Expose RFC7807 sub-problems on errors (#265)

nckslvrmn · web-flow · commit 4a4b5932c0fe · 2026-03-09T16:26:58.000-04:00
diff --git a/lib/acme/client/error.rb b/lib/acme/client/error.rb
@@ -1,4 +1,33 @@
 class Acme::Client::Error < StandardError
+  attr_reader :subproblems
+
+  Subproblem = Struct.new(:type, :detail, :identifier, keyword_init: true) do
+    def to_h
+      { type: type, detail: detail, identifier: identifier }
+    end
+  end
+
+  def initialize(message = nil, subproblems: nil)
+    super(message)
+    @subproblems = parse_subproblems(subproblems)
+  end
+
+  private
+
+  def parse_subproblems(raw)
+    return [] if raw.nil? || !raw.is_a?(Array)
+
+    raw.map do |sp|
+      Subproblem.new(
+        type: sp['type'],
+        detail: sp['detail'],
+        identifier: sp['identifier']
+      )
+    end
+  end
+
+  public
+
   class Timeout < Acme::Client::Error; end
 
   class ClientError < Acme::Client::Error; end
diff --git a/lib/acme/client/error/rate_limited.rb b/lib/acme/client/error/rate_limited.rb
@@ -3,8 +3,8 @@ class Acme::Client::Error::RateLimited < Acme::Client::Error::ServerError
 
   DEFAULT_MESSAGE = 'Error message: urn:ietf:params:acme:error:rateLimited'
 
-  def initialize(message = DEFAULT_MESSAGE, retry_after = 10)
-    super(message)
+  def initialize(message = DEFAULT_MESSAGE, retry_after = 10, subproblems: nil)
+    super(message, subproblems: subproblems)
     @retry_after = retry_after.nil? ? 10 : retry_after.to_i
   end
 end
diff --git a/lib/acme/client/http_client.rb b/lib/acme/client/http_client.rb
@@ -101,10 +101,11 @@ def raise_on_not_found!
     end
 
     def raise_on_error!
+      subproblems = error_subproblems
       if error_class == Acme::Client::Error::RateLimited
-        raise error_class.new(error_message, env.response_headers['Retry-After'])
+        raise error_class.new(error_message, env.response_headers['Retry-After'], subproblems: subproblems)
       end
-      raise error_class, error_message
+      raise error_class.new(error_message, subproblems: subproblems)
     end
 
     def error_message
@@ -125,6 +126,11 @@ def error_name
       env.body['type']
     end
 
+    def error_subproblems
+      return unless env.body.is_a?(Hash)
+      env.body['subproblems']
+    end
+
     def decode_body
       content_type = env.response_headers['Content-Type'].to_s
 
diff --git a/spec/subproblems_spec.rb b/spec/subproblems_spec.rb
@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.join(__dir__, '../lib')
+
+require 'acme/client'
+
+RSpec.describe 'RFC 7807 subproblems support' do
+  let(:raw_subproblems) do
+    [
+      {
+        'type' => 'urn:ietf:params:acme:error:rejectedIdentifier',
+        'detail' => 'This CA will not issue for "example.net"',
+        'identifier' => { 'type' => 'dns', 'value' => 'example.net' }
+      },
+      {
+        'type' => 'urn:ietf:params:acme:error:caa',
+        'detail' => 'CAA record for "example.org" prevents issuance',
+        'identifier' => { 'type' => 'dns', 'value' => 'example.org' }
+      }
+    ]
+  end
+
+  describe Acme::Client::Error do
+    it 'exposes parsed subproblems when provided' do
+      error = Acme::Client::Error.new('multi-identifier failure', subproblems: raw_subproblems)
+      expect(error.subproblems.length).to eq(2)
+    end
+
+    it 'returns Subproblem structs with type, detail, and identifier' do
+      error = Acme::Client::Error.new('failure', subproblems: raw_subproblems)
+      sp = error.subproblems.first
+
+      expect(sp).to be_a(Acme::Client::Error::Subproblem)
+      expect(sp.type).to eq('urn:ietf:params:acme:error:rejectedIdentifier')
+      expect(sp.detail).to eq('This CA will not issue for "example.net"')
+      expect(sp.identifier).to eq({ 'type' => 'dns', 'value' => 'example.net' })
+    end
+
+    it 'defaults to an empty array when no subproblems' do
+      error = Acme::Client::Error.new('simple error')
+      expect(error.subproblems).to eq([])
+    end
+
+    it 'defaults to an empty array when subproblems is nil' do
+      error = Acme::Client::Error.new('simple error', subproblems: nil)
+      expect(error.subproblems).to eq([])
+    end
+
+    it 'handles non-array subproblems gracefully' do
+      error = Acme::Client::Error.new('bad data', subproblems: 'not an array')
+      expect(error.subproblems).to eq([])
+    end
+
+    it 'works with no arguments' do
+      error = Acme::Client::Error.new
+      expect(error.subproblems).to eq([])
+    end
+  end
+
+  describe Acme::Client::Error::Subproblem do
+    it 'supports keyword initialization' do
+      sp = Acme::Client::Error::Subproblem.new(
+        type: 'urn:ietf:params:acme:error:dns',
+        detail: 'DNS lookup failed',
+        identifier: { 'type' => 'dns', 'value' => 'example.com' }
+      )
+
+      expect(sp.type).to eq('urn:ietf:params:acme:error:dns')
+      expect(sp.detail).to eq('DNS lookup failed')
+      expect(sp.identifier).to eq({ 'type' => 'dns', 'value' => 'example.com' })
+    end
+
+    it 'supports to_h' do
+      sp = Acme::Client::Error::Subproblem.new(
+        type: 'urn:ietf:params:acme:error:dns',
+        detail: 'DNS lookup failed',
+        identifier: { 'type' => 'dns', 'value' => 'example.com' }
+      )
+
+      expect(sp.to_h).to eq({
+        type: 'urn:ietf:params:acme:error:dns',
+        detail: 'DNS lookup failed',
+        identifier: { 'type' => 'dns', 'value' => 'example.com' }
+      })
+    end
+
+    it 'handles nil fields' do
+      sp = Acme::Client::Error::Subproblem.new(
+        type: 'urn:ietf:params:acme:error:dns',
+        detail: nil,
+        identifier: nil
+      )
+
+      expect(sp.type).to eq('urn:ietf:params:acme:error:dns')
+      expect(sp.detail).to be_nil
+      expect(sp.identifier).to be_nil
+    end
+  end
+
+  describe 'subproblems on error subclasses' do
+    it 'works on Malformed errors (common multi-identifier parent)' do
+      error = Acme::Client::Error::Malformed.new(
+        'Some of the identifiers requested were rejected',
+        subproblems: raw_subproblems
+      )
+      expect(error.subproblems.length).to eq(2)
+      expect(error.subproblems.first.type).to eq('urn:ietf:params:acme:error:rejectedIdentifier')
+    end
+
+    it 'works on Unauthorized errors' do
+      error = Acme::Client::Error::Unauthorized.new('unauthorized', subproblems: raw_subproblems)
+      expect(error.subproblems.length).to eq(2)
+    end
+
+    it 'works on RateLimited with positional args preserved' do
+      error = Acme::Client::Error::RateLimited.new('rate limited', 60, subproblems: raw_subproblems)
+      expect(error.retry_after).to eq(60)
+      expect(error.subproblems.length).to eq(2)
+    end
+
+    it 'works on RateLimited with defaults' do
+      error = Acme::Client::Error::RateLimited.new
+      expect(error.retry_after).to eq(10)
+      expect(error.subproblems).to eq([])
+    end
+
+    it 'all ACME_ERRORS subclasses accept subproblems keyword' do
+      Acme::Client::Error::ACME_ERRORS.each_value do |error_class|
+        next if error_class == Acme::Client::Error::RateLimited
+
+        error = error_class.new('test', subproblems: raw_subproblems)
+        expect(error.subproblems.length).to eq(2),
+          "#{error_class} did not accept subproblems correctly"
+      end
+    end
+  end
+
+  describe 'single subproblem' do
+    it 'handles a response with one subproblem' do
+      error = Acme::Client::Error::Malformed.new(
+        'identifier rejected',
+        subproblems: [raw_subproblems.first]
+      )
+      expect(error.subproblems.length).to eq(1)
+      expect(error.subproblems.first.detail).to eq('This CA will not issue for "example.net"')
+    end
+  end
+end
