From 5e68cbe552b90c8e0f1d92eeca8459fe52ea0599 Mon Sep 17 00:00:00 2001
From: Samantha
Date: Mon, 18 Mar 2024 12:22:01 -0400
Subject: [PATCH] WFE: Gate ARI limit exemption and replacement tracking on a feature flag (#7383)

Gate checking of replacement orders and exemption for ARI replacements on the `TrackReplacementCertificatesARI` feature flag.
---
 sa/sa.go | 2 +-
 test/config-next/wfe2.json | 3 ++-
 wfe2/wfe.go | 12 ++++++++----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/sa/sa.go b/sa/sa.go
index 17d729e7351..e5f38b805b6 100644
--- a/sa/sa.go
+++ b/sa/sa.go
@@ -567,7 +567,7 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 BeganProcessing: false,
 }
 
- if features.Get().TrackReplacementCertificatesARI && req.NewOrder.ReplacesSerial != "" {
+ if req.NewOrder.ReplacesSerial != "" {
 // Update the replacementOrders table to indicate that this order
 // replaces the provided certificate serial.
 err := addReplacementOrder(ctx, tx, req.NewOrder.ReplacesSerial, order.ID, order.Expires)
diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json
index fbf2bb7db4f..9083325938c 100644
--- a/test/config-next/wfe2.json
+++ b/test/config-next/wfe2.json
@@ -127,7 +127,8 @@
 "Overrides": "test/config-next/wfe2-ratelimit-overrides.yml"
 },
 "features": {
- "ServeRenewalInfo": true
+ "ServeRenewalInfo": true,
+ "TrackReplacementCertificatesARI": true
 }
 },
 "syslog": {
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 9a97138b272..559f094bb92 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
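Review bot: In the sa/sa.go hunk, `NewOrderAndAuthzs` now writes to replacementOrders for any non-empty `req.NewOrder.ReplacesSerial`, so the feature gate for this write lives only in the caller. The lines removed from wfe2/wfe.go show that the earlier WFE validated `replaces` unconditionally; if such a WFE runs against this SA (this depends on deploy order and is not visible here), replacement rows could presumably be recorded while the flag is off. A comment at the condition would make the contract explicit, for example `// Gated upstream: the WFE only sets ReplacesSerial when TrackReplacementCertificatesARI is enabled.` The function body starts and ends outside the hunk.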
@@ -2316,10 +2316,14 @@ func (wfe *WebFrontEndImpl) NewOrder(
 
 logEvent.DNSNames = names
 
- replaces, limitsExempt, err := wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
- if err != nil {
- wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
- return
+ var replaces string
+ var limitsExempt bool
+ if features.Get().TrackReplacementCertificatesARI {
+ replaces, limitsExempt, err = wfe.validateReplacementOrder(ctx, acct, names, newOrderRequest.Replaces)
+ if err != nil {
+ wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While validating order as a replacement an error occurred"), err)
+ return
+ }
 }
 
 // TODO(#5545): Spending and Refunding can be async until these rate limits
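Review bot: Nothing in this commit pins the flag-off path in `NewOrder`, where a client-supplied `newOrderRequest.Replaces` is dropped silently and `replaces` stays empty with `limitsExempt` false. That is the safe default for the rate-limit exemption, but the diffstat lists no test file. A unit test that submits `replaces` with `TrackReplacementCertificatesARI` disabled and asserts no exemption and no replacement would guard against a regression. A short comment above the new `if` would also help: `// When disabled, any client-supplied "replaces" value is ignored and normal rate limits apply.` The assignment uses `err =`, so it relies on `err` being declared earlier in NewOrder, outside this hunk.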