Merge 203425f into 95b77db

sa/_db-next/migrations/20210308140000_SimplePartitioning.sql

@@ -0,0 +1,53 @@
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+ALTER TABLE authz2 DROP INDEX IF EXISTS token;
+ALTER TABLE authz2 PARTITION BY RANGE(id) (
+     PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE certificates DROP FOREIGN KEY IF EXISTS regId_certificates;
+ALTER TABLE certificates DROP INDEX IF EXISTS serial, ADD INDEX serial (serial);
+ALTER TABLE certificates PARTITION BY RANGE(id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE fqdnSets DROP INDEX IF EXISTS serial, ADD INDEX serial (serial);
+ALTER TABLE fqdnSets PARTITION BY RANGE(id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE issuedNames PARTITION BY RANGE(id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE orderFqdnSets DROP FOREIGN KEY IF EXISTS orderFqdnSets_orderID_orders;
+ALTER TABLE orderFqdnSets DROP FOREIGN KEY IF EXISTS orderFqdnSets_registrationID_registrations;
+ALTER TABLE orderFqdnSets PARTITION BY RANGE (id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE orderToAuthz2 PARTITION BY RANGE COLUMNS(orderID, authzID) (
+    PARTITION p_start VALUES LESS THAN (MAXVALUE, MAXVALUE));
+
+-- Must be before orders, to remove the foreign key before partitioning orders.
+ALTER TABLE requestedNames DROP FOREIGN KEY IF EXISTS orderID_orders;
+ALTER TABLE requestedNames PARTITION BY RANGE (id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE orders PARTITION BY RANGE (id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+ALTER TABLE precertificates DROP FOREIGN KEY IF EXISTS regId_precertificates;
+ALTER TABLE precertificates DROP INDEX IF EXISTS serial, ADD INDEX serial (serial);
+ALTER TABLE precertificates PARTITION BY RANGE(id) (
+    PARTITION p_start VALUES LESS THAN MAXVALUE);
+
+-- +goose Down
+-- SQL section 'Down' is executed when this migration is rolled back
+
+ALTER TABLE authz2 REMOVE PARTITIONING;
+ALTER TABLE certificates REMOVE PARTITIONING;
+ALTER TABLE fqdnSets REMOVE PARTITIONING;
+ALTER TABLE issuedNames REMOVE PARTITIONING;
+ALTER TABLE orderFqdnSets REMOVE PARTITIONING;
+ALTER TABLE orderToAuthz2 REMOVE PARTITIONING;
+ALTER TABLE orders REMOVE PARTITIONING;
+ALTER TABLE precertificates REMOVE PARTITIONING;
+ALTER TABLE requestedNames REMOVE PARTITIONING;

sa/precertificates.go

@@ -36,6 +36,9 @@ func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSeri
 }
 
 // AddPrecertificate writes a record of a precertificate generation to the DB.
+// Note: this is not idempotent: it does not protect against inserting the same
+// certificate multiple times. Calling code needs to first insert the cert's
+// serial into the Serials table to ensure uniqueness.
 func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error) {
 	if core.IsAnyNilOrZero(req.Der, req.Issued, req.RegID, req.IssuerID) {
 		return nil, errIncompleteRequest
@@ -57,9 +60,6 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
 
 	_, overallError := db.WithTransaction(ctx, ssa.dbMap, func(txWithCtx db.Executor) (interface{}, error) {
 		if err := txWithCtx.Insert(preCertModel); err != nil {
-			if db.IsDuplicate(err) {
-				return nil, berrors.DuplicateError("cannot add a duplicate precertificate")
-			}
 			return nil, err
 		}
 

sa/precertificates_test.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/letsencrypt/boulder/db"
-	berrors "github.com/letsencrypt/boulder/errors"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 	"github.com/letsencrypt/boulder/sa/satest"
 	"github.com/letsencrypt/boulder/test"
@@ -83,18 +82,6 @@ func TestAddPrecertificate(t *testing.T) {
 			// AddCertificate not AddPrecertificate will be updating this table.
 			test.AssertEquals(t, db.IsNoRows(err), true)
 		}
-
-		// Adding the same certificate with the same serial should result in an
-		// error
-		_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
-			Der:      testCert.Raw,
-			RegID:    regID,
-			Ocsp:     ocspResp,
-			Issued:   issuedTime.UnixNano(),
-			IssuerID: 1,
-		})
-		test.AssertError(t, err, "Expected error inserting duplicate precertificate")
-		test.AssertErrorIs(t, err, berrors.Duplicate)
 	}
 
 	addPrecert(true)

sa/sa_test.go

@@ -1689,37 +1689,6 @@ func TestAddCertificateRenewalBit(t *testing.T) {
 	}
 }
 
-func TestAddCertificateBadRatelimitUpdate(t *testing.T) {
-	sa, _, cleanUp := initSA(t)
-	defer cleanUp()
-
-	reg := satest.CreateWorkingRegistration(t, sa)
-	issued := sa.clk.Now()
-	serial, cert := test.ThrowAwayCert(t, 1)
-
-	// Manually add an fqdn set for the certificate serial. This will cause the
-	// real fqdn set update in AddCertificate to fail due to the duplicate serial.
-	err := addFQDNSet(
-		sa.dbMap,
-		cert.DNSNames,
-		serial,
-		cert.NotBefore,
-		cert.NotAfter)
-	test.AssertNotError(t, err, "Couldn't manually add fqdnSet")
-
-	// Add the test certificate, it shouldn't error even though part of the rate
-	// limit updates failed.
-	_, err = sa.AddCertificate(ctx, cert.Raw, reg.ID, nil, &issued)
-	test.AssertNotError(t, err, "Couldn't add testCert")
-
-	// The rate limit transaction failure stat should have been incremented
-	test.AssertEquals(t, test.CountCounter(sa.rateLimitWriteErrors), 1)
-
-	// The rate limit transaction failure should have been audit logged
-	logLines := log.GetAllMatching(`ERR: \[AUDIT\] failed AddCertificate ratelimit update transaction: failed to insert \*core.FQDNSet: Error 1062: Duplicate entry '.*' for key 'serial'`)
-	test.AssertEquals(t, len(logLines), 1)
-}
-
 func TestCountCertificatesRenewalBit(t *testing.T) {
 	sa, fc, cleanUp := initSA(t)
 	defer cleanUp()