Tests/Public/Get-PWSHCertutilIssuedCerts.Tests.ps1

BeforeAll {
    Import-Module (Resolve-Path "$PSScriptRoot\..\..\Posh-Certutil.psd1") -Force

    $testJson = @'
{
  "version": "1.0",
  "profiles": {
    "test-profile": {
      "description": "Test",
      "remoting": { "useTls": true, "port": 5986, "maxSessionsPerCA": 2 },
      "cas": [
        { "fqdn": "ca01.test.local", "displayName": "CA01" },
        { "fqdn": "ca02.test.local", "displayName": "CA02" }
      ],
      "certutilView": {
        "restrict": { "issuedCerts": "GeneralFlags=0,Disposition=20" },
        "out": { "issuedCerts": ["RequestID","CommonName"] }
      },
      "syncState": {
        "lastSync": "2026-01-01T00:00:00Z",
        "fieldNameMap": { "RequestID": "RequestID", "CommonName": "CommonName" }
      }
    }
  }
}
'@

    $script:TestConfigPath = [IO.Path]::GetTempFileName()
    Set-Content -Path $script:TestConfigPath -Value $testJson -Encoding UTF8
    InModuleScope Posh-Certutil -Parameters @{ ConfigPath = $script:TestConfigPath } {
        param($ConfigPath)
        $script:ConfigPath = $ConfigPath
    }

    $fakeCsvOutput = @('"RequestID","CommonName"','"1","server01.corp.local"')
    $fakeSession   = New-MockObject -Type System.Management.Automation.Runspaces.PSSession
}

AfterAll {
    Remove-Item -Path $script:TestConfigPath -ErrorAction SilentlyContinue
    Remove-Module Posh-Certutil -ErrorAction SilentlyContinue
}

Describe 'Get-PWSHCertutilIssuedCerts' -Tag Unit {
    BeforeEach {
        Mock -ModuleName Posh-Certutil Get-CASession     { $fakeSession }
        Mock -ModuleName Posh-Certutil Invoke-CertutilView { $fakeCsvOutput }
    }

    It 'Queries all CAs in the profile when -CAFqdn is not specified' {
        Get-PWSHCertutilIssuedCerts -Profile 'test-profile' | Out-Null
        Should -Invoke -ModuleName Posh-Certutil Get-CASession -Times 2
    }

    It 'Queries only the specified CA when -CAFqdn is provided' {
        Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -CAFqdn 'ca01.test.local' | Out-Null
        Should -Invoke -ModuleName Posh-Certutil Get-CASession -Times 1
    }

    It 'Throws when the specified -CAFqdn is not in the profile' {
        { Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -CAFqdn 'ca99.test.local' } |
            Should -Throw -ExpectedMessage "*ca99.test.local*"
    }

    It 'Stamps Profile and CAServer on each returned object' {
        $result = Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -CAFqdn 'ca01.test.local'
        $result.Profile  | Should -Be 'test-profile'
        $result.CAServer | Should -Be 'ca01.test.local'
    }

    It 'Returns empty collection when certutil returns no data rows' {
        Mock -ModuleName Posh-Certutil Invoke-CertutilView { @('"RequestID","CommonName"') }
        $result = Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -CAFqdn 'ca01.test.local'
        $result | Should -BeNullOrEmpty
    }

    It 'Writes an error but continues when one CA fails' {
        Mock -ModuleName Posh-Certutil Get-CASession {
            if ($CAFqdn -eq 'ca01.test.local') { throw 'connection refused' }
            $fakeSession
        }
        { Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -ErrorAction SilentlyContinue } |
            Should -Not -Throw
    }

    It 'Returns objects with canonical property names when FieldMap is applied' {
        $localizedCsv = @('"Issued Request ID","Issued Common Name"', '"1","server01.corp.local"')
        Mock -ModuleName Posh-Certutil Invoke-CertutilView { $localizedCsv }
        InModuleScope Posh-Certutil -Parameters @{ ConfigPath = $script:TestConfigPath } {
            param($ConfigPath)
            $localizedMap = @{ 'Issued Request ID' = 'RequestID'; 'Issued Common Name' = 'CommonName' }
            $json = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
            $json.profiles.'test-profile'.syncState.fieldNameMap |
                Add-Member -MemberType NoteProperty -Name 'Issued Request ID'  -Value 'RequestID'  -Force
            $json.profiles.'test-profile'.syncState.fieldNameMap |
                Add-Member -MemberType NoteProperty -Name 'Issued Common Name' -Value 'CommonName' -Force
            $json | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8
            $script:ConfigPath = $ConfigPath
        }
        $result = Get-PWSHCertutilIssuedCerts -Profile 'test-profile' -CAFqdn 'ca01.test.local'
        $result.RequestID  | Should -Be '1'
        $result.CommonName | Should -Be 'server01.corp.local'
    }
}