Remove CAA-rechecking dead code (#7606)
This code path was a safety net to ensure that CAA got rechecked if the authorization was going to expire less than 30d+7h from now, i.e. if the authorization had originally been checked more than 7h ago. The metrics show that, as expected, this code path has not been executed in living memory, because all situations in which it might be hit instead hit the preceding `if staleCAA` clause.
This commit is contained in:
Aaron Gable
GitHub
parent
a3e99432bb
commit
6a634a4bd2
22
ra/ra.go
22
ra/ra.go
|
|
@ -120,7 +120,6 @@ type RegistrationAuthorityImpl struct {
|
|||
newRegCounter prometheus.Counter
|
||||
recheckCAACounter prometheus.Counter
|
||||
newCertCounter *prometheus.CounterVec
|
||||
recheckCAAUsedAuthzLifetime prometheus.Counter
|
||||
authzAges *prometheus.HistogramVec
|
||||
orderAges *prometheus.HistogramVec
|
||||
inflightFinalizes prometheus.Gauge
|
||||
|
|
@ -196,12 +195,6 @@ func NewRegistrationAuthorityImpl(
|
|||
})
|
||||
stats.MustRegister(recheckCAACounter)
|
||||
|
||||
recheckCAAUsedAuthzLifetime := prometheus.NewCounter(prometheus.CounterOpts{
|
||||
Name: "recheck_caa_used_authz_lifetime",
|
||||
Help: "A counter times the old codepath was used for CAA recheck time",
|
||||
})
|
||||
stats.MustRegister(recheckCAAUsedAuthzLifetime)
|
||||
|
||||
newCertCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
|
||||
Name: "new_certificates",
|
||||
Help: "A counter of new certificates including the certificate profile name and hexadecimal certificate profile hash",
|
||||
|
|
@ -281,7 +274,6 @@ func NewRegistrationAuthorityImpl(
|
|||
recheckCAACounter: recheckCAACounter,
|
||||
newCertCounter: newCertCounter,
|
||||
revocationReasonCounter: revocationReasonCounter,
|
||||
recheckCAAUsedAuthzLifetime: recheckCAAUsedAuthzLifetime,
|
||||
authzAges: authzAges,
|
||||
orderAges: orderAges,
|
||||
inflightFinalizes: inflightFinalizes,
|
||||
|
|
@ -863,13 +855,6 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
|
|||
// Set the recheck time to 7 hours ago.
|
||||
caaRecheckAfter := now.Add(caaRecheckDuration)
|
||||
|
||||
// Set a CAA recheck time based on the assumption of a 30 day authz
|
||||
// lifetime. This has been deprecated in favor of a new check based
|
||||
// off the Validated time stored in the database, but we want to check
|
||||
// both for a time and increment a stat if this code path is hit for
|
||||
// compliance safety.
|
||||
caaRecheckTime := now.Add(ra.authorizationLifetime).Add(caaRecheckDuration)
|
||||
|
||||
for _, name := range names {
|
||||
authz := authzs[name]
|
||||
if authz == nil {
|
||||
|
|
@ -883,13 +868,6 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
|
|||
} else if staleCAA {
|
||||
// Ensure that CAA is rechecked for this name
|
||||
recheckAuthzs = append(recheckAuthzs, authz)
|
||||
} else if authz.Expires.Before(caaRecheckTime) {
|
||||
// Ensure that CAA is rechecked for this name
|
||||
recheckAuthzs = append(recheckAuthzs, authz)
|
||||
// This codepath should not be used, but is here as a safety
|
||||
// net until the new codepath is proven. Increment metric if
|
||||
// it is used.
|
||||
ra.recheckCAAUsedAuthzLifetime.Add(1)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1896,10 +1896,6 @@ func TestRecheckCAADates(t *testing.T) {
|
|||
err = ra.checkAuthorizationsCAA(context.Background(), Registration.Id, []string{"novalidationtime.com"}, authzs, fc.Now())
|
||||
test.AssertEquals(t, err.Error(), "authorization's challenge has no validated timestamp for: id noval")
|
||||
|
||||
// Test to make sure the authorization lifetime codepath was not used
|
||||
// to determine if CAA needed recheck.
|
||||
test.AssertMetricWithLabelsEquals(t, ra.recheckCAAUsedAuthzLifetime, prometheus.Labels{}, 0)
|
||||
|
||||
// We expect that "recent.com" is not checked because its mock authorization
|
||||
// isn't expired
|
||||
if _, present := recorder.names["recent.com"]; present {
|
||||
|
|
|
|||
Loading…
Reference in New Issue