feat: PFS and AEAD detection. Lambda debugging.

.hadolint.yml

@@ -0,0 +1,8 @@
+ignored:
+  # "Multiple consecutive `RUN` instructions. Consider consolidation."
+  # We've learned to love the layer cache. Considered and disregarded.
+  - DL3059
+
+trustedRegistries:
+  - docker.io
+  - ghcr.io

.vscode/launch.json

@@ -0,0 +1,17 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Debug Go running inside Lambda container",
+      "type": "go",
+      "request": "attach",
+      "mode": "remote",
+      "port": 42424,
+      "host": "localhost",
+      "showLog": true
+    }
+  ]
+}

Makefile

@@ -184,7 +184,7 @@ build: tidy
 ## build-lambda: [build]* Builds the Lambda function with current ARCH for local development.
 build-lambda: tidy
 	@ $(HEADER) "=====> Building Lambda function..."
-	CGO_ENABLED=0 GOOS=linux $(GO) build -a -trimpath -ldflags="-s -w" -tags lambda.norpc -o localdev/var-runtime/bootstrap .
+	CGO_ENABLED=0 GOOS=linux $(GO) build -gcflags="all=-N -l" -tags lambda.norpc -o localdev/var-runtime/bootstrap .
 
 .PHONY: build-lambda-prod
 ## build-lambda-prod: [build]* Builds the Lambda function for deployment.

cmd/http.go

@@ -96,9 +96,9 @@ var httpCmd = &cobra.Command{
 		}
 
 		t := NewTable("HTTP Version", "Supported")
-		t.Row("1.1", displayBool(result.HTTP11))
-		t.Row("2", displayBool(result.HTTP2))
-		t.Row("3", displayBool(result.HTTP3))
+		t.Row("1.1", displayBool(result.HTTP11, fEmoji))
+		t.Row("2", displayBool(result.HTTP2, fEmoji))
+		t.Row("3", displayBool(result.HTTP3, fEmoji))
 
 		fmt.Println(t.Render())
 	},

cmd/root.go

@@ -31,6 +31,7 @@ var (
 
 	fJSON    bool
 	fQuiet   bool
+	fEmoji   bool
 	fVerbose int
 	fTimeout int
 
@@ -63,7 +64,18 @@ var (
 
 func init() {
 	rootCmd.PersistentFlags().BoolVarP(
-		&fJSON, "json", "j", false, "Output as JSON.",
+		&fEmoji,
+		"emoji",
+		"E",
+		parseFlagAsBool("DST_OUTPUT_EMOJI"),
+		"(DST_OUTPUT_EMOJI) Use emoji in tabular output for boolean values.",
+	)
+	rootCmd.PersistentFlags().BoolVarP(
+		&fJSON,
+		"json",
+		"j",
+		parseFlagAsBool("DST_OUTPUT_JSON"),
+		"(DST_OUTPUT_JSON) Output as JSON.",
 	)
 	rootCmd.PersistentFlags().BoolVarP(
 		&fQuiet, "quiet", "q", false, "Disable all logging output.",

cmd/tls.go

@@ -86,25 +86,43 @@ var tlsCmd = &cobra.Command{
 			os.Exit(0)
 		}
 
-		t := NewTable("TLS Version", "Cipher Suites", "Strength")
+		t := NewTable("TLS Version", "Cipher Suites", "Strength", "PFS", "AEAD")
 
 		for i := range result.TLSConnections {
 			tlsConnection := result.TLSConnections[i]
 
 			for j := range tlsConnection.CipherSuites {
 				cipher := tlsConnection.CipherSuites[j]
 
-				if tlsConnection.Version == "TLS v1.3" {
-					cipher.IANAName = "(Standardized 1.3 suites)"
-				}
+				// if tlsConnection.VersionID == httptls.VersionTLS13 {
+				// 	cipher.IANAName = "(Standardized 1.3 suites)"
+				// }
 
 				if j == 0 && i == 0 {
-					t.Row(tlsConnection.Version, cipher.IANAName, cipher.Strength)
+					t.Row(
+						tlsConnection.Version,
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				} else if j == 0 {
 					t.Row("", "", "")
-					t.Row(tlsConnection.Version, cipher.IANAName, cipher.Strength)
+					t.Row(
+						tlsConnection.Version,
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				} else {
-					t.Row("", cipher.IANAName, cipher.Strength)
+					t.Row(
+						"",
+						cipher.IANAName,
+						cipher.Strength,
+						displayBool(cipher.IsPFS, fEmoji),
+						displayBool(cipher.IsAEAD, fEmoji),
+					)
 				}
 			}
 		}

cmd/utils.go

@@ -110,10 +110,26 @@ func NewTable(headers ...string) *table.Table {
 		Headers(headers...)
 }
 
-func displayBool(b bool) string {
+func displayBool(b, useEmoji bool) string {
+	yes := "YES"
+	no := "NO"
+
+	if useEmoji {
+		yes = "✅"
+		no = "❌"
+	}
+
 	if b {
-		return "YES"
+		return yes
+	}
+
+	return no
+}
+
+func parseFlagAsBool(env string) bool {
+	if os.Getenv(env) == "true" {
+		return true
 	}
 
-	return "NO"
+	return false
 }

docs/localdev.md

@@ -2,34 +2,62 @@
 
 ## Prerequisites
 
-* [Docker Desktop](https://docker.com/desktop)
+* A *nix environment (e.g., Linux, macOS)
+* [Docker Desktop]
+  * [Recommended settings](https://github.com/northwood-labs/macos-for-development/wiki/Docker-Desktop#recommended-settings)
+* [Bash] 5.x shell
+  * [Recommended settings](https://github.com/skyzyx/bash-mac/blob/master/RECOMMENDED_SETTINGS.md)
+* [Go]
+* [Hugo]
+* [Homebrew] (macOS)
+  * `export HOMEBREW_CASK_OPTS="--no-quarantine"`
 * An HTTP client (Recommendations:)
   * [RapidAPI](https://paw.cloud) (formerly _Paw_)
   * [Insomnia](https://insomnia.rest)
 
+### Platform notes
+
+* **macOS** — Set up your environment with [Homebrew] as documented, which will include the [Xcode CLI Tools].
+* **Linux** — Install your platform's standard developer tools. This is different for different families of Linux distributions.
+* **Windows** — Run Linux via [Windows Subsystem for Linux v2][WSL2] (WSL2).
+
+## Exposed ports
+
+When running as a Lambda function for local development, Docker exposes certain ports on your host machine.
+
+| Port    | Description                                                                                                                 |
+|---------|-----------------------------------------------------------------------------------------------------------------------------|
+| `1313`  | Localhost endpoint for the website ([Hugo]). Returns HTML.                                                                  |
+| `6379`  | [Valkey] cache server. Redis 7.2-compatible.                                                                                |
+| `8080`  | Localhost endpoint for the local Lambda service that works the way real Lambda will work. (Compatible with documented API.) |
+| `9000`  | Direct local Lambda function interface (low-level [RIE] interface for protocol debugging).                                  |
+| `42424` | [Delve] debugging protocol for Go.                                                                                          |
+
 ## Start backend services
 
-First, login to `ghcr.io`.
+1. [Generate a new _Personal Access Token_](https://github.com/settings/tokens/new?description=DevSecTools%20localdev&scopes=read:packages&default_expires_at=90), with `read:packages` scope. Save it to your password manager.
 
-```bash
-echo -n "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_USER}" --password-stdin
-```
+1. Then, login to `ghcr.io`. This token is represented by `GHCR_TOKEN`. Your GitHub username is represented by `GHCR_USER`.
 
-The local versions of backend services run as containers. From the root of the repository:
+    ```bash
+    echo -n "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_USER}" --password-stdin
+    ```
 
-```bash
-make build-lambda
-cd localdev
-docker compose up
-```
+1. The local versions of backend services run as containers. From the root of the repository:
 
-The very first time you run `docker compose up`, the Docker images will need to build. Subsequent runs will leverage the cached completed image.
+    ```bash
+    make build-lambda
+    cd localdev
+    docker compose up
+    ```
 
-When you are done, terminate the containers.
+    The very first time you run `docker compose up`, the Docker images will need to build. Subsequent runs will leverage the cached completed image. Any time the `Dockerfile` or `docker-compose.yml` are changed, it is a good idea to explicitly run `docker compose up --build`.
 
-```bash
-docker compose down
-```
+1. When you are done, terminate the containers.
+
+    ```bash
+    docker compose down
+    ```
 
 Operating Docker Desktop and Docker Compose is outside the scope of these instructions, but you can read the documentation for yourself.
 
@@ -88,11 +116,11 @@ For local testing, the CLI exposes a very simple HTTP/1.1 server at <http://loca
 devsec-tools serve
 ```
 
-Re-read _Lambda server_ (above) to get a better understanding of how this works, but think of it like a reverse-proxy to your Lambda environment.
+Re-read _Lambda server_ (above) to get a better understanding of how this works, but think of it like a reverse-proxy to your Lambda environment. This is the endpoint that you, the developer, make requests to.
 
 ## Endpoints
 
-When launching the local web server, it will tell you which HTTP methods and endpoints are available. It exposes both `GET` and `POST`, as appropriate.
+When launching the local web server, it will tell you which HTTP methods and endpoints are available. It exposes both `GET` and `POST` HTTP methods.
 
 ### GET
 
@@ -115,4 +143,28 @@ Content-Type: application/json; charset=utf-8
 {"url":"https://apple.com"}
 ```
 
+## Start frontend services
+
+All of this exists in the [devsec-ui](https://github.com/northwood-labs/devsec-ui) repository. See that project for further instructions.
+
+## Delve: Go debugger (:42424)
+
+You may find that you need to run your debugger against the compiled Lambda function code running inside of our Docker container. If you followed the instructions above, then it should all be setup and ready to go for you.
+
+* The Lambda function has been compiled with debugging data.
+* The Docker container has been built with a copy of `dlv`.
+* The Docker Compose definition has been configured to expose the port to the host.
+* If you use [VS Code], we have the debugger definitions stored in this repository.
+* There are [Delve integrations for other IDEs](https://github.com/go-delve/delve/blob/master/Documentation/EditorIntegration.md) and tools as well.
+
+[Bash]: https://github.com/skyzyx/bash-mac
+[Delve]: https://github.com/go-delve/delve
+[Docker Desktop]: https://docker.com/desktop
+[Go]: https://go.dev
+[Homebrew]: https://github.com/northwood-labs/macos-for-development/wiki
+[Hugo]: https://gohugo.io
+[RIE]: https://github.com/aws/aws-lambda-runtime-interface-emulator
 [Valkey]: https://valkey.io
+[VS Code]: https://github.com/northwood-labs/macos-for-development/wiki/VS-Code
+[WSL2]: https://learn.microsoft.com/en-us/windows/wsl/install
+[Xcode CLI Tools]: https://github.com/northwood-labs/macos-for-development/wiki/Installing-the-Xcode-CLI-Tools

localdev/Dockerfile-lambda

@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1
 FROM golang:1-alpine AS go-installer
 
+# Download the AWS Lambda Runtime Interface Emulator
 RUN go install github.com/northwood-labs/download-asset@latest
 RUN --mount=type=secret,id=github_token \
     GITHUB_TOKEN="$(cat /run/secrets/github_token)" \
@@ -15,6 +16,9 @@ RUN --mount=type=secret,id=github_token \
 
 RUN mv /usr/local/bin/aws-lambda-rie* /usr/local/bin/aws-lambda-rie
 
+# Build Delve for debugging
+RUN go install -ldflags "-s -w -extldflags '-static'" github.com/go-delve/delve/cmd/dlv@latest
+
 #-------------------------------------------------------------------------------
 
 # syntax=docker/dockerfile:1
@@ -23,8 +27,11 @@ FROM ghcr.io/northwood-labs/lambda-provided-al2023@sha256:2b947c7c1e18392ce6b1b3
 # docker images --digests ghcr.io/northwood-labs/lambda-provided-al2023 --format '{{ .Digest }}'
 
 COPY --from=go-installer /usr/local/bin/aws-lambda-rie /usr/local/bin/aws-lambda-rie
+COPY --from=go-installer /go/bin/dlv /dlv
 COPY lambda-entrypoint.sh /entrypoint.sh
 
 RUN chmod 0755 /usr/local/bin/aws-lambda-rie /entrypoint.sh
 
+EXPOSE 42424
+
 ENTRYPOINT ["/entrypoint.sh"]

localdev/README.md

@@ -0,0 +1 @@
+See docs/localdev.md for instructions.