Skip to content

Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags; remove code using certificatesPerName & newOrdersRL tables#7858

Merged
jprenken merged 19 commits intomainfrom
drop-tables
Jan 10, 2025
Merged

Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags; remove code using certificatesPerName & newOrdersRL tables#7858
jprenken merged 19 commits intomainfrom
drop-tables

Conversation

@jprenken
Copy link
Contributor

@jprenken jprenken commented Dec 3, 2024
edited
Loading

Remove code using certificatesPerName & newOrdersRL tables.

Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags.

Remove legacy ratelimit package.

Delete these RA test cases:

  • TestAuthzFailedRateLimitingNewOrder (rl: FailedAuthorizationsPerDomainPerAccount)
  • TestCheckCertificatesPerNameLimit (rl: CertificatesPerDomain)
  • TestCheckExactCertificateLimit (rl: CertificatesPerFQDNSet)
  • TestExactPublicSuffixCertLimit (rl: CertificatesPerDomain)

Rate limits in NewOrder are now enforced by the WFE, starting here:

boulder/wfe2/wfe.go

Line 781 in 5a9b4c4

refundLimits, err := wfe.checkNewAccountLimits(ctx, ip)

We collect a batch of transactions to check limits, check them all at once, go through and find which one(s) failed, and serve the failure with the Retry-After that's furthest in the future. All this code doesn't really need to be tested again; what needs to be tested is that we're returning the correct failure. That code is NewOrderLimitTransactions, and the ratelimits package's tests cover this.

The public suffix handling behavior is tested by TestFQDNsToETLDsPlusOne:

boulder/ratelimits/utilities_test.go

Line 9 in 5a9b4c4

func TestFQDNsToETLDsPlusOne(t *testing.T) {

Some other RA rate limit tests were deleted earlier, in #7869.

Part of #7671.

@letsencrypt letsencrypt deleted a comment Dec 4, 2024
@jprenken jprenken marked this pull request as ready for review December 19, 2024 00:11
@jprenken jprenken requested a review from a team as a code owner December 19, 2024 00:11
@jprenken jprenken requested a review from jsha December 19, 2024 00:11
@github-actions
Copy link
Contributor

github-actions bot commented Dec 19, 2024

@jprenken, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@jprenken
Copy link
Contributor Author

jprenken commented Dec 19, 2024

IN-10906

@aarongable aarongable dismissed stale reviews from ghost December 19, 2024 17:29

spam

aarongable
aarongable reviewed Dec 19, 2024
View reviewed changes
Copy link
Contributor

@aarongable aarongable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

@jprenken jprenken marked this pull request as draft December 20, 2024 02:47
@jprenken
Copy link
Contributor Author

jprenken commented Dec 20, 2024
edited
Loading

Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

Addressed and added, thanks! I've added an explanation of test coverage to this PR's description.

@jprenken jprenken marked this pull request as ready for review January 4, 2025 00:54
@jprenken jprenken requested a review from aarongable January 4, 2025 00:55
aarongable
aarongable previously approved these changes Jan 6, 2025
View reviewed changes
@jprenken jprenken requested a review from aarongable January 8, 2025 07:12
@aarongable aarongable requested a review from a team January 9, 2025 23:57
jsha
jsha approved these changes Jan 10, 2025
View reviewed changes
ra/ra.go
// errors from this function to the Subscriber, spends against these limit are
// best effort.
func (ra *RegistrationAuthorityImpl) countCertificateIssued(ctx context.Context, regId int64, orderDomains []string, isRenewal bool) {
if ra.limiter == nil || ra.txnBuilder == nil {
Copy link
Contributor

@jsha jsha Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This deletion should be accompanied by adding a check in NewRegistrationAuthorityImpl that neither of these fields is nil.

Copy link
Contributor

@jsha jsha Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(which can happen as a followup)

Copy link
Member

@beautifulentropy beautifulentropy Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(also as a followup) If we aren't already we should "require" the relevant configuration fields.

Copy link
Contributor Author

@jprenken jprenken Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made #7951

@beautifulentropy beautifulentropy self-requested a review January 10, 2025 20:38
@jprenken jprenken merged commit e4668b4 into main Jan 10, 2025
18 checks passed
@jprenken jprenken deleted the drop-tables branch January 10, 2025 20:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsha jsha jsha approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@aarongable aarongable aarongable approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jprenken @jsha @aarongable @beautifulentropy