git.stella-ops.org/tests/AirGap/StellaOps.AirGap.Importer.Tests/RootRotationPolicyTests.cs

using StellaOps.AirGap.Importer.Validation;

namespace StellaOps.AirGap.Importer.Tests;

public class RootRotationPolicyTests
{
    [Fact]
    public void RequiresTwoApprovers()
    {
        var policy = new RootRotationPolicy();
        var result = policy.Validate(new Dictionary<string, byte[]>(), new Dictionary<string, byte[]> { ["k1"] = new byte[] { 1 } }, new[] { "a" });
        Assert.False(result.IsValid);
        Assert.Equal("rotation-dual-approval-required", result.Reason);
    }

    [Fact]
    public void RejectsNoChange()
    {
        var policy = new RootRotationPolicy();
        var result = policy.Validate(
            new Dictionary<string, byte[]> { ["k1"] = new byte[] { 1 } },
            new Dictionary<string, byte[]> { ["k1"] = new byte[] { 1 } },
            new[] { "a", "b" });
        Assert.False(result.IsValid);
        Assert.Equal("rotation-no-change", result.Reason);
    }

    [Fact]
    public void AcceptsRotationWithDualApproval()
    {
        var policy = new RootRotationPolicy();
        var result = policy.Validate(
            new Dictionary<string, byte[]> { ["old"] = new byte[] { 1 } },
            new Dictionary<string, byte[]> { ["new"] = new byte[] { 2 } },
            new[] { "a", "b" });

        Assert.True(result.IsValid);
        Assert.Equal("rotation-approved", result.Reason);
    }
}