_continue(self, bytes server_response)
cdef _auth_gss_init_gssapi(self)
cdef _auth_gss_init_sspi(self, bint negotiate)
cdef _auth_gss_get_spn(self)
cdef _auth_gss_get_service(self)
cdef _auth_gss_step(self, bytes server_response)

cdef _write(self, buf)
16 changes: 8 additions & 8 deletions asyncpg/protocol/coreproto.pyx
Expand Up @@ -6,7 +6,6 @@


import hashlib
import socket


include "scram.pyx"
Expand Down Expand Up @@ -728,8 +727,11 @@ cdef class CoreProtocol:
'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
) from None

service_name, host = self._auth_gss_get_service()
self.gss_ctx = gssapi.SecurityContext(
name=gssapi.Name(self._auth_gss_get_spn()), usage='initiate')
name=gssapi.Name(
f'{service_name}@{host}', gssapi.NameType.hostbased_service),
usage='initiate')

cdef _auth_gss_init_sspi(self, bint negotiate):
try:
Expand All @@ -740,22 +742,20 @@ cdef class CoreProtocol:
'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
) from None

service_name, host = self._auth_gss_get_service()
self.gss_ctx = sspilib.ClientSecurityContext(
target_name=self._auth_gss_get_spn(),
target_name=f'{service_name}/{host}',
credential=sspilib.UserCredential(
protocol='Negotiate' if negotiate else 'Kerberos'))

cdef _auth_gss_get_spn(self):
cdef _auth_gss_get_service(self):
service_name = self.con_params.krbsrvname or 'postgres'
# find the canonical name of the server host
if isinstance(self.address, str):
raise apg_exc.InternalClientError(
'GSSAPI/SSPI authentication is only supported for TCP/IP '
'connections')

host = self.address[0]
host_cname = socket.gethostbyname_ex(host)[0]
return f'{service_name}/{host_cname}'
return service_name, self.address[0]

cdef _auth_gss_step(self, bytes server_response):
cdef:
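Review bot: `_auth_gss_get_service` (which lies entirely inside the last hunk) now hands back `self.address[0]` verbatim, but the only comment that explained how the principal's host part is chosen was removed with the `gethostbyname_ex` call and nothing replaces it; add above the `return` something like `# Deliberately not canonicalized: a synchronous gethostbyname_ex() blocks the event loop, libpq passes the host through as-is, and deriving the SPN from a DNS answer would let a spoofed CNAME/PTR choose which principal we request a ticket for.` That comment should also record that with `NameType.hostbased_service` the GSSAPI library may still canonicalize the host itself according to its own configuration (MIT krb5's `dns_canonicalize_hostname`/`rdns`), so the commit delegates the lookup rather than eliminates it — and since `gssapi.SecurityContext(...)` in `_auth_gss_init_gssapi` (whose signature is above the hunk) is still a synchronous call on the loop thread, any resolution or KDC round-trip that happens inside the library still blocks. Worth a note in the `_auth_gss_get_service` docstring too that an IP-literal `host` yields a principal such as `postgres@192.0.2.1`, which a KDC will normally not hold a key for; the old code behaved the same, so this is documentation rather than a regression. The `@` (GSSAPI hostbased form) versus `/` (SSPI SPN form) separators in the two callers are easy to mix up and deserve a one-line comment at each call site as well.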
