From 520ad7d865ff147d3ff8819d3e384d7cbd69bfb7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 26 Aug 2016 11:11:56 +1000
Subject: [PATCH] cert-request: raise CertificateOperationError if CA disabled

Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.

Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/cert.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 8da18697f..68fc2bf7c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -749,8 +749,16 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                     info=_("Subject alt name type %s is forbidden") % desc)
 
         # Request the certificate
-        result = self.Backend.ra.request_certificate(
-            csr, profile_id, ca_id, request_type=request_type)
+        try:
+            result = self.Backend.ra.request_certificate(
+                csr, profile_id, ca_id, request_type=request_type)
+        except errors.HTTPRequestError as e:
+            if e.status == 409:  # pylint: disable=no-member
+                raise errors.CertificateOperationError(
+                    error=_("CA '%s' is disabled") % ca)
+            else:
+                raise e
+
         if not raw:
             self.obj._parse(result, all)
             result['request_id'] = int(result['request_id'])