PYTHON-2192 - Use krb5's canonicalization algorithm

2020-06-24 12:00:49 -07:00 · 2020-06-24 12:00:49 -07:00 · e608ff4166
commit e608ff4166
parent a90f80436c
2 changed files with 16 additions and 1 deletions
--- a/.evergreen/run-enterprise-auth-tests.sh
+++ b/.evergreen/run-enterprise-auth-tests.sh
@ -18,6 +18,7 @@ if [ ${PLATFORM} != "Java" ]; then
    if [ "Windows_NT" = "$OS" ]; then
        echo "Setting GSSAPI_PASS"
        export GSSAPI_PASS=${SASL_PASS}
+        export GSSAPI_CANONICALIZE="true"
    else
        # BUILD-3830
        touch ${PROJECT_DIRECTORY}/.evergreen/krb5.conf.empty
--- a/pymongo/auth.py
+++ b/pymongo/auth.py
@ -375,6 +375,20 @@ def _auth_key(nonce, username, password):
    return _unicode(md5hash.hexdigest())


+def _canonicalize_hostname(hostname):
+    """Canonicalize hostname following MIT-krb5 behavior."""
+    # https://github.com/krb5/krb5/blob/d406afa363554097ac48646a29249c04f498c88e/src/util/k5test.py#L505-L520
+    af, socktype, proto, canonname, sockaddr = socket.getaddrinfo(
+        hostname, None, 0, 0, socket.IPPROTO_TCP, socket.AI_CANONNAME)[0]
+
+    try:
+        name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
+    except socket.gaierror:
+        return canonname.lower()
+
+    return name[0].lower()
+
+
 def _authenticate_gssapi(credentials, sock_info):
    """Authenticate using GSSAPI.
    """
@ -390,7 +404,7 @@ def _authenticate_gssapi(credentials, sock_info):
        # the security context. See RFC 4752, Section 3.1, first paragraph.
        host = sock_info.address[0]
        if props.canonicalize_host_name:
-            host = socket.getfqdn(host)
+            host = _canonicalize_hostname(host)
        service = props.service_name + '@' + host
        if props.service_realm is not None:
            service = service + '@' + props.service_realm