func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(names []string, limit cmd.RateLimitPolicy, regID int64) error {
names, err := domainsForRateLimiting(names)
if err != nil {
return err
}
now := ra.clk.Now()
windowBegin := limit.WindowBegin(now)
counts, err := ra.SA.CountCertificatesByNames(names, windowBegin, now)
if err != nil {
return err
}
var badNames []string
for _, name := range names {
count, ok := counts[name]
if !ok {
// Shouldn't happen, but let's be careful anyhow.
return errors.New("StorageAuthority failed to return a count for every name")
}
if count >= limit.GetThreshold(name, regID) {
badNames = append(badNames, name)
}
}
if len(badNames) > 0 {
return core.RateLimitedError(fmt.Sprintf(
"Too many certificates already issued for: %s",
strings.Join(badNames, ", ")))
}
return nil
}
func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx context.Context, names []string, limit cmd.RateLimitPolicy, regID int64) error {
count, err := ra.SA.CountFQDNSets(ctx, limit.Window.Duration, names)
if err != nil {
return err
}
names = core.UniqueLowerNames(names)
if int(count) > limit.GetThreshold(strings.Join(names, ","), regID) {
return core.RateLimitedError(fmt.Sprintf(
"Too many certificates already issued for exact set of domains: %s",
strings.Join(names, ","),
))
}
return nil
}
func checkPendingAuthorizationLimit(sa core.StorageGetter, limit *cmd.RateLimitPolicy, regID int64) error {
if limit.Enabled() {
count, err := sa.CountPendingAuthorizations(regID)
if err != nil {
return err
}
// Most rate limits have a key for overrides, but there is no meaningful key
// here.
noKey := ""
if count > limit.GetThreshold(noKey, regID) {
return core.RateLimitedError("Too many currently pending authorizations.")
}
}
return nil
}
func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(ctx context.Context, names []string, limit cmd.RateLimitPolicy, regID int64) error {
names, err := domainsForRateLimiting(names)
if err != nil {
return err
}
now := ra.clk.Now()
windowBegin := limit.WindowBegin(now)
counts, err := ra.SA.CountCertificatesByNames(ctx, names, windowBegin, now)
if err != nil {
return err
}
var badNames []string
for _, name := range names {
count, ok := counts[name]
if !ok {
// Shouldn't happen, but let's be careful anyhow.
return errors.New("StorageAuthority failed to return a count for every name")
}
if count >= limit.GetThreshold(name, regID) {
badNames = append(badNames, name)
}
}
if len(badNames) > 0 {
// check if there is already a existing certificate for
// the exact name set we are issuing for. If so bypass the
// the certificatesPerName limit.
exists, err := ra.SA.FQDNSetExists(ctx, names)
if err != nil {
return err
}
if exists {
ra.certsForDomainStats.Inc("FQDNSetBypass", 1)
return nil
}
domains := strings.Join(badNames, ", ")
ra.certsForDomainStats.Inc("Exceeded", 1)
ra.log.Info(fmt.Sprintf("Rate limit exceeded, CertificatesForDomain, regID: %d, domains: %s", regID, domains))
return core.RateLimitedError(fmt.Sprintf(
"Too many certificates already issued for: %s", domains))
}
ra.certsForDomainStats.Inc("Pass", 1)
return nil
}