save progress

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/WebServiceFeatureGateTests.cs

@@ -0,0 +1,86 @@
+using System;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using StellaOps.Attestor.WebService.Contracts;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Attestor.Tests;
+
+public sealed class WebServiceFeatureGateTests
+{
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task AnchorsEndpoints_Disabled_Returns501()
+    {
+        using var factory = new AttestorWebApplicationFactory();
+        var client = factory.CreateClient();
+        AttachAuth(client);
+
+        var response = await client.GetAsync("/anchors");
+
+        Assert.Equal(HttpStatusCode.NotImplemented, response.StatusCode);
+        var payload = await response.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.True(payload.TryGetProperty("code", out var code));
+        Assert.Equal("feature_not_implemented", code.GetString());
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task ProofsEndpoints_Disabled_Returns501()
+    {
+        using var factory = new AttestorWebApplicationFactory();
+        var client = factory.CreateClient();
+        AttachAuth(client);
+
+        var entry = "sha256:deadbeef:pkg:npm/test@1.0.0";
+        var response = await client.GetAsync($"/proofs/{Uri.EscapeDataString(entry)}/receipt");
+
+        Assert.Equal(HttpStatusCode.NotImplemented, response.StatusCode);
+        var payload = await response.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.True(payload.TryGetProperty("code", out var code));
+        Assert.Equal("feature_not_implemented", code.GetString());
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task VerifyEndpoints_Disabled_Returns501()
+    {
+        using var factory = new AttestorWebApplicationFactory();
+        var client = factory.CreateClient();
+        AttachAuth(client);
+
+        var response = await client.PostAsync("/verify/test-bundle", new StringContent(string.Empty));
+
+        Assert.Equal(HttpStatusCode.NotImplemented, response.StatusCode);
+        var payload = await response.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.True(payload.TryGetProperty("code", out var code));
+        Assert.Equal("feature_not_implemented", code.GetString());
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task VerdictEndpoint_RequiresAuthentication()
+    {
+        using var factory = new AttestorWebApplicationFactory();
+        var client = factory.CreateClient();
+
+        var request = new VerdictAttestationRequestDto
+        {
+            PredicateType = "https://stellaops.dev/predicates/policy-verdict@v1",
+            Predicate = "{\"verdict\":{\"status\":\"pass\"}}",
+            Subject = new VerdictSubjectDto { Name = "finding-1" }
+        };
+
+        var response = await client.PostAsJsonAsync("/internal/api/v1/attestations/verdict", request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    private static void AttachAuth(HttpClient client)
+    {
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "test-token");
+    }
+}