go-delve / delve

Delve is a debugger for the Go programming language.
MIT License

Support token and TLS for remote debugging #861

Open dlsniper opened 7 years ago

dlsniper commented 7 years ago

This is actually a suggestion / feature request.

I've just realized that it would be preferable to support TLS and token authentication for the debugger when running in the remote configuration in order to protect against possible issues.

What do you think?

aarzilli commented 7 years ago

Normally we are only listening on localhost so it should be ok, but sure, it could be useful.

justinclift commented 7 years ago

@dlsniper With an example use case of Gogland making use of this, what's the workflow you're thinking of?

I'm familiar with using SSL/TLS certs to auth against a server. The code itself isn't very complex... the tricky bit (for certs) is in making the workflow for generating the certs, adding them to config files, etc.

Using tokens might be easier... it'd still need a user friendly workflow though. Now trying to think what that might be... :smile:

dlsniper commented 7 years ago

@justinclift it doesn't have to be mutual-TLS, just "normal" TLS should be ok. The point of TLS is to encrypt the data sent over, not protect the endpoint itself.

The scenario I have in mind is where someone uses the ability to "remote debug" but instead of debugging a local application / container, tries to debug it over the internet from their datacenter / cloud provider.

As for the workflow itself:

On the server:

dlv --api-version=2 --listen=:43210 --backend=default --tls --token=someT0k3n exec ./buggyApp

On the client:

dlv --api-version=2 --backend=default --tls --token=someT0k3n connect 127.0.0.1:43210

I think this would have a minimal disruption for the user workflow and at the same time allow integrations to provide a simple UI to use these features.

justinclift commented 7 years ago

Yeah, that sounds like a decent workflow. For the TLS component itself, dlv would probably need an additional argument --tls-cert=foo.crt so it has something to use.

That'd be up to the user to provide. (?)

From a Gogland point of view, maybe auto-generated by Gogland (or maybe upon some button press), with a message to the user along the lines of:

For secure remote debugging, please upload ~/path/to/gogland/generated/foo.crt to the
remote server, then add `--tls-cert=foo.crt` to the dlv command line:

  dlv --api-version=2 --listen=:43210 --backend=default --tls --tls-cert=foo.crt --token=someT0k3n exec ./buggyApp
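
The split discussed in this thread (server-side TLS to encrypt and identify the server, a shared token to authenticate the client) can be shown with the Go standard library. This is an added example, not code from the thread or from Delve: a small HTTP handler stands in for the debugger's API, `tokenGate` and `probe` are hypothetical names, and the certificate is the self-signed one that `httptest` generates.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenGate forwards a request only if its bearer token equals want (constant-time compare).
func tokenGate(want string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("Authorization")
		if subtle.ConstantTimeCompare([]byte(got), []byte("Bearer "+want)) != 1 {
			http.Error(w, "denied", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe starts a TLS server on 127.0.0.1 guarded by serverTok and calls it once with
// clientTok. It returns the HTTP status, or an error when the request cannot be made.
func probe(serverTok, clientTok string, trustCert bool) (int, error) {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "api reached") })
	srv := httptest.NewTLSServer(tokenGate(serverTok, api)) // self-signed test certificate
	defer srv.Close()
	client := &http.Client{} // system roots only, so the server certificate is unknown
	if trustCert {
		client = srv.Client() // configured to trust this server's certificate
	}
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+clientTok)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err // e.g. untrusted certificate: the request and its token were never sent
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	fmt.Println(probe("someT0k3n", "someT0k3n", true))  // valid token over verified TLS
	fmt.Println(probe("someT0k3n", "guess", true))      // wrong token
	fmt.Println(probe("someT0k3n", "someT0k3n", false)) // server certificate not trusted
}
```

The third call shows why the client must verify the server certificate before sending the token: a client that skips verification would hand the token to whoever answers on that port.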