public inbox for elfutils@sourceware.org
 help / color / mirror / Atom feed
* debuginfod Credential Helper RFC
@ 2022-07-26 22:50 Daniel Thornburgh
  2022-07-28 16:23 ` Mark Wielaard
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Thornburgh @ 2022-07-26 22:50 UTC (permalink / raw)
  To: elfutils-devel

Hello elfutils-devel@

I'm working on a use case for debuginfod (in LLVM) that needs a solution
for authentication and authorization of users when accessing source and
debug information. I've put together a short RFC for how this might work,
based on how git and Docker CLIs handle credentials. It should be fairly
straightforward to implement and to generalize to new credential types.

Please take a look; it'd be good to have a consensus on how this should
work across interested debuginfod implementations before moving forward
towards implementation.

-- 
debuginfod Credential Helper RFCBackground

debuginfod is a simple HTTP-based protocol allowing clients to obtain debug
information from servers. The de-facto standard includes environment
variables for pointing clients at available debuginfod servers, but it
includes no mechanism to provide credentials.

This approach works well for fully open-source projects, but debuginfod is
also particuarly useful for the highly-stripped binaries and constrained
environments found in the embedded space. There, it’s common for licensing
constraints to require access to source and debug information to be
restricted to specific users.
Proposal

debuginfod clients could support a new DEBUGINFOD_CREDENTIAL_HELPER environment
variable. This would provide a command that a debuginfod client could run
to obtain credentials to supply to the server, much like Git or Docker
credential helpers do.

No modifications are proposed to generic debuginfod server implementations,
since specific authentication and authorization decisions are usually quite
domain-specific, and it’s fairly easy to write or configure a custom
debuginfod server to make them.

The proposal also omits any mechanism for the client to interactively
prompt the user for their credentials or to retrieve them from storage;
this is left to the credential helper.
Protocol

The behavior of the credential helpers broadly follows the example set by
Git and Docker.

The DEBUGINFOD_CREDENTIAL_HELPER environment variable contains a string
indicating the command to run. If the string begins with an absolute path,
the command is the verbatim string. Otherwise, the command is the string
prepended with debuginfod-credential-.

Once interpreted, the given command is executed in the shell with one
additional argument to indicate the operation type. This is always get.

The helper reads a description of the requested credential from stdin and
writes a description of the found credential to stdout. Errors may be
reported to stderr.
Credential Format

Credential requests and found credentials are both broadly described using
Git credential helpers’ input/output format
<https://git-scm.com/docs/git-credential#IOFMT>, with some modifications.

Only the http and https protocols are supported, since debuginfod only
operates over HTTP(S).

The url attribute is unsupported; URL components must instead be passed
separately.

An added bearer attribute can supply OAuth2 bearer tokens
<https://www.rfc-editor.org/rfc/rfc6750.html> in Base64
<https://datatracker.ietf.org/doc/html/rfc4648#section-4>. This attribute
is mutually exclusive with username and password.

Daniel Thornburgh | dthorn@google.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2022-08-09 18:13 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-26 22:50 debuginfod Credential Helper RFC Daniel Thornburgh
2022-07-28 16:23 ` Mark Wielaard
2022-07-28 17:47   ` Daniel Thornburgh
2022-07-29 18:58     ` Mark Wielaard
2022-07-29 21:08       ` Daniel Thornburgh
2022-08-02 20:36         ` Daniel Thornburgh
2022-08-04 17:02           ` Mark Wielaard
2022-08-04 18:04             ` Daniel Thornburgh
2022-08-08 20:41               ` Frank Ch. Eigler
2022-08-09 18:13                 ` Daniel Thornburgh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).