func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx context.Context, names []string, limit ratelimit.RateLimitPolicy, regID int64) error { count, err := ra.SA.CountFQDNSets(ctx, limit.Window.Duration, names) if err != nil { return err } names = core.UniqueLowerNames(names) if int(count) > limit.GetThreshold(strings.Join(names, ","), regID) { return core.RateLimitedError(fmt.Sprintf( "Too many certificates already issued for exact set of domains: %s", strings.Join(names, ","), )) } return nil }
func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(ctx context.Context, names []string, limit ratelimit.RateLimitPolicy, regID int64) error { names, err := domainsForRateLimiting(names) if err != nil { return err } now := ra.clk.Now() windowBegin := limit.WindowBegin(now) counts, err := ra.SA.CountCertificatesByNames(ctx, names, windowBegin, now) if err != nil { return err } var badNames []string for _, name := range names { count, ok := counts[name] if !ok { // Shouldn't happen, but let's be careful anyhow. return errors.New("StorageAuthority failed to return a count for every name") } if count >= limit.GetThreshold(name, regID) { badNames = append(badNames, name) } } if len(badNames) > 0 { // check if there is already a existing certificate for // the exact name set we are issuing for. If so bypass the // the certificatesPerName limit. exists, err := ra.SA.FQDNSetExists(ctx, names) if err != nil { return err } if exists { ra.certsForDomainStats.Inc("FQDNSetBypass", 1) return nil } domains := strings.Join(badNames, ", ") ra.certsForDomainStats.Inc("Exceeded", 1) ra.log.Info(fmt.Sprintf("Rate limit exceeded, CertificatesForDomain, regID: %d, domains: %s", regID, domains)) return core.RateLimitedError(fmt.Sprintf( "Too many certificates already issued for: %s", domains)) } ra.certsForDomainStats.Inc("Pass", 1) return nil }