ratelimits: Implement batched Spends and Refunds

cmd/boulder-wfe2/main.go

@@ -340,15 +340,18 @@ func main() {
 	pendingAuthorizationLifetime := time.Duration(c.WFE.PendingAuthorizationLifetimeDays) * 24 * time.Hour
 
 	var limiter *ratelimits.Limiter
+	var txnBuilder *ratelimits.TransactionBuilder
 	var limiterRedis *bredis.Ring
 	if c.WFE.Limiter.Defaults != "" {
 		// Setup rate limiting.
 		limiterRedis, err = bredis.NewRingFromConfig(*c.WFE.Limiter.Redis, stats, logger)
 		cmd.FailOnError(err, "Failed to create Redis ring")
 
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
-		limiter, err = ratelimits.NewLimiter(clk, source, c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides, stats)
+		limiter, err = ratelimits.NewLimiter(clk, source, stats)
 		cmd.FailOnError(err, "Failed to create rate limiter")
+		txnBuilder, err = ratelimits.NewTransactionBuilder(c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides)
+		cmd.FailOnError(err, "Failed to create rate limits transaction builder")
 	}
 
 	var accountGetter wfe2.AccountGetter
@@ -380,6 +383,7 @@ func main() {
 		npKey,
 		accountGetter,
 		limiter,
+		txnBuilder,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")
 

ra/ra.go

@@ -20,7 +20,6 @@ import (
 
 	"github.com/jmhodges/clock"
 	"github.com/prometheus/client_golang/prometheus"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"golang.org/x/crypto/ocsp"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/proto"
@@ -1375,26 +1374,6 @@ func (ra *RegistrationAuthorityImpl) getSCTs(ctx context.Context, cert []byte, e
 	return scts, nil
 }
 
-// domainsForRateLimiting transforms a list of FQDNs into a list of eTLD+1's
-// for the purpose of rate limiting. It also de-duplicates the output
-// domains. Exact public suffix matches are included.
-func domainsForRateLimiting(names []string) []string {
-	var domains []string
-	for _, name := range names {
-		domain, err := publicsuffix.Domain(name)
-		if err != nil {
-			// The only possible errors are:
-			// (1) publicsuffix.Domain is giving garbage values
-			// (2) the public suffix is the domain itself
-			// We assume 2 and include the original name in the result.
-			domains = append(domains, name)
-		} else {
-			domains = append(domains, domain)
-		}
-	}
-	return core.UniqueLowerNames(domains)
-}
-
 // enforceNameCounts uses the provided count RPC to find a count of certificates
 // for each of the names. If the count for any of the names exceeds the limit
 // for the given registration then the names out of policy are returned to be
@@ -1465,7 +1444,7 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerNameLimit(ctx context.C
 		return nil
 	}
 
-	tldNames := domainsForRateLimiting(names)
+	tldNames := ratelimits.DomainsForRateLimiting(names)
 	namesOutOfLimit, earliest, err := ra.enforceNameCounts(ctx, tldNames, limit, regID)
 	if err != nil {
 		return fmt.Errorf("checking certificates per name limit for %q: %s",

ra/ra_test.go

@@ -1114,26 +1114,6 @@ func TestAuthzFailedRateLimitingNewOrder(t *testing.T) {
 	testcase()
 }
 
-func TestDomainsForRateLimiting(t *testing.T) {
-	domains := domainsForRateLimiting([]string{})
-	test.AssertEquals(t, len(domains), 0)
-
-	domains = domainsForRateLimiting([]string{"www.example.com", "example.com"})
-	test.AssertDeepEquals(t, domains, []string{"example.com"})
-
-	domains = domainsForRateLimiting([]string{"www.example.com", "example.com", "www.example.co.uk"})
-	test.AssertDeepEquals(t, domains, []string{"example.co.uk", "example.com"})
-
-	domains = domainsForRateLimiting([]string{"www.example.com", "example.com", "www.example.co.uk", "co.uk"})
-	test.AssertDeepEquals(t, domains, []string{"co.uk", "example.co.uk", "example.com"})
-
-	domains = domainsForRateLimiting([]string{"foo.bar.baz.www.example.com", "baz.example.com"})
-	test.AssertDeepEquals(t, domains, []string{"example.com"})
-
-	domains = domainsForRateLimiting([]string{"github.io", "foo.github.io", "bar.github.io"})
-	test.AssertDeepEquals(t, domains, []string{"bar.github.io", "foo.github.io", "github.io"})
-}
-
 type mockSAWithNameCounts struct {
 	mocks.StorageAuthority
 	nameCounts *sapb.CountByNames