// Security coverage for installed secret permissions.
//
// Scope: preserve installer and UI behavior that keeps private keys readable
// only by the local Lesavka operator account.
// Targets: install scripts and the client TLS-bundle import helper.
// Why: mTLS is only meaningful if client/server private keys are not installed
// with broad filesystem permissions.

const SERVER_INSTALL: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/scripts/install/server.sh"
));
const CLIENT_INSTALL: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/scripts/install/client.sh"
));
const CERT_UI: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/client/src/launcher/ui/utility_button_bindings.rs"
));

#[test]
fn server_private_keys_and_client_bundle_are_installed_private() {
    for marker in [
        "chmod 0600 \"$LESAVKA_TLS_DIR/\"*.key",
        "chmod 0644 \"$LESAVKA_TLS_DIR/\"*.crt",
        "chmod 0600 \"$LESAVKA_CLIENT_BUNDLE\"",
        "cp \"$LESAVKA_TLS_DIR/client.key\"",
    ] {
        assert!(
            SERVER_INSTALL.contains(marker),
            "server installer should preserve private PKI permission marker {marker}"
        );
    }
}

#[test]
fn client_installer_preserves_private_client_key_mode() {
    for marker in [
        "sudo install -m 0600",
        "\"$tmp/client.key\" \"$CLIENT_PKI_DIR/client.key\"",
        "sudo install -m 0644",
        "\"$tmp/ca.crt\"",
        "\"$tmp/client.crt\"",
    ] {
        assert!(
            CLIENT_INSTALL.contains(marker),
            "client installer should preserve enrollment permission marker {marker}"
        );
    }
}

#[test]
fn client_ui_bundle_import_tightens_key_permissions() {
    for marker in [
        "tighten_client_key_permissions",
        "PermissionsExt",
        "permissions.set_mode(0o600)",
        "target.join(\"client.key\")",
    ] {
        assert!(
            CERT_UI.contains(marker),
            "cert import UI should preserve permission marker {marker}"
        );
    }
}