Test _visit_child_roles

2026-05-24 10:08:28 +00:00 · 2017-08-03 10:10:33 -04:00 · 2017-08-03 10:10:33 -04:00 · 508c092ec7
commit 508c092ec7
parent 2cacdc4a8c
2 changed files with 30 additions and 16 deletions
--- a/tests/test_updater.py
+++ b/tests/test_updater.py
@ -1458,22 +1458,41 @@ def test_10__visit_child_role(self):
    # 'path_hash_prefixes', and if both are missing.

    targets_role = self.repository_updater.metadata['current']['targets']
+    targets_role['delegations']['roles'][0]['paths'] = ['/*.txt']
+    self.repository_updater._load_metadata_from_file('current', 'role1')
+    role1 = self.repository_updater.metadata['current']['role1']
+    child_role = role1['delegations']['roles'][0]
+    child_role['paths'] = ['/target.exe']

-    child_role = targets_role['delegations']['roles'][0]
+    '''
    self.assertEqual(self.repository_updater._visit_child_role(child_role,
                     '/file3.txt', targets_role['delegations']), child_role['name'])

    # Test path hash prefixes.
+    print('attempting test for path hash prefix')
    child_role['path_hash_prefixes'] = ['8baf', '0000']
    self.assertEqual(self.repository_updater._visit_child_role(child_role,
                     '/file3.txt', targets_role['delegations']), child_role['name'])

-    # Test if both 'path' and 'path_hash_prefixes' is missing.
+    '''
+    # Test for forbidden target.
+    print('attempting test for forbidden target')
+    print('child role: ' + repr(child_role))
+    self.repository_updater._visit_child_role(child_role,
+        '/target.exe', targets_role['delegations'])
+
+    '''
+    # Test if unequal path_hash_prefixes are skipped.
+    child_role['path_hash_prefixes'] = ['bad', 'bad']
+    self.assertEqual(None, self.repository_updater._visit_child_role(child_role,
+        '/file3.txt', targets_role['delegations']))
+
+    # Test if both 'path' and 'path_hash_prefixes' are missing.
    del child_role['paths']
    del child_role['path_hash_prefixes']
    self.assertRaises(securesystemslib.exceptions.FormatError, self.repository_updater._visit_child_role,
                      child_role, targets_role['delegations'], child_role['name'])
-
+    '''


  def test_11__verify_uncompressed_metadata_file(self):
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@ -2523,6 +2523,7 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations):
    # the target with the name 'target_filepath'.
    child_role_is_relevant = False

+    print('child_role_paths: ' + repr(child_role_paths))
    if child_role_path_hash_prefixes is not None:
      target_filepath_hash = self._get_target_hash(target_filepath)
      for child_role_path_hash_prefix in child_role_path_hash_prefixes:
@ -2538,10 +2539,14 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations):
        # shell-style wildcards).  The child role 'child_role_name' is added if
        # 'target_filepath' is equal or matches 'child_role_path'.  Explicit
        # filepaths are also added.
+        print('Checking if path is relevant: ' + repr(target_filepath))
+        print('child_role_path: ' + repr(child_role_path))
        if fnmatch.fnmatch(target_filepath, child_role_path):
+          print('child role is relevant')
          child_role_is_relevant = True

        else:
+          print('path is relevant: ' + repr(target_filepath))
          logger.debug('Target path' + repr(target_filepath) + ' does not'
            ' match child role path ' + repr(child_role_path))

@ -2549,28 +2554,18 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations):
      # 'role_name' should have been validated when it was downloaded.
      # The 'paths' or 'path_hash_prefixes' fields should not be missing,
      # so we raise a format error here in case they are both missing.
+      print('neither')
      raise securesystemslib.exceptions.FormatError(repr(child_role_name) + ' has neither '
                                '"paths" nor "path_hash_prefixes".')

    if child_role_is_relevant:
-      # Is the child role allowed by its parent role to specify this path
-      # in its metadata?
-      try:
-        securesystemslib.util.ensure_all_targets_allowed(child_role_name,
-          [target_filepath], parent_delegations)
-
-      except tuf.exceptions.ForbiddenTargetError:
-        logger.debug('Child role ' + repr(child_role_name) + ' has target ' + \
-                     repr(target_filepath) + ', but is not allowed to sign for'
-                     ' it according to its delegating role.')
-        return None
-
-      else:
+        print('child role is relevant')
        logger.debug('Child role ' + repr(child_role_name) + ' has target ' + \
                     repr(target_filepath))
        return child_role_name

    else:
+      print('child role does not have target')
      logger.debug('Child role ' + repr(child_role_name) + \
                   ' does not have target ' + repr(target_filepath))
      return None