Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags; remove code using certificatesPerName & newOrdersRL tables #7858

Merged
merged 19 commits into from
Jan 10, 2025

@jprenken jprenken commented Dec 3, 2024

Remove code using certificatesPerName & newOrdersRL tables.

Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags.

Remove legacy ratelimit package.

Delete these RA test cases:

  • TestAuthzFailedRateLimitingNewOrder (rl: FailedAuthorizationsPerDomainPerAccount)
  • TestCheckCertificatesPerNameLimit (rl: CertificatesPerDomain)
  • TestCheckExactCertificateLimit (rl: CertificatesPerFQDNSet)
  • TestExactPublicSuffixCertLimit (rl: CertificatesPerDomain)

Rate limits in NewOrder are now enforced by the WFE, starting here:

refundLimits, err := wfe.checkNewAccountLimits(ctx, ip)

We collect a batch of transactions to check limits, check them all at once, go through and find which one(s) failed, and serve the failure with the Retry-After that's furthest in the future. All this code doesn't really need to be tested again; what needs to be tested is that we're returning the correct failure. That code is NewOrderLimitTransactions, and the ratelimits package's tests cover this.

The public suffix handling behavior is tested by TestFQDNsToETLDsPlusOne:

func TestFQDNsToETLDsPlusOne(t *testing.T) {

Some other RA rate limit tests were deleted earlier, in #7869.

Part of #7671.
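
The batch check described in the PR description above, as an added example that is not Boulder's code: the `Transaction` and `Decision` types, `checkBatch`, `worstDenial` and the wait times are hypothetical stand-ins constructed for illustration; only the limit names come from this page.

```go
package main

import (
	"fmt"
	"time"
)

// Transaction and Decision are hypothetical types, not Boulder's ratelimits API.
type Transaction struct{ Limit, Key string }

type Decision struct {
	Limit      string
	Allowed    bool
	RetryAfter time.Duration // how long until this limit would allow the request
}

// checkBatch checks every transaction in one pass against a constructed
// in-memory map of bucket -> remaining wait (zero or absent means allowed).
func checkBatch(txns []Transaction, waits map[string]time.Duration) []Decision {
	out := make([]Decision, 0, len(txns))
	for _, t := range txns {
		w := waits[t.Limit+":"+t.Key]
		out = append(out, Decision{Limit: t.Limit, Allowed: w == 0, RetryAfter: w})
	}
	return out
}

// worstDenial returns the denied Decision with the longest RetryAfter, so a
// client that waits that long is not denied again by a second limit.
func worstDenial(ds []Decision) (worst Decision, ok bool) {
	for _, d := range ds {
		if !d.Allowed && (!ok || d.RetryAfter > worst.RetryAfter) {
			worst, ok = d, true
		}
	}
	return worst, ok // ok is false when the whole batch was allowed
}

func main() {
	waits := map[string]time.Duration{ // constructed sample state
		"CertificatesPerDomain:example.com":    2 * time.Hour,
		"CertificatesPerFQDNSet:a.example.com": 36 * time.Hour,
	}
	txns := []Transaction{{"FailedAuthorizationsPerDomainPerAccount", "1:example.com"},
		{"CertificatesPerDomain", "example.com"}, {"CertificatesPerFQDNSet", "a.example.com"}}
	if d, denied := worstDenial(checkBatch(txns, waits)); denied {
		fmt.Printf("deny: %s, Retry-After: %.0f\n", d.Limit, d.RetryAfter.Seconds())
	}
}
```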

@letsencrypt letsencrypt deleted a comment Dec 4, 2024
@jprenken jprenken marked this pull request as ready for review December 19, 2024 00:11
@jprenken jprenken requested a review from a team as a code owner December 19, 2024 00:11
@jprenken jprenken requested a review from jsha December 19, 2024 00:11
Contributor

@jprenken, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@jprenken
Contributor Author

IN-10906

@aarongable aarongable dismissed stale reviews from ghost December 19, 2024 17:29

spam

Contributor

@aarongable aarongable left a comment


Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

@jprenken jprenken marked this pull request as draft December 20, 2024 02:47
@jprenken
Contributor Author

jprenken commented Dec 20, 2024

> Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

Addressed and added, thanks! I've added an explanation of test coverage to this PR's description.

@jprenken jprenken marked this pull request as ready for review January 4, 2025 00:54
@jprenken jprenken requested a review from aarongable January 4, 2025 00:55
aarongable previously approved these changes Jan 6, 2025
@jprenken jprenken requested a review from aarongable January 8, 2025 07:12
@aarongable aarongable requested a review from a team January 9, 2025 23:57
@@ -1189,11 +1068,6 @@ func (ra *RegistrationAuthorityImpl) issueCertificateOuter(
// errors from this function to the Subscriber, spends against these limit are
// best effort.
func (ra *RegistrationAuthorityImpl) countCertificateIssued(ctx context.Context, regId int64, orderDomains []string, isRenewal bool) {
if ra.limiter == nil || ra.txnBuilder == nil {
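
Review bot: on the `if ra.limiter == nil || ra.txnBuilder == nil {` line of countCertificateIssued, the function returns nothing, so a nil limiter or txnBuilder cannot be reported as an error from here; with the hunk shrinking from 11 lines to 6, the non-nil guarantee needs to be enforced where these fields are set, with a test that a missing limiter or txnBuilder is rejected. Separately, the doc comment's "spends against these limit are" should read "these limits are".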
Contributor


This deletion should be accompanied by adding a check in NewRegistrationAuthorityImpl that neither of these fields is nil.

Contributor


(which can happen as a followup)

Member


(also as a followup) If we aren't already we should "require" the relevant configuration fields.

Contributor Author


Made #7951

@beautifulentropy beautifulentropy self-requested a review January 10, 2025 20:38
@jprenken jprenken merged commit e4668b4 into main Jan 10, 2025
18 checks passed
@jprenken jprenken deleted the drop-tables branch January 10, 2025 20:50