gssapi: use hostbased_service name type (#1167)

eltoder · web-flow · commit 85d7eed40637 · 2024-07-18T07:06:28.000-07:00
This is used by libpq and allows us to skip canonicalization of host
name, which was making a blocking DNS lookup.

Similarly, don't canonicalize host name for SSPI, since this is not done
by libpq.
diff --git a/asyncpg/protocol/coreproto.pxd b/asyncpg/protocol/coreproto.pxd
@@ -140,7 +140,7 @@ cdef class CoreProtocol:
     cdef _auth_password_message_sasl_continue(self, bytes server_response)
     cdef _auth_gss_init_gssapi(self)
     cdef _auth_gss_init_sspi(self, bint negotiate)
-    cdef _auth_gss_get_spn(self)
+    cdef _auth_gss_get_service(self)
     cdef _auth_gss_step(self, bytes server_response)
 
     cdef _write(self, buf)
diff --git a/asyncpg/protocol/coreproto.pyx b/asyncpg/protocol/coreproto.pyx
@@ -6,7 +6,6 @@
 
 
 import hashlib
-import socket
 
 
 include "scram.pyx"
@@ -728,8 +727,11 @@ cdef class CoreProtocol:
                 'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
             ) from None
 
+        service_name, host = self._auth_gss_get_service()
         self.gss_ctx = gssapi.SecurityContext(
-            name=gssapi.Name(self._auth_gss_get_spn()), usage='initiate')
+            name=gssapi.Name(
+                f'{service_name}@{host}', gssapi.NameType.hostbased_service),
+            usage='initiate')
 
     cdef _auth_gss_init_sspi(self, bint negotiate):
         try:
@@ -740,22 +742,20 @@ cdef class CoreProtocol:
                 'use asyncpg with Kerberos/GSSAPI/SSPI authentication'
             ) from None
 
+        service_name, host = self._auth_gss_get_service()
         self.gss_ctx = sspilib.ClientSecurityContext(
-            target_name=self._auth_gss_get_spn(),
+            target_name=f'{service_name}/{host}',
             credential=sspilib.UserCredential(
                 protocol='Negotiate' if negotiate else 'Kerberos'))
 
-    cdef _auth_gss_get_spn(self):
+    cdef _auth_gss_get_service(self):
         service_name = self.con_params.krbsrvname or 'postgres'
-        # find the canonical name of the server host
         if isinstance(self.address, str):
             raise apg_exc.InternalClientError(
                 'GSSAPI/SSPI authentication is only supported for TCP/IP '
                 'connections')
 
-        host = self.address[0]
-        host_cname = socket.gethostbyname_ex(host)[0]
-        return f'{service_name}/{host_cname}'
+        return service_name, self.address[0]
 
     cdef _auth_gss_step(self, bytes server_response):
         cdef:
