refactor: modernize ACME error handling and add order submission tests

jgnagy · claude · jgnagy · commit 29840e6010f2 · 2025-08-19T21:00:39.000-07:00
- Convert ACME error classes to use modern Ruby syntax (def method = value) - Add AccountDoesNotExist error class for proper ACME compliance - Refactor CA service error handling for better flow - Add comprehensive test coverage for order submission - Update RuboCop config to accommodate longer test examples - Clean up test helper methods 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -73,7 +73,7 @@ RSpec/MultipleExpectations:
   Max: 13
 
 RSpec/ExampleLength:
-  Max: 34
+  Max: 40
 
 Gemspec/DevelopmentDependencies:
   Enabled: false
diff --git a/lib/bullion/acme/error.rb b/lib/bullion/acme/error.rb
@@ -19,53 +19,44 @@ def acme_error
     end
 
     module Errors
+      # ACME exception for nonexistent accounts
+      class AccountDoesNotExist < Bullion::Acme::Error
+        def acme_type = "accountDoesNotExist"
+      end
+
       # ACME exception for bad CSRs
       class BadCsr < Bullion::Acme::Error
-        def acme_type
-          "badCSR"
-        end
+        def acme_type = "badCSR"
       end
 
       # ACME exception for bad Nonces
       class BadNonce < Bullion::Acme::Error
-        def acme_type
-          "badNonce"
-        end
+        def acme_type = "badNonce"
       end
 
       # ACME exception for invalid contacts in accounts
       class InvalidContact < Bullion::Acme::Error
-        def acme_type
-          "invalidContact"
-        end
+        def acme_type = "invalidContact"
       end
 
       # ACME exception for invalid orders
       class InvalidOrder < Bullion::Acme::Error
-        def acme_type
-          "invalidOrder"
-        end
+        def acme_type = "invalidOrder"
       end
 
       # ACME exception for malformed requests
       class Malformed < Bullion::Acme::Error
-        def acme_type
-          "malformed"
-        end
+        def acme_type = "malformed"
       end
 
       # ACME exception for unsupported contacts in accounts
       class UnsupportedContact < Bullion::Acme::Error
-        def acme_type
-          "unsupportedContact"
-        end
+        def acme_type = "unsupportedContact"
       end
 
       # Non-standard exception for unsupported challenge types
       class UnsupportedChallengeType < Bullion::Acme::Error
-        def acme_error
-          "urn:ietf:params:bullion:error:unsupportedChallengeType"
-        end
+        def acme_error = "urn:ietf:params:bullion:error:unsupportedChallengeType"
       end
     end
   end
diff --git a/lib/bullion/services/ca.rb b/lib/bullion/services/ca.rb
@@ -118,22 +118,20 @@ class CA < Service
       # @see https://tools.ietf.org/html/rfc8555#section-7.3
       post "/accounts" do
         header_data = JSON.parse(Base64.decode64(@json_body[:protected]))
-        begin
-          parse_acme_jwt(header_data["jwk"], validate_nonce: false)
+        parse_acme_jwt(header_data["jwk"], validate_nonce: false)
 
-          account_data_valid?(@payload_data)
-        rescue Bullion::Acme::Error => e
-          content_type "application/problem+json"
-          halt 400, { type: e.acme_error, detail: e.message }.to_json
-        end
+        account_data_valid?(@payload_data)
 
         user = Models::Account.where(
           public_key: header_data["jwk"]
         ).first
 
         if @payload_data["onlyReturnExisting"]
           content_type "application/problem+json"
-          halt 400, { type: "urn:ietf:params:acme:error:accountDoesNotExist" }.to_json unless user
+          unless user
+            raise Bullion::Acme::Error::AccountDoesNotExist,
+                  "onlyReturnExisting requested and account does not exist"
+          end
         end
 
         user ||= Models::Account.new(public_key: header_data["jwk"])
@@ -149,6 +147,9 @@ class CA < Service
           contact: user.contacts,
           orders: uri("/accounts/#{user.id}/orders")
         }.to_json
+      rescue Bullion::Acme::Error => e
+        content_type "application/problem+json"
+        halt 400, { type: e.acme_error, detail: e.message }.to_json
       end
 
       # Endpoint for updating accounts
diff --git a/spec/bullion/services/ca_spec.rb b/spec/bullion/services/ca_spec.rb
@@ -422,5 +422,57 @@ def app
       expect(parsed_body["contact"]).to eq(["mailto:#{account_email}"])
       expect(parsed_body["orders"]).to match(%r{^http://.+/accounts/[0-9]+/orders$})
     end
+
+    it "allows submitting new orders" do
+      account_key = ecdsa_key
+
+      # Create an account so we can use it
+      Bullion::Models::Account.create(
+        tos_agreed: true,
+        contacts: [account_email],
+        public_key: ecdsa_public_key_hash(account_key)
+      )
+
+      get "/nonces"
+
+      nonce = last_response.headers["Replay-Nonce"]
+
+      jwk = {
+        typ: "JWT",
+        alg: "ES256",
+        jwk: ecdsa_public_key_hash(account_key),
+        nonce:,
+        url: "/orders"
+      }.to_json
+
+      encoded_jwk = acme_base64(jwk)
+      payload = { identifiers: }.to_json
+      encoded_payload = acme_base64(payload)
+      signature_data = "#{encoded_jwk}.#{encoded_payload}"
+
+      body = {
+        protected: encoded_jwk,
+        payload: encoded_payload,
+        signature: acme_sign(account_key, signature_data)
+      }.to_json
+
+      post "/orders", body, { "CONTENT_TYPE" => "application/jose+json" }
+
+      expect(last_response).to be_created
+      expect(last_response.headers["Content-Type"]).to eq("application/json")
+      expect(last_response.headers["Location"]).to match(%r{^http://.+/orders/[0-9]+$})
+      expect(last_response.body).to be_a(String)
+
+      parsed_body = JSON.parse(last_response.body)
+      expect(parsed_body["status"]).to eq("pending")
+      expect(parsed_body).to include("expires")
+      expect(parsed_body).to include("notBefore")
+      expect(parsed_body).to include("notAfter")
+      expect(parsed_body).to include("authorizations")
+      expect(parsed_body["authorizations"]).to be_an(Array)
+      expect(parsed_body["authorizations"].size).to eq(2)
+      expect(parsed_body["identifiers"]).to eq(identifiers)
+      expect(parsed_body["finalize"]).to match(%r{http://.+/orders/[0-9]+/finalize})
+    end
   end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -57,8 +57,7 @@ def ecsda_crv_to_openssl(crv)
     end
 
     def ecdsa_key(crv = "P-256")
-      key = OpenSSL::PKey::EC.generate(ecsda_crv_to_openssl(crv))
-      @ecdsa_key ||= key
+      @ecdsa_key ||= OpenSSL::PKey::EC.generate(ecsda_crv_to_openssl(crv))
     end
 
     def ecdsa_public_key_hash(key, crv = "P-256")
