@hannes
Created February 17, 2015 10:47
Hadoop / Kerberos Proxying
# Send every request path to proxy.php. The script does not look at the
# rewritten target; it reads the original path from $_SERVER['REQUEST_URI']
# and appends it to the fixed upstream host.
RewriteEngine On
RewriteBase /
RewriteRule ^.*$ proxy.php
<?php
/**
 * Prefix hashed together with the user name to build the per-user file names
 * under DIR. Its only job is to derive those names; "something" is a
 * placeholder value to be set per deployment.
 */
const SALT = 'something';

/** Working directory holding the ticket caches and the GnuPG home (DIR/.gnupg). */
const DIR = '/tmp/kproxy';
/**
 * Refuse the request: answer 401 with a Basic-auth challenge and stop.
 *
 * The realm is the text browsers show in their credentials prompt.
 * This function never returns.
 */
function auth() {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="SurfSara Kerberos Proxy"');
    exit('Unauthorized');
}
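if (!isset($_SERVER['PHP_AUTH_USER'])) {
    auth();
}

/**
 * Run a shell command with $stdin fed to its standard input.
 *
 * Replaces the "cat <password file> | cmd" pattern: the password goes straight
 * to the child's stdin and is never written to disk. The child's stdout is
 * discarded (passthru() would have copied it into the HTTP response); stderr is
 * inherited, so diagnostics still reach the web server's error log.
 *
 * @param string $cmd   complete command line, every argument already escaped
 * @param string $stdin bytes written to the child's stdin, no newline appended
 * @return int exit status of the child, or -1 if it could not be started
 */
function run_with_stdin($cmd, $stdin) {
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    return proc_close($proc);
}

/**
 * Send an error status line and a short body, then stop. Never returns.
 *
 * @param string $statusLine e.g. 'HTTP/1.0 502 Bad Gateway'
 * @param string $body       response body
 */
function fail_request($statusLine, $body) {
    header($statusLine);
    exit($body);
}

// Only the request path comes from the client; the upstream host is fixed, so
// the proxy cannot be pointed at another server. An origin-form request always
// yields a REQUEST_URI starting with "/"; anything else is refused before it
// could change how the URL below is parsed.
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
if ($uri === '' || $uri[0] !== '/') {
    fail_request('HTTP/1.0 400 Bad Request', 'Bad Request');
}
// Explicit scheme; the original scheme-less URL was fetched as http by libcurl.
$fwdurl = 'http://head05.hathi.surfsara.nl' . $uri;

$user = strtolower($_SERVER['PHP_AUTH_USER']);
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
// $user ends up on the kinit command line: escapeshellarg() neutralises shell
// metacharacters, and a leading "-" is refused so it cannot be read as an option.
if ($user === '' || $user[0] === '-') {
    auth();
}

// Filesystem-safe per-user name; the hash is only an identifier.
$userhash = md5(SALT . $user);
$reqid = uniqid();
$ticketfile = DIR . '/' . $userhash . '-' . $reqid . '.ticket';
$cryptfile = DIR . '/' . $userhash . '.ticket.encrypted';

// Ticket caches are credentials: every file created below (by gpg, kinit or
// this script) is owner-only. The umask is process-wide, so it is restored at
// shutdown for whatever the worker handles next.
$oldUmask = umask(0077);
register_shutdown_function(function () use ($oldUmask) {
    umask($oldUmask);
});
if (!is_dir(DIR) && !mkdir(DIR, 0700, true)) {
    fail_request('HTTP/1.0 500 Internal Server Error', 'Internal Server Error');
}

putenv('GNUPGHOME=' . DIR . '/.gnupg');

$usableticket = false;
if (file_exists($cryptfile)) {
    // An earlier request cached a ticket encrypted with the user's password as
    // passphrase, so a wrong password fails here without contacting the KDC.
    // Caveat: after a Kerberos password change the cache still expects the old
    // passphrase and has to be removed for the user to get in again.
    $rc = run_with_stdin(
        'gpg --yes --batch --passphrase-fd 0 --output ' . escapeshellarg($ticketfile)
            . ' --decrypt ' . escapeshellarg($cryptfile),
        $pass
    );
    if ($rc !== 0) {
        auth();
    }
    // klist -s exits non-zero when the cache is not usable, e.g. expired.
    exec('klist -s -c ' . escapeshellarg($ticketfile), $klistOutput, $rc);
    $usableticket = ($rc === 0);
}

if (!$usableticket) {
    // No usable cache: authenticate against the KDC, which also verifies the password.
    $rc = run_with_stdin(
        'kinit ' . escapeshellarg($user) . ' -c ' . escapeshellarg($ticketfile),
        $pass
    );
    if ($rc !== 0) {
        // Do not let a cache file from a failed attempt pile up in DIR.
        if (file_exists($ticketfile)) {
            unlink($ticketfile);
        }
        auth();
    }
    // Keep the fresh ticket for later requests, encrypted under the password.
    // Failure is not fatal here: the next request simply runs kinit again.
    run_with_stdin(
        'gpg --yes --batch --passphrase-fd 0 --output ' . escapeshellarg($cryptfile)
            . ' --symmetric ' . escapeshellarg($ticketfile),
        $pass
    );
}

// libcurl's Negotiate support takes the credential cache from KRB5CCNAME.
putenv('KRB5CCNAME=' . $ticketfile);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $fwdurl);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
// Empty user:password, as in the original setup; the real credential is the ticket.
curl_setopt($ch, CURLOPT_USERPWD, ':');
curl_setopt($ch, CURLOPT_ENCODING, 'gzip');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$page = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
$ctype = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
curl_close($ch);

// The decrypted cache is only needed for this one request; the encrypted copy stays.
unlink($ticketfile);

if ($page === false) {
    fail_request('HTTP/1.0 502 Bad Gateway', 'Bad Gateway');
}
// Relay the upstream status instead of always answering 200, so a client can
// tell an upstream 403/404 from a successful response.
if ($status > 0) {
    http_response_code($status);
}
if (is_string($ctype) && $ctype !== '') {
    header('Content-Type: ' . $ctype);
}
print($page);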