certctl/internal/connector/target/wincertstore/wincertstore_test.go

package wincertstore

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"log/slog"
	"math/big"
	"os"
	"strings"
	"testing"
	"time"

	"github.com/certctl-io/certctl/internal/connector/target"
)

func testLogger() *slog.Logger {
	return slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError}))
}

// mockExecutor records PowerShell scripts and returns configurable responses.
type mockExecutor struct {
	scripts   []string
	responses []string
	errors    []error
	callIndex int
}

func (m *mockExecutor) Execute(ctx context.Context, script string) (string, error) {
	m.scripts = append(m.scripts, script)
	idx := m.callIndex
	m.callIndex++
	if idx < len(m.errors) && m.errors[idx] != nil {
		resp := ""
		if idx < len(m.responses) {
			resp = m.responses[idx]
		}
		return resp, m.errors[idx]
	}
	if idx < len(m.responses) {
		return m.responses[idx], nil
	}
	return "", nil
}

// generateTestCertAndKey creates a self-signed certificate and key for testing.
func generateTestCertAndKey() (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}

	template := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test.example.com"},
		NotBefore:    time.Now().Add(-1 * time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}

	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}

	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})

	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", "", err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})

	return string(certPEM), string(keyPEM), nil
}

// --- ValidateConfig Tests ---

func TestValidateConfig_Success(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"store_name":"My","store_location":"LocalMachine"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err != nil {
		t.Fatalf("expected success, got: %v", err)
	}
}

func TestValidateConfig_Defaults(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err != nil {
		t.Fatalf("expected success with defaults, got: %v", err)
	}
	if c.config.StoreName != "My" {
		t.Errorf("expected default store_name 'My', got: %s", c.config.StoreName)
	}
	if c.config.StoreLocation != "LocalMachine" {
		t.Errorf("expected default store_location 'LocalMachine', got: %s", c.config.StoreLocation)
	}
	if c.config.Mode != "local" {
		t.Errorf("expected default mode 'local', got: %s", c.config.Mode)
	}
}

func TestValidateConfig_InvalidJSON(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	err := c.ValidateConfig(context.Background(), json.RawMessage(`{bad`))
	if err == nil {
		t.Fatal("expected error for invalid JSON")
	}
}

func TestValidateConfig_InvalidStoreName(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"store_name":"My; Drop-Database"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "invalid store_name") {
		t.Fatalf("expected invalid store_name error, got: %v", err)
	}
}

func TestValidateConfig_InvalidStoreLocation(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"store_location":"InvalidLocation"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "invalid store_location") {
		t.Fatalf("expected invalid store_location error, got: %v", err)
	}
}

func TestValidateConfig_CurrentUser(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"store_location":"CurrentUser"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err != nil {
		t.Fatalf("expected success with CurrentUser, got: %v", err)
	}
}

func TestValidateConfig_InvalidMode(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"mode":"ssh"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "invalid mode") {
		t.Fatalf("expected invalid mode error, got: %v", err)
	}
}

func TestValidateConfig_WinRM_MissingHost(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"mode":"winrm","winrm_username":"admin","winrm_password":"pass"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "winrm_host") {
		t.Fatalf("expected winrm_host error, got: %v", err)
	}
}

func TestValidateConfig_WinRM_MissingUsername(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"mode":"winrm","winrm_host":"host","winrm_password":"pass"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "winrm_username") {
		t.Fatalf("expected winrm_username error, got: %v", err)
	}
}

func TestValidateConfig_InvalidFriendlyName(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"friendly_name":"cert; rm -rf /"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err == nil || !strings.Contains(err.Error(), "invalid friendly_name") {
		t.Fatalf("expected invalid friendly_name error, got: %v", err)
	}
}

func TestValidateConfig_WithFriendlyName(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	cfg := `{"friendly_name":"My Production Cert"}`
	err := c.ValidateConfig(context.Background(), json.RawMessage(cfg))
	if err != nil {
		t.Fatalf("expected success with friendly name, got: %v", err)
	}
}

// --- DeployCertificate Tests ---

func TestDeployCertificate_Success(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Bundle 10: idempotency probe runs first (returns IDEM_MISS by default),
	// then Bundle 7: success path runs 3 PowerShell scripts in order:
	// probe → snapshot → import → cleanup. Seed responses for each.
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"TEMPDIR:/tmp/certctl-snapshot-abc",
			"SUCCESS:AABBCCDD",
			"CLEANUP_OK",
		},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err != nil {
		t.Fatalf("deploy failed: %v", err)
	}
	if !result.Success {
		t.Error("expected success=true")
	}
	if result.TargetAddress != "cert:\\LocalMachine\\My" {
		t.Errorf("expected target address cert:\\LocalMachine\\My, got: %s", result.TargetAddress)
	}
	if result.Metadata["store_name"] != "My" {
		t.Errorf("expected store_name metadata 'My', got: %s", result.Metadata["store_name"])
	}

	// Bundle 10: 4 scripts on success path (probe + snapshot + import + cleanup).
	if len(mock.scripts) != 4 {
		t.Fatalf("expected 4 script calls (probe + snapshot + import + cleanup), got %d", len(mock.scripts))
	}
	if !strings.Contains(mock.scripts[0], "# CERTCTL_IDEM_PROBE") {
		t.Errorf("expected # CERTCTL_IDEM_PROBE in first script, got: %s", mock.scripts[0])
	}
	if !strings.Contains(mock.scripts[1], "# CERTCTL_SNAPSHOT") {
		t.Errorf("expected # CERTCTL_SNAPSHOT in second script, got: %s", mock.scripts[1])
	}
	importScript := mock.scripts[2]
	if !strings.Contains(importScript, "Import-PfxCertificate") {
		t.Error("expected Import-PfxCertificate in third script")
	}
	if !strings.Contains(importScript, "Cert:\\LocalMachine\\My") {
		t.Error("expected correct cert store path in third script")
	}
	if !strings.Contains(mock.scripts[3], "# CERTCTL_CLEANUP") {
		t.Errorf("expected # CERTCTL_CLEANUP in fourth script, got: %s", mock.scripts[3])
	}
}

func TestWinCertStore_Idempotent_SkipsImportWhenCertInStore(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Probe returns IDEM_MATCH
	mock := &mockExecutor{
		responses: []string{"IDEM_MATCH"},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err != nil {
		t.Fatalf("deploy failed: %v", err)
	}
	if !result.Success {
		t.Error("expected success=true")
	}

	// Verify idempotent flag is set
	if result.Metadata["idempotent"] != "true" {
		t.Errorf("expected idempotent=true, got %s", result.Metadata["idempotent"])
	}

	// Only the probe should have run (1 script call)
	if len(mock.scripts) != 1 {
		t.Errorf("expected 1 script call (probe only), got %d", len(mock.scripts))
	}
	if !strings.Contains(mock.scripts[0], "# CERTCTL_IDEM_PROBE") {
		t.Errorf("expected probe script, got: %s", mock.scripts[0])
	}

	// Verify no Import-PfxCertificate call
	for i, script := range mock.scripts {
		if strings.Contains(script, "Import-PfxCertificate") {
			t.Errorf("script %d should not contain Import-PfxCertificate (idempotent short-circuit): %s", i, script)
		}
	}
}

func TestWinCertStore_Idempotent_NotInStore_FallsThroughToDeploy(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Probe returns IDEM_MISS, then standard snapshot + import + cleanup responses
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"TEMPDIR:/tmp/certctl-snapshot-def",
			"SUCCESS:DDEEFFGG",
			"CLEANUP_OK",
		},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err != nil {
		t.Fatalf("deploy failed: %v", err)
	}
	if !result.Success {
		t.Error("expected success=true")
	}

	// Verify idempotent flag is NOT set
	if result.Metadata["idempotent"] != "" {
		t.Errorf("expected no idempotent flag, got %s", result.Metadata["idempotent"])
	}

	// Full flow: probe + snapshot + import + cleanup = 4 scripts
	if len(mock.scripts) != 4 {
		t.Errorf("expected 4 script calls (probe, snapshot, import, cleanup), got %d", len(mock.scripts))
	}

	// Verify probe ran first
	if !strings.Contains(mock.scripts[0], "# CERTCTL_IDEM_PROBE") {
		t.Errorf("expected probe as first script, got: %s", mock.scripts[0])
	}

	// Verify import happened
	hasImport := false
	for _, script := range mock.scripts {
		if strings.Contains(script, "Import-PfxCertificate") {
			hasImport = true
			break
		}
	}
	if !hasImport {
		t.Error("expected Import-PfxCertificate in scripts")
	}
}

func TestDeployCertificate_MissingKey(t *testing.T) {
	certPEM, _, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	_, err = c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
	})
	if err == nil || !strings.Contains(err.Error(), "private key is required") {
		t.Fatalf("expected missing key error, got: %v", err)
	}
}

func TestDeployCertificate_InvalidCert(t *testing.T) {
	c := NewWithExecutor(&Config{}, testLogger(), &mockExecutor{})
	_, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: "not-a-cert",
		KeyPEM:  "not-a-key",
	})
	if err == nil {
		t.Fatal("expected error for invalid cert")
	}
}

func TestDeployCertificate_ImportFailed(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Bundle 10 / Top-10 fix #3 idempotency probe runs first → IDEM_MISS,
	// fall through. Bundle 7: snapshot returns empty → import fails →
	// rollback runs (and succeeds since snapshot was empty, only removes
	// the new cert if it landed).
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"TEMPDIR:/tmp/certctl-snapshot-xyz",
			"Access denied",
			"ROLLBACK_OK",
		},
		errors: []error{nil, nil, fmt.Errorf("exit code 1"), nil},
	}
	c := NewWithExecutor(&Config{}, testLogger(), mock)

	_, err = c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err == nil || !strings.Contains(err.Error(), "PowerShell import failed") {
		t.Fatalf("expected import failure error, got: %v", err)
	}
	// Bundle 7: error message must reference rollback so operators know
	// the deploy left the store in a known state.
	if !strings.Contains(err.Error(), "rolled back") {
		t.Errorf("expected error to mention 'rolled back', got: %v", err)
	}
}

func TestDeployCertificate_WithFriendlyName(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"TEMPDIR:/tmp/certctl-snapshot-fn",
			"SUCCESS:AABB",
			"CLEANUP_OK",
		},
	}
	c := NewWithExecutor(&Config{
		StoreName:    "My",
		FriendlyName: "Production API Cert",
	}, testLogger(), mock)

	_, err = c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err != nil {
		t.Fatalf("deploy failed: %v", err)
	}
	// Bundle 10: probe at [0], snapshot at [1], import at [2].
	if len(mock.scripts) < 3 {
		t.Fatalf("expected at least 3 scripts (probe + snapshot + import), got %d", len(mock.scripts))
	}
	if !strings.Contains(mock.scripts[2], "FriendlyName") {
		t.Error("expected FriendlyName in import script")
	}
}

func TestDeployCertificate_WithRemoveExpired(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"TEMPDIR:/tmp/certctl-snapshot-re",
			"SUCCESS:AABB",
			"CLEANUP_OK",
		},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		RemoveExpired: true,
	}, testLogger(), mock)

	_, err = c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err != nil {
		t.Fatalf("deploy failed: %v", err)
	}
	// Bundle 10: probe at [0], snapshot at [1], import at [2].
	if len(mock.scripts) < 3 {
		t.Fatalf("expected at least 3 scripts (probe + snapshot + import), got %d", len(mock.scripts))
	}
	if !strings.Contains(mock.scripts[2], "Remove-Item") {
		t.Error("expected Remove-Item for expired cert cleanup in import script")
	}
}

// --- Bundle 7: pre-deploy snapshot + on-import-failure rollback ---
//
// These four tests pin the load-bearing rollback contract added in
// Bundle 7 of the 2026-05-02 deployment-target audit:
//   - happy rollback path: snapshot finds same-Subject cert → import
//     fails → rollback removes new cert + re-imports snapshot;
//   - first-time deploy: snapshot finds no same-Subject certs → import
//     fails → rollback only removes the new cert (no re-import);
//   - FriendlyName-step failure: import script fails on Set
//     FriendlyName → same rollback path;
//   - rollback-also-fails: operator-actionable wrapped error.

func TestWinCertStore_ImportFails_RemovesNewCert_RestoresOldFromSnapshot(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Probe → IDEM_MISS, fall through. Snapshot finds one same-Subject
	// cert and exports it. Import fails. Rollback succeeds. Verify confirms.
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"SNAPSHOT:OLDTHUMB123:/tmp/certctl-snapshot-abc/OLDTHUMB123.pfx\nTEMPDIR:/tmp/certctl-snapshot-abc",
			"PFX import error",
			"ROLLBACK_OK",
			"VERIFY_OK",
		},
		errors: []error{nil, nil, fmt.Errorf("exit code 1"), nil, nil},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err == nil {
		t.Fatal("expected error when import fails")
	}
	if result == nil {
		t.Fatal("expected non-nil result on rollback path")
	}
	if result.Success {
		t.Fatal("expected failure result")
	}
	if !strings.Contains(err.Error(), "PowerShell import failed") {
		t.Errorf("expected error to mention import failure, got: %v", err)
	}
	if !strings.Contains(err.Error(), "rolled back") {
		t.Errorf("expected error to mention 'rolled back', got: %v", err)
	}

	// 5 scripts: probe + snapshot + import + rollback + verify.
	if len(mock.scripts) != 5 {
		t.Fatalf("expected 5 scripts (probe + snapshot + import + rollback + verify), got %d", len(mock.scripts))
	}

	// Locate the rollback script and assert it contains BOTH a Remove-Item
	// for the new thumbprint AND an Import-PfxCertificate for the
	// snapshotted PFX.
	var rollbackScript string
	for _, s := range mock.scripts {
		if strings.Contains(s, "# CERTCTL_ROLLBACK") {
			rollbackScript = s
			break
		}
	}
	if rollbackScript == "" {
		t.Fatal("expected rollback script to be executed")
	}
	if !strings.Contains(rollbackScript, "Remove-Item") {
		t.Errorf("expected rollback to contain Remove-Item, got: %s", rollbackScript)
	}
	if !strings.Contains(rollbackScript, "Import-PfxCertificate") {
		t.Errorf("expected rollback to Import-PfxCertificate the snapshot, got: %s", rollbackScript)
	}
	if !strings.Contains(rollbackScript, "OLDTHUMB123.pfx") {
		t.Errorf("expected rollback to reference the snapshot pfx path, got: %s", rollbackScript)
	}

	if result.Metadata["rolled_back"] != "true" {
		t.Errorf("expected rolled_back=true in metadata, got: %s", result.Metadata["rolled_back"])
	}
}

func TestWinCertStore_ImportFails_NoExistingSameSubject_RemovesNewCertOnly(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Probe → IDEM_MISS, fall through. Snapshot returns THUMB lines
	// (different-Subject certs in store) but NO SNAPSHOT lines — no
	// same-Subject cert was exported. Rollback removes the new cert but
	// does NOT call Import-PfxCertificate.
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"THUMB:UNRELATED1\nTHUMB:UNRELATED2\nTEMPDIR:/tmp/certctl-snapshot-noss",
			"PFX import error",
			"ROLLBACK_OK",
			"VERIFY_OK",
		},
		errors: []error{nil, nil, fmt.Errorf("exit code 1"), nil, nil},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	_, err = c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err == nil {
		t.Fatal("expected error when import fails")
	}

	var rollbackScript string
	for _, s := range mock.scripts {
		if strings.Contains(s, "# CERTCTL_ROLLBACK") {
			rollbackScript = s
			break
		}
	}
	if rollbackScript == "" {
		t.Fatal("expected rollback script to be executed")
	}
	if !strings.Contains(rollbackScript, "Remove-Item") {
		t.Errorf("expected rollback to remove new cert via Remove-Item, got: %s", rollbackScript)
	}
	// No same-Subject snapshots → no Import-PfxCertificate during rollback.
	if strings.Contains(rollbackScript, "Import-PfxCertificate") {
		t.Errorf("expected no Import-PfxCertificate when snapshot has no same-Subject entries, got: %s", rollbackScript)
	}
}

func TestWinCertStore_FriendlyNameFails_NewCertRemoved_OldCertsRestored(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// The connector cannot inspect WHICH step inside the import script
	// failed — Execute returns a single (output, error). Operators see
	// the FriendlyName failure surfaced via the error output. The
	// rollback runs the same way regardless of which post-Import step
	// failed (FriendlyName, Get-ChildItem verify, RemoveExpired).
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"SNAPSHOT:OLDTHUMB456:/tmp/certctl-snapshot-fn/OLDTHUMB456.pfx\nTEMPDIR:/tmp/certctl-snapshot-fn",
			"Cannot set FriendlyName: invalid character in friendly name",
			"ROLLBACK_OK",
			"VERIFY_OK",
		},
		errors: []error{nil, nil, fmt.Errorf("Set-ItemProperty failed"), nil, nil},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
		FriendlyName:  "Production",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err == nil {
		t.Fatal("expected error when FriendlyName step fails")
	}
	if result.Success {
		t.Fatal("expected failure result")
	}
	// Operator visibility: the import_error in metadata should preserve
	// the PowerShell output so operators can tell what went wrong.
	if !strings.Contains(result.Metadata["import_error"], "FriendlyName") {
		t.Errorf("expected import_error to reference FriendlyName, got: %s", result.Metadata["import_error"])
	}

	var rollbackScript string
	for _, s := range mock.scripts {
		if strings.Contains(s, "# CERTCTL_ROLLBACK") {
			rollbackScript = s
			break
		}
	}
	if rollbackScript == "" {
		t.Fatal("expected rollback script to be executed")
	}
	if !strings.Contains(rollbackScript, "Remove-Item") {
		t.Errorf("expected rollback to Remove-Item the new cert, got: %s", rollbackScript)
	}
	if !strings.Contains(rollbackScript, "OLDTHUMB456.pfx") {
		t.Errorf("expected rollback to restore snapshotted cert, got: %s", rollbackScript)
	}

	if result.Metadata["rolled_back"] != "true" {
		t.Errorf("expected rolled_back=true, got: %s", result.Metadata["rolled_back"])
	}
}

func TestWinCertStore_ImportFails_RollbackAlsoFails_OperatorActionable(t *testing.T) {
	certPEM, keyPEM, err := generateTestCertAndKey()
	if err != nil {
		t.Fatalf("generate cert: %v", err)
	}

	// Probe → IDEM_MISS, fall through. Snapshot succeeds; import fails;
	// rollback ALSO fails. Operator-actionable case: both errors must be
	// surfaced + metadata flags manual_action_required.
	mock := &mockExecutor{
		responses: []string{
			"IDEM_MISS",
			"SNAPSHOT:OLDTHUMB789:/tmp/certctl-snapshot-rbf/OLDTHUMB789.pfx\nTEMPDIR:/tmp/certctl-snapshot-rbf",
			"Import error",
			"Rollback step failed",
		},
		errors: []error{
			nil,
			nil,
			fmt.Errorf("import-step exit code 1"),
			fmt.Errorf("rollback-step exit code 2"),
		},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.DeployCertificate(context.Background(), target.DeploymentRequest{
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	})
	if err == nil {
		t.Fatal("expected error when both import and rollback fail")
	}
	if result.Success {
		t.Fatal("expected failure result")
	}

	// Wrapped error must mention BOTH errors.
	if !strings.Contains(err.Error(), "PowerShell import failed") {
		t.Errorf("expected error to mention import failure, got: %v", err)
	}
	if !strings.Contains(err.Error(), "rollback also failed") {
		t.Errorf("expected error to mention rollback failure, got: %v", err)
	}
	if !strings.Contains(err.Error(), "manual operator inspection required") {
		t.Errorf("expected error to flag manual inspection, got: %v", err)
	}

	// Metadata flags manual action + surfaces both errors.
	if result.Metadata["manual_action_required"] != "true" {
		t.Errorf("expected manual_action_required=true, got: %s", result.Metadata["manual_action_required"])
	}
	if result.Metadata["rolled_back"] != "false" {
		t.Errorf("expected rolled_back=false, got: %s", result.Metadata["rolled_back"])
	}
	if result.Metadata["rollback_error"] == "" {
		t.Error("expected rollback_error in metadata")
	}
	if result.Metadata["import_error"] == "" {
		t.Error("expected import_error in metadata")
	}
}

// --- ValidateDeployment Tests ---

func TestValidateDeployment_Success(t *testing.T) {
	mock := &mockExecutor{
		responses: []string{"FOUND:AABBCCDD:2027-01-01T00:00:00"},
	}
	c := NewWithExecutor(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger(), mock)

	result, err := c.ValidateDeployment(context.Background(), target.ValidationRequest{
		Serial: "01",
		Metadata: map[string]string{
			"thumbprint": "AABBCCDD",
		},
	})
	if err != nil {
		t.Fatalf("validate failed: %v", err)
	}
	if !result.Valid {
		t.Error("expected valid=true")
	}
	if result.Metadata["thumbprint"] != "AABBCCDD" {
		t.Errorf("expected thumbprint AABBCCDD, got: %s", result.Metadata["thumbprint"])
	}
}

func TestValidateDeployment_NotFound(t *testing.T) {
	mock := &mockExecutor{
		responses: []string{"NOT_FOUND"},
	}
	c := NewWithExecutor(&Config{}, testLogger(), mock)

	result, err := c.ValidateDeployment(context.Background(), target.ValidationRequest{
		Serial: "01",
	})
	if err == nil {
		t.Fatal("expected error for not found cert")
	}
	if result.Valid {
		t.Error("expected valid=false")
	}
}

func TestValidateDeployment_QueryFailed(t *testing.T) {
	mock := &mockExecutor{
		responses: []string{"error"},
		errors:    []error{fmt.Errorf("powershell error")},
	}
	c := NewWithExecutor(&Config{}, testLogger(), mock)

	result, err := c.ValidateDeployment(context.Background(), target.ValidationRequest{
		Serial: "01",
	})
	if err == nil {
		t.Fatal("expected error for query failure")
	}
	if result.Valid {
		t.Error("expected valid=false")
	}
}

func TestValidateDeployment_BySerial(t *testing.T) {
	mock := &mockExecutor{
		responses: []string{"FOUND:AABB:2027-01-01T00:00:00"},
	}
	c := NewWithExecutor(&Config{}, testLogger(), mock)

	// No thumbprint in metadata — should query by serial
	_, err := c.ValidateDeployment(context.Background(), target.ValidationRequest{
		Serial: "DEADBEEF",
	})
	if err != nil {
		t.Fatalf("validate failed: %v", err)
	}
	if !strings.Contains(mock.scripts[0], "SerialNumber") {
		t.Error("expected serial number query in script")
	}
}

// --- Top-10 fix #4: default-deadline ctx wrapper for PowerShell exec calls ---
//
// These tests pin realExecutor's safety-net behavior. See the matching pair
// in iis_test.go for the rationale (subprocess fails fast on non-Windows
// runners / deadline cancels on Windows; either path must return fast).

func TestWinCertStore_RealExecutor_AttachesDefaultDeadlineWhenCallerHasNone(t *testing.T) {
	e := &realExecutor{deadline: 100 * time.Millisecond}
	start := time.Now()
	_, err := e.Execute(context.Background(), "Start-Sleep -Seconds 5")
	elapsed := time.Since(start)
	if elapsed > 500*time.Millisecond {
		t.Errorf("expected fast return (default deadline = 100ms), took %v: err=%v", elapsed, err)
	}
	if err == nil {
		t.Error("expected an error (context.DeadlineExceeded on Windows / powershell.exe missing on Linux)")
	}
}

func TestWinCertStore_RealExecutor_RespectsCallerDeadlineWhenSet(t *testing.T) {
	e := &realExecutor{deadline: 10 * time.Second} // long fallback
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	start := time.Now()
	_, _ = e.Execute(ctx, "Start-Sleep -Seconds 5")
	elapsed := time.Since(start)
	if elapsed > 500*time.Millisecond {
		t.Errorf("expected caller's tight 50ms deadline to fire fast, took %v", elapsed)
	}
}

func TestWinCertStore_RealExecutor_NoDeadlineWiredWhenZero(t *testing.T) {
	// deadline=0 means "no fallback wrapper". Pass a tight caller deadline.
	e := &realExecutor{deadline: 0}
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	start := time.Now()
	_, _ = e.Execute(ctx, "Start-Sleep -Seconds 5")
	elapsed := time.Since(start)
	if elapsed > 500*time.Millisecond {
		t.Errorf("expected caller deadline to bound the call, took %v", elapsed)
	}
}

func TestWinCertStore_New_DefaultsExecDeadlineTo60s(t *testing.T) {
	c, err := New(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
	}, testLogger())
	if err != nil {
		t.Fatalf("New failed: %v", err)
	}
	if c.config.ExecDeadline != 60*time.Second {
		t.Errorf("expected default ExecDeadline=60s, got %v", c.config.ExecDeadline)
	}
}

func TestWinCertStore_New_RespectsExplicitExecDeadline(t *testing.T) {
	c, err := New(&Config{
		StoreName:     "My",
		StoreLocation: "LocalMachine",
		ExecDeadline:  10 * time.Minute,
	}, testLogger())
	if err != nil {
		t.Fatalf("New failed: %v", err)
	}
	if c.config.ExecDeadline != 10*time.Minute {
		t.Errorf("expected ExecDeadline=10m, got %v", c.config.ExecDeadline)
	}
}