Integ test bloat

[maddeleine]

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

Our integ tests are bloated, especially in the test_happy_path file. Having so many parameters can lead us to combinatorially increasing the amount of tests running, but not necessarily increasing actual coverage.
For example, we often test s2n against itself in the integ tests. However, the command line of s2nc/d won't change for some of the parameters we have, like protocol. The user doesn't have much control over what protocol gets negotiated ---which is a good thing-- but it means that any test between s2n and s2n that purports to negotiate sslv3, tls10, tls11 and tls12 will be running the same test over and over.

Solution:

I don't know what the solution here is. I kind of want to say "don't use s2n as a provider against itself" but that's probably not a good solution. We can minimally remove some of the tests that don't actually increase test coverage.

It would be kind of cool if we had some type of solution that checked that each parameter combo produced unique command line output. That might be a little over-engineered though.

[jmayclin]

To figure out what test cases are being run, pytest can be run in a collect-only mode

uv run pytest --provider-version openssl-3.0 --best-effort-NOT-FOR-CI -x -rpfs --collect-only -q > collected.txt

This can then be parsed with a little awk script.

awk -F'::' '{print $1}' collected.txt | sort | uniq -c | sort -nr

By removing a few of the certs from our ALL_TEST_CERTS list, we can achieve a significant reduction in tests cases

diff --git a/tests/integrationv2/configuration.py b/tests/integrationv2/configuration.py
index e343373d5..683246c1d 100644
--- a/tests/integrationv2/configuration.py
+++ b/tests/integrationv2/configuration.py
@@ -41,17 +41,10 @@ ALL_TEST_CURVES = [
 
 # List of all certificates that will be tested.
 ALL_TEST_CERTS = [
-    Certificates.RSA_1024_SHA256,
-    Certificates.RSA_1024_SHA384,
-    Certificates.RSA_1024_SHA512,
     Certificates.RSA_2048_SHA256,
     Certificates.RSA_2048_SHA384,
     Certificates.RSA_2048_SHA512,
-    Certificates.RSA_3072_SHA256,
     Certificates.RSA_3072_SHA384,
-    Certificates.RSA_3072_SHA512,
-    Certificates.RSA_4096_SHA256,
-    Certificates.RSA_4096_SHA384,
     Certificates.RSA_4096_SHA512,
     Certificates.ECDSA_256,
     Certificates.ECDSA_384,

Before the reduction

  12308 test_signature_algorithms.py
   8840 test_happy_path.py
   8701 test_buffered_send.py
   7664 test_session_resumption.py
   6925 test_version_negotiation.py
   4159 test_external_psk.py
   3964 test_early_data.py
   3504 test_cross_compatibility.py
   1682 test_client_authentication.py
   1320 test_dynamic_record_sizes.py
   1220 test_renegotiate.py
   1220 test_npn.py
    576 test_ocsp.py
    457 test_hello_retry_requests.py
    253 test_record_padding.py
    175 test_sslyze.py
     88 test_sni_match.py
     72 test_fragmentation.py
     28 test_renegotiate_apache.py
     15 test_pq_handshake.py
      8 test_serialization.py
      7 test_key_update.py
      1 test_well_known_endpoints.py
      1 test_sslv2_client_hello.py
      1 63188/443728 tests collected (380540 deselected) in 21.82s

After the reduction

   8701 test_buffered_send.py
   5504 test_signature_algorithms.py
   4052 test_happy_path.py
   3506 test_session_resumption.py
   3145 test_version_negotiation.py
   2647 test_external_psk.py
   1990 test_early_data.py
   1682 test_client_authentication.py
   1656 test_cross_compatibility.py
   1220 test_renegotiate.py
   1220 test_npn.py
    606 test_dynamic_record_sizes.py
    576 test_ocsp.py
    253 test_record_padding.py
    226 test_hello_retry_requests.py
    105 test_sslyze.py
     88 test_sni_match.py
     72 test_fragmentation.py
     28 test_renegotiate_apache.py
     15 test_pq_handshake.py
      8 test_serialization.py
      7 test_key_update.py
      1 test_well_known_endpoints.py
      1 test_sslv2_client_hello.py
      1 37309/290645 tests collected (253336 deselected) in 14.32s

This is a 40.9% reduction in collected tests cases. I expect there isn't a one-to-one relationship between collected cases and test runtime, but I would expect the reduction in test runtime to be significant.

[jmayclin]

Alternate solution:

1. Keep ALL_TEST_CERTS as is
2. only test_happy_path.py will use ALL_TEST_CERTS (preserve coverage)
3. all other tests will use MINIMAL_TEST_CERTS
4. add ECDSA_521 to MINIMAL_TEST_CERTS to ensure coverage over all key types.

[johubertj]

After making the above changes:

   9781 test_buffered_send.py
   8840 test_happy_path.py
   2588 test_signature_algorithms.py
   1999 test_external_psk.py
   1724 test_session_resumption.py
   1682 test_client_authentication.py
   1525 test_version_negotiation.py
   1275 test_renegotiate.py
   1275 test_npn.py
   1144 test_early_data.py
    864 test_cross_compatibility.py
    576 test_ocsp.py
    300 test_dynamic_record_sizes.py
    271 test_record_padding.py
    127 test_hello_retry_requests.py
     88 test_sni_match.py
     75 test_sslyze.py
     72 test_fragmentation.py
     28 test_renegotiate_apache.py
     15 test_pq_handshake.py
      8 test_serialization.py
      7 test_key_update.py
      1 test_well_known_endpoints.py
      1 test_sslv2_client_hello.py
      1 34266/290490 tests collected (256224 deselected) in 12.03s

[johubertj]

Resolved in #5161