From 8a94dc664a087c23bbec8333e5c3785c8317d9fb Mon Sep 17 00:00:00 2001 From: ldlb <53563191+ldlb9527@users.noreply.github.com> Date: Tue, 27 Aug 2024 11:26:57 +0800 Subject: [PATCH] Cleanup 'CheckRenewalExemptionAtWFE' feature flag fixes: #7511 --- features/features.go | 10 ---------- ra/ra.go | 6 ++---- ratelimits/bucket.go | 7 ++----- test/config-next/ra.json | 1 - test/config-next/wfe2.json | 1 - wfe2/wfe.go | 3 +-- wfe2/wfe_test.go | 1 - 7 files changed, 5 insertions(+), 24 deletions(-) diff --git a/features/features.go b/features/features.go index 262ce0933cf..904eff0f157 100644 --- a/features/features.go +++ b/features/features.go @@ -89,16 +89,6 @@ type Config struct { // allowed to be empty. MultipleCertificateProfiles bool - // CheckRenewalExemptionAtWFE when enabled, triggers the following behavior: - // - WFE.NewOrder: checks if the order is a renewal and if so skips checks - // for NewOrdersPerAccount and NewOrdersPerDomain limits. - // - RA.NewOrderAndAuthzs: skips checks for legacy NewOrdersPerAccount and - // NewOrdersPerDomain limits if the WFE indicates that the order is a - // renewal. - // - // TODO(#7511): Remove this feature flag. - CheckRenewalExemptionAtWFE bool - // CheckIdentifiersPaused checks if any of the identifiers in the order are // currently paused at NewOrder time. If any are paused, an error is // returned to the Subscriber indicating that the order cannot be processed diff --git a/ra/ra.go b/ra/ra.go index 513f2d4444f..48a2a8073ea 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -1638,9 +1638,7 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx contex func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, names []string, regID int64, isRenewal bool) error { newOrdersPerAccountLimits := ra.rlPolicies.NewOrdersPerAccount() - // TODO(#7511): Remove the feature flag check. - skipCheck := features.Get().CheckRenewalExemptionAtWFE && isRenewal - if newOrdersPerAccountLimits.Enabled() && !skipCheck { + if newOrdersPerAccountLimits.Enabled() && !isRenewal { started := ra.clk.Now() err := ra.checkNewOrdersPerAccountLimit(ctx, regID, names, newOrdersPerAccountLimits) elapsed := ra.clk.Since(started) @@ -1654,7 +1652,7 @@ func (ra *RegistrationAuthorityImpl) checkNewOrderLimits(ctx context.Context, na } certNameLimits := ra.rlPolicies.CertificatesPerName() - if certNameLimits.Enabled() && !skipCheck { + if certNameLimits.Enabled() && !isRenewal { started := ra.clk.Now() err := ra.checkCertificatesPerNameLimit(ctx, names, certNameLimits, regID) elapsed := ra.clk.Since(started) diff --git a/ratelimits/bucket.go b/ratelimits/bucket.go index ce91e1e0057..edac7e7d044 100644 --- a/ratelimits/bucket.go +++ b/ratelimits/bucket.go @@ -8,7 +8,6 @@ import ( "strings" "github.com/letsencrypt/boulder/core" - "github.com/letsencrypt/boulder/features" ) // ErrInvalidCost indicates that the cost specified was < 0. @@ -505,8 +504,7 @@ func (builder *TransactionBuilder) NewOrderLimitTransactions(regId int64, names } var transactions []Transaction - // TODO(#7511) Remove this feature flag check. - if features.Get().CheckRenewalExemptionAtWFE && !isRenewal { + if !isRenewal { txn, err := builder.ordersPerAccountTransaction(regId) if err != nil { return nil, makeTxnError(err, NewOrdersPerAccount) @@ -520,8 +518,7 @@ func (builder *TransactionBuilder) NewOrderLimitTransactions(regId int64, names } transactions = append(transactions, txns...) - // TODO(#7511) Remove this feature flag check. - if features.Get().CheckRenewalExemptionAtWFE && !isRenewal { + if !isRenewal { txns, err := builder.certificatesPerDomainCheckOnlyTransactions(regId, names) if err != nil { return nil, makeTxnError(err, CertificatesPerDomain) diff --git a/test/config-next/ra.json b/test/config-next/ra.json index 31eed6ec39e..45d03529e1a 100644 --- a/test/config-next/ra.json +++ b/test/config-next/ra.json @@ -130,7 +130,6 @@ }, "features": { "AsyncFinalize": true, - "CheckRenewalExemptionAtWFE": true, "UseKvLimitsForNewOrder": true, "UseKvLimitsForNewAccount": true }, diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json index 3fbdef462ee..3403f2cc043 100644 --- a/test/config-next/wfe2.json +++ b/test/config-next/wfe2.json @@ -129,7 +129,6 @@ "features": { "ServeRenewalInfo": true, "TrackReplacementCertificatesARI": true, - "CheckRenewalExemptionAtWFE": true, "CheckIdentifiersPaused": true, "UseKvLimitsForNewOrder": true, "UseKvLimitsForNewAccount": true diff --git a/wfe2/wfe.go b/wfe2/wfe.go index 7620954e749..4085d499107 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2356,8 +2356,7 @@ func (wfe *WebFrontEndImpl) NewOrder( } var isRenewal bool - // TODO(#7511) Remove this feature flag check. - if features.Get().CheckRenewalExemptionAtWFE && !isARIRenewal { + if !isARIRenewal { // The Subscriber does not have an ARI exemption. However, we can check // if the order is a renewal, and thus exempt from the NewOrdersPerAccount // and CertificatesPerDomain limits. diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index 3179a9f047d..ec2797b39d9 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -437,7 +437,6 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) { var unpauseLifetime time.Duration var unpauseURL string if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" { - features.Set(features.Config{CheckRenewalExemptionAtWFE: true}) unpauseSigner, err = unpause.NewJWTSigner(cmd.HMACKeyConfig{KeyFile: "../test/secrets/sfe_unpause_key"}) test.AssertNotError(t, err, "making unpause signer") unpauseLifetime = time.Hour * 24 * 14