ngclient,tests,examples: Use new verify_delegate()

jku · jku · commit ec09778d75f2 · 2023-05-05T10:22:16.000+03:00
Avoid Metadata.verify_delegate() now that it's deprecated.

Note that this commit does not try to make any code cleanups
that are now possible: this is the minimal change to use the new
API.

Future improvements can make code in TrustedMetadataSet and
Updater slightly easier to read: as an example there's no need for
TrustedMetadataSet to actually store or expose actual Metadata in its
cache -- Signed is all that's needed.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/examples/repository/_simplerepo.py b/examples/repository/_simplerepo.py
@@ -177,8 +177,7 @@ def submit_role(self, role: str, data: bytes) -> bool:
                 if not targetpath.startswith(f"{role}/"):
                     raise ValueError(f"targets allowed under {role}/ only")
 
-            targets_md = self.open("targets")
-            targets_md.verify_delegate(role, md)
+            self.targets().verify_delegate(role, md)
 
             if md.signed.version != self.targets(role).version + 1:
                 raise ValueError("Invalid version {md.signed.version}")
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -345,44 +345,83 @@ def test_metadata_verify_delegate(self) -> None:
         with self.assertRaises(ValueError):
             role2.verify_delegate("role1", role1)
 
+    # pylint: disable=too-many-locals,too-many-statements
+    def test_signed_verify_delegate(self) -> None:
+        root_path = os.path.join(self.repo_dir, "metadata", "root.json")
+        root_md = Metadata[Root].from_file(root_path)
+        root = root_md.signed
+        snapshot_path = os.path.join(self.repo_dir, "metadata", "snapshot.json")
+        snapshot_md = Metadata[Snapshot].from_file(snapshot_path)
+        snapshot = snapshot_md.signed
+        targets_path = os.path.join(self.repo_dir, "metadata", "targets.json")
+        targets_md = Metadata[Targets].from_file(targets_path)
+        targets = targets_md.signed
+        role1_path = os.path.join(self.repo_dir, "metadata", "role1.json")
+        role1_md = Metadata[Targets].from_file(role1_path)
+        role1 = role1_md.signed
+        role2_path = os.path.join(self.repo_dir, "metadata", "role2.json")
+        role2_md = Metadata[Targets].from_file(role2_path)
+        role2 = role2_md.signed
+
+        # test the expected delegation tree
+        root.verify_delegate(Root.type, root_md)
+        root.verify_delegate(Snapshot.type, snapshot_md)
+        root.verify_delegate(Targets.type, targets_md)
+        targets.verify_delegate("role1", role1_md)
+        role1.verify_delegate("role2", role2_md)
+
+        # only root and targets can verify delegates
+        with self.assertRaises(AttributeError):
+            snapshot.verify_delegate(Snapshot.type, snapshot_md)
+        # verify fails for roles that are not delegated by delegator
+        with self.assertRaises(ValueError):
+            root.verify_delegate("role1", role1_md)
+        with self.assertRaises(ValueError):
+            targets.verify_delegate(Targets.type, targets_md)
+        # verify fails when delegator has no delegations
+        with self.assertRaises(ValueError):
+            role2.verify_delegate("role1", role1_md)
+
         # verify fails when delegate content is modified
-        expires = snapshot.signed.expires
-        snapshot.signed.expires = expires + timedelta(days=1)
+        expires = snapshot.expires
+        snapshot.expires = expires + timedelta(days=1)
         with self.assertRaises(exceptions.UnsignedMetadataError):
-            root.verify_delegate(Snapshot.type, snapshot)
-        snapshot.signed.expires = expires
+            root.verify_delegate(Snapshot.type, snapshot_md)
+        snapshot.expires = expires
 
         # verify fails if sslib verify fails with VerificationError
         # (in this case signature is malformed)
-        keyid = next(iter(root.signed.roles[Snapshot.type].keyids))
-        good_sig = snapshot.signatures[keyid].signature
-        snapshot.signatures[keyid].signature = "foo"
+        keyid = next(iter(root.roles[Snapshot.type].keyids))
+        good_sig = snapshot_md.signatures[keyid].signature
+        snapshot_md.signatures[keyid].signature = "foo"
         with self.assertRaises(exceptions.UnsignedMetadataError):
-            root.verify_delegate(Snapshot.type, snapshot)
-        snapshot.signatures[keyid].signature = good_sig
+            root.verify_delegate(Snapshot.type, snapshot_md)
+        snapshot_md.signatures[keyid].signature = good_sig
 
         # verify fails if roles keys do not sign the metadata
         with self.assertRaises(exceptions.UnsignedMetadataError):
-            root.verify_delegate(Timestamp.type, snapshot)
+            root.verify_delegate(Timestamp.type, snapshot_md)
 
         # Add a key to snapshot role, make sure the new sig fails to verify
-        ts_keyid = next(iter(root.signed.roles[Timestamp.type].keyids))
-        root.signed.add_key(root.signed.keys[ts_keyid], Snapshot.type)
-        snapshot.signatures[ts_keyid] = Signature(ts_keyid, "ff" * 64)
+        ts_keyid = next(iter(root.roles[Timestamp.type].keyids))
+        root.add_key(root.keys[ts_keyid], Snapshot.type)
+        snapshot_md.signatures[ts_keyid] = Signature(ts_keyid, "ff" * 64)
 
         # verify succeeds if threshold is reached even if some signatures
         # fail to verify
-        root.verify_delegate(Snapshot.type, snapshot)
+        root.verify_delegate(Snapshot.type, snapshot_md)
 
         # verify fails if threshold of signatures is not reached
-        root.signed.roles[Snapshot.type].threshold = 2
+        root.roles[Snapshot.type].threshold = 2
         with self.assertRaises(exceptions.UnsignedMetadataError):
-            root.verify_delegate(Snapshot.type, snapshot)
+            root.verify_delegate(Snapshot.type, snapshot_md)
 
         # verify succeeds when we correct the new signature and reach the
         # threshold of 2 keys
-        snapshot.sign(SSlibSigner(self.keystore[Timestamp.type]), append=True)
-        root.verify_delegate(Snapshot.type, snapshot)
+        snapshot_md.sign(
+            SSlibSigner(self.keystore[Timestamp.type]), append=True
+        )
+        root.verify_delegate(Snapshot.type, snapshot_md)
 
     def test_key_class(self) -> None:
         # Test if from_securesystemslib_key removes the private key from keyval
diff --git a/tuf/ngclient/_internal/trusted_metadata_set.py b/tuf/ngclient/_internal/trusted_metadata_set.py
@@ -161,7 +161,7 @@ def update_root(self, data: bytes) -> Metadata[Root]:
             )
 
         # Verify that new root is signed by trusted root
-        self.root.verify_delegate(Root.type, new_root)
+        self.root.signed.verify_delegate(Root.type, new_root)
 
         if new_root.signed.version != self.root.signed.version + 1:
             raise exceptions.BadVersionNumberError(
@@ -170,7 +170,7 @@ def update_root(self, data: bytes) -> Metadata[Root]:
             )
 
         # Verify that new root is signed by itself
-        new_root.verify_delegate(Root.type, new_root)
+        new_root.signed.verify_delegate(Root.type, new_root)
 
         self._trusted_set[Root.type] = new_root
         logger.debug("Updated root v%d", new_root.signed.version)
@@ -215,7 +215,7 @@ def update_timestamp(self, data: bytes) -> Metadata[Timestamp]:
                 f"Expected 'timestamp', got '{new_timestamp.signed.type}'"
             )
 
-        self.root.verify_delegate(Timestamp.type, new_timestamp)
+        self.root.signed.verify_delegate(Timestamp.type, new_timestamp)
 
         # If an existing trusted timestamp is updated,
         # check for a rollback attack
@@ -310,7 +310,7 @@ def update_snapshot(
                 f"Expected 'snapshot', got '{new_snapshot.signed.type}'"
             )
 
-        self.root.verify_delegate(Snapshot.type, new_snapshot)
+        self.root.signed.verify_delegate(Snapshot.type, new_snapshot)
 
         # version not checked against meta version to allow old snapshot to be
         # used in rollback protection: it is checked when targets is updated
@@ -418,7 +418,7 @@ def update_delegated_targets(
                 f"Expected 'targets', got '{new_delegate.signed.type}'"
             )
 
-        delegator.verify_delegate(role_name, new_delegate)
+        delegator.signed.verify_delegate(role_name, new_delegate)
 
         version = new_delegate.signed.version
         if version != meta.version:
@@ -447,7 +447,7 @@ def _load_trusted_root(self, data: bytes) -> None:
                 f"Expected 'root', got '{new_root.signed.type}'"
             )
 
-        new_root.verify_delegate(Root.type, new_root)
+        new_root.signed.verify_delegate(Root.type, new_root)
 
         self._trusted_set[Root.type] = new_root
         logger.debug("Loaded trusted root v%d", new_root.signed.version)
