git.stella-ops.org/src/Attestor/__Tests/StellaOps.Provenance.Attestation.Tests/VerificationTests.cs


using System.Text;
using FluentAssertions;
using System.Threading.Tasks;
using StellaOps.Provenance.Attestation;
using StellaOps.Cryptography;
using Xunit;
using StellaOps.TestKit;
namespace StellaOps.Provenance.Attestation.Tests;
/// <summary>
/// Round-trip tests for <c>HmacSigner</c> and <c>HmacVerifier</c>: a signature produced
/// over a request must verify against that same request and must be rejected
/// once the payload bytes differ.
/// </summary>
/// <remarks>
/// The key material ("secret") is a hard-coded test fixture, not a real credential.
/// NOTE(review): only payload tampering is exercised here. Verification with a
/// different key, an altered content type, or a truncated/modified signature is not
/// covered by this class; confirm those cases are tested elsewhere.
/// </remarks>
public class VerificationTests
{
    private const string Payload = "{\"hello\":\"world\"}";
    private const string ContentType = "application/json";

    /// <summary>
    /// Builds a signer and a verifier that share one in-memory key provider,
    /// so that both sides operate on the same key id and key bytes.
    /// </summary>
    private static (HmacSigner Signer, HmacVerifier Verifier) CreateSignerAndVerifier()
    {
        var keyBytes = Encoding.UTF8.GetBytes("secret");
        var keyProvider = new InMemoryKeyProvider("test-key", keyBytes);
        var hmacSigner = new HmacSigner(keyProvider, DefaultCryptoHmac.CreateForTests());
        var hmacVerifier = new HmacVerifier(keyProvider);
        return (hmacSigner, hmacVerifier);
    }

    /// <summary>
    /// A signature verified against the exact request it was produced for is
    /// reported as valid with the reason "verified".
    /// </summary>
    [Fact]
    [Trait("Category", TestCategories.Unit)]
    public async Task Verifier_accepts_valid_signature()
    {
        var (signer, verifier) = CreateSignerAndVerifier();
        var payloadBytes = Encoding.UTF8.GetBytes(Payload);
        var signedRequest = new SignRequest(payloadBytes, ContentType);

        var signature = await signer.SignAsync(signedRequest);
        var outcome = await verifier.VerifyAsync(signedRequest, signature);

        outcome.IsValid.Should().BeTrue();
        outcome.Reason.Should().Be("verified");
    }

    /// <summary>
    /// A signature produced for the original payload must not verify against a
    /// request whose payload has been changed after signing.
    /// </summary>
    [Fact]
    [Trait("Category", TestCategories.Unit)]
    public async Task Verifier_rejects_tampered_payload()
    {
        var (signer, verifier) = CreateSignerAndVerifier();
        var originalRequest = new SignRequest(Encoding.UTF8.GetBytes(Payload), ContentType);
        var signature = await signer.SignAsync(originalRequest);

        // Same content type, different payload bytes: only the signed body changes.
        var tamperedJson = Payload + "-tampered";
        var tamperedRequest = new SignRequest(Encoding.UTF8.GetBytes(tamperedJson), ContentType);
        var outcome = await verifier.VerifyAsync(tamperedRequest, signature);

        outcome.IsValid.Should().BeFalse();
        // The exact reason text is pinned. Presumably the verifier reports one combined
        // reason for signature and time failures; confirm against HmacVerifier.
        outcome.Reason.Should().Be("signature or time invalid");
    }
}