From f2a5ccd47720a930ebe962a1e041713de2b499b2 Mon Sep 17 00:00:00 2001
From: Samantha
Date: Fri, 27 Sep 2024 18:10:01 -0400
Subject: [PATCH 1/2] SA: Add feature flag DisableLegacyLimitWrites
---
 features/features.go | 5 +++++
 sa/sa.go | 10 ++++++----
 test/config-next/sa.json | 3 ++-
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/features/features.go b/features/features.go
index 262ce0933cf..ec0ad5e9b83 100644
--- a/features/features.go
+++ b/features/features.go
@@ -117,6 +117,11 @@ type Config struct {
 // to be the authoritative source of rate limiting information for
 // new-account callers and disables the legacy rate limiting checks.
 UseKvLimitsForNewAccount bool
+
+ // DisableLegacyLimitWrites when enabled, disables writes to the newOrdersRL
+ // table at new-order time. This flag should only be used in conjunction with
+ // UseKvLimitsForNewOrder.
+ DisableLegacyLimitWrites bool
 }
 var fMu = new(sync.RWMutex)
diff --git a/sa/sa.go b/sa/sa.go
index be87d471a19..e27ed5a148c 100644
--- a/sa/sa.go
+++ b/sa/sa.go
@@ -616,10 +616,12 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 return nil, fmt.Errorf("casting error in NewOrderAndAuthzs")
 }
- // Increment the order creation count
- err = addNewOrdersRateLimit(ctx, ssa.dbMap, req.NewOrder.RegistrationID, ssa.clk.Now().Truncate(time.Minute))
- if err != nil {
- return nil, err
+ if !features.Get().DisableLegacyLimitWrites {
+ // Increment the order creation count
+ err = addNewOrdersRateLimit(ctx, ssa.dbMap, req.NewOrder.RegistrationID, ssa.clk.Now().Truncate(time.Minute))
+ if err != nil {
+ return nil, err
+ }
 }
 return order, nil
diff --git a/test/config-next/sa.json b/test/config-next/sa.json
index ed1eae2f4d9..5afcf09153b 100644
--- a/test/config-next/sa.json
+++ b/test/config-next/sa.json
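Review bot: In features/features.go (patch 1/2), the pairing of DisableLegacyLimitWrites with UseKvLimitsForNewOrder is a comment-only contract; nothing visible in this series rejects a configuration that sets the first without the second. If the legacy checks still read the newOrdersRL table in that state, they would presumably see no new rows and stop limiting, so the misconfiguration fails open without any error. I would spell the consequence out in the field comment, for example `// Enabling this without UseKvLimitsForNewOrder leaves the legacy new-order limit with no data to count.`, and also add the missing comma in `DisableLegacyLimitWrites, when enabled, disables ...`. The Config struct starts above the hunk, so whether any flag validation exists elsewhere cannot be seen here.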
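Review bot: In sa/sa.go, the new `if !features.Get().DisableLegacyLimitWrites` branch in NewOrderAndAuthzs ships without a test: the diffstat for patch 1/2 lists only features.go, sa.go and test/config-next/sa.json. A test that creates an order with the flag off and with it on, and asserts that a newOrdersRL row is respectively written and not written, would pin the behaviour, since a regression in either direction changes rate-limit accounting silently. The same applies to the AddCertificate gate added in patch 2/2. NewOrderAndAuthzs begins above the hunk.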
@@ -50,7 +50,8 @@
 "healthCheckInterval": "4s",
 "features": {
 "MultipleCertificateProfiles": true,
- "TrackReplacementCertificatesARI": true
+ "TrackReplacementCertificatesARI": true,
+ "DisableLegacyLimitWrites": true
 }
 },
 "syslog": {
From aba2c28d82ad226c213ceca7e2602003c64791a4 Mon Sep 17 00:00:00 2001
From: Samantha
Date: Fri, 27 Sep 2024 18:31:46 -0400
Subject: [PATCH 2/2] Add certificatesPerName and fqdnSets
---
 features/features.go | 8 +++++---
 sa/sa.go | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/features/features.go b/features/features.go
index ec0ad5e9b83..f7b0f71f1bd 100644
--- a/features/features.go
+++ b/features/features.go
@@ -118,9 +118,11 @@ type Config struct {
 // new-account callers and disables the legacy rate limiting checks.
 UseKvLimitsForNewAccount bool
- // DisableLegacyLimitWrites when enabled, disables writes to the newOrdersRL
- // table at new-order time. This flag should only be used in conjunction with
- // UseKvLimitsForNewOrder.
+ // DisableLegacyLimitWrites when enabled, disables writes to:
+ // - the newOrdersRL table at new-order time, and
+ // - the certificatesPerName table at finalize time.
+ //
+ // This flag should only be used in conjunction with UseKvLimitsForNewOrder.
 DisableLegacyLimitWrites bool
 }
diff --git a/sa/sa.go b/sa/sa.go
index e27ed5a148c..ffbec0f13a0 100644
--- a/sa/sa.go
+++ b/sa/sa.go
@@ -380,7 +380,7 @@ func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.Ad
 _, rlTransactionErr := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
 // Add to the rate limit table, but only for new certificates. Renewals
 // don't count against the certificatesPerName limit.
- if !isRenewal {
+ if !isRenewal && !features.Get().DisableLegacyLimitWrites {
 timeToTheHour := parsedCertificate.NotBefore.Round(time.Hour)
 err := ssa.addCertificatesPerName(ctx, tx, parsedCertificate.DNSNames, timeToTheHour)
 if err != nil {
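Review bot: The subject of patch 2/2 names fqdnSets, but the revised comment on DisableLegacyLimitWrites lists only the newOrdersRL and certificatesPerName tables, and the sa.go hunk in this patch gates only addCertificatesPerName. If fqdnSets writes are meant to continue, state it in the comment so operators do not assume otherwise, e.g. `// Writes to the fqdnSets table are not affected by this flag.`; if they were meant to be gated, that change is not in the visible hunks. The rest of AddCertificate lies outside the diff, so this is inferred from what is shown.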
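Review bot: In AddCertificate, the comment above the changed condition still gives the renewal exemption as the only reason the certificatesPerName write is skipped, while the new condition also skips it when DisableLegacyLimitWrites is set. Update it alongside the code, e.g. `// Add to the rate limit table, but only for new certificates and only while legacy limit writes are enabled.` The closure passed to db.WithTransaction continues below the hunk, so it is not visible whether the transaction still has other work to do when this branch is skipped.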