diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..405a9a9
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "_patch/go-ldap"]
+ path = _patch/go-ldap
+ url = https://github.com/levkohimins/go-ldap
diff --git a/_patch/go-ldap b/_patch/go-ldap
new file mode 160000
index 0000000..02e02ad
--- /dev/null
+++ b/_patch/go-ldap
@@ -0,0 +1 @@
+Subproject commit 02e02ad11329548a132277c6314e9b946e3ec84b
diff --git a/app/ipasso/main.go b/app/ipasso/main.go
new file mode 100644
index 0000000..18668ab
--- /dev/null
+++ b/app/ipasso/main.go
@@ -0,0 +1,164 @@
+package main
+
+import (
+ "encoding/json"
+ "errors"
+ "flag"
+ "fmt"
+ "git.thequux.com/thequux/ipasso/sso-proxy/backend"
+ "git.thequux.com/thequux/ipasso/util/startup"
+ "go.uber.org/zap"
+ htemplate "html/template"
+ "log"
+ "net"
+ "net/http"
+ "net/http/fcgi"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+)
+
+var (
+ domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for")
+ listen = flag.String("listen", "0.0.0.0:80", "The address to listen on")
+
+ datastore backend.Backend
+)
+
+var (
+ ErrNoExpiration = errors.New("Request missing expiration date; misconfigured reverse proxy?")
+)
+
+func main() {
+ flag.Parse()
+ development, err := zap.NewDevelopment()
+ if err != nil {
+ _, _ = fmt.Fprint(os.Stderr, "Failed to create logger", err)
+ os.Exit(1)
+ }
+ zap.ReplaceGlobals(development)
+ l := zap.L().Named("root")
+ startup.Logger.Run()
+
+ startup.PostFlags.Run()
+
+ initUserdata()
+
+ mux := http.NewServeMux()
+ mux.Handle("/env", http.HandlerFunc(dumpEnv))
+ l.Info("Starting")
+ listener, err := net.Listen("tcp", *listen)
+ if err != nil {
+ log.Fatalln("Failed to listen: ", err)
+ }
+ l.Info("Listening", zap.Stringer("addr", listener.Addr()))
+ log.Fatal(fcgi.Serve(listener, mux))
+}
+
+var envTemplate = htemplate.Must(htemplate.New("envdoc").Parse(`
+
+
+
+
+
+
+ Headers
+
+ {{- range $k,$v := .Headers }}
+
+ [{{ $k }}] |
+ {{ $v }} |
+
+ {{- end }}
+
+ Process Environment
+
+ {{- range $k,$v := .ProcessEnv }}
+
+ {{ $k }} |
+ {{ $v }} |
+
+ {{- end }}
+
+
+
+`))
+
+type envdocArgs struct {
+ Headers map[string]string
+ ProcessEnv map[string]string
+}
+
+func dumpEnv(w http.ResponseWriter, r *http.Request) {
+ var headers = map[string]string{}
+ for k, v := range r.Header {
+ headers[k] = strings.Join(v, "\n")
+ }
+ var args = envdocArgs{ProcessEnv: fcgi.ProcessEnv(r), Headers: headers}
+ w.Header().Set("Content-Type", "text/html")
+ w.WriteHeader(http.StatusOK)
+ if err := envTemplate.Execute(w, args); err != nil {
+ panic(err)
+ }
+}
+
+func loginKrb(w http.ResponseWriter, r *http.Request) {
+ // Uses information from the process environment; assumes that Apache has done a krb5 login
+ // The fact that we got here implies that the login succeeded
+ env := fcgi.ProcessEnv(r)
+ user := env["REMOTE_USER"]
+ uid := strings.Split(user, "@")[0]
+ expirationTxt, hasExpiration := env["GSS_SESSION_EXPIRATION"]
+ var expiration time.Time
+ if hasExpiration {
+ expInt, err := strconv.ParseInt(expirationTxt, 10, 64)
+ if err != nil {
+ // Invalid expiration date; bail
+ log.Printf("Invalid expiration date: %#v", expirationTxt)
+ w.WriteHeader(http.StatusInternalServerError)
+ } else {
+ expiration = time.Unix(expInt, 0)
+ }
+ } else {
+ log.Print(ErrNoExpiration)
+ ReportError(w, ErrNoExpiration)
+ return
+ }
+
+ SessionID, err := datastore.NewSessionID()
+ if err != nil {
+ ReportError(w, err)
+ return
+ }
+ ldapDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", uid, *ldapRootDN)
+ session := backend.Session{
+ SessionID: SessionID,
+ Expiration: expiration,
+ UserID: uid,
+ LdapDN: ldapDN,
+ }
+ sessionCache, err := buildSessionCache(&session)
+ if err != nil {
+ ReportError(w, err)
+ return
+ }
+ datastore.PutSession(session, sessionCache)
+}
+
+type RespErr struct {
+ Err string
+ Status string
+}
+
+func ReportError(w http.ResponseWriter, err error) {
+ w.Header().Set("Content-Type", "text/json")
+ w.WriteHeader(http.StatusInternalServerError)
+ js, err0 := json.Marshal(RespErr{Err: err.Error(), Status: "ERROR"})
+ if err0 != nil {
+ panic(err0)
+ }
+ _, _ = w.Write(js)
+}
diff --git a/app/ipasso/userdata.go b/app/ipasso/userdata.go
new file mode 100644
index 0000000..394e948
--- /dev/null
+++ b/app/ipasso/userdata.go
@@ -0,0 +1,191 @@
+package main
+
+import (
+ "errors"
+ "flag"
+ "git.thequux.com/thequux/ipasso/sso-proxy/backend"
+ "git.thequux.com/thequux/ipasso/util"
+ "git.thequux.com/thequux/ipasso/util/genpool"
+ "git.thequux.com/thequux/ipasso/util/startup"
+ "github.com/go-ldap/ldap/gssapi"
+ "github.com/go-ldap/ldap/v3"
+ "github.com/jcmturner/gokrb5/v8/config"
+ "go.uber.org/zap"
+ "math/rand"
+ "net/url"
+ "strings"
+)
+
+var (
+ ldapServerUrl = flag.String("ldap-url", "", "URL at which LDAP server can be reached")
+ ldapRootDN = flag.String("rootDN", "", "LDAP Root DN. Defaults to dc=host,dc=tld based on -domain")
+ keytab = flag.String("keytab", "ipasso.keytab", "Keytab file used to authenticate server")
+ krb5Principal = flag.String("krb5-principal", "", "Default kerberos principal; default HTTP/sso.")
+ krb5realm = flag.String("krb5-realm", "", "Kerberos realm. Default based on krb5 config")
+ krb5conf = flag.String("krb5-conf", util.GetEnvDefault("KRB5_CONFIG", "/etc/krb5.conf"), "Config file for kerberos")
+
+ gssapiClient *gssapi.Client
+
+ ldapServerPool []ldapServerHost
+ ldapPool genpool.Pool[ldap.Conn]
+)
+
+var (
+ ErrNoValidServer = errors.New("no valid server")
+ ldapRootLogger, ldapPoolLogger *zap.Logger
+)
+
+func init() {
+ startup.Logger.Add(func() {
+ ldapRootLogger = zap.L().Named("ldap")
+ ldapPoolLogger = ldapRootLogger.Named("pool")
+ })
+
+ startup.PostFlags.Add(func() {
+ serverUrl, err := url.Parse(*ldapServerUrl)
+ if err != nil {
+ ldapRootLogger.Fatal("Invalid LDAP server url", zap.String("url", *ldapServerUrl), zap.Error(err))
+ }
+ ldapServerPool = []ldapServerHost{
+ {
+ SPN: "ldap/" + serverUrl.Hostname(),
+ Url: *ldapServerUrl,
+ Weight: 1,
+ },
+ }
+
+ if *ldapRootDN == "" {
+ rootDnElements := make([]string, 0, 4)
+ for _, v := range strings.Split(*domain, ".") {
+ rootDnElements = append(rootDnElements, "dc="+v)
+ }
+ *ldapRootDN = strings.Join(rootDnElements, ",")
+ ldapRootLogger.Debug("Configured LDAP rootDN", zap.String("rootDN", *ldapRootDN))
+ }
+
+ krb5Config, err := config.Load(*krb5conf)
+ var realmSource string = ""
+ if err != nil {
+ ldapRootLogger.Warn("Failed to load config", zap.Error(err))
+ } else {
+ if *krb5realm == "" {
+ *krb5realm = krb5Config.LibDefaults.DefaultRealm
+ realmSource = *krb5conf
+ }
+ }
+ if *krb5realm == "" {
+ // default from domain
+ *krb5realm = strings.ToUpper(*domain)
+ realmSource = "domain"
+ }
+
+ if realmSource != "" {
+ ldapRootLogger.Debug("Configured KRB5 realm", zap.String("source", realmSource), zap.String("realm", *krb5realm))
+ }
+
+ if *krb5Principal == "" {
+ *krb5Principal = "HTTP/sso." + *domain
+ ldapRootLogger.Debug("Configured local kerberos principal", zap.String("principal", *krb5Principal))
+ }
+
+ gssapiClient, err = gssapi.NewClientWithKeytab(*krb5Principal, *krb5realm, *keytab, *krb5conf)
+ if err != nil {
+ ldapRootLogger.Fatal("Failed to initialize kerberos", zap.Error(err))
+ }
+
+ // Create the LDAP pool
+ ldapPool = genpool.NewPool[ldap.Conn](&ldapPoolManager{gssapiClient: gssapiClient}, 5)
+
+ // Test the pool...
+ conn, err := ldapPool.Get()
+ if err != nil {
+ ldapPoolLogger.Warn("Failed to connect to LDAP server at startup", zap.Error(err))
+ } else {
+ defer ldapPool.Put(conn)
+ whoami, err := conn.WhoAmI(nil)
+ if err != nil {
+ ldapPoolLogger.Warn("Failed to call whoami at startup", zap.Error(err))
+ }
+ ldapPoolLogger.Info("Successfully connected to LDAP", zap.String("authzId", whoami.AuthzID))
+ }
+ })
+}
+
+type (
+ ldapServerHost struct {
+ SPN string
+ Url string
+ Weight int
+ }
+
+ ldapPoolManager struct {
+ // TODO: Fill this with results from a SRV request...
+ gssapiClient *gssapi.Client
+ }
+)
+
+func selectServer() *ldapServerHost {
+ serverSet := ldapServerPool
+ var selectedServer *ldapServerHost
+ var weight = 0
+ for _, server := range serverSet {
+ if server.Weight <= 0 {
+ continue
+ }
+ weight += server.Weight
+ if rand.Intn(weight) < server.Weight {
+ server := server // copy the server object
+ selectedServer = &server
+ }
+ }
+ if weight > 0 && selectedServer == nil {
+ ldapPoolLogger.DPanic("Failed to select a server when one was on offer")
+ }
+ return selectedServer
+}
+
+func (l *ldapPoolManager) Destroy(conn *ldap.Conn) {
+ err := conn.Close()
+ if err != nil {
+ ldapPoolLogger.Warn("Failed to close LDAP connection",
+ zap.Error(err),
+ )
+ } else {
+ ldapPoolLogger.Debug("Closed ldap connection")
+ }
+}
+
+func (l *ldapPoolManager) Create() (*ldap.Conn, error) {
+
+ server := selectServer()
+ if server == nil {
+ return nil, ErrNoValidServer
+ }
+ conn, err := ldap.DialURL(server.Url)
+ if err != nil {
+ return nil, err
+ }
+ if err := conn.GSSAPIBind(l.gssapiClient, server.SPN, ""); err != nil {
+ return nil, err
+ }
+
+ return conn, nil
+}
+
+func (l *ldapPoolManager) Validate(conn *ldap.Conn) bool {
+ _, err := conn.WhoAmI([]ldap.Control{})
+ conn.Unbind()
+ return err == nil
+}
+
+func initUserdata() {
+
+ var err error
+ if err != nil {
+ panic(err)
+ }
+}
+
+func buildSessionCache(b *backend.Session) (backend.SessionCache, error) {
+ return backend.SessionCache{}, nil
+}
diff --git a/app/main.go b/app/main.go
deleted file mode 100644
index 5b0050e..0000000
--- a/app/main.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package main
-
-import (
- "flag"
- htemplate "html/template"
- "log"
- "net"
- "net/http"
- "net/http/fcgi"
- "os"
- "strings"
-)
-
-var (
- domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for")
- listen = flag.String("listen", "0.0.0.0:80", "The address to listen on")
-)
-
-func main() {
- flag.Parse()
-
- l := log.New(os.Stderr, "ipaSSO: ", log.Ldate|log.Ltime|log.Lshortfile)
-
- mux := http.NewServeMux()
- mux.Handle("/env", http.HandlerFunc(dumpEnv))
- l.Printf("Starting")
- listener, err := net.Listen("tcp", *listen)
- if err != nil {
- log.Fatalln("Failed to listen: ", err)
- }
- l.Println("Listening on", listener.Addr())
- log.Fatal(fcgi.Serve(listener, mux))
-}
-
-var envTemplate = htemplate.Must(htemplate.New("envdoc").Parse(`
-
-
-
-
-
-
- Headers
-
- {{- range $k,$v := .Headers }}
-
- [{{ $k }}] |
- {{ $v }} |
-
- {{- end }}
-
- Process Environment
-
- {{- range $k,$v := .ProcessEnv }}
-
- {{ $k }} |
- {{ $v }} |
-
- {{- end }}
-
-
-
-`))
-
-type envdocArgs struct {
- Headers map[string]string
- ProcessEnv map[string]string
-}
-
-func dumpEnv(w http.ResponseWriter, r *http.Request) {
- var headers = map[string]string{}
- for k, v := range r.Header {
- headers[k] = strings.Join(v, "\n")
- }
- var args = envdocArgs{ProcessEnv: fcgi.ProcessEnv(r), Headers: headers}
- w.Header().Set("Content-Type", "text/html")
- w.WriteHeader(http.StatusOK)
- if err := envTemplate.Execute(w, args); err != nil {
- panic(err)
- }
-}
diff --git a/go.mod b/go.mod
index 879b235..712145f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,28 @@
module git.thequux.com/thequux/ipasso
go 1.20
+
+replace github.com/go-ldap/ldap => ./_patch/go-ldap
+
+require (
+ github.com/go-ldap/ldap v3.0.3+incompatible
+ github.com/go-ldap/ldap/v3 v3.4.6
+ go.uber.org/zap v1.26.0
+)
+
+require (
+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+ github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+ github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+ github.com/google/uuid v1.3.1 // indirect
+ github.com/hashicorp/go-uuid v1.0.3 // indirect
+ github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+ github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+ github.com/jcmturner/gofork v1.7.6 // indirect
+ github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+ github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+ github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+ go.uber.org/multierr v1.10.0 // indirect
+ golang.org/x/crypto v0.13.0 // indirect
+ golang.org/x/net v0.10.0 // indirect
+)
diff --git a/go.sum b/go.sum
index e69de29..0a5ba81 100644
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,101 @@
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
+github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
+github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/sso-proxy/backend/interface.go b/sso-proxy/backend/interface.go
new file mode 100644
index 0000000..174630a
--- /dev/null
+++ b/sso-proxy/backend/interface.go
@@ -0,0 +1,28 @@
+package backend
+
+import "time"
+
+// Session holds info about the logged-in user that won't change
+type Session struct {
+ SessionID string
+ Expiration time.Time
+ UserID string
+ LdapDN string
+}
+
+// SessionCache holds volatile information about the logged-in user
+type SessionCache struct {
+ Valid bool
+ Groups []string
+ DisplayName string
+ Email string
+}
+
+type Backend interface {
+ PutSession(session Session, cache SessionCache) error
+ GetSession(id string) (Session, *SessionCache, error)
+ EndSession(id string)
+ NewSessionID() (string, error)
+ DoMaintenance()
+ Ping() error
+}
diff --git a/util/genpool/genpool.go b/util/genpool/genpool.go
new file mode 100644
index 0000000..226b411
--- /dev/null
+++ b/util/genpool/genpool.go
@@ -0,0 +1,113 @@
+package genpool
+
+import "errors"
+
+var (
+ ErrPoolClosed = errors.New("pool already closed")
+)
+
+type getResp[Item interface{}] struct {
+ Item *Item
+ err error
+}
+
+type poolReq[Item interface{}] struct {
+ get chan<- getResp[Item]
+ ret *Item
+}
+
+type PoolManager[Item interface{}] interface {
+ Destroy(*Item)
+ Create() (*Item, error)
+ Validate(*Item) bool
+}
+
+type poolBackend[Item interface{}] struct {
+ manager PoolManager[Item]
+ pool []*Item
+}
+
+func (b *poolBackend[Item]) run(ch <-chan poolReq[Item]) {
+ defer func() {
+ for _, item := range b.pool {
+ b.manager.Destroy(item)
+ }
+ }()
+ for req := range ch {
+ if req.get != nil {
+ // fetch an item
+ for {
+ if len(b.pool) > 0 {
+ item := b.pool[len(b.pool)-1]
+ b.pool = b.pool[:len(b.pool)-1]
+ if b.manager.Validate(item) {
+ req.get <- getResp[Item]{
+ Item: item,
+ err: nil,
+ }
+ break
+ } else {
+ b.manager.Destroy(item)
+ }
+ } else {
+ // last item
+ item, err := b.manager.Create()
+ req.get <- getResp[Item]{
+ Item: item,
+ err: err,
+ }
+ break
+ }
+ }
+ }
+ if req.ret != nil {
+ // return an item to the pool
+ if cap(b.pool) > len(b.pool) {
+ b.pool = append(b.pool, req.ret)
+ } else {
+ b.manager.Destroy(req.ret)
+ }
+ }
+ }
+
+}
+
+type Pool[Item interface{}] struct {
+ req chan<- poolReq[Item]
+}
+
+func NewPool[Item interface{}](manager PoolManager[Item], capacity int) Pool[Item] {
+ cmdChan := make(chan poolReq[Item])
+ backend := poolBackend[Item]{
+ manager: manager,
+ pool: make([]*Item, 0, capacity),
+ }
+ go backend.run(cmdChan)
+ return Pool[Item]{
+ req: cmdChan,
+ }
+}
+
+func (p *Pool[Item]) Get() (*Item, error) {
+ retCh := make(chan getResp[Item])
+ p.req <- poolReq[Item]{
+ get: retCh,
+ }
+ item, ok := <-retCh
+ if ok {
+ return item.Item, item.err
+ } else {
+ return nil, ErrPoolClosed
+ }
+}
+
+func (p *Pool[Item]) Put(item *Item) {
+ p.req <- poolReq[Item]{
+ ret: item,
+ }
+}
+
+func (p *Pool[Item]) Close() {
+ close(p.req)
+ p.req = nil
+}
diff --git a/util/startup/startup.go b/util/startup/startup.go
new file mode 100644
index 0000000..7c99b80
--- /dev/null
+++ b/util/startup/startup.go
@@ -0,0 +1,31 @@
+package startup
+
+// Pre-defined queues...
+var (
+ Logger StartupQueue
+ PostFlags StartupQueue
+)
+
+type StartupQueue struct {
+ items []func()
+ hasRun bool
+}
+
+func (q *StartupQueue) Add(initFn ...func()) {
+ if q.hasRun {
+ panic("Added init function after startup")
+ }
+ for _, fn := range initFn {
+ q.items = append(q.items, fn)
+ }
+}
+
+func (q *StartupQueue) Run() {
+ if q.hasRun {
+ panic("Attempted to run init function twice")
+ }
+ q.hasRun = true
+ for _, fn := range q.items {
+ fn()
+ }
+}
diff --git a/util/util.go b/util/util.go
new file mode 100644
index 0000000..1b2a03d
--- /dev/null
+++ b/util/util.go
@@ -0,0 +1,12 @@
+package util
+
+import "os"
+
+func GetEnvDefault(name string, def string) string {
+ env, exist := os.LookupEnv(name)
+ if exist {
+ return env
+ } else {
+ return def
+ }
+}