From 508c092ec7d3687af35e8dafae9ff07223a4471a Mon Sep 17 00:00:00 2001
From: Vladimir Diaz
Date: Thu, 3 Aug 2017 10:10:33 -0400
Subject: [PATCH] Test _visit_child_roles
---
 tests/test_updater.py | 25 ++++++++++++++++++++++---
 tuf/client/updater.py | 21 ++++++++-------------
 2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/tests/test_updater.py b/tests/test_updater.py
index 09d03bd6..605e1435 100755
--- a/tests/test_updater.py
+++ b/tests/test_updater.py
@@ -1458,22 +1458,41 @@ def test_10__visit_child_role(self): # 'path_hash_prefixes', and if both are missing. targets_role = self.repository_updater.metadata['current']['targets'] + targets_role['delegations']['roles'][0]['paths'] = ['/*.txt'] + self.repository_updater._load_metadata_from_file('current', 'role1') + role1 = self.repository_updater.metadata['current']['role1'] + child_role = role1['delegations']['roles'][0] + child_role['paths'] = ['/target.exe'] - child_role = targets_role['delegations']['roles'][0] + ''' self.assertEqual(self.repository_updater._visit_child_role(child_role, '/file3.txt', targets_role['delegations']), child_role['name']) # Test path hash prefixes. + print('attempting test for path hash prefix') child_role['path_hash_prefixes'] = ['8baf', '0000'] self.assertEqual(self.repository_updater._visit_child_role(child_role, '/file3.txt', targets_role['delegations']), child_role['name']) - # Test if both 'path' and 'path_hash_prefixes' is missing. + ''' + # Test for forbidden target. + print('attempting test for forbidden target') + print('child role: ' + repr(child_role)) + self.repository_updater._visit_child_role(child_role, + '/target.exe', targets_role['delegations']) + + ''' + # Test if unequal path_hash_prefixes are skipped. + child_role['path_hash_prefixes'] = ['bad', 'bad'] + self.assertEqual(None, self.repository_updater._visit_child_role(child_role, + '/file3.txt', targets_role['delegations'])) + + # Test if both 'path' and 'path_hash_prefixes' are missing. del child_role['paths'] del child_role['path_hash_prefixes'] self.assertRaises(securesystemslib.exceptions.FormatError, self.repository_updater._visit_child_role, child_role, targets_role['delegations'], child_role['name']) - + ''' def test_11__verify_uncompressed_metadata_file(self): diff --git a/tuf/client/updater.py b/tuf/client/updater.py index ecf79df2..ee011a0d 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py 
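Review bot: The new "forbidden target" case calls `_visit_child_role(child_role, '/target.exe', targets_role['delegations'])` without asserting on the result, and every other assertion visible in this hunk is now wrapped in `'''` string literals, so the test passes whatever the delegation check does. The expected outcome should be pinned, e.g. `self.assertEqual(None, self.repository_updater._visit_child_role(child_role, '/target.exe', targets_role['delegations']))` if a forbidden path is meant to be rejected. `child_role` is read from `role1['delegations']` while the parent passed in is `targets_role['delegations']`; if that mismatch is the scenario under test, a comment should say so. The `print` calls are debugging output and would be better dropped before merge; test_10 begins outside the hunk.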
@@ -2523,6 +2523,7 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations): # the target with the name 'target_filepath'. child_role_is_relevant = False + print('child_role_paths: ' + repr(child_role_paths)) if child_role_path_hash_prefixes is not None: target_filepath_hash = self._get_target_hash(target_filepath) for child_role_path_hash_prefix in child_role_path_hash_prefixes: @@ -2538,10 +2539,14 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations): # shell-style wildcards). The child role 'child_role_name' is added if # 'target_filepath' is equal or matches 'child_role_path'. Explicit # filepaths are also added. + print('Checking if path is relevant: ' + repr(target_filepath)) + print('child_role_path: ' + repr(child_role_path)) if fnmatch.fnmatch(target_filepath, child_role_path): + print('child role is relevant') child_role_is_relevant = True else: + print('path is relevant: ' + repr(target_filepath)) logger.debug('Target path' + repr(target_filepath) + ' does not' ' match child role path ' + repr(child_role_path)) 
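Review bot: The added `print('child_role_paths: ' + repr(child_role_paths))` writes delegation data to stdout on every call of a library method that otherwise reports through `logger`; the same holds for the `print` calls added in the later hunks of this file. An application embedding the updater cannot filter or redirect that output through its logging configuration. I would replace each with the existing pattern, e.g. `logger.debug('child_role_paths: ' + repr(child_role_paths))`, or drop them before merge. `_visit_child_role` begins and ends outside this hunk.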
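Review bot: The `print('path is relevant: ' + repr(target_filepath))` added under `else:` runs when `fnmatch.fnmatch(target_filepath, child_role_path)` returned false, so it reports the opposite of the `logger.debug` message that follows it. If the trace line is kept it should read `logger.debug('path is not relevant: ' + repr(target_filepath))`, though the existing debug message already covers this case. The loop this branch sits in starts outside the hunk.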
@@ -2549,28 +2554,18 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations): # 'role_name' should have been validated when it was downloaded. # The 'paths' or 'path_hash_prefixes' fields should not be missing, # so we raise a format error here in case they are both missing. + print('neither') raise securesystemslib.exceptions.FormatError(repr(child_role_name) + ' has neither ' '"paths" nor "path_hash_prefixes".') if child_role_is_relevant: - # Is the child role allowed by its parent role to specify this path - # in its metadata? - try: - securesystemslib.util.ensure_all_targets_allowed(child_role_name, - [target_filepath], parent_delegations) - - except tuf.exceptions.ForbiddenTargetError: - logger.debug('Child role ' + repr(child_role_name) + ' has target ' + \ - repr(target_filepath) + ', but is not allowed to sign for' - ' it according to its delegating role.') - return None - - else: + print('child role is relevant') logger.debug('Child role ' + repr(child_role_name) + ' has target ' + \ repr(target_filepath)) return child_role_name else: + print('child role does not have target') logger.debug('Child role ' + repr(child_role_name) + \ ' does not have target ' + repr(target_filepath)) return None
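Review bot: With the `try`/`except tuf.exceptions.ForbiddenTargetError` block removed, `parent_delegations` is no longer consulted in the visible lines, so `_visit_child_role` returns `child_role_name` on the strength of `child_role`'s own `paths`/`path_hash_prefixes` match alone. That is only safe if every caller passes a `child_role` entry taken from the delegating role's verified metadata; the callers are outside this hunk, so this should be confirmed, and the accompanying test pairs a `child_role` from `role1` with `targets_role['delegations']`, which that assumption does not cover. Either keep the `securesystemslib.util.ensure_all_targets_allowed(child_role_name, [target_filepath], parent_delegations)` call, or state the precondition above `if child_role_is_relevant:`, e.g. `# 'child_role' must be an entry of 'parent_delegations'; its paths are the parent's restriction.`. The function starts outside the hunk.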