tests: Improve verify_delegate() tests

Make sure verify_delegate() succeeds when threshold is reached even if some signatures fail to verify. Make sure higher threshold (2/2) works. Change error type for "Call is valid only on delegator metadata" error. Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
theupdateframework · Jun 17, 2021 · 1e54bed · 1e54bed
1 parent 80014aa
commit 1e54bed
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -51,7 +51,8 @@
 )
 
 from securesystemslib.signer import (
-    SSlibSigner
+    SSlibSigner,
+    Signature
 )
 
 logger = logging.getLogger(__name__)
@@ -381,7 +382,7 @@ def test_metadata_verify_delegate(self):
         role1.verify_delegate('role2', role2)
 
         # only root and targets can verify delegates
-        with self.assertRaises(ValueError):
+        with self.assertRaises(TypeError):
             snapshot.verify_delegate('snapshot', snapshot)
         # verify fails for roles that are not delegated by delegator
         with self.assertRaises(ValueError):
@@ -400,12 +401,25 @@ def test_metadata_verify_delegate(self):
         with self.assertRaises(exceptions.UnsignedMetadataError):
             root.verify_delegate('timestamp', snapshot)
 
+        # Add a key to snapshot role, make sure the new sig fails to verify
+        ts_keyid = next(iter(root.signed.roles["timestamp"].keyids))
+        root.signed.add_key("snapshot", root.signed.keys[ts_keyid])
+        snapshot.signatures[ts_keyid] = Signature(ts_keyid, "ff"*64)
+
+        # verify succeeds if threshold is reached even if some signatures
+        # fail to verify
+        root.verify_delegate('snapshot', snapshot)
+
         # verify fails if threshold of signatures is not reached
         root.signed.roles['snapshot'].threshold = 2
         with self.assertRaises(exceptions.UnsignedMetadataError):
             root.verify_delegate('snapshot', snapshot)
 
-        # TODO test successful verify with higher thresholds
+        # verify succeeds when we correct the new signature and reach the
+        # threshold of 2 keys
+        snapshot.sign(SSlibSigner(self.keystore['timestamp']), append=True)
+        root.verify_delegate('snapshot', snapshot)
+
 
     def test_key_class(self):
         keys = {

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -305,7 +305,7 @@ def verify_delegate(
                 roles = self.signed.delegations.roles
                 role = next((r for r in roles if r.name == role_name), None)
         else:
-            raise ValueError("Call is valid only on delegator metadata")
+            raise TypeError("Call is valid only on delegator metadata")
 
         if role is None:
             raise ValueError(f"No delegation found for {role_name}")