sa: deprecate two feature flags (#8580)

StoreAuthzsInOrders and StoreARIReplacesInOrders have been deployed in
prod.

Also, ensure both flags are set in `config/sa.json`, and neither is set
in `config-next/sa.json`.

This removes all reads of the `orderToAuthz2` table, which will make it
possible to drop the table.

Author: jsha

db/map_test.go

@@ -162,10 +162,6 @@ func TestTableFromQuery(t *testing.T) {
 			query:         "insert into `orders` (`ID`,`RegistrationID`,`Expires`,`Created`,`Error`,`CertificateSerial`,`BeganProcessing`) values (null,?,?,?,?,?,?)",
 			expectedTable: "`orders`",
 		},
-		{
-			query:         "insert into `orderToAuthz2` (`OrderID`,`AuthzID`) values (?,?);",
-			expectedTable: "`orderToAuthz2`",
-		},
 		{
 			query:         "UPDATE authz2 SET status = :status, attempted = :attempted, validationRecord = :validationRecord, validationError = :validationError, expires = :expires WHERE id = :id AND status = :pending",
 			expectedTable: "authz2",

features/features.go

@@ -29,6 +29,8 @@ type Config struct {
 	DOH                         bool
 	IgnoreAccountContacts       bool
 	NoPendingAuthzReuse         bool
+	StoreAuthzsInOrders         bool
+	StoreARIReplacesInOrders    bool
 
 	// ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
 	// GET requests. WARNING: This feature is a draft and highly unstable.
@@ -72,20 +74,11 @@ type Config struct {
 	// fails validation.
 	AutomaticallyPauseZombieClients bool
 
-	// StoreARIReplacesInOrders causes the SA to store and retrieve the optional
-	// ARI replaces field in the orders table.
-	StoreARIReplacesInOrders bool
-
 	// DNSAccount01Enabled controls support for the dns-account-01 challenge
 	// type. When enabled, the server can offer and validate this challenge
 	// during certificate issuance. This flag must be set to true in the
 	// RA, VA, and WFE2 services for full functionality.
 	DNSAccount01Enabled bool
-
-	// StoreAuthzsInOrders causes the SA to write to the `authzs`
-	// column in NewOrder and read from it in GetOrder. It should be enabled
-	// after the migration to add that column has been run.
-	StoreAuthzsInOrders bool
 }
 
 var fMu = new(sync.RWMutex)

sa/database.go

@@ -13,7 +13,6 @@ import (
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	boulderDB "github.com/letsencrypt/boulder/db"
-	"github.com/letsencrypt/boulder/features"
 	blog "github.com/letsencrypt/boulder/log"
 )
 
@@ -250,18 +249,9 @@ func initTables(dbMap *borp.DbMap) {
 	dbMap.AddTableWithName(core.Certificate{}, "certificates").SetKeys(true, "ID")
 	dbMap.AddTableWithName(certificateStatusModel{}, "certificateStatus").SetKeys(true, "ID")
 	dbMap.AddTableWithName(fqdnSet{}, "fqdnSets").SetKeys(true, "ID")
-	tableMap := dbMap.AddTableWithName(orderModel{}, "orders").SetKeys(true, "ID")
-	if !features.Get().StoreARIReplacesInOrders {
-		tableMap.ColMap("Replaces").SetTransient(true)
-	}
-	if !features.Get().StoreAuthzsInOrders {
-		tableMap.ColMap("Authzs").SetTransient(true)
-	}
-
-	dbMap.AddTableWithName(orderToAuthzModel{}, "orderToAuthz").SetKeys(false, "OrderID", "AuthzID")
+	dbMap.AddTableWithName(orderModel{}, "orders").SetKeys(true, "ID")
 	dbMap.AddTableWithName(orderFQDNSet{}, "orderFqdnSets").SetKeys(true, "ID")
 	dbMap.AddTableWithName(authzModel{}, "authz2").SetKeys(true, "ID")
-	dbMap.AddTableWithName(orderToAuthzModel{}, "orderToAuthz2").SetKeys(false, "OrderID", "AuthzID")
 	dbMap.AddTableWithName(recordedSerialModel{}, "serials").SetKeys(true, "ID")
 	dbMap.AddTableWithName(lintingCertModel{}, "precertificates").SetKeys(true, "ID")
 	dbMap.AddTableWithName(keyHashModel{}, "keyHashToSerial").SetKeys(true, "ID")

sa/database_test.go

@@ -134,9 +134,12 @@ func TestStrictness(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = dbMap.ExecContext(ctx, `insert into orderToAuthz2 set
-		orderID=999999999999999999999999999,
-		authzID=999999999999999999999999999;`)
+	_, err = dbMap.ExecContext(ctx, `insert into serials set
+		id=999999999999999999999999999,
+		serial="abcd",
+		registrationID=99,
+		created="2026-01-01",
+		expires="2026-02-01";`)
 	if err == nil {
 		t.Fatal("Expected error when providing out of range value, got none.")
 	}

sa/db-next/boulder_sa/20250304000000_OrdersReplaces.sql

@@ -0,0 +1 @@
+../../db/boulder_sa/20250304000000_OrdersReplaces.sql

sa/db-next/boulder_sa/20250304000000_OrdersReplaces.sql

@@ -22,7 +22,6 @@ GRANT SELECT,INSERT on fqdnSets TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE ON orders TO 'sa'@'localhost';
 GRANT SELECT,INSERT,DELETE ON orderFqdnSets TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE ON authz2 TO 'sa'@'localhost';
-GRANT SELECT,INSERT ON orderToAuthz2 TO 'sa'@'localhost';
 GRANT INSERT,SELECT ON serials TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON precertificates TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON keyHashToSerial TO 'sa'@'localhost';
@@ -43,7 +42,6 @@ GRANT SELECT on fqdnSets TO 'sa_ro'@'localhost';
 GRANT SELECT ON orders TO 'sa_ro'@'localhost';
 GRANT SELECT ON orderFqdnSets TO 'sa_ro'@'localhost';
 GRANT SELECT ON authz2 TO 'sa_ro'@'localhost';
-GRANT SELECT ON orderToAuthz2 TO 'sa_ro'@'localhost';
 GRANT SELECT ON serials TO 'sa_ro'@'localhost';
 GRANT SELECT ON precertificates TO 'sa_ro'@'localhost';
 GRANT SELECT ON keyHashToSerial TO 'sa_ro'@'localhost';

sa/db-users/boulder_sa.sql

@@ -0,0 +1,9 @@
+-- +migrate Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+ALTER TABLE `orders` ADD COLUMN `replaces` varchar(255) DEFAULT NULL;
+
+-- +migrate Down
+-- SQL section 'Down' is executed when this migration is rolled back
+
+ALTER TABLE `orders` DROP COLUMN `replaces`;

sa/db/boulder_sa/20250304000000_OrdersReplaces.sql

@@ -350,11 +350,6 @@ type orderModel struct {
 	Authzs                 []byte
 }
 
-type orderToAuthzModel struct {
-	OrderID int64
-	AuthzID int64
-}
-
 func modelToOrder(om *orderModel) (*corepb.Order, error) {
 	profile := ""
 	if om.CertificateProfileName != nil {
@@ -1182,18 +1177,6 @@ func getAuthorizationStatuses(ctx context.Context, s db.Selector, ids []int64) (
 	return validities, nil
 }
 
-// authzForOrder retrieves the authorization IDs for an order.
-func authzForOrder(ctx context.Context, s db.Selector, orderID int64) ([]int64, error) {
-	var v2IDs []int64
-	_, err := s.Select(
-		ctx,
-		&v2IDs,
-		"SELECT authzID FROM orderToAuthz2 WHERE orderID = ?",
-		orderID,
-	)
-	return v2IDs, err
-}
-
 // crlShardModel represents one row in the crlShards table. The ThisUpdate and
 // NextUpdate fields are pointers because they are NULL-able columns.
 type crlShardModel struct {

sa/model.go

@@ -22,7 +22,6 @@ import (
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	"github.com/letsencrypt/boulder/db"
 	berrors "github.com/letsencrypt/boulder/errors"
-	"github.com/letsencrypt/boulder/features"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/identifier"
 	blog "github.com/letsencrypt/boulder/log"
@@ -493,15 +492,11 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 
 		// Second, insert the new order.
 		created := ssa.clk.Now()
-		var encodedAuthzs []byte
-		var err error
-		if features.Get().StoreAuthzsInOrders {
-			encodedAuthzs, err = proto.Marshal(&sapb.Authzs{
-				AuthzIDs: allAuthzIds,
-			})
-			if err != nil {
-				return nil, err
-			}
+		encodedAuthzs, err := proto.Marshal(&sapb.Authzs{
+			AuthzIDs: allAuthzIds,
+		})
+		if err != nil {
+			return nil, err
 		}
 
 		om := orderModel{
@@ -518,22 +513,6 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
 		}
 		orderID := om.ID
 
-		// Third, insert all of the orderToAuthz relations.
-		inserter, err := db.NewMultiInserter("orderToAuthz2", []string{"orderID", "authzID"})
-		if err != nil {
-			return nil, err
-		}
-		for _, id := range allAuthzIds {
-			err := inserter.Add([]any{orderID, id})
-			if err != nil {
-				return nil, err
-			}
-		}
-		err = inserter.Insert(ctx, tx)
-		if err != nil {
-			return nil, err
-		}
-
 		// Fourth, insert the FQDNSet entry for the order.
 		err = addOrderFQDNSet(ctx, tx, identifier.FromProtoSlice(req.NewOrder.Identifiers), orderID, req.NewOrder.RegistrationID, req.NewOrder.Expires.AsTime())
 		if err != nil {