Rename old submission flags and rate limiters

phbnf · phbnf · commit 6dbb2e2080d7 · 2025-09-29T15:16:42.000Z
diff --git a/cmd/tesseract/README.md b/cmd/tesseract/README.md
@@ -54,7 +54,7 @@ means no upper bound on the accepted range. RFC3339 UTC format, e.g:
 signing algorithms. This flag is a temporary solution to allow chains submitted
 by Chrome's Merge Delay Monitor Root. It will eventually be removed and chains
 using such algorithms will be rejected.
-- `limit_old_submissions`: This optional flag can be set define a limit on how
+- `rate_limit_old_not_before`: This optional flag can be set define a limit on how
 many "old" certificates and precertificates will be accepted per second.
 The flag value should be of the form `<age>:<limit>`, where `<limit>` is a
 per-second rate limit, and `<age>` defines how old a given submission's
diff --git a/cmd/tesseract/aws/main.go b/cmd/tesseract/aws/main.go
@@ -70,7 +70,7 @@ var (
 	rejectExtensions         = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
 	acceptSHA1               = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")
 	enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
-	limitOldCerts            = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+	notBeforeRL              = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 
 	// Performance flags
 	httpDeadline              = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
@@ -140,8 +140,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
 	}
 
 	hOpts := tesseract.LogHandlerOpts{
-		OldSubmissionLimit: rateLimitFromFlags(),
-		DedupRL:            dedupRL,
+		NotBeforeRL: notBeforeRLFromFlags(),
+		DedupRL:     dedupRL,
 	}
 	logHandler, err := tesseract.NewLogHandler(ctx, *origin, signer, chainValidationConfig, newAWSStorage, *httpDeadline, *maskInternalErrors, *pathPrefix, hOpts)
 	if err != nil {
@@ -362,21 +362,21 @@ func antispamMySQLConfig() *mysql.Config {
 	}
 }
 
-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {
-	if *limitOldCerts == "" {
+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {
+	if *notBeforeRL == "" {
 		return nil
 	}
-	bits := strings.Split(*limitOldCerts, ":")
+	bits := strings.Split(*notBeforeRL, ":")
 	if len(bits) != 2 {
-		klog.Exitf("Invalid format for --limit_old_submissions flag")
+		klog.Exitf("Invalid format for --rate_limit_old_not_before flag")
 	}
 	a, err := time.ParseDuration(bits[0])
 	if err != nil {
-		klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)
+		klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)
 	}
 	l, err := strconv.ParseFloat(bits[1], 64)
 	if err != nil {
-		klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)
+		klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)
 	}
-	return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}
+	return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}
 }
diff --git a/cmd/tesseract/gcp/main.go b/cmd/tesseract/gcp/main.go
@@ -71,7 +71,7 @@ var (
 	acceptSHA1               = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")
 	enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
 	witnessPolicyFile        = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format described at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")
-	limitOldCerts            = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+	notBeforeRL              = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 
 	// Performance flags
 	httpDeadline              = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
@@ -127,8 +127,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
 	}
 
 	hOpts := tesseract.LogHandlerOpts{
-		OldSubmissionLimit: rateLimitFromFlags(),
-		DedupRL:            dedupRL,
+		NotBeforeRL: notBeforeRLFromFlags(),
+		DedupRL:     dedupRL,
 	}
 	logHandler, err := tesseract.NewLogHandler(ctx, *origin, signer, chainValidationConfig, newGCPStorage, *httpDeadline, *maskInternalErrors, *pathPrefix, hOpts)
 	if err != nil {
@@ -314,21 +314,21 @@ func (t *timestampFlag) Set(w string) error {
 	return nil
 }
 
-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {
-	if *limitOldCerts == "" {
+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {
+	if *notBeforeRL == "" {
 		return nil
 	}
-	bits := strings.Split(*limitOldCerts, ":")
+	bits := strings.Split(*notBeforeRL, ":")
 	if len(bits) != 2 {
-		klog.Exitf("Invalid format for --limit_old_submissions flag")
+		klog.Exitf("Invalid format for --rate_limit_old_not_before flag")
 	}
 	a, err := time.ParseDuration(bits[0])
 	if err != nil {
-		klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)
+		klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)
 	}
 	l, err := strconv.ParseFloat(bits[1], 64)
 	if err != nil {
-		klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)
+		klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)
 	}
-	return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}
+	return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}
 }
diff --git a/cmd/tesseract/posix/main.go b/cmd/tesseract/posix/main.go
@@ -74,7 +74,7 @@ var (
 	acceptSHA1               = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")
 	enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")
 	witnessPolicyFile        = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format describe at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")
-	limitOldCerts            = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
+	notBeforeRL              = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")
 
 	// Performance flags
 	httpDeadline              = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
@@ -120,8 +120,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
 	}
 
 	hOpts := tesseract.LogHandlerOpts{
-		OldSubmissionLimit: rateLimitFromFlags(),
-		DedupRL:            dedupRL,
+		NotBeforeRL: notBeforeRLFromFlags(),
+		DedupRL:     dedupRL,
 	}
 	logHandler, err := tesseract.NewLogHandler(ctx, *origin, signer, chainValidationConfig, newStorage, *httpDeadline, *maskInternalErrors, *pathPrefix, hOpts)
 	if err != nil {
@@ -338,21 +338,21 @@ func (ms *multiStringFlag) Set(w string) error {
 	return nil
 }
 
-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {
-	if *limitOldCerts == "" {
+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {
+	if *notBeforeRL == "" {
 		return nil
 	}
-	bits := strings.Split(*limitOldCerts, ":")
+	bits := strings.Split(*notBeforeRL, ":")
 	if len(bits) != 2 {
-		klog.Exitf("Invalid format for --limit_old_submissions flag")
+		klog.Exitf("Invalid format for --rate_limit_old_not_before flag")
 	}
 	a, err := time.ParseDuration(bits[0])
 	if err != nil {
-		klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)
+		klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)
 	}
 	l, err := strconv.ParseFloat(bits[1], 64)
 	if err != nil {
-		klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)
+		klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)
 	}
-	return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}
+	return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}
 }
diff --git a/ctlog.go b/ctlog.go
@@ -124,14 +124,14 @@ func newChainValidator(cfg ChainValidationConfig) (ct.ChainValidator, error) {
 }
 
 // OldSubmissionOpts
-type OldSubmissionLimit struct {
+type NotBeforeRL struct {
 	AgeThreshold time.Duration
 	RateLimit    float64
 }
 
 type LogHandlerOpts struct {
-	OldSubmissionLimit *OldSubmissionLimit
-	DedupRL            float64
+	NotBeforeRL *NotBeforeRL
+	DedupRL     float64
 }
 
 // NewLogHandler creates a Tessera based CT log pluged into HTTP handlers.
@@ -160,8 +160,8 @@ func NewLogHandler(ctx context.Context, origin string, signer crypto.Signer, cfg
 		TimeSource:         sysTimeSource,
 		PathPrefix:         pathPrefix,
 	}
-	if opts.OldSubmissionLimit != nil {
-		ctOpts.RateLimits.OldSubmission(opts.OldSubmissionLimit.AgeThreshold, opts.OldSubmissionLimit.RateLimit)
+	if opts.NotBeforeRL != nil {
+		ctOpts.RateLimits.NotBefore(opts.NotBeforeRL.AgeThreshold, opts.NotBeforeRL.RateLimit)
 	}
 	if opts.DedupRL >= 0 {
 		ctOpts.RateLimits.Dedup(opts.DedupRL)
diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl
@@ -14,7 +14,7 @@ locals {
   trace_fraction                = 0.1
   create_internal_load_balancer = true
   public_bucket                 = true
-  limit_old_submissions         = "28h:150"
+  rate_limit_old_not_before         = "28h:150"
 }
 
 include "root" {
diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl
@@ -15,7 +15,7 @@ locals {
   create_internal_load_balancer = true
   public_bucket                 = true
   machine_type                  = "n2-standard-8"
-  limit_old_submissions         = "28h:150"
+  rate_limit_old_not_before         = "28h:150"
 }
 
 include "root" {
diff --git a/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/logs/arche2026h1/terragrunt.hcl
@@ -14,7 +14,7 @@ locals {
   trace_fraction                = 0.1
   create_internal_load_balancer = true
   public_bucket                 = true
-  limit_old_submissions         = "28h:150"
+  rate_limit_old_not_before         = "28h:150"
 }
 
 include "root" {
diff --git a/deployment/modules/gcp/gce/tesseract/main.tf b/deployment/modules/gcp/gce/tesseract/main.tf
@@ -40,7 +40,7 @@ module "gce_container_tesseract" {
       "--batch_max_age=${var.batch_max_age}",
       "--enable_publication_awaiter=${var.enable_publication_awaiter}",
       "--accept_sha1_signing_algorithms=true",
-      "--limit_old_submissions=${var.limit_old_submissions}",
+      "--rate_limit_old_not_before=${var.rate_limit_old_not_before}",
       "--rate_limit_dedup=${var.rate_limit_dedup}"
     ]
     tty : true # maybe remove this
diff --git a/deployment/modules/gcp/gce/tesseract/variables.tf b/deployment/modules/gcp/gce/tesseract/variables.tf
@@ -100,8 +100,8 @@ variable "enable_publication_awaiter" {
   default     = true
 }
 
-variable "limit_old_submissions" {
-  description = "Set to configure rate limiting for old submissions. See --limit_old_submissions flag for format."
+variable "rate_limit_old_not_before" {
+  description = "Set to configure rate limiting for old submissions. See --rate_limit_old_not_before flag for format."
   type        = string
   default     = ""
 }
diff --git a/deployment/modules/gcp/tesseract/gce/main.tf b/deployment/modules/gcp/tesseract/gce/main.tf
@@ -41,7 +41,7 @@ module "gce" {
   batch_max_age                  = var.batch_max_age
   batch_max_size                 = var.batch_max_size
   enable_publication_awaiter     = var.enable_publication_awaiter
-  limit_old_submissions          = var.limit_old_submissions
+  rate_limit_old_not_before      = var.rate_limit_old_not_before
   rate_limit_dedup               = var.rate_limit_dedup
 
   depends_on = [
diff --git a/deployment/modules/gcp/tesseract/gce/variables.tf b/deployment/modules/gcp/tesseract/gce/variables.tf
@@ -99,8 +99,8 @@ variable "public_bucket" {
   default     = false
 }
 
-variable "limit_old_submissions" {
-  description = "Set to configure rate limiting for old submissions. See --limit_old_submissions flag for format."
+variable "rate_limit_old_not_before" {
+  description = "Set to configure rate limiting for old submissions. See --rate_limit_old_not_before flag for format."
   type        = string
   default     = ""
 }
diff --git a/internal/ct/handlers.go b/internal/ct/handlers.go
@@ -192,17 +192,17 @@ func (a appHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // RateLimits knows how to apply configurable rate limits to submissions.
 type RateLimits struct {
-	oldAge     time.Duration
-	oldLimiter *rate.Limiter
-	dedup      *rate.Limiter
+	notBeforeLimit time.Duration
+	notBefore      *rate.Limiter
+	dedup          *rate.Limiter
 }
 
 // NotBefore configures a rate limit on old certs.
 //
 // Submissions whose notBefore date is at least as old as age will be subject to the specified number of entries per second.
-func (r *RateLimits) OldSubmission(age time.Duration, limit float64) {
-	r.oldAge = age
-	r.oldLimiter = rate.NewLimiter(rate.Limit(limit), int(math.Ceil(limit)))
+func (r *RateLimits) NotBefore(age time.Duration, limit float64) {
+	r.notBeforeLimit = age
+	r.notBefore = rate.NewLimiter(rate.Limit(limit), int(math.Ceil(limit)))
 	klog.Infof("Configured OldSubmission limiter with %0.2f qps for certs aged >= %s", limit, age)
 }
 
@@ -214,14 +214,14 @@ func (r *RateLimits) Dedup(limit float64) {
 	klog.Infof("Configured DedupInFlight limiter with %0.2f qps", limit)
 }
 
-// Accept returns true if the provided chain should be accepted, and false otherwise.
-func (r *RateLimits) Accept(ctx context.Context, chain []*x509.Certificate) bool {
+// AcceptNotBefore returns true if the provided chain should be accepted, and false otherwise.
+func (r *RateLimits) AcceptNotBefore(ctx context.Context, chain []*x509.Certificate) bool {
 	if len(chain) == 0 {
 		return false
 	}
-	if r.oldLimiter != nil {
-		if age := time.Since(chain[0].NotBefore); age >= r.oldAge {
-			if r.oldLimiter.Allow() {
+	if r.notBefore != nil {
+		if age := time.Since(chain[0].NotBefore); age >= r.notBeforeLimit {
+			if r.notBefore.Allow() {
 				return true
 			}
 			rateLimitedRequests.Add(ctx, 1, metric.WithAttributes(rateLimitReasonKey.String("old_cert")))
@@ -340,7 +340,7 @@ func addChainInternal(ctx context.Context, opts *HandlerOptions, log *log, w htt
 		return http.StatusBadRequest, nil, fmt.Errorf("failed to parse add-chain contents: %s", err)
 	}
 
-	if ok := opts.RateLimits.Accept(ctx, chain); !ok {
+	if ok := opts.RateLimits.AcceptNotBefore(ctx, chain); !ok {
 		opts.RequestLog.addCertToChain(ctx, chain[0])
 		w.Header().Add("Retry-After", strconv.Itoa(rand.IntN(5)+1)) // random retry within [1,6) seconds
 		return http.StatusTooManyRequests, []attribute.KeyValue{tooManyRequestsReasonKey.String("rate_limit_old_cert")}, errors.New(http.StatusText(http.StatusTooManyRequests))
diff --git a/internal/ct/handlers_test.go b/internal/ct/handlers_test.go
@@ -855,8 +855,8 @@ func TestRateLimiter(t *testing.T) {
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			r := RateLimits{}
-			r.OldSubmission(test.age, test.rate)
-			if got := r.Accept(t.Context(), chain); got != test.wantAccept {
+			r.NotBefore(test.age, test.rate)
+			if got := r.AcceptNotBefore(t.Context(), chain); got != test.wantAccept {
 				t.Fatalf("Got %t want %t", got, test.wantAccept)
 			}
 		})

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ var (`
`70`	`70`	`rejectExtensions = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")`
`71`	`71`	`acceptSHA1 = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")`
`72`	`72`	`enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")`
`73`		`- limitOldCerts = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
	`73`	`+ notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
`74`	`74`
`75`	`75`	`// Performance flags`
`76`	`76`	`httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")`
@@ -140,8 +140,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`hOpts := tesseract.LogHandlerOpts{`
`143`		`- OldSubmissionLimit: rateLimitFromFlags(),`
`144`		`- DedupRL: dedupRL,`
	`143`	`+ NotBeforeRL: notBeforeRLFromFlags(),`
	`144`	`+ DedupRL: dedupRL,`
`145`	`145`	`}`
`146`	`146`	`logHandler, err := tesseract.NewLogHandler(ctx, origin, signer, chainValidationConfig, newAWSStorage, httpDeadline, maskInternalErrors, pathPrefix, hOpts)`
`147`	`147`	`if err != nil {`
`@@ -362,21 +362,21 @@ func antispamMySQLConfig() *mysql.Config {`
`362`	`362`	`}`
`363`	`363`	`}`
`364`	`364`
`365`		`-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {`
`366`		`- if *limitOldCerts == "" {`
	`365`	`+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {`
	`366`	`+ if *notBeforeRL == "" {`
`367`	`367`	`return nil`
`368`	`368`	`}`
`369`		`- bits := strings.Split(*limitOldCerts, ":")`
	`369`	`+ bits := strings.Split(*notBeforeRL, ":")`
`370`	`370`	`if len(bits) != 2 {`
`371`		`- klog.Exitf("Invalid format for --limit_old_submissions flag")`
	`371`	`+ klog.Exitf("Invalid format for --rate_limit_old_not_before flag")`
`372`	`372`	`}`
`373`	`373`	`a, err := time.ParseDuration(bits[0])`
`374`	`374`	`if err != nil {`
`375`		`- klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)`
	`375`	`+ klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)`
`376`	`376`	`}`
`377`	`377`	`l, err := strconv.ParseFloat(bits[1], 64)`
`378`	`378`	`if err != nil {`
`379`		`- klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)`
	`379`	`+ klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)`
`380`	`380`	`}`
`381`		`- return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}`
	`381`	`+ return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}`
`382`	`382`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ var (`
`71`	`71`	`acceptSHA1 = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")`
`72`	`72`	`enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")`
`73`	`73`	`witnessPolicyFile = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format described at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")`
`74`		`- limitOldCerts = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
	`74`	`+ notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
`75`	`75`
`76`	`76`	`// Performance flags`
`77`	`77`	`httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")`
@@ -127,8 +127,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`hOpts := tesseract.LogHandlerOpts{`
`130`		`- OldSubmissionLimit: rateLimitFromFlags(),`
`131`		`- DedupRL: dedupRL,`
	`130`	`+ NotBeforeRL: notBeforeRLFromFlags(),`
	`131`	`+ DedupRL: dedupRL,`
`132`	`132`	`}`
`133`	`133`	`logHandler, err := tesseract.NewLogHandler(ctx, origin, signer, chainValidationConfig, newGCPStorage, httpDeadline, maskInternalErrors, pathPrefix, hOpts)`
`134`	`134`	`if err != nil {`
`@@ -314,21 +314,21 @@ func (t *timestampFlag) Set(w string) error {`
`314`	`314`	`return nil`
`315`	`315`	`}`
`316`	`316`
`317`		`-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {`
`318`		`- if *limitOldCerts == "" {`
	`317`	`+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {`
	`318`	`+ if *notBeforeRL == "" {`
`319`	`319`	`return nil`
`320`	`320`	`}`
`321`		`- bits := strings.Split(*limitOldCerts, ":")`
	`321`	`+ bits := strings.Split(*notBeforeRL, ":")`
`322`	`322`	`if len(bits) != 2 {`
`323`		`- klog.Exitf("Invalid format for --limit_old_submissions flag")`
	`323`	`+ klog.Exitf("Invalid format for --rate_limit_old_not_before flag")`
`324`	`324`	`}`
`325`	`325`	`a, err := time.ParseDuration(bits[0])`
`326`	`326`	`if err != nil {`
`327`		`- klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)`
	`327`	`+ klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)`
`328`	`328`	`}`
`329`	`329`	`l, err := strconv.ParseFloat(bits[1], 64)`
`330`	`330`	`if err != nil {`
`331`		`- klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)`
	`331`	`+ klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)`
`332`	`332`	`}`
`333`		`- return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}`
	`333`	`+ return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}`
`334`	`334`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ var (`
`74`	`74`	`acceptSHA1 = flag.Bool("accept_sha1_signing_algorithms", true, "If true, accept chains that use SHA-1 based signing algorithms. This flag will eventually be removed, and such algorithms will be rejected.")`
`75`	`75`	`enablePublicationAwaiter = flag.Bool("enable_publication_awaiter", true, "If true then the certificate is integrated into log before returning the response.")`
`76`	`76`	`witnessPolicyFile = flag.String("witness_policy_file", "", "(Optional) Path to the file containing the witness policy in the format describe at https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/doc/policy.md")`
`77`		`- limitOldCerts = flag.String("limit_old_submissions", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
	`77`	`+ notBeforeRL = flag.String("rate_limit_old_not_before", "", "Optionally rate limits submissions with old notBefore dates. Expects a value of with the format: \"<go duration>:<rate limit>\", e.g. \"30d:50\" would impose a limit of 50 certs/s on submissions whose notBefore date is >= 30days old.")`
`78`	`78`
`79`	`79`	`// Performance flags`
`80`	`80`	`httpDeadline = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")`
@@ -120,8 +120,8 @@ eventually go away. See /internal/lax509/README.md for more information.`)
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`hOpts := tesseract.LogHandlerOpts{`
`123`		`- OldSubmissionLimit: rateLimitFromFlags(),`
`124`		`- DedupRL: dedupRL,`
	`123`	`+ NotBeforeRL: notBeforeRLFromFlags(),`
	`124`	`+ DedupRL: dedupRL,`
`125`	`125`	`}`
`126`	`126`	`logHandler, err := tesseract.NewLogHandler(ctx, origin, signer, chainValidationConfig, newStorage, httpDeadline, maskInternalErrors, pathPrefix, hOpts)`
`127`	`127`	`if err != nil {`
`@@ -338,21 +338,21 @@ func (ms *multiStringFlag) Set(w string) error {`
`338`	`338`	`return nil`
`339`	`339`	`}`
`340`	`340`
`341`		`-func rateLimitFromFlags() *tesseract.OldSubmissionLimit {`
`342`		`- if *limitOldCerts == "" {`
	`341`	`+func notBeforeRLFromFlags() *tesseract.NotBeforeRL {`
	`342`	`+ if *notBeforeRL == "" {`
`343`	`343`	`return nil`
`344`	`344`	`}`
`345`		`- bits := strings.Split(*limitOldCerts, ":")`
	`345`	`+ bits := strings.Split(*notBeforeRL, ":")`
`346`	`346`	`if len(bits) != 2 {`
`347`		`- klog.Exitf("Invalid format for --limit_old_submissions flag")`
	`347`	`+ klog.Exitf("Invalid format for --rate_limit_old_not_before flag")`
`348`	`348`	`}`
`349`	`349`	`a, err := time.ParseDuration(bits[0])`
`350`	`350`	`if err != nil {`
`351`		`- klog.Exitf("Invalid age passed to --limit_old_submissions flag %q: %v", bits[0], err)`
	`351`	`+ klog.Exitf("Invalid age passed to --rate_limit_old_not_before flag %q: %v", bits[0], err)`
`352`	`352`	`}`
`353`	`353`	`l, err := strconv.ParseFloat(bits[1], 64)`
`354`	`354`	`if err != nil {`
`355`		`- klog.Exitf("Invalid rate limit passed to --limit_old_submissions %q: %v", bits[1], err)`
	`355`	`+ klog.Exitf("Invalid rate limit passed to --rate_limit_old_not_before %q: %v", bits[1], err)`
`356`	`356`	`}`
`357`		`- return &tesseract.OldSubmissionLimit{AgeThreshold: a, RateLimit: l}`
	`357`	`+ return &tesseract.NotBeforeRL{AgeThreshold: a, RateLimit: l}`
`358`	`358`	`}`
Original file line number	Diff line number	Diff line change
`@@ -124,14 +124,14 @@ func newChainValidator(cfg ChainValidationConfig) (ct.ChainValidator, error) {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`// OldSubmissionOpts`
`127`		`-type OldSubmissionLimit struct {`
	`127`	`+type NotBeforeRL struct {`
`128`	`128`	`AgeThreshold time.Duration`
`129`	`129`	`RateLimit float64`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`type LogHandlerOpts struct {`
`133`		`- OldSubmissionLimit *OldSubmissionLimit`
`134`		`- DedupRL float64`
	`133`	`+ NotBeforeRL *NotBeforeRL`
	`134`	`+ DedupRL float64`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`// NewLogHandler creates a Tessera based CT log pluged into HTTP handlers.`
`@@ -160,8 +160,8 @@ func NewLogHandler(ctx context.Context, origin string, signer crypto.Signer, cfg`
`160`	`160`	`TimeSource: sysTimeSource,`
`161`	`161`	`PathPrefix: pathPrefix,`
`162`	`162`	`}`
`163`		`- if opts.OldSubmissionLimit != nil {`
`164`		`- ctOpts.RateLimits.OldSubmission(opts.OldSubmissionLimit.AgeThreshold, opts.OldSubmissionLimit.RateLimit)`
	`163`	`+ if opts.NotBeforeRL != nil {`
	`164`	`+ ctOpts.RateLimits.NotBefore(opts.NotBeforeRL.AgeThreshold, opts.NotBeforeRL.RateLimit)`
`165`	`165`	`}`
`166`	`166`	`if opts.DedupRL >= 0 {`
`167`	`167`	`ctOpts.RateLimits.Dedup(opts.DedupRL)`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ locals {`
`14`	`14`	`trace_fraction = 0.1`
`15`	`15`	`create_internal_load_balancer = true`
`16`	`16`	`public_bucket = true`
`17`		`- limit_old_submissions = "28h:150"`
	`17`	`+ rate_limit_old_not_before = "28h:150"`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`include "root" {`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ locals {`
`15`	`15`	`create_internal_load_balancer = true`
`16`	`16`	`public_bucket = true`
`17`	`17`	`machine_type = "n2-standard-8"`
`18`		`- limit_old_submissions = "28h:150"`
	`18`	`+ rate_limit_old_not_before = "28h:150"`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`include "root" {`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module "gce_container_tesseract" {`
`40`	`40`	`"--batch_max_age=${var.batch_max_age}",`
`41`	`41`	`"--enable_publication_awaiter=${var.enable_publication_awaiter}",`
`42`	`42`	`"--accept_sha1_signing_algorithms=true",`
`43`		`- "--limit_old_submissions=${var.limit_old_submissions}",`
	`43`	`+ "--rate_limit_old_not_before=${var.rate_limit_old_not_before}",`
`44`	`44`	`"--rate_limit_dedup=${var.rate_limit_dedup}"`
`45`	`45`	`]`
`46`	`46`	`tty : true # maybe remove this`
Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,8 @@ variable "enable_publication_awaiter" {`
`100`	`100`	`default = true`
`101`	`101`	`}`
`102`	`102`
`103`		`-variable "limit_old_submissions" {`
`104`		`- description = "Set to configure rate limiting for old submissions. See --limit_old_submissions flag for format."`
	`103`	`+variable "rate_limit_old_not_before" {`
	`104`	`+ description = "Set to configure rate limiting for old submissions. See --rate_limit_old_not_before flag for format."`
`105`	`105`	`type = string`
`106`	`106`	`default = ""`
`107`	`107`	`}`