feat: add certificate deletion API with validation rules (#688)

* feat: add certificate deletion API with validation rules

Implements DELETE /api/v1/amt/certificates/{guid}/{instanceId} with:
- Profile association validation
- Read-only certificate protection
- Full layer implementation (HTTP -> usecase -> WSMAN)

Closes: #567

Signed-off-by: ShradhaGupta31 <shradha.gupta@intel.com>

* refactor: Rename DeletePublicCert to DeleteCertificate for consistency

- Rename Management interface method from DeletePublicCert to DeleteCertificate
- Update ConnectionEntry implementation method name to match interface
- Update all test references and comments to use consistent naming
- Align method naming with REST API endpoints and use case methods

This change ensures consistent naming convention across the codebase where
all certificate deletion operations use the "DeleteCertificate" naming
pattern instead of the inconsistent "DeletePublicCert".

Signed-off-by: ShradhaGupta31 <shradha.gupta@intel.com>

---------

Signed-off-by: ShradhaGupta31 <shradha.gupta@intel.com>

Author: ShradhaGupta31

internal/controller/http/v1/certs.go

@@ -53,3 +53,17 @@ func (r *deviceManagementRoutes) addCertificate(c *gin.Context) {
 
 	c.JSON(http.StatusOK, handle)
 }
+
+func (r *deviceManagementRoutes) deleteCertificate(c *gin.Context) {
+	guid := c.Param("guid")
+	instanceID := c.Param("instanceId")
+
+	err := r.d.DeleteCertificate(c.Request.Context(), guid, instanceID)
+	if err != nil {
+		ErrorResponse(c, err)
+
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "Certificate deleted successfully"})
+}

internal/controller/http/v1/devicemanagement.go

@@ -57,6 +57,7 @@ func NewAmtRoutes(handler *gin.RouterGroup, d devices.Feature, amt amtexplorer.F
 
 		h.GET("certificates/:guid", r.getCertificates)
 		h.POST("certificates/:guid", r.addCertificate)
+		h.DELETE("certificates/:guid/:instanceId", r.deleteCertificate)
 
 		// KVM display settings
 		h.GET("kvm/displays/:guid", r.getKVMDisplays)

internal/controller/http/v1/devicemanagement_test.go

@@ -18,6 +18,8 @@ import (
 	"github.com/device-management-toolkit/console/internal/entity/dto/v1"
 	dtov2 "github.com/device-management-toolkit/console/internal/entity/dto/v2"
 	"github.com/device-management-toolkit/console/internal/mocks"
+	"github.com/device-management-toolkit/console/internal/usecase/devices"
+	"github.com/device-management-toolkit/console/pkg/consoleerrors"
 	"github.com/device-management-toolkit/console/pkg/logger"
 )
 
@@ -401,6 +403,49 @@ func TestDeviceManagement(t *testing.T) {
 			expectedCode: http.StatusInternalServerError,
 			response:     nil,
 		},
+		{
+			name:   "deleteCertificate - successful deletion",
+			url:    "/api/v1/amt/certificates/valid-guid/Intel%28r%29%20AMT%20Certificate%3A%20Handle%3A%201",
+			method: http.MethodDelete,
+			mock: func(m *mocks.MockDeviceManagementFeature) {
+				m.EXPECT().DeleteCertificate(
+					context.Background(),
+					"valid-guid",
+					"Intel(r) AMT Certificate: Handle: 1",
+				).Return(nil)
+			},
+			expectedCode: http.StatusOK,
+			response:     gin.H{"message": "Certificate deleted successfully"},
+		},
+		{
+			name:   "deleteCertificate - device not found",
+			url:    "/api/v1/amt/certificates/invalid-guid/Intel%28r%29%20AMT%20Certificate%3A%20Handle%3A%201",
+			method: http.MethodDelete,
+			mock: func(m *mocks.MockDeviceManagementFeature) {
+				m.EXPECT().DeleteCertificate(
+					context.Background(),
+					"invalid-guid",
+					"Intel(r) AMT Certificate: Handle: 1",
+				).Return(devices.ErrNotFound)
+			},
+			expectedCode: http.StatusNotFound,
+			response:     nil,
+		},
+		{
+			name:   "deleteCertificate - certificate is read-only",
+			url:    "/api/v1/amt/certificates/valid-guid/Intel%28r%29%20AMT%20Certificate%3A%20Handle%3A%200",
+			method: http.MethodDelete,
+			mock: func(m *mocks.MockDeviceManagementFeature) {
+				validationErr := dto.NotValidError{Console: consoleerrors.CreateConsoleError("DeleteCertificate")}
+				m.EXPECT().DeleteCertificate(
+					context.Background(),
+					"valid-guid",
+					"Intel(r) AMT Certificate: Handle: 0",
+				).Return(validationErr)
+			},
+			expectedCode: http.StatusBadRequest,
+			response:     nil,
+		},
 	}
 
 	for _, tc := range tests {

internal/controller/ws/v1/interface.go

@@ -61,6 +61,7 @@ type Feature interface {
 	GetDiskInfo(c context.Context, guid string) (dto.DiskInfo, error)
 	GetDeviceCertificate(c context.Context, guid string) (dto.Certificate, error)
 	AddCertificate(c context.Context, guid string, certInfo dto.CertInfo) (string, error)
+	DeleteCertificate(c context.Context, guid, instanceID string) error
 	GetBootSourceSetting(ctx context.Context, guid string) ([]dto.BootSources, error)
 	// KVM Screen Settings
 	GetKVMScreenSettings(c context.Context, guid string) (dto.KVMScreenSettings, error)

internal/mocks/devicemanagement_mocks.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/device-management-toolkit/console/internal/entity/dto/v1"
 	"github.com/device-management-toolkit/console/internal/usecase/devices/wsman"
+	"github.com/device-management-toolkit/console/pkg/consoleerrors"
 )
 
 const (
@@ -31,6 +32,12 @@ const (
 	TypeWired    string = "Wired"
 )
 
+var (
+	ErrCertificateNotFound           = fmt.Errorf("certificate not found")
+	ErrCertificateAssociatedProfiles = fmt.Errorf("certificate is associated with profiles")
+	ErrCertificateReadOnly           = fmt.Errorf("certificate is read-only")
+)
+
 func processConcreteDependencies(certificateHandle string, profileAssociation *dto.ProfileAssociation, dependencyItems []concrete.ConcreteDependency, securitySettings dto.SecuritySettings) {
 	for i := range dependencyItems {
 		di := dependencyItems[i]
@@ -379,3 +386,59 @@ func (uc *UseCase) AddCertificate(c context.Context, guid string, certInfo dto.C
 
 	return handle, nil
 }
+
+func (uc *UseCase) DeleteCertificate(c context.Context, guid, instanceID string) error {
+	item, err := uc.repo.GetByID(c, guid, "")
+	if err != nil {
+		return err
+	}
+
+	if item == nil || item.GUID == "" {
+		return ErrNotFound
+	}
+
+	// First, get all certificates to check if the certificate to delete is associated with any profiles
+	securitySettings, err := uc.GetCertificates(c, guid)
+	if err != nil {
+		return err
+	}
+
+	// Find the certificate to be deleted
+	var targetCert *dto.RefinedCertificate
+
+	for i := range securitySettings.CertificateResponse.Certificates {
+		if securitySettings.CertificateResponse.Certificates[i].InstanceID == instanceID {
+			targetCert = &securitySettings.CertificateResponse.Certificates[i]
+
+			break
+		}
+	}
+
+	if targetCert == nil {
+		return ErrNotFound.Wrap("DeleteCertificate", "certificate not found", ErrCertificateNotFound)
+	}
+
+	// Check if the certificate is associated with any profiles
+	if len(targetCert.AssociatedProfiles) > 0 {
+		validationErr := dto.NotValidError{Console: consoleerrors.CreateConsoleError("DeleteCertificate")}
+
+		return validationErr.Wrap("DeleteCertificate", "certificate associated with profiles", ErrCertificateAssociatedProfiles)
+	}
+
+	// Check if the certificate is read-only (cannot be deleted)
+	if targetCert.ReadOnlyCertificate {
+		validationErr := dto.NotValidError{Console: consoleerrors.CreateConsoleError("DeleteCertificate")}
+
+		return validationErr.Wrap("DeleteCertificate", "certificate is read-only", ErrCertificateReadOnly)
+	}
+
+	// If the certificate is not associated with any profiles and is not read-only, proceed with deletion
+	device := uc.device.SetupWsmanClient(*item, false, true)
+
+	err = device.DeleteCertificate(instanceID)
+	if err != nil {
+		return ErrDeviceUseCase.Wrap("DeleteCertificate", "failed to delete certificate", fmt.Errorf("failed to delete certificate %s: %w", instanceID, err))
+	}
+
+	return nil
+}