envoyproxy · alyssawilk · Jul 29, 2021 · Jul 28, 2021
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -49,6 +49,7 @@ Removed Config or Runtime
 * http: removed ``envoy.reloadable_features.http_upstream_wait_connect_response`` runtime guard and legacy code paths.
 * http: removed ``envoy.reloadable_features.allow_preconnect`` runtime guard and legacy code paths.
 * listener: removed ``envoy.reloadable_features.disable_tls_inspector_injection`` runtime guard and legacy code paths.
+* ocsp: removed ``envoy.reloadable_features.check_ocsp_policy deprecation`` runtime guard and legacy code paths.
 
 New Features
 ------------

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -59,7 +59,6 @@ constexpr const char* runtime_features[] = {
     "envoy.reloadable_features.add_and_validate_scheme_header",
     "envoy.reloadable_features.allow_response_for_timeout",
     "envoy.reloadable_features.check_unsupported_typed_per_filter_config",
-    "envoy.reloadable_features.check_ocsp_policy",
     "envoy.reloadable_features.correct_scheme_and_xfp",
     "envoy.reloadable_features.disable_tls_inspector_injection",
     "envoy.reloadable_features.dont_add_content_length_for_bodiless_requests",

@@ -1047,11 +1047,6 @@ OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx,
   }
 
   auto& response = ctx.ocsp_response_;
-  if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.check_ocsp_policy")) {
-    // Expiration check is disabled. Proceed as if the policy is LenientStapling and the response
-    // is not expired.
-    return response ? OcspStapleAction::Staple : OcspStapleAction::NoStaple;
-  }
 
   auto policy = ocsp_staple_policy_;
   if (ctx.is_must_staple_) {

@@ -5811,69 +5811,6 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired)
   testUtil(test_options.setExpectedServerStats("ssl.ocsp_staple_failed").enableOcspStapling());
 }
 
-TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidationOff) {
-  const std::string server_ctx_yaml = R"EOF(
-  common_tls_context:
-    tls_certificates:
-    - certificate_chain:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
-      private_key:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
-      ocsp_staple:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"
-  ocsp_staple_policy: must_staple
-  )EOF";
-
-  const std::string client_ctx_yaml = R"EOF(
-  common_tls_context:
-    tls_params:
-      cipher_suites:
-      - TLS_RSA_WITH_AES_128_GCM_SHA256
-)EOF";
-
-  TestScopedRuntime scoped_runtime;
-  Runtime::LoaderSingleton::getExisting()->mergeValues(
-      {{"envoy.reloadable_features.check_ocsp_policy", "false"}});
-
-  TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam());
-  std::string ocsp_response_path =
-      "{{ test_rundir "
-      "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der";
-  std::string expected_response =
-      TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path));
-  testUtil(test_options.enableOcspStapling()
-               .setExpectedServerStats("ssl.ocsp_staple_responses")
-               .setExpectedOcspResponse(expected_response));
-}
-
-TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoResponse) {
-  const std::string server_ctx_yaml = R"EOF(
-  common_tls_context:
-    tls_certificates:
-    - certificate_chain:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
-      private_key:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
-  ocsp_staple_policy: lenient_stapling
-  )EOF";
-
-  const std::string client_ctx_yaml = R"EOF(
-  common_tls_context:
-    tls_params:
-      cipher_suites:
-      - TLS_RSA_WITH_AES_128_GCM_SHA256
-)EOF";
-
-  TestScopedRuntime scoped_runtime;
-  Runtime::LoaderSingleton::getExisting()->mergeValues(
-      {{"envoy.reloadable_features.require_ocsp_response_for_must_staple_certs", "false"},
-       {"envoy.reloadable_features.check_ocsp_policy", "false"}});
-  TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam());
-  testUtil(test_options.setExpectedServerStats("ssl.ocsp_staple_omitted")
-               .enableOcspStapling()
-               .setExpectedOcspResponse(""));
-}
-
 TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) {
   const std::string server_ctx_yaml = R"EOF(
   common_tls_context: