These aid in the roledb rewrite to start to address Issue #660.

Also add two minor TODOs.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

- Rename and alter some schemas that really address delegations,
to make that clear.
- Do away with the ROLEDB_SCHEMA, an intermediate metadata format
that is not necessary and which incorrectly flattens the delegation
graph, and similar schemas.
- Rewrite getters/setters in roledb to respect the delegation
graph rather than assuming that delegated targets roles have only
one delegation pointing to them (see Issue #660).
- Add a variety of TODOs for later.
- Clarify docstrings as a result of the above.

reinterpreting metadata

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

This is mid-development, but I'm pushing it so that Aditya can see
where things are and the general shape of things.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Warn folks about the larger structures being near the end,
make description a bit more readable, highlight matches() and
check_match() funcs, emphasize that this module defines the
data structures / formats used.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

- remove re-definition of rolename_schema
- use securesystemslib.formats.PATH_SCHEMA for all paths, rather
  than using RELPATH_SCHEMA, which implies a distinction that
  we do not actually make, and checks we do not actually perform.
- use INTEGER_NATURAL_SCHEMA for lengths and metadata versions

Excludes fileinfo-related adjustments of the above, as those will
follow in a separate fileinfo-specific commit.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

The misleadingly-named ROLE_SCHEMA was renamed to SIGNING_SCHEMA,
but I'm now making it SIGNERS_SCHEMA, which I think is clearer.

I also added an example.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Failed to include key and value definitions.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

In TUF, we store information about files in a variety of ways.
Sometimes, versions are used, and sometimes length and hashes are required.
So FILEINFO_SCHEMA will match any of these three new schemas:
FILEINFO_IN_TIMESTAMP_SCHEMA, FILEINFO_IN_SNAPSHOT_SCHEMA,
and FILEINFO_IN_TARGETS_SCHEMA.

This should be more intuitive than the former mess, I think.

I also renamed TARGETINFO to LABELED_FILEINFO_SCHEMA, with an
explanation.  I hope that proves more intuitive as well.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

It'll now be a public function used by other modules (tuf.sig),
so make it public and improve the name (takes a rolename, not a
role):  roledb.is_top_level_rolename().

Also bugfix it to handle casing issues.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

It previously included information that wasn't really appropriate
at this level of the code (about the project as a whole).

Add short summary and list the two public functions with short
explanations.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

- get_signature_status() and verify() will expect EITHER:
    - keyids AND threshold
    - a rolename
  never both.  A rolename can be used in place of keyids
  and threshold only for top-level roles, and keyids and
  threshold will then be drawn from currently trusted
  Root metadata.  See comments in the code for more.
  This includes making rolename an optional argument.
  Now uses tuf.roledb.is_top_level_rolename.
- renamed "role" argument to "rolename", which is more
  correct (since the actual role metadata is another
  argument...)
- Pulled the elaborate argument validation and the
  retrieval of keyids and threshold from Root metadata
  into a separate function:
    _determine_keyids_and_threshold_to_use
- perform retrieval of keyids and threshold only from
  Root metadata, for top-level roles (part of #660)
- removed unused generate_rsa_signature
- cleaned up the structure of get_signature_status() a bit

Tests will break and require fixes.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

The keyids and threshold retrieval are already performed above now,
so this lingering threshold retrieval is no longer needed.  Move
the comment about errors it would raise to where that actually
would happen now (and refine comment given new functionality).

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

tuf.sig.generate_rsa_signature and tuf.sig.may_need_new_keys
were not necessary and were deleted.  This commit removes their
tests.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Explain the test conditions.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

…hanges

An error that is raised if someone tries to query a delegation
that shouldn't exist (root to a delegated targets role or a
delegated targets role to root, say) previously only described
one direction, leading to misleading error messages.  It now
explains both possible causes of the error.

Also removes a pdb.set_trace() left over from prior revisions.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Two functions now exist to replace _test_rolename (which was a bit
of a misleading name), and these are now used to perform argument
testing for roledb functions that query a single role or query
information about a delegation from one role to another role.

In addition, tests for roledb.get_delegated_paths were also
updated, duplicating some of the above for reasons explained in
code comments.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>