Import of source code

12 files changed, 1082 insertions, 0 deletions

diff --git a/app/config.go b/app/config.go
new file mode 100644
index 0000000..6565863
--- /dev/null
+++ b/app/config.go
@@ -0,0 +1,70 @@
+package app
+
+import (
+        "log"
+        "time"
+
+        "code.crute.us/mcrute/golib/cli"
+        "code.crute.us/mcrute/golib/vault"
+        "github.com/spf13/cobra"
+)
+
+type GitHubOauthCreds struct {
+        ClientId     string `mapstructure:"client-id"`
+        ClientSecret string `mapstructure:"client-secret"`
+}
+
+type Config struct {
+        Bind                  []string
+        BindTLS               []string
+        Debug                 bool
+        TemplateGlob          string
+        TemplatePath          string
+        MongoDbUri            string
+        MongodbVaultPath      string
+        LogFile               string
+        TLSCacheDir           string
+        TrustedIPRanges       []string
+        ManagementIPRanges    []string
+        Hostnames             []string
+        DisableBackgroundJobs bool
+        RateLimit             time.Duration
+        RateLimitBurst        int
+        IssuerEndpoint        string
+        JWTAudience           string
+        AuthCookieDuration    time.Duration
+        GitHubOauthCreds      *GitHubOauthCreds
+}
+
+func NewConfigFromCmd(cmd *cobra.Command) Config {
+        f := cli.TolerantPflagSet{cmd.Flags()}
+
+        var githubOauth GitHubOauthCreds
+        oauthPath := f.MayGetString("github-oauth-vault-path")
+        err := vault.GetVaultKeyStruct(oauthPath, &githubOauth)
+        if err != nil {
+                log.Fatalf("Error getting %s from vault: %w", oauthPath, err)
+        }
+
+        return Config{
+                Bind:                  f.MayGetStringSlice("bind"),
+                BindTLS:               f.MayGetStringSlice("bind-tls"),
+                Debug:                 f.MayGetBool("debug"),
+                TemplateGlob:          f.MayGetString("template-glob"),
+                TemplatePath:          f.MayGetString("template-path"),
+                MongoDbUri:            f.MayGetString("mongodb-uri"),
+                MongodbVaultPath:      f.MayGetString("mongodb-vault-path"),
+                DisableBackgroundJobs: f.MayGetBool("disable-bg-jobs"),
+                TrustedIPRanges:       f.MayGetStringSlice("trusted-ip-ranges"),
+                ManagementIPRanges:    f.MayGetStringSlice("management-ip-ranges"),
+                Hostnames:             f.MayGetStringSlice("hostname"),
+                LogFile:               f.MayGetString("log-file"),
+                TLSCacheDir:           f.MayGetString("tls-cache-dir"),
+                RateLimit:             f.MayGetDuration("rate-limit"),
+                RateLimitBurst:        f.MayGetInt("rate-limit-burst"),
+                IssuerEndpoint:        f.MayGetString("issuer-endpoint"),
+                JWTAudience:           f.MayGetString("jwt-audience"),
+                AuthCookieDuration:    f.MayGetDuration("auth-cookie-duration"),
+                GitHubOauthCreds:      &githubOauth,
+        }
+}
diff --git a/app/controllers/api.go b/app/controllers/api.go
new file mode 100644
index 0000000..7beaa4c
--- /dev/null
+++ b/app/controllers/api.go
@@ -0,0 +1,6 @@
+package controllers
+
+const (
+        contentTypeV1 = "application/vnd.broker.v1+json" // Original type
+        contentTypeV2 = "application/vnd.broker.v2+json" // Start of migration to multi-cloud
+)
diff --git a/app/controllers/api_account_list.go b/app/controllers/api_account_list.go
new file mode 100644
index 0000000..f69db6a
--- /dev/null
+++ b/app/controllers/api_account_list.go
@@ -0,0 +1,109 @@
+package controllers
+
+import (
+        "context"
+        "net/http"
+
+        "code.crute.us/mcrute/cloud-identity-broker/app/middleware"
+        "code.crute.us/mcrute/cloud-identity-broker/app/models"
+
+        glecho "code.crute.us/mcrute/golib/echo"
+        "code.crute.us/mcrute/golib/echo/controller"
+        "github.com/labstack/echo/v4"
+)
+
+type jsonAccount struct {
+        Vendor               string `json:"vendor,omitempty"`
+        AccountNumber        int    `json:"account_number"`
+        ShortName            string `json:"short_name"`
+        Name                 string `json:"name"`
+        ConsoleUrl           string `json:"get_console_url,omitempty"`
+        ConsoleRedirectUrl   string `json:"console_redirect_url,omitempty"`
+        CredentialsUrl       string `json:"credentials_url"`
+        GlobalCredentialsUrl string `json:"global_credential_url,omitempty"`
+}
+
+func jsonAccountFromAccount(c echo.Context, a *models.Account) *jsonAccount {
+        return &jsonAccount{
+                AccountNumber:        a.AccountNumber,
+                ShortName:            a.ShortName,
+                Name:                 a.Name,
+                ConsoleUrl:           glecho.URLFor(c, "/api/account", a.ShortName, "console").String(),
+                ConsoleRedirectUrl:   glecho.URLFor(c, "/api/account", a.ShortName, "console").Query("redirect", "1").String(),
+                CredentialsUrl:       glecho.URLFor(c, "/api/account", a.ShortName, "credentials").String(),
+                GlobalCredentialsUrl: glecho.URLFor(c, "/api/account", a.ShortName, "credentials/global").String(),
+        }
+}
+
+type APIAccountListHandler struct {
+        store models.AccountStore
+}
+
+func NewAPIAccountListHandler(s models.AccountStore) echo.HandlerFunc {
+        al := &APIAccountListHandler{store: s}
+        h := &controller.ContentTypeNegotiatingHandler{
+                DefaultHandler: al.HandleV1,
+                Handlers: map[string]echo.HandlerFunc{
+                        contentTypeV1: al.HandleV1,
+                        contentTypeV2: al.HandleV2,
+                },
+        }
+        return h.Handle
+}
+
+// getAccountList returns the account list. This does the same work that
+// GetContext would do for most AWSAPI handlers but is a little different
+// because it deals with lists of accounts.
+//
+// Authorization of the account is handled within the store. The store will not
+// return accounts for which the user does not have access.
+func (h *APIAccountListHandler) getAccountList(c echo.Context) ([]*models.Account, error) {
+        principal, err := middleware.GetAuthorizedPrincipal(c)
+        if err != nil {
+                return nil, echo.ErrUnauthorized
+        }
+
+        accounts, err := h.store.ListForUser(context.Background(), principal)
+        if err != nil {
+                c.Logger().Errorf("Unable to load account list: %w", err)
+                return nil, echo.ErrInternalServerError
+        }
+
+        return accounts, nil
+}
+
+// HandleV1 returns a list of JSON account objects
+func (h *APIAccountListHandler) HandleV1(c echo.Context) error {
+        accounts, err := h.getAccountList(c)
+        if err != nil {
+                return err
+        }
+
+        out := []*jsonAccount{}
+        for _, a := range accounts {
+                ja := jsonAccountFromAccount(c, a)
+                ja.Vendor = "aws"
+                out = append(out, ja)
+        }
+
+        return c.JSON(http.StatusOK, out)
+}
+
+// HandleV2 returns a map of lists of account objects. the key to the map is
+// the short name of the cloud provider.
+func (h *APIAccountListHandler) HandleV2(c echo.Context) error {
+        accounts, err := h.getAccountList(c)
+        if err != nil {
+                return err
+        }
+
+        out := map[string][]*jsonAccount{
+                "aws": []*jsonAccount{},
+        }
+        for _, a := range accounts {
+                ja := jsonAccountFromAccount(c, a)
+                out["aws"] = append(out["aws"], ja)
+        }
+
+        return c.JSON(http.StatusOK, out)
+}
diff --git a/app/controllers/api_console_redirect.go b/app/controllers/api_console_redirect.go
new file mode 100644
index 0000000..701bbf3
--- /dev/null
+++ b/app/controllers/api_console_redirect.go
@@ -0,0 +1,63 @@
+package controllers
+
+import (
+        "net/http"
+
+        "code.crute.us/mcrute/golib/echo/controller"
+        "github.com/labstack/echo/v4"
+        "github.com/prometheus/client_golang/prometheus"
+        "github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var consoleAllowed = promauto.NewCounterVec(prometheus.CounterOpts{
+        Namespace: "aws_access", // Legacy Namespace
+        Name:      "broker_console_access_total",
+        Help:      "Total number of console logins allowed by broker",
+}, []string{"account"})
+
+type jsonConsoleUrl struct {
+        ConsoleURL string `json:"console_url"`
+}
+
+type APIConsoleRedirectHandler struct {
+        FederationIssuerEndpoint string
+        *AWSAPI
+}
+
+func NewAPIConsoleRedirectHandler(a *AWSAPI, fe string) echo.HandlerFunc {
+        al := &APIConsoleRedirectHandler{fe, a}
+        h := &controller.ContentTypeNegotiatingHandler{
+                DefaultHandler: al.Handle,
+                Handlers: map[string]echo.HandlerFunc{
+                        contentTypeV1: al.Handle,
+                },
+        }
+        return h.Handle
+}
+
+func (h *APIConsoleRedirectHandler) Handle(c echo.Context) error {
+        rc, err := h.GetContext(c) // Does all authorization checks
+        if err != nil {
+                return err
+        }
+
+        u, err := rc.AWS.GetFederationURL(rc.Principal.Username, h.FederationIssuerEndpoint)
+        if err != nil {
+                c.Logger().Errorf("Error fetching console URL: %w", err)
+                return echo.ErrBadRequest
+        }
+
+        c.Logger().Infof(
+                "Allowing '%s' to access account console '%s'",
+                rc.Principal.Username, rc.Account.Name,
+        )
+        consoleAllowed.With(prometheus.Labels{
+                "account": rc.Account.ShortName,
+        }).Inc()
+
+        if c.QueryParam("redirect") == "1" {
+                return c.Redirect(http.StatusFound, u)
+        } else {
+                return c.JSON(http.StatusOK, &jsonConsoleUrl{u})
+        }
+}
diff --git a/app/controllers/api_credentials.go b/app/controllers/api_credentials.go
new file mode 100644
index 0000000..1cefc07
--- /dev/null
+++ b/app/controllers/api_credentials.go
@@ -0,0 +1,76 @@
+package controllers
+
+import (
+        "net/http"
+        "time"
+
+        "code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
+
+        "code.crute.us/mcrute/golib/echo/controller"
+        "github.com/labstack/echo/v4"
+        "github.com/prometheus/client_golang/prometheus"
+        "github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var credsAllowed = promauto.NewCounterVec(prometheus.CounterOpts{
+        Namespace: "aws_access", // Legacy namespace
+        Name:      "broker_cred_access_total",
+        Help:      "Total number of credential accesses allowed by broker",
+}, []string{"account", "region"})
+
+type jsonCredential struct {
+        AccessKeyId     *string    `json:"access_key"`
+        SecretAccessKey *string    `json:"secret_key"`
+        SessionToken    *string    `json:"session_token"`
+        Expiration      *time.Time `json:"expiration"`
+}
+
+type APICredentialsHandler struct {
+        *AWSAPI
+}
+
+func NewAPICredentialsHandler(a *AWSAPI) echo.HandlerFunc {
+        al := &APICredentialsHandler{a}
+        h := &controller.ContentTypeNegotiatingHandler{
+                DefaultHandler: al.Handle,
+                Handlers: map[string]echo.HandlerFunc{
+                        contentTypeV1: al.Handle,
+                },
+        }
+        return h.Handle
+}
+
+func (h *APICredentialsHandler) Handle(c echo.Context) error {
+        rc, err := h.GetContext(c) // Does authorization checks
+        if err != nil {
+                return err
+        }
+
+        region := c.Param("region")
+        creds, err := rc.AWS.AssumeRole(rc.Principal.Username, &region)
+        if err != nil {
+                if aws.IsRegionNotExist(err) {
+                        return echo.NotFoundHandler(c)
+                }
+                c.Logger().Errorf("Error retrieving credentials: %w", err)
+                return echo.ErrInternalServerError
+        }
+
+        c.Logger().Infof(
+                "Allowing '%s' to access account credential '%s'",
+                rc.Principal.Username, rc.Account.Name,
+        )
+        credsAllowed.With(prometheus.Labels{
+                "account": rc.Account.ShortName,
+                "region":  region,
+        }).Inc()
+
+        c.Response().Header().Set("Expires", creds.Expiration.Add(-5*time.Minute).Format(time.RFC1123))
+
+        return c.JSON(http.StatusOK, &jsonCredential{
+                AccessKeyId:     creds.AccessKeyId,
+                SecretAccessKey: creds.SecretAccessKey,
+                SessionToken:    creds.SessionToken,
+                Expiration:      creds.Expiration,
+        })
+}
diff --git a/app/controllers/api_region_list.go b/app/controllers/api_region_list.go
new file mode 100644
index 0000000..5bd1f7e
--- /dev/null
+++ b/app/controllers/api_region_list.go
@@ -0,0 +1,61 @@
+package controllers
+
+import (
+        "net/http"
+
+        glecho "code.crute.us/mcrute/golib/echo"
+        "code.crute.us/mcrute/golib/echo/controller"
+        "github.com/labstack/echo/v4"
+)
+
+type jsonRegion struct {
+        Name           string `json:"name"`
+        Enabled        bool   `json:"enabled"`
+        Default        bool   `json:"default"`
+        CredentialsURL string `json:"credentials_url,omitempty"`
+}
+
+type APIRegionListHandler struct {
+        *AWSAPI
+}
+
+func NewAPIRegionListHandler(a *AWSAPI) echo.HandlerFunc {
+        al := &APIRegionListHandler{a}
+        h := &controller.ContentTypeNegotiatingHandler{
+                DefaultHandler: al.Handle,
+                Handlers: map[string]echo.HandlerFunc{
+                        contentTypeV1: al.Handle,
+                },
+        }
+        return h.Handle
+}
+
+func (h *APIRegionListHandler) Handle(c echo.Context) error {
+        rc, err := h.GetContext(c) // Does authorization checks
+        if err != nil {
+                return err
+        }
+
+        regions, err := rc.AWS.GetRegionList()
+        if err != nil {
+                c.Logger().Errorf("Failed to load region list: %w", err)
+                return echo.ErrInternalServerError
+        }
+
+        out := make([]*jsonRegion, len(regions))
+
+        for i, r := range regions {
+                out[i] = &jsonRegion{
+                        Name:    r.Name,
+                        Enabled: r.Enabled,
+                        Default: rc.Account.DefaultRegion == r.Name,
+                }
+                if r.Enabled {
+                        out[i].CredentialsURL = glecho.URLFor(c,
+                                "/api/account", rc.Account.ShortName, "credentials", r.Name,
+                        ).String()
+                }
+        }
+
+        return c.JSON(http.StatusOK, out)
+}
diff --git a/app/controllers/aws.go b/app/controllers/aws.go
new file mode 100644
index 0000000..5b1765d
--- /dev/null
+++ b/app/controllers/aws.go
@@ -0,0 +1,52 @@
+package controllers
+
+import (
+        "context"
+
+        "code.crute.us/mcrute/cloud-identity-broker/app/middleware"
+        "code.crute.us/mcrute/cloud-identity-broker/app/models"
+        "code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
+
+        "github.com/labstack/echo/v4"
+)
+
+type requestContext struct {
+        Account   *models.Account
+        Principal *models.User
+        AWS       aws.AWSClient
+}
+
+// AWSAPI is a capability that all handlers talking to the AWS APIs should use.
+// This capability does common permission checks and populates a request
+// context with user, account, and AWS API information.
+type AWSAPI struct {
+        Store models.AccountStore
+}
+
+// GetContext checks that the user is authenticated and is authorized to access
+// the requested AWS account. This should be the very first call in any handler
+// that will eventually call the AWS APIs. Errors returned from this method are
+// echo responses and can be returned directly to the client.
+func (h *AWSAPI) GetContext(c echo.Context) (*requestContext, error) {
+        principal, err := middleware.GetAuthorizedPrincipal(c)
+        if err != nil {
+                return nil, echo.ErrUnauthorized
+        }
+
+        account, err := h.Store.GetForUser(context.Background(), c.Param("account"), principal)
+        if err != nil {
+                return nil, echo.NotFoundHandler(c)
+        }
+
+        ac, err := aws.NewAWSClientFromAccount(account)
+        if err != nil {
+                c.Logger().Errorf("Error building AWS client: %w", err)
+                return nil, echo.ErrInternalServerError
+        }
+
+        return &requestContext{
+                Account:   account,
+                Principal: principal,
+                AWS:       ac,
+        }, nil
+}
diff --git a/app/controllers/basic.go b/app/controllers/basic.go
new file mode 100644
index 0000000..eff97e1
--- /dev/null
+++ b/app/controllers/basic.go
@@ -0,0 +1,17 @@
+package controllers
+
+import (
+        "net/http"
+
+        glecho "code.crute.us/mcrute/golib/echo"
+        "github.com/labstack/echo/v4"
+)
+
+func IndexHandler(c echo.Context) error {
+        return c.Render(http.StatusOK, "index.tpl", nil)
+}
+
+func LogoutHandler(c echo.Context) error {
+        glecho.DeleteAllCookies(c)
+        return c.Redirect(http.StatusFound, "/")
+}
diff --git a/app/middleware/auth.go b/app/middleware/auth.go
new file mode 100644
index 0000000..167d261
--- /dev/null
+++ b/app/middleware/auth.go
@@ -0,0 +1,212 @@
+package middleware
+
+import (
+        "context"
+        "fmt"
+        "net/http"
+        "strings"
+        "time"
+
+        "code.crute.us/mcrute/cloud-identity-broker/app/models"
+        "code.crute.us/mcrute/cloud-identity-broker/auth"
+        "code.crute.us/mcrute/cloud-identity-broker/auth/github"
+
+        "github.com/labstack/echo/v4"
+)
+
+// canRegisterUrls is an interface that identifies what about an HTTP router is
+// needed by this middleware. This mainly exists to work around the fact that
+// our server is actually a golib.EchoWrapper and not an echo.Echo.
+type canRegisterUrls interface {
+        GET(string, echo.HandlerFunc, ...echo.MiddlewareFunc) *echo.Route
+}
+
+const (
+        authPrincipalContextKey = "broker.AuthorizedPrincipal"
+        gitHubTokenCookie       = "github-token"
+        gitHubStateCookie       = "github-state"
+        oauthReturnUrl          = "/github-auth"
+)
+
+// GetAuthorizedPrincipal returns the user principal object from the request
+// context and casts it correctly. Will return error if there is no principal
+// or if the principal is of the incorrect type.
+//
+// Note that use of this function implies that AuthenticationMiddleware is used
+// somewhere in the stack before the handler calling this function is
+// dispatched.
+func GetAuthorizedPrincipal(c echo.Context) (*models.User, error) {
+        rp := c.Get(authPrincipalContextKey)
+        if rp == nil {
+                return nil, fmt.Errorf("No principal set in request")
+        }
+        principal, ok := rp.(*models.User)
+        if !ok {
+                return nil, fmt.Errorf("Principal in request is not of User type")
+        }
+        return principal, nil
+}
+
+type AuthenticationMiddleware struct {
+        Store          models.UserStore
+        JWTManager     *auth.JWTManager
+        GitHub         *github.GitHubAuthenticator
+        CookieDuration time.Duration
+}
+
+func (m *AuthenticationMiddleware) redirectToGitHubAuth(c echo.Context) error {
+        redir, state := m.GitHub.GetAuthRedirect()
+
+        c.SetCookie(&http.Cookie{
+                Name:     gitHubStateCookie,
+                Value:    state,
+                Path:     "/",
+                Secure:   true,
+                HttpOnly: true,
+                SameSite: http.SameSiteStrictMode,
+        })
+
+        return c.Redirect(http.StatusFound, redir)
+}
+
+// RegisterUrls registers the URLs required by this middleware and handler with an echo instance.
+//
+// This is here instead of in the web main because these paths are encoded in
+// the configuration for the GitHub application so changing them requires
+// addition changes to that configuration.
+func (m *AuthenticationMiddleware) RegisterUrls(e canRegisterUrls) {
+        e.GET(oauthReturnUrl, m.HandleCompleteLogin)
+}
+
+// Middleware does user authentication based on either an X-API-Key header,
+// Authorization header, or GitHub cookie depending on how the request is
+// phrased.
+//
+// If the request has either an X-API-Key or an Authorization Bearer header
+// then that must pass validation with the downstream validation logic.
+// Failures through this path are hard failures and the only way to re-try them
+// is to authenticate with a new token. The underlying assumption is that only
+// programmatic access goes through this path so redirecting to interactive
+// authentication is pointless.
+//
+// In the absence of those headers it's assumed that the user is interactive
+// and their auth cookie will be read and validated (by the exact same logic
+// that an API key is validated, they're the same format) but the failure case
+// here will redirect the user to GitHub for interactive auth.
+//
+// X-API-Key should be considered deprecated and the Authorization header with
+// a type of Bearer should be used instead. This is more in-line with Oauth 2
+// style authentication. However, for now this middleware continues to support
+// X-API-Key for to not break legacy API clients.
+func (m *AuthenticationMiddleware) Middleware(next echo.HandlerFunc) echo.HandlerFunc {
+        return func(c echo.Context) error {
+                token := c.Request().Header.Get("X-API-Key")
+                if token == "" {
+                        tp := strings.Split(c.Request().Header.Get(echo.HeaderAuthorization), " ")
+                        if len(tp) == 2 && tp[0] == "Bearer" {
+                                token = tp[1]
+                        }
+                }
+
+                // If an API key is specified this is a success or failure path. There
+                // is no option to authenticate to GitHub as would an interactive user.
+                if token != "" {
+                        u, err := m.JWTManager.Validate(token)
+                        if err != nil {
+                                c.Logger().Debugf("Error validating JWT: %w", err)
+                                return echo.ErrUnauthorized
+                        }
+                        c.Set(authPrincipalContextKey, u)
+                        return next(c)
+                }
+
+                // Kick them to GitHub auth if they have no auth cookie
+                authCookie, err := c.Cookie(gitHubTokenCookie)
+                if err != nil {
+                        return m.redirectToGitHubAuth(c)
+                }
+
+                // If they fail the check them bounce them through logout to remove
+                // their existing cookies which should then bounce them back through
+                // GitHub auth, which will eventually land them back here.
+                u, err := m.JWTManager.Validate(authCookie.Value)
+                if err != nil {
+                        c.Logger().Debugf("Error validating JWT: %w", err)
+                        return c.Redirect(http.StatusFound, "/logout")
+                }
+
+                c.Set(authPrincipalContextKey, u)
+                return next(c)
+        }
+}
+
+// HandleCompleteLogin handles the Oauth 2 code flow. It receives the auth code
+// and uses that to retrieve the auth token. This sets the user's auth cookie
+// to a authenticated JWT.
+//
+// This is redirected-to by the Oauth authorization server and should never be
+// hit directly by a user or script.
+func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
+        ctx := context.Background()
+
+        code, state := c.QueryParam("code"), c.QueryParam("state")
+        if code == "" || state == "" {
+                return echo.ErrBadRequest
+        }
+
+        ghState, err := c.Cookie(gitHubStateCookie)
+        if err != nil || ghState.Value == "" {
+                return echo.ErrBadRequest
+        }
+
+        if ghState.Value != state {
+                return echo.ErrBadRequest
+        }
+
+        token, err := m.GitHub.GetTokens(code)
+        if err != nil {
+                return echo.ErrBadRequest
+        }
+
+        user, err := m.GitHub.GetUsernameWithToken(token.AccessToken)
+        if err != nil {
+                c.Logger().Debugf("Error getting GitHub username with token: %w", err)
+                return echo.ErrUnauthorized
+        }
+
+        dbUser, err := m.Store.Get(ctx, user)
+        if err != nil {
+                c.Logger().Errorf("GitHub user %s does not have access to app", user)
+                return echo.ErrUnauthorized
+        }
+
+        jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
+        if err != nil {
+                return echo.ErrInternalServerError
+        }
+
+        dbUser.AddKey(sk)
+        dbUser.GCKeys() // This is a convenient place to do it
+
+        dbUser.AddToken(&models.AuthToken{
+                Kind:         "github",
+                Token:        token.AccessToken,
+                RefreshToken: token.RefreshToken,
+        })
+
+        if err := m.Store.Put(ctx, dbUser); err != nil {
+                return echo.ErrInternalServerError
+        }
+
+        c.SetCookie(&http.Cookie{
+                Name:     gitHubTokenCookie,
+                Value:    jwt,
+                Path:     "/",
+                MaxAge:   int(m.CookieDuration.Seconds()),
+                Secure:   true,
+                HttpOnly: true,
+                SameSite: http.SameSiteStrictMode,
+        })
+
+        return c.Redirect(http.StatusFound, "/")
+}
diff --git a/app/models/account.go b/app/models/account.go
new file mode 100644
index 0000000..0ae1821
--- /dev/null
+++ b/app/models/account.go
@@ -0,0 +1,115 @@
+package models
+
+import (
+        "context"
+        "fmt"
+        "time"
+
+        "code.crute.us/mcrute/golib/db/mongodb"
+)
+
+const accountCol = "accounts"
+
+type AccountStore interface {
+        List(context.Context) ([]*Account, error)
+        ListForUser(context.Context, *User) ([]*Account, error)
+        Get(context.Context, string) (*Account, error)               // Error on not found
+        GetForUser(context.Context, string, *User) (*Account, error) // Error on not found
+        Put(context.Context, *Account) error
+        Delete(context.Context, *Account) error
+}
+
+type Account struct {
+        ShortName              string `bson:"_id"`
+        AccountType            string
+        AccountNumber          int
+        Name                   string
+        ConsoleSessionDuration time.Duration
+        VaultMaterial          string
+        DefaultRegion          string
+        Users                  []string
+}
+
+func (a *Account) ConsoleSessionDurationSecs() int64 {
+        return int64(a.ConsoleSessionDuration.Seconds())
+}
+
+func (a *Account) CanAccess(u *User) bool {
+        if u.IsAdmin {
+                return true
+        }
+        // Linear search should be fine for now, these lists are pretty small
+        for _, n := range a.Users {
+                if n == u.Username {
+                        return true
+                }
+        }
+        return false
+}
+
+type MongoDbAccountStore struct {
+        Db *mongodb.Mongo
+}
+
+// List returns all accounts in the system.
+func (s *MongoDbAccountStore) List(ctx context.Context) ([]*Account, error) {
+        var out []*Account
+        if err := s.Db.FindAll(ctx, accountCol, &out); err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
+// ListForUser returns all accounts for which the user has access. This is the
+// authorized version of List.
+//
+// Note this does not handle the case where a user is an admin but not
+// explicitly listed in the allowed users list for an account. For that case
+// just use List directly.
+func (s *MongoDbAccountStore) ListForUser(ctx context.Context, u *User) ([]*Account, error) {
+        var out []*Account
+        filter := mongodb.AnyInTopLevelArray("Users", u.Username)
+        if err := s.Db.FindAllByFilter(ctx, accountCol, filter, &out); err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
+func (s *MongoDbAccountStore) Get(ctx context.Context, id string) (*Account, error) {
+        var a Account
+        if err := s.Db.FindOneById(ctx, accountCol, id, &a); err != nil {
+                return nil, err
+        }
+        return &a, nil
+}
+
+// GetForUser returns an account if the user has access to this account,
+// otherwise it returns an error. This is the authorized version of Get.
+func (s *MongoDbAccountStore) GetForUser(ctx context.Context, id string, u *User) (*Account, error) {
+        a, err := s.Get(ctx, id)
+        if err != nil {
+                return nil, err
+        }
+
+        if !a.CanAccess(u) {
+                return nil, fmt.Errorf("User does not have access to account")
+        }
+
+        return a, nil
+}
+
+func (s *MongoDbAccountStore) Put(ctx context.Context, a *Account) error {
+        if err := s.Db.ReplaceOneById(ctx, accountCol, a.ShortName, a); err != nil {
+                return err
+        }
+        return nil
+}
+
+func (s *MongoDbAccountStore) Delete(ctx context.Context, a *Account) error {
+        if err := s.Db.DeleteOneById(ctx, accountCol, a.ShortName); err != nil {
+                return err
+        }
+        return nil
+}
+
+var _ AccountStore = (*MongoDbAccountStore)(nil)
diff --git a/app/models/session_key.go b/app/models/session_key.go
new file mode 100644
index 0000000..64ac7e0
--- /dev/null
+++ b/app/models/session_key.go
@@ -0,0 +1,202 @@
+package models
+
+import (
+        "crypto"
+        "crypto/ecdsa"
+        "crypto/elliptic"
+        "crypto/rand"
+        "crypto/x509"
+        "encoding/base64"
+        "encoding/hex"
+        "fmt"
+        "time"
+
+        "go.mongodb.org/mongo-driver/bson"
+)
+
+// SessionKey represents a public and sometimes private key-pair for a user
+// that will be stored on the user's record in the user store. These keys are
+// used for signing authentication JWTs.
+//
+// This object is designed to be serialized to BSON. Other serializations can
+// be added in the future as needed.
+//
+// There are two flavors of this record. A record with a private key (which
+// implies a public key) is a key that the service generated and is used by the
+// service to sign JWTs for the user. The private key is never given to the
+// user. The private key is only used in the CreateToken flow, never the Verify
+// flow. Currently (as of Nov 2021) the application sets a near-future NotAfter
+// date and these get garbage collected. It might be nice to re-use them in the
+// future for a while but it's not all that important.
+//
+// The other flavor of this key will have a public key but no private key.
+// These are service keys. Service keys are given to programmatic actors that
+// need to be able to mint their own JWTs for authentication to the service.
+// For these keys the client will construct their own JWT and sign it with the
+// private key and the service will validate the signature with the public key.
+// These keys (as of Nov 2021) do not expire, though they can be revoked.
+type SessionKey struct {
+        KeyId       string
+        Description string
+        Revoked     *time.Time
+        NotAfter    *time.Time
+        NotBefore   *time.Time
+        PublicKey   crypto.PublicKey
+        PrivateKey  *ecdsa.PrivateKey
+}
+
+func GenerateSessionKey(ttl time.Duration) (*SessionKey, error) {
+        pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+        if err != nil {
+                return nil, err
+        }
+
+        key := make([]byte, 8)
+        if _, err := rand.Read(key); err != nil {
+                return nil, err
+        }
+
+        now := time.Now()
+        notAfter := now.Add(ttl)
+
+        return &SessionKey{
+                KeyId:      hex.EncodeToString(key),
+                Revoked:    nil,
+                NotAfter:   &notAfter,
+                NotBefore:  &now,
+                PublicKey:  pk.Public(),
+                PrivateKey: pk,
+        }, nil
+}
+
+// IsGarbage checks to determine if a key is garbage that should be collected.
+// The definition of garbage is similar to the inversion of the definition of
+// vaild but revoked keys are not considered to be garbage since they may be
+// useful for auditing later. Also keys that are not yet valid are not garbage.
+func (s *SessionKey) IsGarbage() bool {
+        if s.Revoked != nil {
+                return false
+        }
+
+        if s.NotBefore != nil && s.NotBefore.Before(time.Now()) {
+                return false
+        }
+
+        if s.NotAfter != nil && s.NotAfter.After(time.Now()) {
+                return true
+        }
+
+        return false
+}
+
+// IsValid checks the various dates in the SessionKey to verify that they are
+// valid and in-range for use. This should be called before trusting this key
+// for any use.
+func (s *SessionKey) IsValid() bool {
+        if s.Revoked != nil {
+                return false
+        }
+
+        if s.NotBefore != nil && s.NotBefore.Before(time.Now()) {
+                return false
+        }
+
+        if s.NotAfter != nil && s.NotAfter.After(time.Now()) {
+                return false
+        }
+
+        return true
+}
+
+func (s *SessionKey) MarshalBSON() ([]byte, error) {
+        var err error
+        var pub, priv []byte
+
+        if s.PrivateKey != nil {
+                priv, err = x509.MarshalECPrivateKey(s.PrivateKey)
+                if err != nil {
+                        return nil, err
+                }
+        }
+
+        // If there's a private key and a public key set then just save the private
+        // key. The private key already contains a copy of the public key.
+        if s.PublicKey != nil && s.PrivateKey == nil {
+                pub, err = x509.MarshalPKIXPublicKey(s.PublicKey)
+                if err != nil {
+                        return nil, err
+                }
+        }
+
+        return bson.Marshal(struct {
+                KeyId      string
+                Revoked    *time.Time
+                NotAfter   *time.Time
+                NotBefore  *time.Time
+                PublicKey  string
+                PrivateKey string
+        }{
+                s.KeyId,
+                s.Revoked, s.NotAfter, s.NotBefore,
+                base64.StdEncoding.EncodeToString(pub),
+                base64.StdEncoding.EncodeToString(priv),
+        })
+}
+
+func (s *SessionKey) UnmarshalBSON(d []byte) error {
+        v := struct {
+                KeyId      string
+                Revoked    *time.Time
+                NotAfter   *time.Time
+                NotBefore  *time.Time
+                PublicKey  string
+                PrivateKey string
+        }{}
+        if err := bson.Unmarshal(d, &v); err != nil {
+                return err
+        }
+
+        s.KeyId = v.KeyId
+        s.Revoked = v.Revoked
+        s.NotAfter = v.NotAfter
+        s.NotBefore = v.NotBefore
+
+        if v.PrivateKey != "" {
+                privb, err := base64.StdEncoding.DecodeString(v.PrivateKey)
+                if err != nil {
+                        return err
+                }
+
+                priv, err := x509.ParseECPrivateKey(privb)
+                if err != nil {
+                        return err
+                }
+
+                s.PrivateKey = priv
+                s.PublicKey = priv.Public()
+        }
+
+        // If there was a private key then the public key was already set by
+        // decoding that private key. No need to do this a second time (also it's
+        // rather unlikely that both would be set).
+        if v.PublicKey != "" && s.PublicKey == nil {
+                pubb, err := base64.StdEncoding.DecodeString(v.PublicKey)
+                if err != nil {
+                        return err
+                }
+
+                pubp, err := x509.ParsePKIXPublicKey(pubb)
+                if err != nil {
+                        return err
+                }
+
+                pub, ok := pubp.(*ecdsa.PublicKey)
+                if !ok {
+                        return fmt.Errorf("Failed to convert public key to *ecdsa.PublicKey")
+                }
+
+                s.PublicKey = pub
+        }
+
+        return nil
+}
diff --git a/app/models/user.go b/app/models/user.go
new file mode 100644
index 0000000..0cbd92d
--- /dev/null
+++ b/app/models/user.go
@@ -0,0 +1,99 @@
+package models
+
+import (
+        "context"
+
+        "code.crute.us/mcrute/golib/db/mongodb"
+)
+
+const userCol = "users"
+
+type UserStore interface {
+        List(context.Context) ([]*User, error)
+        Get(context.Context, string) (*User, error) // Error on not found
+        Put(context.Context, *User) error
+        Delete(context.Context, *User) error
+}
+
+type AuthToken struct {
+        Kind         string
+        Token        string
+        RefreshToken string
+}
+
+type User struct {
+        Username   string `bson:"_id"`
+        IsAdmin    bool
+        IsService  bool
+        Keys       map[string]*SessionKey // kid  -> key
+        AuthTokens map[string]*AuthToken  // kind -> token
+}
+
+// GCKeys garbage collects keys that are no longer valid
+func (u *User) GCKeys() {
+        for k, v := range u.Keys {
+                if v.IsGarbage() {
+                        delete(u.Keys, k)
+                }
+        }
+}
+
+// GetKey returns a key for a key ID. It will only return valid keys.
+func (u *User) GetKey(kid string) *SessionKey {
+        if u.Keys != nil {
+                if k := u.Keys[kid]; k != nil && k.IsValid() {
+                        return k
+                }
+        }
+        return nil
+}
+
+func (u *User) AddKey(k *SessionKey) {
+        if u.Keys == nil {
+                u.Keys = map[string]*SessionKey{}
+        }
+        u.Keys[k.KeyId] = k
+}
+
+func (u *User) AddToken(t *AuthToken) {
+        if u.AuthTokens == nil {
+                u.AuthTokens = map[string]*AuthToken{}
+        }
+        u.AuthTokens[t.Kind] = t
+}
+
+type MongoDbUserStore struct {
+        Db *mongodb.Mongo
+}
+
+func (s *MongoDbUserStore) List(ctx context.Context) ([]*User, error) {
+        var out []*User
+        if err := s.Db.FindAll(ctx, userCol, &out); err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
+func (s *MongoDbUserStore) Get(ctx context.Context, username string) (*User, error) {
+        var u User
+        if err := s.Db.FindOneById(ctx, userCol, username, &u); err != nil {
+                return nil, err
+        }
+        return &u, nil
+}
+
+func (s *MongoDbUserStore) Put(ctx context.Context, u *User) error {
+        if err := s.Db.ReplaceOneById(ctx, userCol, u.Username, u); err != nil {
+                return err
+        }
+        return nil
+}
+
+func (s *MongoDbUserStore) Delete(ctx context.Context, u *User) error {
+        if err := s.Db.DeleteOneById(ctx, userCol, u.Username); err != nil {
+                return err
+        }
+        return nil
+}
+
+var _ UserStore = (*MongoDbUserStore)(nil)