Separate kerberos from service principal name and use correctly

Fix incomplete fix in ManageIQ#211.

We have two concepts that were being shared.
* kerberos principal name
* service principal name

getcert requires the kerberos principal name with the kerberos realm included:
getcert request -K SERVICE/host@REALM

ipa service-find and service-add use the service principal name, which doesn't include
the kerberos realm as that's assumed based on configuration and cannot be changed without
changing the configuration:

ipa service-find  --principal SERVICE/host

This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.

lib/manageiq/appliance_console/principal.rb

@@ -10,12 +10,14 @@ class Principal
     attr_accessor :service
     # kerberos principal name
     attr_accessor :name
+    attr_accessor :service_principal
 
     def initialize(options = {})
       options.each { |n, v| public_send("#{n}=", v) }
       @ca_name ||= "ipa"
       @realm = @realm.upcase if @realm
-      @name ||= "#{service}/#{hostname}\\@#{realm}"
+      @service_principal ||= "#{service}/#{hostname}"
+      @name ||= "#{service_principal}@#{realm}"
     end
 
     def register
@@ -33,13 +35,13 @@ def ipa?
     private
 
     def exist?
-      AwesomeSpawn.run("/usr/bin/ipa", :params => ["-e", "skip_version_check=1", "service-find", "--principal", name]).success?
+      AwesomeSpawn.run("/usr/bin/ipa", :params => ["-e", "skip_version_check=1", "service-find", "--principal", service_principal]).success?
     end
 
     def request
       # using --force because these services tend not to be in dns
       # this is like VERIFY_NONE
-      AwesomeSpawn.run!("/usr/bin/ipa", :params => ["-e", "skip_version_check=1", "service-add", "--force", name])
+      AwesomeSpawn.run!("/usr/bin/ipa", :params => ["-e", "skip_version_check=1", "service-add", "--force", service_principal])
     end
   end
 end

spec/certificate_spec.rb

@@ -23,7 +23,7 @@
 
   # not sure if we care about this (it is probably allowing us to neglect )
   it "should have a principal" do
-    expect(subject.principal.name).to eq("postgres/#{host}\\@#{realm}")
+    expect(subject.principal.name).to eq("postgres/#{host}@#{realm}")
     expect(subject.principal).to be_ipa
   end
 

spec/principal_spec.rb

@@ -3,27 +3,28 @@
   let(:hostname) { "machine.network.com" }
   let(:realm)    { "NETWORK.COM" }
   let(:service)  { "postgres" }
-  let(:principal_name) { "postgres/machine.network.com\\@NETWORK.COM" }
+  let(:service_principal)  { "postgres/machine.network.com" }
+  let(:kerberos_principal) { "postgres/machine.network.com@NETWORK.COM" }
 
   subject { described_class.new(:hostname => hostname, :realm => realm, :service => service) }
 
   it { expect(subject.hostname).to eq(hostname) }
   it { expect(subject.realm).to eq(realm) }
   it { expect(subject.service).to eq(service) }
 
-  it { expect(subject.name).to eq(principal_name) }
+  it { expect(subject.name).to eq(kerberos_principal) }
   it { expect(subject.subject_name).to match(/CN=#{hostname}.*O=#{realm}/) }
   it { expect(subject).to be_ipa }
 
   it "should register if not yet registered" do
-    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-find", "--principal", principal_name], response(1))
-    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-add", "--force", principal_name], response)
+    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-find", "--principal", service_principal], response(1))
+    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-add", "--force", service_principal], response)
 
     subject.register
   end
 
   it "should not register if already registered" do
-    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-find", "--principal", principal_name], response)
+    expect_run(/ipa/, ["-e", "skip_version_check=1", "service-find", "--principal", service_principal], response)
 
     subject.register
   end