Skip to content

Commit

Permalink
Add feature flag to disable pending authz reuse (#7836)
Browse files Browse the repository at this point in the history
Pending authz reuse is a nice-to-have feature because it allows us to
create fewer rows in the authz database table when creating new orders.
However, stats show that less than 2% of authorizations that we attach
to new orders are reused pending authzs. And as we move towards using a
more streamlined database schema to store our orders, authorizations,
and validation attempts, disabling pending authz reuse will greatly
simplify our database schema and code.

CPS Compliance Review: our CPS does not speak to whether or not we reuse
pending authorizations for new orders.
IN-10859 tracks enabling this flag in prod

Part of #7715
  • Loading branch information
aarongable authored Dec 6, 2024
1 parent 27e65f3 commit 95e5f87
Show file tree
Hide file tree
Showing 6 changed files with 291 additions and 175 deletions.
6 changes: 6 additions & 0 deletions features/features.go
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,12 @@ type Config struct {
// and pause issuance for each (account, hostname) pair that repeatedly
// fails validation.
AutomaticallyPauseZombieClients bool

// NoPendingAuthzReuse causes the RA to only select already-validated authzs
// to attach to a newly created order. This preserves important client-facing
// functionality (valid authz reuse) while letting us simplify our code by
// removing pending authz reuse.
NoPendingAuthzReuse bool
}

var fMu = new(sync.RWMutex)
Expand Down
20 changes: 15 additions & 5 deletions ra/ra.go
Original file line number Diff line number Diff line change
Expand Up @@ -2562,12 +2562,22 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
// from expiring.
authzExpiryCutoff := ra.clk.Now().AddDate(0, 0, 1)

getAuthReq := &sapb.GetAuthorizationsRequest{
RegistrationID: newOrder.RegistrationID,
ValidUntil: timestamppb.New(authzExpiryCutoff),
DnsNames: newOrder.DnsNames,
var existingAuthz *sapb.Authorizations
if features.Get().NoPendingAuthzReuse {
getAuthReq := &sapb.GetValidAuthorizationsRequest{
RegistrationID: newOrder.RegistrationID,
ValidUntil: timestamppb.New(authzExpiryCutoff),
DnsNames: newOrder.DnsNames,
}
existingAuthz, err = ra.SA.GetValidAuthorizations2(ctx, getAuthReq)
} else {
getAuthReq := &sapb.GetAuthorizationsRequest{
RegistrationID: newOrder.RegistrationID,
ValidUntil: timestamppb.New(authzExpiryCutoff),
DnsNames: newOrder.DnsNames,
}
existingAuthz, err = ra.SA.GetAuthorizations2(ctx, getAuthReq)
}
existingAuthz, err := ra.SA.GetAuthorizations2(ctx, getAuthReq)
if err != nil {
return nil, err
}
Expand Down
Loading

0 comments on commit 95e5f87

Please sign in to comment.