TLS Anvil Server Tests in Nightly CI

[FAlbertDev]

(Refers to #3444)
This adds TLS Anvil server tests to Botan's nightly CI. Unfortunately, a current bug of the origin TLS-Anvil repo required me to create a fork and work around it (I already created an issue for the TLS-Anvil repo). Until the bug is fixed, the CI script uses my fork.
The job's workflow is the following:

1. Build Botan and TLS-Anvil
2. Run the script src/scripts/ci/ci_tlsanvil_test.py to setup and start a botan tls_server and the TLS-Anvil process. The TLS-Anvil process tests the server by playing a client (repeatedly) connecting to the server. TLS-Anvil creates a TestSuiteResults folder for storing the results with additional test information.
3. The TestSuiteResults folder and the TLS-Anvil log files are uploaded as an artifact, so we can analyze them if necessary.
4. The script src/scripts/ci/ci_tlsanvil_check.py checks if the tests are successful, i.e., if the results in TestSuiteResults meet our expectations. Currently, some tests fail. I will look into these together with @reneme after his holidays. Until then, I allowed the respective tests to fail.

An example workflow execution with failing tests (without deactivating the currently failing tests) is here. When allowing the tests to fail, the workflow looks like this. Since the tests take around 1.5h, they are only executed nightly.
I also plan to add the TLS-Anvil client tests in a future PR.

[coveralls]

coverage: 91.703% (-0.02%) from 91.719% when pulling 4fb301b on FAlbertDev:ci/tls-anvil into 8c72bab on randombit:master.

[randombit]

Thanks for setting this up @FAlbertDev, I'll be happy when this is part of our test coverage.

I have a few minor comments/questions but overall looks very good.

[randombit]

keygen with RSA defaults to 3072 bits since that is ~~ 128 bit security level, but for testing this is just some needless computational overhead - let's generate 2048 bit instead since that is still sufficient and may save a bit of test time.

[FAlbertDev]

Seems to be not significantly faster with 2048 bit. Won't hurt, though.

[randombit]

The runners we get have 2 cores - would it make sense / be possible to use 2-3 handshakes in parallel here?

[FAlbertDev]

Yeah, parallel handshakes would be great. However, I run TLS-Anvil against the ./botan tls_server process, which only allows one connection at a time.

[randombit]

Could we use tls_http_server instead?

[randombit]

Maybe instead a single option --test-target= which could take on any of client, server, or client,server?

[randombit]

TBH I don't know if this even works in GH Actions but should this be something like

make -j$(nproc)

so the build scales to using all (and only) the number of cores available?

[FAlbertDev]

It seems to work 👍

[randombit]

This cache key seems wrong since we are using gcc to build

I think if we use the linux-gcc-x86_64-static key, then we can share caches with this build and the normal static library GCC CI build.

[FAlbertDev]

Thanks for your review, @randombit! I addressed your suggestions in ba484ec :)

[reneme]

Nice! Just a few general remarks below. Detailed review will need to come later.

[reneme]

If we need a fork, maybe it should live under @randombit's GitHub account. Similarly to the boringssl fork we maintain for BoGo.

[reneme]

(I'm guessing you hope to get rid of the fork after your upstream issue is fixed)

[FAlbertDev]

(I'm guessing you hope to get rid of the fork after your upstream issue is fixed)

True. In fact, the same hour you wrote this comment, the issue was fixed ;)

[reneme]

Maybe configure and build botan in the ci_tlsanvil_test.py instead?

[reneme]

Please set this inside the ci_tlsanvil_test.py script, if possible. Rationale: We try to keep the CI YAML files as "dumb" as possible and move as much of the configuration and tool-intricacies into the dedicated scripts.

[reneme]

As a general remark: At one point we should spin-off some internal Utilities python module that we can reuse across the internal python machinery. As a center piece this will likely include a convenience wrapper around subprocess.run and/or subprocess.Popen. No idea, how many scripts already have a copy of run_commend(). 🤡

[FAlbertDev]

Yeah. But we need to evaluate if an additional abstraction layer is worth it. I think, in this case, the calls are slim enough.

[FAlbertDev]

My current state for this PR:
I'm currently working on the usage of the tls_http_server instead of tls_server to speed up the tests by parallelization. Some test results are currently inconsistent between both CLI modules (probably because of a small issue with the tls_http_server). I'll investigate this and will probably open another PR addressing this issue after understanding the underlying problem.
Also, I need to implement your suggestions, @reneme, and redirect the checkout of TLS-Anvil to the origin repo, which is fixed now.

[FAlbertDev]

Do we need a separate cache key because we build with --with-boost?

[randombit]

Oh probably so - maybe best to just use a new unique cache id for each job and let the cache management system sort it out rather than trying to share caches and causing conflicts and cache misses if/when the configuration of different jobs changes over time.

[randombit]

Also: if we use a unique target here (eg anvil) we can install boost in setup_gh_actions.sh as a side effect of setting up the build agent, rather than having an explicit install of boost later on in the yaml

[FAlbertDev]

Done. (see a589ed2)

Thanks for your feedback!

[FAlbertDev]

I applied your suggestions (109f2e4). However, this PR should only be merged after #3660 is merged.

[randombit]

LGTM. Only remaining comment from me would be please squash before merging.

[FAlbertDev]

please squash before merging

Done.