Cleanup 'CheckRenewalExemptionAtWFE' feature flag

fixes: letsencrypt#7511
ldlb9527 · Aug 27, 2024 · 8a94dc6 · 8a94dc6
1 parent da7865c
commit 8a94dc6
Show file tree

Hide file tree

Showing 7 changed files with 5 additions and 24 deletions.
diff --git a/features/features.go b/features/features.go
@@ -89,16 +89,6 @@ type Config struct {
 	//     allowed to be empty.
 	MultipleCertificateProfiles bool
 
-	// CheckRenewalExemptionAtWFE when enabled, triggers the following behavior:
-	//  - WFE.NewOrder: checks if the order is a renewal and if so skips checks
-	//    for NewOrdersPerAccount and NewOrdersPerDomain limits.
-	//  - RA.NewOrderAndAuthzs: skips checks for legacy NewOrdersPerAccount and
-	//    NewOrdersPerDomain limits if the WFE indicates that the order is a
-	//    renewal.
-	//
-	// TODO(#7511): Remove this feature flag.
-	CheckRenewalExemptionAtWFE bool
-
 	// CheckIdentifiersPaused checks if any of the identifiers in the order are
 	// currently paused at NewOrder time. If any are paused, an error is
 	// returned to the Subscriber indicating that the order cannot be processed

diff --git a/ra/ra.go b/ra/ra.go
@@ -1638,9 +1638,7 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx contex
 
 func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, names []string, regID int64, isRenewal bool) error {
 	newOrdersPerAccountLimits := ra.rlPolicies.NewOrdersPerAccount()
-	// TODO(#7511): Remove the feature flag check.
-	skipCheck := features.Get().CheckRenewalExemptionAtWFE && isRenewal
-	if newOrdersPerAccountLimits.Enabled() && !skipCheck {
+	if newOrdersPerAccountLimits.Enabled() && !isRenewal {
 		started := ra.clk.Now()
 		err := ra.checkNewOrdersPerAccountLimit(ctx, regID, names, newOrdersPerAccountLimits)
 		elapsed := ra.clk.Since(started)
@@ -1654,7 +1652,7 @@ func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, na
 	}
 
 	certNameLimits := ra.rlPolicies.CertificatesPerName()
-	if certNameLimits.Enabled() && !skipCheck {
+	if certNameLimits.Enabled() && !isRenewal {
 		started := ra.clk.Now()
 		err := ra.checkCertificatesPerNameLimit(ctx, names, certNameLimits, regID)
 		elapsed := ra.clk.Since(started)

diff --git a/ratelimits/bucket.go b/ratelimits/bucket.go
@@ -8,7 +8,6 @@ import (
 	"strings"
 
 	"github.com/letsencrypt/boulder/core"
-	"github.com/letsencrypt/boulder/features"
 )
 
 // ErrInvalidCost indicates that the cost specified was < 0.
@@ -505,8 +504,7 @@ func (builder *TransactionBuilder) NewOrderLimitTransactions(regId int64, names
 	}
 
 	var transactions []Transaction
-	// TODO(#7511) Remove this feature flag check.
-	if features.Get().CheckRenewalExemptionAtWFE && !isRenewal {
+	if !isRenewal {
 		txn, err := builder.ordersPerAccountTransaction(regId)
 		if err != nil {
 			return nil, makeTxnError(err, NewOrdersPerAccount)
@@ -520,8 +518,7 @@ func (builder *TransactionBuilder) NewOrderLimitTransactions(regId int64, names
 	}
 	transactions = append(transactions, txns...)
 
-	// TODO(#7511) Remove this feature flag check.
-	if features.Get().CheckRenewalExemptionAtWFE && !isRenewal {
+	if !isRenewal {
 		txns, err := builder.certificatesPerDomainCheckOnlyTransactions(regId, names)
 		if err != nil {
 			return nil, makeTxnError(err, CertificatesPerDomain)

diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -130,7 +130,6 @@
 		},
 		"features": {
 			"AsyncFinalize": true,
-			"CheckRenewalExemptionAtWFE": true,
 			"UseKvLimitsForNewOrder": true,
 			"UseKvLimitsForNewAccount": true
 		},

diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json
@@ -129,7 +129,6 @@
 		"features": {
 			"ServeRenewalInfo": true,
 			"TrackReplacementCertificatesARI": true,
-			"CheckRenewalExemptionAtWFE": true,
 			"CheckIdentifiersPaused": true,
 			"UseKvLimitsForNewOrder": true,
 			"UseKvLimitsForNewAccount": true

diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -2356,8 +2356,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
 	}
 
 	var isRenewal bool
-	// TODO(#7511) Remove this feature flag check.
-	if features.Get().CheckRenewalExemptionAtWFE && !isARIRenewal {
+	if !isARIRenewal {
 		// The Subscriber does not have an ARI exemption. However, we can check
 		// if the order is a renewal, and thus exempt from the NewOrdersPerAccount
 		// and CertificatesPerDomain limits.

diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -437,7 +437,6 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
 	var unpauseLifetime time.Duration
 	var unpauseURL string
 	if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" {
-		features.Set(features.Config{CheckRenewalExemptionAtWFE: true})
 		unpauseSigner, err = unpause.NewJWTSigner(cmd.HMACKeyConfig{KeyFile: "../test/secrets/sfe_unpause_key"})
 		test.AssertNotError(t, err, "making unpause signer")
 		unpauseLifetime = time.Hour * 24 * 14