From 3fab1b63502c3206d792b7aeaa12d486612f0137 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 29 Jun 2016 15:02:51 +1000
Subject: cert-request: better error msg when 'add' not supported
cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist". Add a new error type with better error message to explain that 'add' is not supported for host or user principals.
Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud
---
 ipalib/errors.py | 10 ++++++++++
 ipaserver/plugins/cert.py | 21 ++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 10491a942..7b4f15dd6 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1397,6 +1397,16 @@ class ServerRemovalError(ExecutionError):
 format = _('Server removal aborted: %(reason)s.')
+class OperationNotSupportedForPrincipalType(ExecutionError):
+ """
+ **4034** Raised when an operation is not supported for a principal type
+ """
+
+ errno = 4034
+ format = _(
+ '%(operation)s is not supported for %(principal_type)s principals')
+
+
 class BuiltinError(ExecutionError):
 """
 **4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 63351c54c..526360bb6 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -145,6 +145,12 @@ http://www.ietf.org/rfc/rfc5280.txt
 USER, HOST, SERVICE = range(3)
+PRINCIPAL_TYPE_STRING_MAP = {
+ USER: _('user'),
+ HOST: _('host'),
+ SERVICE: _('service'),
+}
+
 register = Registry()
 PKIDATE_FORMAT = '%Y-%m-%d'
@@ -385,7 +391,9 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 ),
 Flag(
 'add',
- doc=_("automatically add the principal if it doesn't exist"),
+ doc=_(
+ "automatically add the principal if it doesn't exist "
+ "(service principals only)"),
 ),
 )
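Review bot: The `format` string of `OperationNotSupportedForPrincipalType` is built from two separately translated fragments, `%(operation)s` and `%(principal_type)s`, which the cert.py hunks fill with `_("'add' option")` and an entry of `PRINCIPAL_TYPE_STRING_MAP`; a sentence composed this way cannot be made grammatical in every locale. If the project's string extraction picks up translator comments, one above the format would help, for example `# Translators: %(operation)s names an option or command, %(principal_type)s is 'user', 'host' or 'service'`. The class docstring could also name the two keyword arguments a caller has to pass, `operation` and `principal_type`, since nothing else in the visible lines documents them.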
@@ -480,8 +488,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 elif principal_type == USER:
 principal_obj = api.Command['user_show'](principal_name, all=True)
 except errors.NotFound as e:
- if principal_type == SERVICE and add:
- principal_obj = api.Command['service_add'](principal_string, force=True)
+ if add:
+ if principal_type == SERVICE:
+ principal_obj = api.Command['service_add'](
+ principal_string, force=True)
+ else:
+ princtype_str = PRINCIPAL_TYPE_STRING_MAP[principal_type]
+ raise errors.OperationNotSupportedForPrincipalType(
+ operation=_("'add' option"),
+ principal_type=princtype_str)
 else:
 raise errors.NotFound(
 reason=_("The principal for this request doesn't exist."))
-- cgit
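Review bot: The `add` option is validated only inside the `except errors.NotFound` branch, so `add` with a user or host principal is rejected when the principal is missing but silently accepted when it exists. The new message also no longer tells the caller that the lookup failed. Checking the option before the lookup would make the outcome independent of whether the principal exists, e.g. `if add and principal_type != SERVICE: raise errors.OperationNotSupportedForPrincipalType(operation=_("'add' option"), principal_type=PRINCIPAL_TYPE_STRING_MAP[principal_type])`. That would change behaviour for existing principals, so the intended contract should be agreed first. The name bound in `except errors.NotFound as e:` is unused in the visible lines, and the enclosing method starts and ends outside the hunk.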