From 4d7123936d42279acab414ed0d6c88c8468f4f80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20H=C3=B6rist?= Date: Tue, 5 Feb 2019 20:33:01 +0100 Subject: Support domain based name for GSSAPI --- nbxmpp/auth_nb.py | 11 ++++++++--- nbxmpp/protocol.py | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/nbxmpp/auth_nb.py b/nbxmpp/auth_nb.py index 38e79f2..cd7f8dd 100644 --- a/nbxmpp/auth_nb.py +++ b/nbxmpp/auth_nb.py @@ -24,7 +24,7 @@ See client_nb.py from __future__ import unicode_literals from .protocol import NS_SASL, NS_SESSION, NS_STREAMS, NS_BIND, NS_AUTH -from .protocol import NS_STREAM_MGMT +from .protocol import NS_STREAM_MGMT, NS_DOMAIN_BASED_NAME from .protocol import Node, NodeProcessed, isResultNode, Iq, Protocol, JID from .plugin import PlugIn import sys @@ -124,6 +124,7 @@ class SASL(PlugIn): self.channel_binding = channel_binding self.enabled_auth_mechs = auth_mechs self.realm = None + self._domain_based_hostname = None def plugin(self, owner): if 'version' not in self._owner.Dispatcher.Stream._document_attrs: @@ -189,6 +190,10 @@ class SASL(PlugIn): in feats.getTag('mechanisms', namespace=NS_SASL).getTags('mechanism') ) & self.enabled_auth_mechs + hostname = feats.getTag('hostname', namespace=NS_DOMAIN_BASED_NAME) + if hostname is not None: + self._domain_based_name = hostname.getData() + # Password based authentication mechanism ordered by strength. # If the server supports a mechanism disable all weaker mechanisms. password_auth_mechs_strength = ['SCRAM-SHA-1-PLUS', 'SCRAM-SHA-1', 
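Review bot: `__init__` initialises `self._domain_based_hostname`, but the feature-parsing hunk assigns `self._domain_based_name` and the GSSAPI hunk reads it, so the attribute that is read is never initialised. When the server advertises no `hostname` element in the `urn:xmpp:domain-based-name:1` namespace, `hostname = self._domain_based_name or self._owner.xmpp_hostname` raises AttributeError. That line sits before the `try:`, so nothing visible in the hunk catches it and GSSAPI would fail for servers without the extension. Rename the initialiser to match the other two uses: `self._domain_based_name = None`. The bodies of all three methods continue outside their hunks.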
@@ -229,9 +234,9 @@ class SASL(PlugIn): raise NodeProcessed if 'GSSAPI' in self.mecs and have_kerberos: self.mecs.remove('GSSAPI') + hostname = self._domain_based_name or self._owner.xmpp_hostname try: - self.gss_vc = kerberos.authGSSClientInit('xmpp@' + \ - self._owner.xmpp_hostname)[1] + self.gss_vc = kerberos.authGSSClientInit('xmpp@%s' % hostname)[1] kerberos.authGSSClientStep(self.gss_vc, '') response = kerberos.authGSSClientResponse(self.gss_vc) node=Node('auth', attrs={'xmlns': NS_SASL, diff --git a/nbxmpp/protocol.py b/nbxmpp/protocol.py index da71773..aa9410c 100644 --- a/nbxmpp/protocol.py +++ b/nbxmpp/protocol.py @@ -190,6 +190,7 @@ NS_HASHES_SHA3_512 = 'urn:xmpp:hash-function-text-names:sha3-512' NS_HASHES_BLAKE2B_256 = 'urn:xmpp:hash-function-text-names:id-blake2b256' NS_HASHES_BLAKE2B_512 = 'urn:xmpp:hash-function-text-names:id-blake2b512' NS_OPENPGP = 'urn:xmpp:openpgp:0' +NS_DOMAIN_BASED_NAME = 'urn:xmpp:domain-based-name:1' #xmpp_stream_error_conditions = ''' #bad-format -- -- -- The entity has sent XML that cannot be processed. -- cgit v1.2.3
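Review bot: The service principal passed to `kerberos.authGSSClientInit` is now built from a hostname taken from the server's stream features, and neither this hunk nor the parsing hunk checks how those features were received or what the value contains. If features can be processed before TLS is established and the certificate verified (not visible here), a party on the path could influence which service the client requests a ticket for. I would only honour the advertised name on a secured stream and say so above the assignment, e.g. `# server-advertised name (XEP-0233); trust it only when the features arrived over verified TLS`, falling back to `self._owner.xmpp_hostname` otherwise. The enclosing method starts and ends outside the hunk.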