PR #10669 introduced the Caddy Webserver to be able to run the few test cases we have for HTTP/2 Server push. This is used in CI for several jobs, but not for Windows, so I thought I'll have a look. Since I found no further documentation in the code base, I looked at the implementation, and found:
Okay, on Windows we're using Chocolatey for some setup, so I checked whether they provide the Caddy Webserver, and found https://community.chocolatey.org/packages/caddy. Unfortunately, they apparently do not provide a way to use a custom Caddyfile, which is required for our test suite.
So I downloaded Caddy Webserver manually, and started it in an elevated shell. A message box popped up asking whether I want to install the local certificate into the trust store; clicked okay. Then I tried a request using curl, but that failed (CRYPT_E_NO_REVOCATION_CHECK). Took me a while to realize that the import into the trust store hadn't actually worked. So finally copy/pasted the local certificate into a cacert.pem file downloaded from the curl website, and then pointed to this file (curl --cacert). That still did not work for my system curl, which uses Schannel, but fine with our own curl build.
To be able to run the tests, I've then added a respective curl.cainfo option to php.ini, and finally could run the tests.
It might not be worth integrating this for our Windows CI jobs (after all, there are only 4 tests requiring Caddy Webserver, and HTTP/2 push might be obsolete), but maybe a few lines of documentation would make sense, so (Windows) developers who want/need to look into this don't need to figure out how to set up a test environment for these tests themselves. As I understand it, README files in the test directories are no longer desired; would some documentation in the docs/ folder be more appropriate?
Windows runners have gh installed as well, so with PowerShell, we can do something similar to how we download and run Caddy on Linux. I tried with a separate setup-windows job only on Windows like this (with an action input declared at the top of the setup-windows action):
This seems to download and start, but like you experienced, installing the certificate into Windows root store requires the confirmation, and it times out because it requires hitting Yes on the prompt in the non-interactive GH runner.
From what I see, the only way to do this without admin permissions is to:

- Generate and sign our own root CA for localhost (doable cross-platform with openssl)
- Turn off auto-https on Caddy, and set the root or intermediate CA key/cert for localhost in the Caddyfile.
- When running tests, in addition to checking if Caddy is running, also set the new CA at curl.cainfo.

We can perhaps shorten this by generating a root CA and adding the key and the cert to php-src. This will probably trigger some secret scanners too.
That said, Caddy and Curl seem to be on-par with new client and server HTTPS features, and it will be really cool if we could test them on Windows as well.
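A sketch of the three steps listed in the comment above, as an added example that is not code from php-src or from either commenter. It uses a variant of the second step: the leaf certificate is issued up front and Caddy receives only that leaf through its `tls` directive, so the CA key can be deleted right after signing and nothing secret has to be committed. The function name, file names, port 8443 and certificate subject are assumptions made for illustration.

```shell
# Added example: per-run throwaway CA for a local Caddy test server.
# Function name, file names, port and CN are constructed for illustration.
make_localhost_ca() {
    dir=$1
    mkdir -p "$dir" || return 1

    # One config for both certificates: [v3_ca] for the root, [leaf] for localhost.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Throwaway test root (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF

    # Root CA: self-signed, short-lived, never installed into a system trust store.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 7 2>/dev/null || return 1

    # Leaf key and CSR for the server, then sign the CSR with the root.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=localhost" -newkey rsa:2048 \
        -nodes -keyout "$dir/localhost.key" -out "$dir/localhost.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/localhost.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ca.cnf" -extensions leaf \
        -out "$dir/localhost.pem" -days 7 2>/dev/null || return 1

    # The CA key is only needed for signing; remove it so it cannot leak later.
    rm -f "$dir/ca.key" "$dir/localhost.csr"

    # Caddyfile: automatic HTTPS off, serve the pre-made leaf instead.
    cat > "$dir/Caddyfile" <<EOF
{
    auto_https off
}
https://localhost:8443 {
    tls $dir/localhost.pem $dir/localhost.key
}
EOF
    # php.ini line that makes ext/curl trust this root.
    echo "curl.cainfo=$dir/ca.pem" > "$dir/php-curl.ini"
}
```

Because trust is set through `curl.cainfo` rather than the Windows root store, no confirmation prompt or elevated shell is involved; as the issue description notes, a Schannel-based curl build did not accept a CA file passed this way.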
I don't think this is worth it. As said, the server push is obsolete - disabled in Chrome and also recently removed from nginx. So unless we add some other test requiring Caddy, then there's not much point to also support this test on Windows...
php-src/.github/actions/setup-caddy/action.yml
Lines 10 to 12 in 332e9a4