Add feature flag to disable pending authz reuse

letsencrypt · Nov 21, 2024 · a14add0 · a14add0
1 parent 8bf13a9
commit a14add0
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/features/features.go b/features/features.go
@@ -111,6 +111,12 @@ type Config struct {
 	// accounting. This catches and denies spikes of requests much more
 	// reliably.
 	IncrementRateLimits bool
+
+	// NoPendingAuthzReuse causes the RA to only select already-validated authzs
+	// to attach to a newly created order. This preserves important client-facing
+	// functionality (valid authz reuse) while letting us simplify our code by
+	// removing pending authz reuse.
+	NoPendingAuthzReuse bool
 }
 
 var fMu = new(sync.RWMutex)

diff --git a/ra/ra.go b/ra/ra.go
@@ -2554,12 +2554,22 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 	// from expiring.
 	authzExpiryCutoff := ra.clk.Now().AddDate(0, 0, 1)
 
-	getAuthReq := &sapb.GetAuthorizationsRequest{
-		RegistrationID: newOrder.RegistrationID,
-		ValidUntil:     timestamppb.New(authzExpiryCutoff),
-		DnsNames:       newOrder.DnsNames,
+	var existingAuthz *sapb.Authorizations
+	if features.Get().NoPendingAuthzReuse {
+		getAuthReq := &sapb.GetValidAuthorizationsRequest{
+			RegistrationID: newOrder.RegistrationID,
+			ValidUntil:     timestamppb.New(authzExpiryCutoff),
+			DnsNames:       newOrder.DnsNames,
+		}
+		existingAuthz, err = ra.SA.GetValidAuthorizations2(ctx, getAuthReq)
+	} else {
+		getAuthReq := &sapb.GetAuthorizationsRequest{
+			RegistrationID: newOrder.RegistrationID,
+			ValidUntil:     timestamppb.New(authzExpiryCutoff),
+			DnsNames:       newOrder.DnsNames,
+		}
+		existingAuthz, err = ra.SA.GetAuthorizations2(ctx, getAuthReq)
 	}
-	existingAuthz, err := ra.SA.GetAuthorizations2(ctx, getAuthReq)
 	if err != nil {
 		return nil, err
 	}

diff --git a/sa/saro.go b/sa/saro.go
@@ -722,6 +722,8 @@ func authzModelMapToPB(m map[string]authzModel) (*sapb.Authorizations, error) {
 // the given account for all given identifiers. If both a valid and pending
 // authorization exist only the valid one will be returned. Currently only dns
 // identifiers are supported.
+//
+// Deprecated: Use GetValidAuthorizations2, as we stop pending authz reuse.
 func (ssa *SQLStorageAuthorityRO) GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error) {
 	if core.IsAnyNilOrZero(req, req.RegistrationID, req.DnsNames, req.ValidUntil) {
 		return nil, errIncompleteRequest