test_verify_capability.py
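"""Tests for capability-based verification (Phase 2).

Most tests here go through the ``Auths`` client methods; the last one only
checks that the bare capability functions can be imported from
``auths.verify``. No git registry is needed, just attestation JSON and
public keys.

Scope note: every call below passes an empty attestation (``"{}"``) together
with a malformed key (``"bad-hex"``), so only the rejection path for invalid
input is exercised. Nothing here shows that a well-formed, correctly signed
attestation is rejected when it lacks the required capability, or accepted
when it has it; those cases need real fixtures.
"""

import json

import pytest

from auths import Auths

# Fixed 64-hex-character placeholder; not referenced by the tests in this file.
TEST_SEED_HEX = "a" * 64


def _assert_rejected(call, **kwargs):
    """Invoke ``call(**kwargs)`` and require a verification-style failure.

    ``pytest.raises(Exception)`` alone is also satisfied by the ``TypeError``
    Python raises when a keyword such as ``required_capability`` is not part
    of the signature, which would let these tests pass without the parameter
    being supported at all. That case is ruled out explicitly.

    NOTE(review): the concrete exception type raised by ``auths`` is not
    visible from this file; once known, narrow ``Exception`` to it.
    """
    with pytest.raises(Exception) as excinfo:
        call(**kwargs)
    assert not isinstance(excinfo.value, TypeError), (
        f"call failed on its arguments, not on verification: {excinfo.value!r}"
    )


def test_verify_without_capability_backwards_compat():
    """Calling verify without required_capability still rejects bad input."""
    _assert_rejected(
        Auths().verify,
        attestation_json="{}",
        issuer_key="bad-hex",
    )


def test_verify_with_capability_invalid_attestation():
    """Invalid attestation should still fail even with capability param."""
    _assert_rejected(
        Auths().verify,
        attestation_json="{}",
        issuer_key="bad-hex",
        required_capability="sign_commit",
    )


def test_verify_chain_without_capability_backwards_compat():
    """Calling verify_chain without required_capability still rejects bad input."""
    _assert_rejected(
        Auths().verify_chain,
        attestations=["{}"],
        root_key="bad-hex",
    )


def test_verify_chain_with_capability_invalid_attestation():
    """Invalid chain should still fail even with capability param."""
    _assert_rejected(
        Auths().verify_chain,
        attestations=["{}"],
        root_key="bad-hex",
        required_capability="sign_commit",
    )


def test_bare_function_imports():
    """The capability functions should be importable from auths.verify."""
    from auths.verify import (
        verify_attestation_with_capability,
        verify_chain_with_capability,
    )

    # A failed import already raises; checking callability additionally
    # catches a name that resolves to a non-function placeholder.
    assert callable(verify_attestation_with_capability)
    assert callable(verify_chain_with_capability)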