If a system attempts a dry-run autobind when all available pools are blocked from it (for example due to a consumer type mismatch), the request returns an error message containing the last rule failure encountered, when it should just return no results.

To reproduce:

- Register a consumer system and note it's UUID. (to the admin owner, with test data loaded)

- Open the candlepin database and make a rogue consumer type: insert into cp_consumer_type(id, label, manifest) values('1000', 'junk', 'N'); 

- Update your consumer to use it: update cp_consumer set type_id = '1000' where uuid = 'myuuid'; 

- Now use curl to request autobind for that consumer:

(dgoodwin@redhat {sla} ~/src/subscription-manager) $ curl -i -k -u admin:admin "https://localhost:8443/candlepin/consumers/c42bc476-332d-40a3-8ef8-0e2e7f116e15/entitlements/dry-run"
HTTP/1.1 403 Forbidden
{
  "displayMessage" : "rulefailed.consumer.type.mismatch"
}%                

This is definitely wrong and if we can't autobind to anything we should just return empty results.

I think it has something to do with this error handling in ConsumerResource.dryBind():

        try {
            checkServiceLevel(consumer.getOwner(), serviceLevel);
            dryRunPools = entitler.getDryRunMap(consumer, serviceLevel);
        }
        catch (ForbiddenException fe) {
            throw fe;
        }
        catch (BadRequestException bre) {
            throw bre;
        }
        catch (RuntimeException re) {
            return dryRunPools;
        }

        return dryRunPools;

That ForbiddenException in particular, the method re-used for dry-run was originally written for bind by product and throws forbidden if it find any suitable pools for the products installed, in this case because our consumer type blocks us from all test data. (it uses the last rule failure encountered)