SA: Deprecate FasterRateLimit feature flag (letsencrypt#4210)

jsha · Daniel McCarney · commit 09ba859366fa · 2019-05-09T15:06:21.000-04:00
This makes the behavior behind that flag the default.
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
diff --git a/features/features.go b/features/features.go
@@ -18,6 +18,7 @@ const (
 	TLSSNIRevalidation
 	AllowRenewalFirstRL
 	SetIssuedNamesRenewalBit
+	FasterRateLimit
 
 	//   Currently in-use features
 	// Check CAA and respect validationmethods parameter.
@@ -46,9 +47,6 @@ const (
 	// RemoveWFE2AccountID will remove the account ID from account objects returned
 	// from the new-account endpoint if enabled.
 	RemoveWFE2AccountID
-	// FasterRateLimit enables use of a separate table for counting the
-	// Certificates Per Name rate limit.
-	FasterRateLimit
 	// CheckRenewalFirst will check whether an issuance is a renewal before
 	// checking the "certificates per name" rate limit.
 	CheckRenewalFirst
diff --git a/sa/_db/migrations/20190101000000_AddRateLimitTable.sql b/sa/_db/migrations/20190101000000_AddRateLimitTable.sql
diff --git a/sa/rate_limits.go b/sa/rate_limits.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/letsencrypt/boulder/features"
 	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"golang.org/x/net/context"
 )
@@ -37,9 +36,6 @@ func (ssa *SQLStorageAuthority) addCertificatesPerName(
 	names []string,
 	timeToTheHour time.Time,
 ) error {
-	if !features.Enabled(features.FasterRateLimit) {
-		return nil
-	}
 	// De-duplicate the base domains.
 	baseDomainsMap := make(map[string]bool)
 	var qmarks []string
diff --git a/sa/rate_limits_test.go b/sa/rate_limits_test.go
@@ -2,25 +2,16 @@ package sa
 
 import (
 	"fmt"
-	"os"
-	"strings"
 	"testing"
 	"time"
 
-	"github.com/letsencrypt/boulder/features"
-
 	"golang.org/x/net/context"
 )
 
 func TestFasterRateLimit(t *testing.T) {
 	sa, _, cleanUp := initSA(t)
 	defer cleanUp()
 
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-	features.Set(map[string]bool{"FasterRateLimit": true})
-
 	aprilFirst, err := time.Parse(time.RFC3339, "2019-04-01T00:00:00Z")
 	if err != nil {
 		t.Fatal(err)
diff --git a/sa/sa.go b/sa/sa.go
@@ -20,7 +20,6 @@ import (
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	berrors "github.com/letsencrypt/boulder/errors"
-	"github.com/letsencrypt/boulder/features"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -106,12 +105,8 @@ func NewSQLStorageAuthority(
 		parallelismPerRPC: parallelismPerRPC,
 	}
 
-	ssa.countCertificatesByName = ssa.countCertificatesByNameImpl
-	ssa.countCertificatesByExactName = ssa.countCertificatesByExactNameImpl
-	if features.Enabled(features.FasterRateLimit) {
-		ssa.countCertificatesByName = ssa.countCertificatesFaster
-		ssa.countCertificatesByExactName = ssa.countCertificatesFaster
-	}
+	ssa.countCertificatesByName = ssa.countCertificatesFaster
+	ssa.countCertificatesByExactName = ssa.countCertificatesFaster
 	ssa.getChallenges = ssa.getChallengesImpl
 
 	return ssa, nil
@@ -457,69 +452,6 @@ func ReverseName(domain string) string {
 	return strings.Join(labels, ".")
 }
 
-const countCertificatesSelect = `
-		 SELECT serial from issuedNames
-		 WHERE (reversedName = :reversedDomain OR
-			      reversedName LIKE CONCAT(:reversedDomain, ".%"))
-		 AND NOT renewal AND notBefore > :earliest AND notBefore <= :latest;`
-
-const countCertificatesExactSelect = `
-		 SELECT serial from issuedNames
-		 WHERE reversedName = :reversedDomain
-		 AND NOT renewal AND notBefore > :earliest AND notBefore <= :latest;`
-
-// countCertificatesByNames returns, for a single domain, the count of
-// certificates issued in the given time range for that domain and its
-// subdomains.
-func (ssa *SQLStorageAuthority) countCertificatesByNameImpl(
-	db dbSelector,
-	domain string,
-	earliest,
-	latest time.Time,
-) (int, error) {
-	return ssa.countCertificates(db, domain, earliest, latest, countCertificatesSelect)
-}
-
-// countCertificatesByExactNames returns, for a single domain, the count of
-// certificates issued in the given time range for that domain. In contrast to
-// countCertificatesByNames subdomains are NOT considered.
-func (ssa *SQLStorageAuthority) countCertificatesByExactNameImpl(
-	db dbSelector,
-	domain string,
-	earliest,
-	latest time.Time,
-) (int, error) {
-	return ssa.countCertificates(db, domain, earliest, latest, countCertificatesExactSelect)
-}
-
-// countCertificates returns, for a single domain, the count of certificate
-// issuances in the given time range for that domain using the
-// provided query assumed to be either `countCertificatesExactSelect`,
-// or `countCertificatesSelect`.
-func (ssa *SQLStorageAuthority) countCertificates(db dbSelector, domain string, earliest, latest time.Time, query string) (int, error) {
-	var serials []string
-	_, err := db.Select(
-		&serials,
-		query,
-		map[string]interface{}{
-			"reversedDomain": ReverseName(domain),
-			"earliest":       earliest,
-			"latest":         latest,
-		})
-	if err == sql.ErrNoRows {
-		return 0, nil
-	} else if err != nil {
-		return 0, err
-	}
-
-	// Deduplicate serials returning a count of unique serials
-	serialMap := make(map[string]struct{}, len(serials))
-	for _, s := range serials {
-		serialMap[s] = struct{}{}
-	}
-	return len(serialMap), nil
-}
-
 // GetCertificate takes a serial number and returns the corresponding
 // certificate, or error if it does not exist.
 func (ssa *SQLStorageAuthority) GetCertificate(ctx context.Context, serial string) (core.Certificate, error) {
diff --git a/sa/sa_test.go b/sa/sa_test.go
@@ -565,8 +565,9 @@ func TestCountCertificatesByNames(t *testing.T) {
 	cert, err := x509.ParseCertificate(certDER)
 	test.AssertNotError(t, err, "Couldn't parse example cert DER")
 
-	// Set the test clock's time to the time from the test certificate
-	clk.Add(-clk.Now().Sub(cert.NotBefore))
+	// Set the test clock's time to the time from the test certificate, plus an
+	// hour to account for rounding.
+	clk.Add(time.Hour - clk.Now().Sub(cert.NotBefore))
 	now := clk.Now()
 	yesterday := clk.Now().Add(-24 * time.Hour)
 	twoDaysAgo := clk.Now().Add(-48 * time.Hour)
@@ -2813,20 +2814,6 @@ func TestCountCertificatesRenewalBit(t *testing.T) {
 		}
 		return 0
 	}
-	countNameExact := func(t *testing.T, name string) int64 {
-		counts, err := sa.CountCertificatesByExactNames(
-			context.Background(),
-			[]string{name},
-			fc.Now().Add(-5*time.Hour),
-			fc.Now().Add(5*time.Hour))
-		test.AssertNotError(t, err, "Unexpected err from CountCertificatesByExactNames")
-		for _, elem := range counts {
-			if *elem.Name == name {
-				return *elem.Count
-			}
-		}
-		return 0
-	}
 
 	// Add the first certificate - it won't be considered a renewal.
 	issued := certA.NotBefore
@@ -2852,11 +2839,6 @@ func TestCountCertificatesRenewalBit(t *testing.T) {
 	// The count for the base domain should be 2 now: certA and certC.
 	// CertB should be ignored.
 	test.AssertEquals(t, countName(t, "not-example.com"), int64(2))
-
-	// The exact name count for the base domain should be 1: certA. CertB should
-	// be ignored as a renewal and CertC should be ignored because it isn't an
-	// exact match.
-	test.AssertEquals(t, countNameExact(t, "not-example.com"), int64(1))
 }
 
 func TestNewAuthorizations2(t *testing.T) {
diff --git a/test/config-next/sa.json b/test/config-next/sa.json
@@ -25,7 +25,6 @@
       ]
     },
     "features": {
-      "FasterRateLimit": true
     }
   },
 

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@`
`25`	`25`	`]`
`26`	`26`	`},`
`27`	`27`	`"features": {`
`28`		`- "FasterRateLimit": true`
`29`	`28`	`}`
`30`	`29`	`},`
`31`	`30`