git.stella-ops.org/src/__Libraries/__Tests/StellaOps.Evidence.Pack.Tests/EvidenceCardServiceTests.Verify.cs

// <copyright file="EvidenceCardServiceTests.Verify.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
// </copyright>
using System.Collections.Immutable;
using StellaOps.Evidence.Pack.Models;
using Xunit;

namespace StellaOps.Evidence.Pack.Tests;

public sealed partial class EvidenceCardServiceTests
{
    [Fact]
    public async Task VerifyCardAsync_ValidCard_ReturnsValidAsync()
    {
        var service = CreateService();
        var card = await CreateTestCardAsync(service);

        var result = await service.VerifyCardAsync(card);

        Assert.True(result.Valid);
        Assert.True(result.SignatureValid);
        Assert.True(result.SbomDigestValid);
    }

    [Fact]
    public async Task VerifyCardAsync_WithMissingReceipt_AllowedByDefaultAsync()
    {
        var service = CreateService();
        var card = await CreateTestCardAsync(service);

        var result = await service.VerifyCardAsync(card, new EvidenceCardVerificationOptions
        {
            AllowMissingReceipt = true
        });

        Assert.True(result.Valid);
        Assert.Null(result.RekorReceiptValid);
    }

    [Fact]
    public async Task VerifyCardAsync_WithMissingReceipt_FailsWhenRequiredAsync()
    {
        var service = CreateService();
        var card = await CreateTestCardAsync(service);

        var result = await service.VerifyCardAsync(card, new EvidenceCardVerificationOptions
        {
            AllowMissingReceipt = false
        });

        Assert.False(result.Valid);
        Assert.Contains(result.Issues, i => i.Contains("Rekor receipt is required"));
    }

    [Fact]
    public async Task VerifyCardAsync_WithValidRekorReceipt_ReturnsTrueAsync()
    {
        var service = CreateService();
        var card = await CreateTestCardAsync(service);

        var cardWithReceipt = card with
        {
            RekorReceipt = new RekorReceiptMetadata
            {
                Uuid = "abc123def456",
                LogIndex = 12345,
                LogId = "0x1234",
                LogUrl = "https://rekor.sigstore.dev",
                IntegratedTime = _timeProvider.GetUtcNow().ToUnixTimeSeconds(),
                RootHash = "sha256:root123",
                TreeSize = 100000,
                InclusionProofHashes = ImmutableArray.Create("hash1", "hash2"),
                CheckpointNote = "rekor.sigstore.dev - 12345\n100000\nroot123\n",
                CheckpointSignatures = ImmutableArray.Create(new CheckpointSignature
                {
                    KeyId = "key1",
                    Signature = "c2lnbmF0dXJl"
                })
            }
        };

        var result = await service.VerifyCardAsync(cardWithReceipt);

        Assert.True(result.Valid);
        Assert.True(result.RekorReceiptValid);
    }
}