use our own boulder rate limit file (#9889)

* use our own rate limit file * clarify path
certbot · Feb 8, 2024 · 8b5a017 · 8b5a017
1 parent b7ef536
commit 8b5a017
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 3 deletions.
diff --git a/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml b/certbot-ci/certbot_integration_tests/assets/boulder-rate-limit-policies.yml
@@ -0,0 +1,55 @@
+# See https://github.com/letsencrypt/boulder/blob/main/cmd/shell.go for
+# definitions of these rate limits.
+certificatesPerName:
+  window: 2160h
+  threshold: 99
+  overrides:
+    ratelimit.me: 1
+    lim.it: 0
+    # Hostnames used by the letsencrypt client integration test.
+    le.wtf: 9999
+    le1.wtf: 9999
+    le2.wtf: 9999
+    le3.wtf: 9999
+    le4.wtf: 9999
+    nginx.wtf: 9999
+    good-caa-reserved.com: 9999
+    bad-caa-reserved.com: 9999
+    ecdsa.le.wtf: 9999
+    must-staple.le.wtf: 9999
+  registrationOverrides:
+    101: 1000
+registrationsPerIP:
+  window: 168h # 1 week
+  threshold: 9999
+  overrides:
+    127.0.0.1: 999990
+registrationsPerIPRange:
+  window: 168h # 1 week
+  threshold: 99999
+  overrides:
+    127.0.0.1: 1000000
+pendingAuthorizationsPerAccount:
+  window: 168h # 1 week, should match pending authorization lifetime.
+  threshold: 999
+newOrdersPerAccount:
+  window: 3h
+  threshold: 9999
+certificatesPerFQDNSet:
+  window: 168h
+  threshold: 99999
+  overrides:
+    le.wtf: 9999
+    le1.wtf: 9999
+    le2.wtf: 9999
+    le3.wtf: 9999
+    le.wtf,le1.wtf: 9999
+    good-caa-reserved.com: 9999
+    nginx.wtf: 9999
+    ecdsa.le.wtf: 9999
+    must-staple.le.wtf: 9999
+certificatesPerFQDNSetFast:
+  window: 2h
+  threshold: 20
+  overrides:
+    le.wtf: 9
diff --git a/certbot-ci/certbot_integration_tests/utils/acme_server.py b/certbot-ci/certbot_integration_tests/utils/acme_server.py
@@ -29,6 +29,11 @@
 from certbot_integration_tests.utils import proxy
 from certbot_integration_tests.utils.constants import *
 
+if sys.version_info >= (3, 9):  # pragma: no cover
+    import importlib.resources as importlib_resources
+else:  # pragma: no cover
+    import importlib_resources
+
 
 class ACMEServer:
     """
@@ -185,8 +190,10 @@ def _prepare_boulder_server(self) -> None:
         process.wait(MAX_SUBPROCESS_WAIT)
 
         # Allow Boulder to ignore usual limit rate policies, useful for tests.
-        os.rename(join(instance_path, 'test/rate-limit-policies-b.yml'),
-                  join(instance_path, 'test/rate-limit-policies.yml'))
+        ref = importlib_resources.files("certbot_integration_tests")
+        ref = ref / "assets" / "boulder-rate-limit-policies.yml"
+        with importlib_resources.as_file(ref) as path:
+            shutil.copyfile(path, join(instance_path, 'test/rate-limit-policies.yml'))
 
         if self._dns_server:
             # Change Boulder config to use the provided DNS server
@@ -215,7 +222,7 @@ def _prepare_boulder_server(self) -> None:
             # Wait for the ACME CA server to be up.
             print('=> Waiting for boulder instance to respond...')
             misc.check_until_timeout(
-                self.acme_xdist['directory_url'], attempts=300)
+                self.acme_xdist['directory_url'], attempts=480)
 
             if not self._dns_server:
                 # Configure challtestsrv to answer any A record request with ip of the docker host.