ratelimits: Use full domain for the FailedAuthorizations limit (#7729)

The key-value implementation for the Failed Authorizations limit
mistakenly used eTLD+1 instead of the full domain, unlike its
predecessor.
Samantha Frank 2024-09-30 14:50:35 -04:00 committed by GitHub
parent 2fa9fbcd23
commit d850e633ae
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 10 deletions


@ -241,7 +241,6 @@ func (builder *TransactionBuilder) ordersPerAccountTransaction(regId int64) (Tra
// any of the order domain names are invalid. This method should be used for // any of the order domain names are invalid. This method should be used for
// checking capacity, before allowing more authorizations to be created. // checking capacity, before allowing more authorizations to be created.
// //
// Precondition: orderDomains must all pass policy.WellFormedDomainNames.
// Precondition: len(orderDomains) < maxNames. // Precondition: len(orderDomains) < maxNames.
func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountCheckOnlyTransactions(regId int64, orderDomains []string) ([]Transaction, error) { func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountCheckOnlyTransactions(regId int64, orderDomains []string) ([]Transaction, error) {
// FailedAuthorizationsPerDomainPerAccount limit uses the 'enum:regId' // FailedAuthorizationsPerDomainPerAccount limit uses the 'enum:regId'
@ -256,7 +255,7 @@ func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountCheckO
} }
var txns []Transaction var txns []Transaction
for _, name := range DomainsForRateLimiting(orderDomains) { for _, name := range orderDomains {
// FailedAuthorizationsPerDomainPerAccount limit uses the // FailedAuthorizationsPerDomainPerAccount limit uses the
// 'enum:regId:domain' bucket key format for transactions. // 'enum:regId:domain' bucket key format for transactions.
perDomainPerAccountBucketKey, err := newRegIdDomainBucketKey(FailedAuthorizationsPerDomainPerAccount, regId, name) perDomainPerAccountBucketKey, err := newRegIdDomainBucketKey(FailedAuthorizationsPerDomainPerAccount, regId, name)
@ -280,8 +279,6 @@ func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountCheckO
// only Transaction for the provided order domain name. An error is returned if // only Transaction for the provided order domain name. An error is returned if
// the order domain name is invalid. This method should be used for spending // the order domain name is invalid. This method should be used for spending
// capacity, as a result of a failed authorization. // capacity, as a result of a failed authorization.
//
// Precondition: orderDomain must pass policy.WellFormedDomainNames.
func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountSpendOnlyTransaction(regId int64, orderDomain string) (Transaction, error) { func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountSpendOnlyTransaction(regId int64, orderDomain string) (Transaction, error) {
// FailedAuthorizationsPerDomainPerAccount limit uses the 'enum:regId' // FailedAuthorizationsPerDomainPerAccount limit uses the 'enum:regId'
// bucket key format for overrides. // bucket key format for overrides.
@ -294,14 +291,9 @@ func (builder *TransactionBuilder) FailedAuthorizationsPerDomainPerAccountSpendO
return Transaction{}, err return Transaction{}, err
} }
orderDomains := DomainsForRateLimiting([]string{orderDomain})
if len(orderDomains) != 1 {
return Transaction{}, fmt.Errorf("expected 1 valid domain name, got %q", orderDomain)
}
// FailedAuthorizationsPerDomainPerAccount limit uses the // FailedAuthorizationsPerDomainPerAccount limit uses the
// 'enum:regId:domain' bucket key format for transactions. // 'enum:regId:domain' bucket key format for transactions.
perDomainPerAccountBucketKey, err := newRegIdDomainBucketKey(FailedAuthorizationsPerDomainPerAccount, regId, orderDomains[0]) perDomainPerAccountBucketKey, err := newRegIdDomainBucketKey(FailedAuthorizationsPerDomainPerAccount, regId, orderDomain)
if err != nil { if err != nil {
return Transaction{}, err return Transaction{}, err
} }
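Review bot: With `DomainsForRateLimiting` removed, the check-only loop (`for _, name := range orderDomains`) and the spend-only call to `newRegIdDomainBucketKey(..., regId, orderDomain)` both build the bucket key from the caller's string verbatim, and the commit also deletes the only documented input precondition (`policy.WellFormedDomainNames`) from both doc comments. The two paths only enforce the limit if they key on the same form of the name: a check key and a spend key that differ in case would land in different buckets and failures would be under-counted. Whether `newRegIdDomainBucketKey` normalizes or validates the name is not visible in these hunks. I would restore a precondition on both methods, e.g. `// Precondition: orderDomain must be the validated, lowercased name in the same form passed to the CheckOnly method.`, and add a test asserting that both paths yield the same key for a subdomain. If the removed helper also deduplicated (an inference from its name), duplicate entries in `orderDomains` now produce duplicate transactions; the spend-only function's body continues past the end of the last hunk.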