gssapi: use hostbased_service name type #1167

Merged
merged 1 commit into from
Jul 18, 2024
2 changes: 1 addition & 1 deletion asyncpg/protocol/coreproto.pxd
Expand Up @@ -140,7 +140,7 @@ cdef class CoreProtocol:
cdef _auth_password_message_sasl_continue(self, bytes server_response)
cdef _auth_gss_init_gssapi(self)
cdef _auth_gss_init_sspi(self, bint negotiate)
cdef _auth_gss_get_spn(self)
cdef _auth_gss_get_service(self)
cdef _auth_gss_step(self, bytes server_response)

cdef _write(self, buf)
16 changes: 8 additions & 8 deletions asyncpg/protocol/coreproto.pyx
Expand Up @@ -6,7 +6,6 @@


import hashlib
import socket


include "scram.pyx"
Expand Down Expand Up @@ -728,8 +727,11 @@ cdef class CoreProtocol:
'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
) from None

service_name, host = self._auth_gss_get_service()
self.gss_ctx = gssapi.SecurityContext(
name=gssapi.Name(self._auth_gss_get_spn()), usage='initiate')
name=gssapi.Name(
f'{service_name}@{host}', gssapi.NameType.hostbased_service),
usage='initiate')

cdef _auth_gss_init_sspi(self, bint negotiate):
try:
Expand All @@ -740,22 +742,20 @@ cdef class CoreProtocol:
'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
) from None

service_name, host = self._auth_gss_get_service()
self.gss_ctx = sspilib.ClientSecurityContext(
target_name=self._auth_gss_get_spn(),
target_name=f'{service_name}/{host}',
credential=sspilib.UserCredential(
protocol='Negotiate' if negotiate else 'Kerberos'))

cdef _auth_gss_get_spn(self):
cdef _auth_gss_get_service(self):
service_name = self.con_params.krbsrvname or 'postgres'
# find the canonical name of the server host
if isinstance(self.address, str):
raise apg_exc.InternalClientError(
'GSSAPI/SSPI authentication is only supported for TCP/IP '
'connections')

host = self.address[0]
host_cname = socket.gethostbyname_ex(host)[0]
return f'{service_name}/{host_cname}'
return service_name, self.address[0]

cdef _auth_gss_step(self, bytes server_response):
cdef:
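Review bot: `_auth_gss_get_service` now returns `self.address[0]` untouched, and nothing in the new code records that host canonicalization has deliberately moved out of asyncpg. On the GSSAPI path the `hostbased_service` name type leaves resolving the host part to the Kerberos library and its configuration. The SSPI path passes `f'{service_name}/{host}'` exactly as written, so the two backends may request tickets for different principals from the same connection parameters. An alias or an IP literal in `address[0]` would presumably fail only inside the security library, with an error that does not point back to the host value. I would add a comment above the return, for example `# Host is passed through as given: no DNS lookup here, so the target principal does not depend on resolver answers; GSSAPI canonicalizes per krb5 config, SSPI receives it verbatim.` The bodies of `_auth_gss_init_gssapi` and `_auth_gss_init_sspi` start outside the visible hunks.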