Hello elfutils-devel@ I'm working on a use case for debuginfod (in LLVM) that needs a solution for authentication and authorization of users when accessing source and debug information. I've put together a short RFC for how this might work, based on how git and Docker CLIs handle credentials. It should be fairly straightforward to implement and to generalize to new credential types.
Please take a look; it'd be good to have a consensus on how this should work across interested debuginfod implementations before moving forward towards implementation. -- debuginfod Credential Helper RFCBackground debuginfod is a simple HTTP-based protocol allowing clients to obtain debug information from servers. The de-facto standard includes environment variables for pointing clients at available debuginfod servers, but it includes no mechanism to provide credentials. This approach works well for fully open-source projects, but debuginfod is also particuarly useful for the highly-stripped binaries and constrained environments found in the embedded space. There, it’s common for licensing constraints to require access to source and debug information to be restricted to specific users. Proposal debuginfod clients could support a new DEBUGINFOD_CREDENTIAL_HELPER environment variable. This would provide a command that a debuginfod client could run to obtain credentials to supply to the server, much like Git or Docker credential helpers do. No modifications are proposed to generic debuginfod server implementations, since specific authentication and authorization decisions are usually quite domain-specific, and it’s fairly easy to write or configure a custom debuginfod server to make them. The proposal also omits any mechanism for the client to interactively prompt the user for their credentials or to retrieve them from storage; this is left to the credential helper. Protocol The behavior of the credential helpers broadly follows the example set by Git and Docker. The DEBUGINFOD_CREDENTIAL_HELPER environment variable contains a string indicating the command to run. If the string begins with an absolute path, the command is the verbatim string. Otherwise, the command is the string prepended with debuginfod-credential-. Once interpreted, the given command is executed in the shell with one additional argument to indicate the operation type. This is always get. The helper reads a description of the requested credential from stdin and writes a description of the found credential to stdout. Errors may be reported to stderr. Credential Format Credential requests and found credentials are both broadly described using Git credential helpers’ input/output format <https://git-scm.com/docs/git-credential#IOFMT>, with some modifications. Only the http and https protocols are supported, since debuginfod only operates over HTTP(S). The url attribute is unsupported; URL components must instead be passed separately. An added bearer attribute can supply OAuth2 bearer tokens <https://www.rfc-editor.org/rfc/rfc6750.html> in Base64 <https://datatracker.ietf.org/doc/html/rfc4648#section-4>. This attribute is mutually exclusive with username and password. Daniel Thornburgh | dth...@google.com
