From 7bcd00c97b2c6710820dea9e124c38ecf153a99a Mon Sep 17 00:00:00 2001
From: TQ Hirsch <thequux@thequux.com>
Date: Tue, 24 Oct 2023 22:15:58 +0200
Subject: [PATCH] Started LDAP support

---
 .gitmodules                    |   3 +
 _patch/go-ldap                 |   1 +
 app/ipasso/main.go             | 164 ++++++++++++++++++++++++++++
 app/ipasso/userdata.go         | 191 +++++++++++++++++++++++++++++++++
 app/main.go                    |  82 --------------
 go.mod                         |  25 +++++
 go.sum                         | 101 +++++++++++++++++
 sso-proxy/backend/interface.go |  28 +++++
 util/genpool/genpool.go        | 113 +++++++++++++++++++
 util/startup/startup.go        |  31 ++++++
 util/util.go                   |  12 +++
 11 files changed, 669 insertions(+), 82 deletions(-)
 create mode 100644 .gitmodules
 create mode 160000 _patch/go-ldap
 create mode 100644 app/ipasso/main.go
 create mode 100644 app/ipasso/userdata.go
 delete mode 100644 app/main.go
 create mode 100644 sso-proxy/backend/interface.go
 create mode 100644 util/genpool/genpool.go
 create mode 100644 util/startup/startup.go
 create mode 100644 util/util.go

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..405a9a9
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "_patch/go-ldap"]
+	path = _patch/go-ldap
+	url = https://github.com/levkohimins/go-ldap
diff --git a/_patch/go-ldap b/_patch/go-ldap
new file mode 160000
index 0000000..02e02ad
--- /dev/null
+++ b/_patch/go-ldap
@@ -0,0 +1 @@
+Subproject commit 02e02ad11329548a132277c6314e9b946e3ec84b
diff --git a/app/ipasso/main.go b/app/ipasso/main.go
new file mode 100644
index 0000000..18668ab
--- /dev/null
+++ b/app/ipasso/main.go
@@ -0,0 +1,164 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"git.thequux.com/thequux/ipasso/sso-proxy/backend"
+	"git.thequux.com/thequux/ipasso/util/startup"
+	"go.uber.org/zap"
+	htemplate "html/template"
+	"log"
+	"net"
+	"net/http"
+	"net/http/fcgi"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for")
+	listen = flag.String("listen", "0.0.0.0:80", "The address to listen on")
+
+	datastore backend.Backend
+)
+
+var (
+	ErrNoExpiration = errors.New("Request missing expiration date; misconfigured reverse proxy?")
+)
+
+func main() {
+	flag.Parse()
+	development, err := zap.NewDevelopment()
+	if err != nil {
+		_, _ = fmt.Fprint(os.Stderr, "Failed to create logger", err)
+		os.Exit(1)
+	}
+	zap.ReplaceGlobals(development)
+	l := zap.L().Named("root")
+	startup.Logger.Run()
+
+	startup.PostFlags.Run()
+
+	initUserdata()
+
+	mux := http.NewServeMux()
+	mux.Handle("/env", http.HandlerFunc(dumpEnv))
+	l.Info("Starting")
+	listener, err := net.Listen("tcp", *listen)
+	if err != nil {
+		log.Fatalln("Failed to listen: ", err)
+	}
+	l.Info("Listening", zap.Stringer("addr", listener.Addr()))
+	log.Fatal(fcgi.Serve(listener, mux))
+}
+
+var envTemplate = htemplate.Must(htemplate.New("envdoc").Parse(`
+<!DOCTYPE html>
+<html>
+  <head>
+  <style>
+    pre { margin: 0 1ex; }
+  </style>
+  </head>
+  <body>
+    <h1>Headers</h1>
+	<table>
+	  {{- range $k,$v := .Headers }}
+      <tr>
+		<td><pre>[{{ $k }}]</pre></td>
+		<td><pre>{{ $v }}</pre></td>
+      </tr>
+      {{- end }}
+	</table>
+    <h1>Process Environment</h1>
+	<table>
+	  {{- range $k,$v := .ProcessEnv }}
+      <tr>
+		<td><pre>{{ $k }}</pre></td>
+		<td><pre>{{ $v }}</pre></td>
+      </tr>
+      {{- end }}
+	</table>
+  </body>
+</html>
+`))
+
+type envdocArgs struct {
+	Headers    map[string]string
+	ProcessEnv map[string]string
+}
+
+func dumpEnv(w http.ResponseWriter, r *http.Request) {
+	var headers = map[string]string{}
+	for k, v := range r.Header {
+		headers[k] = strings.Join(v, "\n")
+	}
+	var args = envdocArgs{ProcessEnv: fcgi.ProcessEnv(r), Headers: headers}
+	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(http.StatusOK)
+	if err := envTemplate.Execute(w, args); err != nil {
+		panic(err)
+	}
+}
+
+func loginKrb(w http.ResponseWriter, r *http.Request) {
+	// Uses information from the process environment; assumes that Apache has done a krb5 login
+	// The fact that we got here implies that the login succeeded
+	env := fcgi.ProcessEnv(r)
+	user := env["REMOTE_USER"]
+	uid := strings.Split(user, "@")[0]
+	expirationTxt, hasExpiration := env["GSS_SESSION_EXPIRATION"]
+	var expiration time.Time
+	if hasExpiration {
+		expInt, err := strconv.ParseInt(expirationTxt, 10, 64)
+		if err != nil {
+			// Invalid expiration date; bail
+			log.Printf("Invalid expiration date: %#v", expirationTxt)
+			w.WriteHeader(http.StatusInternalServerError)
+		} else {
+			expiration = time.Unix(expInt, 0)
+		}
+	} else {
+		log.Print(ErrNoExpiration)
+		ReportError(w, ErrNoExpiration)
+		return
+	}
+
+	SessionID, err := datastore.NewSessionID()
+	if err != nil {
+		ReportError(w, err)
+		return
+	}
+	ldapDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", uid, *ldapRootDN)
+	session := backend.Session{
+		SessionID:  SessionID,
+		Expiration: expiration,
+		UserID:     uid,
+		LdapDN:     ldapDN,
+	}
+	sessionCache, err := buildSessionCache(&session)
+	if err != nil {
+		ReportError(w, err)
+		return
+	}
+	datastore.PutSession(session, sessionCache)
+}
+
+type RespErr struct {
+	Err    string
+	Status string
+}
+
+func ReportError(w http.ResponseWriter, err error) {
+	w.Header().Set("Content-Type", "text/json")
+	w.WriteHeader(http.StatusInternalServerError)
+	js, err0 := json.Marshal(RespErr{Err: err.Error(), Status: "ERROR"})
+	if err0 != nil {
+		panic(err0)
+	}
+	_, _ = w.Write(js)
+}
diff --git a/app/ipasso/userdata.go b/app/ipasso/userdata.go
new file mode 100644
index 0000000..394e948
--- /dev/null
+++ b/app/ipasso/userdata.go
@@ -0,0 +1,191 @@
+package main
+
+import (
+	"errors"
+	"flag"
+	"git.thequux.com/thequux/ipasso/sso-proxy/backend"
+	"git.thequux.com/thequux/ipasso/util"
+	"git.thequux.com/thequux/ipasso/util/genpool"
+	"git.thequux.com/thequux/ipasso/util/startup"
+	"github.com/go-ldap/ldap/gssapi"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/jcmturner/gokrb5/v8/config"
+	"go.uber.org/zap"
+	"math/rand"
+	"net/url"
+	"strings"
+)
+
+var (
+	ldapServerUrl = flag.String("ldap-url", "", "URL at which LDAP server can be reached")
+	ldapRootDN    = flag.String("rootDN", "", "LDAP Root DN. Defaults to dc=host,dc=tld based on -domain")
+	keytab        = flag.String("keytab", "ipasso.keytab", "Keytab file used to authenticate server")
+	krb5Principal = flag.String("krb5-principal", "", "Default kerberos principal; default HTTP/sso.<domain>")
+	krb5realm     = flag.String("krb5-realm", "", "Kerberos realm. Default based on krb5 config")
+	krb5conf      = flag.String("krb5-conf", util.GetEnvDefault("KRB5_CONFIG", "/etc/krb5.conf"), "Config file for kerberos")
+
+	gssapiClient *gssapi.Client
+
+	ldapServerPool []ldapServerHost
+	ldapPool       genpool.Pool[ldap.Conn]
+)
+
+var (
+	ErrNoValidServer               = errors.New("no valid server")
+	ldapRootLogger, ldapPoolLogger *zap.Logger
+)
+
+func init() {
+	startup.Logger.Add(func() {
+		ldapRootLogger = zap.L().Named("ldap")
+		ldapPoolLogger = ldapRootLogger.Named("pool")
+	})
+
+	startup.PostFlags.Add(func() {
+		serverUrl, err := url.Parse(*ldapServerUrl)
+		if err != nil {
+			ldapRootLogger.Fatal("Invalid LDAP server url", zap.String("url", *ldapServerUrl), zap.Error(err))
+		}
+		ldapServerPool = []ldapServerHost{
+			{
+				SPN:    "ldap/" + serverUrl.Hostname(),
+				Url:    *ldapServerUrl,
+				Weight: 1,
+			},
+		}
+
+		if *ldapRootDN == "" {
+			rootDnElements := make([]string, 0, 4)
+			for _, v := range strings.Split(*domain, ".") {
+				rootDnElements = append(rootDnElements, "dc="+v)
+			}
+			*ldapRootDN = strings.Join(rootDnElements, ",")
+			ldapRootLogger.Debug("Configured LDAP rootDN", zap.String("rootDN", *ldapRootDN))
+		}
+
+		krb5Config, err := config.Load(*krb5conf)
+		var realmSource string = ""
+		if err != nil {
+			ldapRootLogger.Warn("Failed to load config", zap.Error(err))
+		} else {
+			if *krb5realm == "" {
+				*krb5realm = krb5Config.LibDefaults.DefaultRealm
+				realmSource = *krb5conf
+			}
+		}
+		if *krb5realm == "" {
+			// default from domain
+			*krb5realm = strings.ToUpper(*domain)
+			realmSource = "domain"
+		}
+
+		if realmSource != "" {
+			ldapRootLogger.Debug("Configured KRB5 realm", zap.String("source", realmSource), zap.String("realm", *krb5realm))
+		}
+
+		if *krb5Principal == "" {
+			*krb5Principal = "HTTP/sso." + *domain
+			ldapRootLogger.Debug("Configured local kerberos principal", zap.String("principal", *krb5Principal))
+		}
+
+		gssapiClient, err = gssapi.NewClientWithKeytab(*krb5Principal, *krb5realm, *keytab, *krb5conf)
+		if err != nil {
+			ldapRootLogger.Fatal("Failed to initialize kerberos", zap.Error(err))
+		}
+
+		// Create the LDAP pool
+		ldapPool = genpool.NewPool[ldap.Conn](&ldapPoolManager{gssapiClient: gssapiClient}, 5)
+
+		// Test the pool...
+		conn, err := ldapPool.Get()
+		if err != nil {
+			ldapPoolLogger.Warn("Failed to connect to LDAP server at startup", zap.Error(err))
+		} else {
+			defer ldapPool.Put(conn)
+			whoami, err := conn.WhoAmI(nil)
+			if err != nil {
+				ldapPoolLogger.Warn("Failed to call whoami at startup", zap.Error(err))
+			}
+			ldapPoolLogger.Info("Successfully connected to LDAP", zap.String("authzId", whoami.AuthzID))
+		}
+	})
+}
+
+type (
+	ldapServerHost struct {
+		SPN    string
+		Url    string
+		Weight int
+	}
+
+	ldapPoolManager struct {
+		// TODO: Fill this with results from a SRV request...
+		gssapiClient *gssapi.Client
+	}
+)
+
+func selectServer() *ldapServerHost {
+	serverSet := ldapServerPool
+	var selectedServer *ldapServerHost
+	var weight = 0
+	for _, server := range serverSet {
+		if server.Weight <= 0 {
+			continue
+		}
+		weight += server.Weight
+		if rand.Intn(weight) < server.Weight {
+			server := server // copy the server object
+			selectedServer = &server
+		}
+	}
+	if weight > 0 && selectedServer == nil {
+		ldapPoolLogger.DPanic("Failed to select a server when one was on offer")
+	}
+	return selectedServer
+}
+
+func (l *ldapPoolManager) Destroy(conn *ldap.Conn) {
+	err := conn.Close()
+	if err != nil {
+		ldapPoolLogger.Warn("Failed to close LDAP connection",
+			zap.Error(err),
+		)
+	} else {
+		ldapPoolLogger.Debug("Closed ldap connection")
+	}
+}
+
+func (l *ldapPoolManager) Create() (*ldap.Conn, error) {
+
+	server := selectServer()
+	if server == nil {
+		return nil, ErrNoValidServer
+	}
+	conn, err := ldap.DialURL(server.Url)
+	if err != nil {
+		return nil, err
+	}
+	if err := conn.GSSAPIBind(l.gssapiClient, server.SPN, ""); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+func (l *ldapPoolManager) Validate(conn *ldap.Conn) bool {
+	_, err := conn.WhoAmI([]ldap.Control{})
+	conn.Unbind()
+	return err == nil
+}
+
+func initUserdata() {
+
+	var err error
+	if err != nil {
+		panic(err)
+	}
+}
+
+func buildSessionCache(b *backend.Session) (backend.SessionCache, error) {
+	return backend.SessionCache{}, nil
+}
diff --git a/app/main.go b/app/main.go
deleted file mode 100644
index 5b0050e..0000000
--- a/app/main.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package main
-
-import (
-	"flag"
-	htemplate "html/template"
-	"log"
-	"net"
-	"net/http"
-	"net/http/fcgi"
-	"os"
-	"strings"
-)
-
-var (
-	domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for")
-	listen = flag.String("listen", "0.0.0.0:80", "The address to listen on")
-)
-
-func main() {
-	flag.Parse()
-
-	l := log.New(os.Stderr, "ipaSSO: ", log.Ldate|log.Ltime|log.Lshortfile)
-
-	mux := http.NewServeMux()
-	mux.Handle("/env", http.HandlerFunc(dumpEnv))
-	l.Printf("Starting")
-	listener, err := net.Listen("tcp", *listen)
-	if err != nil {
-		log.Fatalln("Failed to listen: ", err)
-	}
-	l.Println("Listening on", listener.Addr())
-	log.Fatal(fcgi.Serve(listener, mux))
-}
-
-var envTemplate = htemplate.Must(htemplate.New("envdoc").Parse(`
-<!DOCTYPE html>
-<html>
-  <head>
-  <style>
-    pre { margin: 0 1ex; }
-  </style>
-  </head>
-  <body>
-    <h1>Headers</h1>
-	<table>
-	  {{- range $k,$v := .Headers }}
-      <tr>
-		<td><pre>[{{ $k }}]</pre></td>
-		<td><pre>{{ $v }}</pre></td>
-      </tr>
-      {{- end }}
-	</table>
-    <h1>Process Environment</h1>
-	<table>
-	  {{- range $k,$v := .ProcessEnv }}
-      <tr>
-		<td><pre>{{ $k }}</pre></td>
-		<td><pre>{{ $v }}</pre></td>
-      </tr>
-      {{- end }}
-	</table>
-  </body>
-</html>
-`))
-
-type envdocArgs struct {
-	Headers    map[string]string
-	ProcessEnv map[string]string
-}
-
-func dumpEnv(w http.ResponseWriter, r *http.Request) {
-	var headers = map[string]string{}
-	for k, v := range r.Header {
-		headers[k] = strings.Join(v, "\n")
-	}
-	var args = envdocArgs{ProcessEnv: fcgi.ProcessEnv(r), Headers: headers}
-	w.Header().Set("Content-Type", "text/html")
-	w.WriteHeader(http.StatusOK)
-	if err := envTemplate.Execute(w, args); err != nil {
-		panic(err)
-	}
-}
diff --git a/go.mod b/go.mod
index 879b235..712145f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,28 @@
 module git.thequux.com/thequux/ipasso
 
 go 1.20
+
+replace github.com/go-ldap/ldap => ./_patch/go-ldap
+
+require (
+	github.com/go-ldap/ldap v3.0.3+incompatible
+	github.com/go-ldap/ldap/v3 v3.4.6
+	go.uber.org/zap v1.26.0
+)
+
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+)
diff --git a/go.sum b/go.sum
index e69de29..0a5ba81 100644
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,101 @@
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
+github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
+github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/sso-proxy/backend/interface.go b/sso-proxy/backend/interface.go
new file mode 100644
index 0000000..174630a
--- /dev/null
+++ b/sso-proxy/backend/interface.go
@@ -0,0 +1,28 @@
+package backend
+
+import "time"
+
+// Session holds info about the logged-in user that won't change
+type Session struct {
+	SessionID  string
+	Expiration time.Time
+	UserID     string
+	LdapDN     string
+}
+
+// SessionCache holds volatile information about the logged-in user
+type SessionCache struct {
+	Valid       bool
+	Groups      []string
+	DisplayName string
+	Email       string
+}
+
+type Backend interface {
+	PutSession(session Session, cache SessionCache) error
+	GetSession(id string) (Session, *SessionCache, error)
+	EndSession(id string)
+	NewSessionID() (string, error)
+	DoMaintenance()
+	Ping() error
+}
diff --git a/util/genpool/genpool.go b/util/genpool/genpool.go
new file mode 100644
index 0000000..226b411
--- /dev/null
+++ b/util/genpool/genpool.go
@@ -0,0 +1,113 @@
+package genpool
+
+import "errors"
+
+var (
+	ErrPoolClosed = errors.New("pool already closed")
+)
+
+type getResp[Item interface{}] struct {
+	Item *Item
+	err  error
+}
+
+type poolReq[Item interface{}] struct {
+	get chan<- getResp[Item]
+	ret *Item
+}
+
+type PoolManager[Item interface{}] interface {
+	Destroy(*Item)
+	Create() (*Item, error)
+	Validate(*Item) bool
+}
+
+type poolBackend[Item interface{}] struct {
+	manager PoolManager[Item]
+	pool    []*Item
+}
+
+func (b *poolBackend[Item]) run(ch <-chan poolReq[Item]) {
+	defer func() {
+		for _, item := range b.pool {
+			b.manager.Destroy(item)
+		}
+	}()
+	for req := range ch {
+		if req.get != nil {
+			// fetch an item
+			for {
+				if len(b.pool) > 0 {
+					item := b.pool[len(b.pool)-1]
+					b.pool = b.pool[:len(b.pool)-1]
+					if b.manager.Validate(item) {
+						req.get <- getResp[Item]{
+							Item: item,
+							err:  nil,
+						}
+						break
+					} else {
+						b.manager.Destroy(item)
+					}
+				} else {
+					// last item
+					item, err := b.manager.Create()
+					req.get <- getResp[Item]{
+						Item: item,
+						err:  err,
+					}
+					break
+				}
+			}
+		}
+		if req.ret != nil {
+			// return an item to the pool
+			if cap(b.pool) > len(b.pool) {
+				b.pool = append(b.pool, req.ret)
+			} else {
+				b.manager.Destroy(req.ret)
+			}
+		}
+	}
+
+}
+
+type Pool[Item interface{}] struct {
+	req chan<- poolReq[Item]
+}
+
+func NewPool[Item interface{}](manager PoolManager[Item], capacity int) Pool[Item] {
+	cmdChan := make(chan poolReq[Item])
+	backend := poolBackend[Item]{
+		manager: manager,
+		pool:    make([]*Item, 0, capacity),
+	}
+	go backend.run(cmdChan)
+	return Pool[Item]{
+		req: cmdChan,
+	}
+}
+
+func (p *Pool[Item]) Get() (*Item, error) {
+	retCh := make(chan getResp[Item])
+	p.req <- poolReq[Item]{
+		get: retCh,
+	}
+	item, ok := <-retCh
+	if ok {
+		return item.Item, item.err
+	} else {
+		return nil, ErrPoolClosed
+	}
+}
+
+func (p *Pool[Item]) Put(item *Item) {
+	p.req <- poolReq[Item]{
+		ret: item,
+	}
+}
+
+func (p *Pool[Item]) Close() {
+	close(p.req)
+	p.req = nil
+}
diff --git a/util/startup/startup.go b/util/startup/startup.go
new file mode 100644
index 0000000..7c99b80
--- /dev/null
+++ b/util/startup/startup.go
@@ -0,0 +1,31 @@
+package startup
+
+// Pre-defined queues...
+var (
+	Logger    StartupQueue
+	PostFlags StartupQueue
+)
+
+type StartupQueue struct {
+	items  []func()
+	hasRun bool
+}
+
+func (q *StartupQueue) Add(initFn ...func()) {
+	if q.hasRun {
+		panic("Added init function after startup")
+	}
+	for _, fn := range initFn {
+		q.items = append(q.items, fn)
+	}
+}
+
+func (q *StartupQueue) Run() {
+	if q.hasRun {
+		panic("Attempted to run init function twice")
+	}
+	q.hasRun = true
+	for _, fn := range q.items {
+		fn()
+	}
+}
diff --git a/util/util.go b/util/util.go
new file mode 100644
index 0000000..1b2a03d
--- /dev/null
+++ b/util/util.go
@@ -0,0 +1,12 @@
+package util
+
+import "os"
+
+func GetEnvDefault(name string, def string) string {
+	env, exist := os.LookupEnv(name)
+	if exist {
+		return env
+	} else {
+		return def
+	}
+}