Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags; remove code using certificatesPerName & newOrdersRL tables #7858

Draft: wants to merge 16 commits into base: main

Contributor

@jprenken jprenken commented Dec 3, 2024

Remove code using certificatesPerName & newOrdersRL tables.

Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags.

Remove legacy ratelimit package.

Delete these RA test cases:

  • TestAuthzFailedRateLimitingNewOrder (rl: FailedAuthorizationsPerDomainPerAccount)
  • TestCheckCertificatesPerNameLimit (rl: CertificatesPerDomain)
  • TestCheckExactCertificateLimit (rl: CertificatesPerFQDNSet)
  • TestExactPublicSuffixCertLimit (rl: CertificatesPerDomain)

Rate limits in NewOrder are now enforced by the WFE, starting here:

refundLimits, err := wfe.checkNewAccountLimits(ctx, ip)

We collect a batch of transactions to check limits, check them all at once, go through and find which failed, and serve the failure with the Retry-After that's furthest in the future. All this code doesn't really need to be tested again; what needs to be tested is that we're returning the correct failure. That code is NewOrderLimitTransactions, and the ratelimits package's tests cover this.

Add a WFE test for the public suffix handling behavior, specifically, which did not have existing coverage outside the RA.

Some other RA rate limit tests were deleted earlier, in #7869.

Part of #7671.
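
The batch check described in the PR description above, as an added example that is not part of this pull request or of Boulder's code: a simplified GCRA limiter in Go that evaluates a batch of transactions and returns the denial whose Retry-After is furthest in the future. All type names, limit names and values are hypothetical; the sketch assumes all-or-nothing spending and a burst of at least 1.

```go
package main

import "time"

// Hypothetical types for illustration; these are not Boulder's ratelimits API.
type Limit struct{ Name string; Burst int64; Period time.Duration } // Burst >= 1
type Transaction struct{ Limit Limit; Key string }                  // Key: bucket, e.g. account or domain
type Decision struct {
	Allowed    bool
	Limit      string // name of the limit that caused the denial
	RetryAfter time.Duration
}

type Limiter map[string]time.Time // "limit:key" -> GCRA theoretical arrival time (TAT)

// BatchCheck evaluates all transactions at one instant. Assumption: if any is
// denied nothing is spent, and the denial with the longest RetryAfter wins.
func (l Limiter) BatchCheck(now time.Time, txns []Transaction) Decision {
	worst, next := Decision{Allowed: true}, map[string]time.Time{}
	for _, tx := range txns {
		id := tx.Limit.Name + ":" + tx.Key
		tat, seen := next[id] // a bucket may appear twice in one batch
		if !seen {
			tat = l[id]
		}
		if tat.Before(now) {
			tat = now
		}
		newTAT := tat.Add(tx.Limit.Period / time.Duration(tx.Limit.Burst))
		if wait := newTAT.Add(-tx.Limit.Period).Sub(now); wait > worst.RetryAfter {
			worst = Decision{false, tx.Limit.Name, wait} // furthest Retry-After so far
		} else if wait <= 0 {
			next[id] = newTAT // allowed: stage the spend
		}
	}
	if worst.Allowed {
		for id, t := range next {
			l[id] = t
		}
	}
	return worst
}

func main() { // constructed sample: the second identical batch is denied
	l, now := Limiter{}, time.Now()
	txns := []Transaction{{Limit{"perAccount", 1, time.Hour}, "acct1"},
		{Limit{"perDomain", 1, 24 * time.Hour}, "example.com"}}
	l.BatchCheck(now, txns)
	println(l.BatchCheck(now, txns).RetryAfter.String()) // 24h0m0s
}
```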

@letsencrypt letsencrypt deleted a comment from Johnbtc-bbc44nba Dec 4, 2024
@jprenken jprenken marked this pull request as ready for review December 19, 2024 00:11
@jprenken jprenken requested a review from a team as a code owner December 19, 2024 00:11
@jprenken jprenken requested a review from jsha December 19, 2024 00:11
Contributor

@jprenken, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@jprenken
Contributor Author

IN-10906

@aarongable aarongable dismissed stale reviews from Johnbtc-bbc44nba December 19, 2024 17:29

spam

Contributor

@aarongable aarongable left a comment

Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

Review threads:

  • cmd/boulder-ra/main.go (outdated, resolved)
  • sa/proto/sa.proto (outdated, resolved)
  • sa/sa.go (outdated, resolved)
  • test/config-next/ra.json (resolved)
  • test/config/ra.json (outdated, resolved)

@jprenken jprenken marked this pull request as draft December 20, 2024 02:47
@jprenken
Contributor Author

> Just a few small nits, and one high-level question: can the PR description grow a paragraph describing how the deleted RA test cases are covered by WFE kv-limit test cases?

Addressed and added, thanks! I think there does need to be a replacement for TestExactPublicSuffixCertLimit, which I'll work up and add to this PR.
