forked from letsencrypt/boulder
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
wfe/features: Deprecate UseKvLimitsForNewOrder (letsencrypt#7765)
Default code paths that depended on this flag to be true. Part of letsencrypt#5545
- Loading branch information
1 parent
844334e
commit e5edb70
Showing
8 changed files
with
9 additions
and
165 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -628,90 +628,6 @@ func TestNewRegistrationBadKey(t *testing.T) { | |
test.AssertError(t, err, "Should have rejected authorization with short key") | ||
} | ||
|
||
func TestNewRegistrationRateLimit(t *testing.T) { | ||
_, _, ra, _, cleanUp := initAuthorities(t) | ||
defer cleanUp() | ||
|
||
// Specify a dummy rate limit policy that allows 1 registration per exact IP | ||
// match, and 2 per range. | ||
ra.rlPolicies = &dummyRateLimitConfig{ | ||
RegistrationsPerIPPolicy: ratelimit.RateLimitPolicy{ | ||
Threshold: 1, | ||
Window: config.Duration{Duration: 24 * 90 * time.Hour}, | ||
}, | ||
RegistrationsPerIPRangePolicy: ratelimit.RateLimitPolicy{ | ||
Threshold: 2, | ||
Window: config.Duration{Duration: 24 * 90 * time.Hour}, | ||
}, | ||
} | ||
|
||
// Create one registration for an IPv4 address | ||
mailto := "mailto:[email protected]" | ||
reg := &corepb.Registration{ | ||
Contact: []string{mailto}, | ||
ContactsPresent: true, | ||
Key: newAcctKey(t), | ||
InitialIP: parseAndMarshalIP(t, "7.6.6.5"), | ||
} | ||
// There should be no errors - it is within the RegistrationsPerIP rate limit | ||
_, err := ra.NewRegistration(ctx, reg) | ||
test.AssertNotError(t, err, "Unexpected error adding new IPv4 registration") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIP, "decision": ratelimits.Allowed}, 1) | ||
// There are no overrides for this IP, so the override usage gauge should | ||
// contain 0 entries with labels matching it. | ||
test.AssertMetricWithLabelsEquals(t, ra.rlOverrideUsageGauge, prometheus.Labels{"limit": ratelimit.RegistrationsPerIP, "override_key": "7.6.6.5"}, 0) | ||
|
||
// Create another registration for the same IPv4 address by changing the key | ||
reg.Key = newAcctKey(t) | ||
|
||
// There should be an error since a 2nd registration will exceed the | ||
// RegistrationsPerIP rate limit | ||
_, err = ra.NewRegistration(ctx, reg) | ||
test.AssertError(t, err, "No error adding duplicate IPv4 registration") | ||
test.AssertEquals(t, err.Error(), "too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIP, "decision": ratelimits.Denied}, 1) | ||
|
||
// Create a registration for an IPv6 address | ||
reg.Key = newAcctKey(t) | ||
reg.InitialIP = parseAndMarshalIP(t, "2001:cdba:1234:5678:9101:1121:3257:9652") | ||
|
||
// There should be no errors - it is within the RegistrationsPerIP rate limit | ||
_, err = ra.NewRegistration(ctx, reg) | ||
test.AssertNotError(t, err, "Unexpected error adding a new IPv6 registration") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIP, "decision": ratelimits.Allowed}, 2) | ||
|
||
// Create a 2nd registration for the IPv6 address by changing the key | ||
reg.Key = newAcctKey(t) | ||
|
||
// There should be an error since a 2nd reg for the same IPv6 address will | ||
// exceed the RegistrationsPerIP rate limit | ||
_, err = ra.NewRegistration(ctx, reg) | ||
test.AssertError(t, err, "No error adding duplicate IPv6 registration") | ||
test.AssertEquals(t, err.Error(), "too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIP, "decision": ratelimits.Denied}, 2) | ||
|
||
// Create a registration for an IPv6 address in the same /48 | ||
reg.Key = newAcctKey(t) | ||
reg.InitialIP = parseAndMarshalIP(t, "2001:cdba:1234:5678:9101:1121:3257:9653") | ||
|
||
// There should be no errors since two IPv6 addresses in the same /48 is | ||
// within the RegistrationsPerIPRange limit | ||
_, err = ra.NewRegistration(ctx, reg) | ||
test.AssertNotError(t, err, "Unexpected error adding second IPv6 registration in the same /48") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIPRange, "decision": ratelimits.Allowed}, 2) | ||
|
||
// Create a registration for yet another IPv6 address in the same /48 | ||
reg.Key = newAcctKey(t) | ||
reg.InitialIP = parseAndMarshalIP(t, "2001:cdba:1234:5678:9101:1121:3257:9654") | ||
|
||
// There should be an error since three registrations within the same IPv6 | ||
// /48 is outside of the RegistrationsPerIPRange limit | ||
_, err = ra.NewRegistration(ctx, reg) | ||
test.AssertError(t, err, "No error adding a third IPv6 registration in the same /48") | ||
test.AssertEquals(t, err.Error(), "too many registrations for this IP range: see https://letsencrypt.org/docs/rate-limits/") | ||
test.AssertMetricWithLabelsEquals(t, ra.rlCheckLatency, prometheus.Labels{"limit": ratelimit.RegistrationsPerIPRange, "decision": ratelimits.Denied}, 1) | ||
} | ||
|
||
func TestRegistrationsPerIPOverrideUsage(t *testing.T) { | ||
_, _, ra, _, cleanUp := initAuthorities(t) | ||
defer cleanUp() | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters