hannes · February 17, 2015 10:47
diff --git a/.htaccess b/.htaccess
 RewriteEngine On
 RewriteBase /
 RewriteRule ^.*$ proxy.php
diff --git a/proxy.php b/proxy.php
 <?php

 define("SALT", "something");
 define("DIR", "/tmp/kproxy");

 function auth() {
 	header('WWW-Authenticate: Basic realm="SurfSara Kerberos Proxy"');
    header('HTTP/1.0 401 Unauthorized');
    die('Unauthorized');
 }

 if (!isset($_SERVER['PHP_AUTH_USER'])) {
   auth();
 }

 $fwdurl = "head05.hathi.surfsara.nl". $_SERVER['REQUEST_URI'];
 $user = strtolower($_SERVER['PHP_AUTH_USER']);
 $pass = $_SERVER['PHP_AUTH_PW'];

 $userhash = md5(SALT.$user);
 $reqid = uniqid();
 $ticketfile = DIR."/".$userhash."-".$reqid.".ticket";
 $cryptfile =  DIR."/".$userhash.".ticket.encrypted";
 $pwfile =     DIR."/".$userhash."-".$reqid.".password";

 $returncode = 0;
 $usableticket = false;

 putenv("GNUPGHOME=".DIR."/.gnupg");
 file_put_contents($pwfile, $pass);

 if (file_exists($cryptfile)) {
 	passthru("cat $pwfile | gpg --yes --batch --passphrase-fd 0 --output $ticketfile --decrypt $cryptfile", $returncode);
 	// incorrect pw was provided and gpg failed to decrypt
 	if ($returncode) { 
 		unlink($pwfile);
 		auth();
 	}
 	// if the ticket has expired, this will fail
 	passthru("klist -s -c $ticketfile", $returncode);
 	$usableticket = !$returncode;
 }

 if (!$usableticket) {
 	passthru("cat $pwfile | kinit $user -c $ticketfile > /dev/null", $returncode);
 	if ($returncode) {
 		unlink($pwfile);
 		auth();
 	}
 	passthru("cat $pwfile | gpg --yes --batch --passphrase-fd 0 --output $cryptfile --symmetric $ticketfile", $returncode);
 }

 unlink($pwfile);
 putenv("KRB5CCNAME=$ticketfile");

 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $fwdurl);
 curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
 curl_setopt($ch, CURLOPT_USERPWD, ":");
 curl_setopt($ch, CURLOPT_ENCODING , "gzip");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

 $page = curl_exec($ch);
 unlink($ticketfile);

 header("Content-Type: " . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
 print($page);
 curl_close($ch);
	<?php

	define("SALT", "something");
	define("DIR", "/tmp/kproxy");

	function auth() {
	header('WWW-Authenticate: Basic realm="SurfSara Kerberos Proxy"');
	header('HTTP/1.0 401 Unauthorized');
	die('Unauthorized');
	}

	if (!isset($_SERVER['PHP_AUTH_USER'])) {
	auth();
	}

	$fwdurl = "head05.hathi.surfsara.nl". $_SERVER['REQUEST_URI'];
	$user = strtolower($_SERVER['PHP_AUTH_USER']);
	$pass = $_SERVER['PHP_AUTH_PW'];

	$userhash = md5(SALT.$user);
	$reqid = uniqid();
	$ticketfile = DIR."/".$userhash."-".$reqid.".ticket";
	$cryptfile = DIR."/".$userhash.".ticket.encrypted";
	$pwfile = DIR."/".$userhash."-".$reqid.".password";

	$returncode = 0;
	$usableticket = false;

	putenv("GNUPGHOME=".DIR."/.gnupg");
	file_put_contents($pwfile, $pass);

	if (file_exists($cryptfile)) {
	passthru("cat $pwfile \| gpg --yes --batch --passphrase-fd 0 --output $ticketfile --decrypt $cryptfile", $returncode);
	// incorrect pw was provided and gpg failed to decrypt
	if ($returncode) {
	unlink($pwfile);
	auth();
	}
	// if the ticket has expired, this will fail
	passthru("klist -s -c $ticketfile", $returncode);
	$usableticket = !$returncode;
	}

	if (!$usableticket) {
	passthru("cat $pwfile \| kinit $user -c $ticketfile > /dev/null", $returncode);
	if ($returncode) {
	unlink($pwfile);
	auth();
	}
	passthru("cat $pwfile \| gpg --yes --batch --passphrase-fd 0 --output $cryptfile --symmetric $ticketfile", $returncode);
	}

	unlink($pwfile);
	putenv("KRB5CCNAME=$ticketfile");

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $fwdurl);
	curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
	curl_setopt($ch, CURLOPT_USERPWD, ":");
	curl_setopt($ch, CURLOPT_ENCODING , "gzip");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

	$page = curl_exec($ch);
	unlink($ticketfile);

	header("Content-Type: " . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
	print($page);
	curl_close($ch);