From 7634f8653238e1b51ed7d55ec1daad82a8730e62 Mon Sep 17 00:00:00 2001
From: Andrew Hopkins <andhop@amazon.com>
Date: Thu, 13 Jul 2023 00:32:28 -0700
Subject: [PATCH] Add build cache for AWS-LC

---
 .github/matrix.py    | 46 ++++++++++++++++++++++++++++++--------------
 scripts/build-ssl.sh | 35 +++++++++++++++++++--------------
 2 files changed, 53 insertions(+), 28 deletions(-)

diff --git a/.github/matrix.py b/.github/matrix.py
index da7d143f7a003..cba94f0418b08 100755
--- a/.github/matrix.py
+++ b/.github/matrix.py
@@ -27,28 +27,44 @@
 def clean_ssl(ssl):
     return ssl.replace("_VERSION", "").lower()
 
-
-@functools.lru_cache(5)
-def determine_latest_openssl(ssl):
+def get_all_github_tags(url):
     headers = {}
     if environ.get("GITHUB_TOKEN") is not None:
         headers["Authorization"] = "token {}".format(environ.get("GITHUB_TOKEN"))
-    request = urllib.request.Request(
-        "https://api.github.com/repos/openssl/openssl/tags", headers=headers
-    )
+    request = urllib.request.Request(url, headers=headers)
     try:
-      openssl_tags = urllib.request.urlopen(request)
+        tags = urllib.request.urlopen(request)
     except:
-      return "OPENSSL_VERSION=failed_to_detect"
-    tags = json.loads(openssl_tags.read().decode("utf-8"))
+        return None
+    tags = json.loads(tags.read().decode("utf-8"))
+    return [tag['name'] for tag in tags]
+
+@functools.lru_cache(5)
+def determine_latest_openssl(ssl):
+    tags = get_all_github_tags("https://api.github.com/repos/openssl/openssl/tags")
+    if not tags:
+        return "OPENSSL_VERSION=failed_to_detect"
     latest_tag = ""
     for tag in tags:
-        name = tag["name"]
-        if "openssl-" in name:
-            if name > latest_tag:
-                latest_tag = name
+        if "openssl-" in tag:
+            if tag > latest_tag:
+                latest_tag = tag
     return "OPENSSL_VERSION={}".format(latest_tag[8:])
 
+def aws_lc_version_string_to_num(version_string):
+    return tuple(map(int, version_string[1:].split('.')))
+
+def aws_lc_version_valid(version_string):
+    return re.match('^v[0-9]+(\.[0-9]+)*$', version_string)
+
+@functools.lru_cache(5)
+def determine_latest_aws_lc(ssl):
+    tags = get_all_github_tags("https://api.github.com/repos/aws/aws-lc/tags")
+    if not tags:
+        return "AWS_LC_VERSION=failed_to_detect"
+    valid_tags = list(filter(aws_lc_version_valid, tags))
+    latest_tag = max(valid_tags, key=aws_lc_version_string_to_num)
+    return "AWS_LC_VERSION={}".format(latest_tag[1:])
 
 @functools.lru_cache(5)
 def determine_latest_libressl(ssl):
@@ -177,13 +193,13 @@ def get_asan_flags(cc):
         "OPENSSL_VERSION=1.1.1s",
         "QUICTLS=yes",
         # "BORINGSSL=yes",
-        'AWS_LC=yes',
     ]
 
     if "haproxy-" not in ref_name:
         ssl_versions = ssl_versions + [
             "OPENSSL_VERSION=latest",
             "LIBRESSL_VERSION=latest",
+            'AWS_LC_VERSION=latest',
         ]
 
     for ssl in ssl_versions:
@@ -197,6 +213,8 @@ def get_asan_flags(cc):
             ssl = determine_latest_libressl(ssl)
         if "OPENSSL" in ssl and "latest" in ssl:
             ssl = determine_latest_openssl(ssl)
+        if "AWS_LC" in ssl and "latest" in ssl:
+            ssl = determine_latest_aws_lc(ssl)
 
         matrix.append(
             {
diff --git a/scripts/build-ssl.sh b/scripts/build-ssl.sh
index 70b9f418f5f2e..6564f1c178483 100755
--- a/scripts/build-ssl.sh
+++ b/scripts/build-ssl.sh
@@ -87,13 +87,25 @@ download_boringssl () {
 }
 
 download_aws_lc () {
-    if [ ! -d "download-cache/aws-lc" ]; then
-        git clone --depth=1 https://github.com/aws/aws-lc.git download-cache/aws-lc
-    else
-       (
-        cd download-cache/aws-lc
-        git pull
-       )
+    if [ ! -f "download-cache/aws-lc-${AWS_LC_VERSION}.tar.gz" ]; then
+      mkdir -p download-cache
+        wget -O "download-cache/aws-lc-${AWS_LC_VERSION}.tar.gz" \
+          "https://github.com/aws/aws-lc/archive/refs/tags/v${AWS_LC_VERSION}.tar.gz"
+    fi
+}
+
+build_aws_lc () {
+    if [ "$(cat ${HOME}/opt/.aws_lc-version)" != "${AWS_LC_VERSION}" ]; then
+        tar zxf "download-cache/aws-lc-${AWS_LC_VERSION}.tar.gz"
+        (
+            cd "aws-lc-${AWS_LC_VERSION}/"
+           	mkdir -p build
+           	cd build
+           	cmake  -GNinja -DCMAKE_BUILD_TYPE=release -DBUILD_SHARED_LIBS=1 -DDISABLE_GO=1 -DDISABLE_PERL=1 \
+           	  -DBUILD_TESTING=0 -DCMAKE_INSTALL_PREFIX=${HOME}/opt ..
+           	ninja install
+        )
+        echo "${AWS_LC_VERSION}" > "${HOME}/opt/.aws_lc-version"
     fi
 }
 
@@ -143,14 +155,9 @@ if [ ! -z ${BORINGSSL+x} ]; then
 	)
 fi
 
-if [ ! -z ${AWS_LC+x} ]; then
+if [ ! -z ${AWS_LC_VERSION+x} ]; then
 	download_aws_lc
-  cd download-cache/aws-lc
-  if [ -d build ]; then rm -rf build; fi
-	mkdir build
-	cd build
-	cmake  -GNinja -DCMAKE_BUILD_TYPE=release -DBUILD_SHARED_LIBS=1 -DDISABLE_GO=1 -DDISABLE_PERL=1 -DBUILD_TESTING=0 -DCMAKE_INSTALL_PREFIX=${HOME}/opt ..
-	ninja install
+  build_aws_lc
 fi
 
 if [ ! -z ${QUICTLS+x} ]; then