Prevents delegate role name as top-level role name

This commit adds the validation in the ``metadata.Delegations``
to prevent that one of the delegate role names given is a top-level
role name.

A ``ValueError`` will be raised if one of the roles names in the
list given to as delegated contains the role name as one of the
top-level roles.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
This commit is contained in:
Kairo de Araujo 2021-11-22 16:33:06 +01:00
parent 1b5df4ccfe
commit f5bf6b0784
2 changed files with 43 additions and 0 deletions

View file

@ -360,6 +360,43 @@ def test_delegation_serialization(self, test_case_data: str):
delegation = Delegations.from_dict(copy.deepcopy(case_dict))
self.assertDictEqual(case_dict, delegation.to_dict())
valid_delegations: utils.DataSet = {
"using root as delegate role name": '{"keys": { \
"keyid1" : {"keytype": "rsa", "scheme": "rsassa-pss-sha256", "keyval": {"public": "foo"}}}, \
"roles": [ \
{"keyids": ["keyid"], "name": "root", "terminating": true, "paths": ["fn1"], "threshold": 3}] \
}',
"using snapshot as delegate role name": '{"keys": { \
"keyid1" : {"keytype": "rsa", "scheme": "rsassa-pss-sha256", "keyval": {"public": "foo"}}}, \
"roles": [ \
{"keyids": ["keyid"], "name": "snapshot", "terminating": true, "paths": ["fn1"], "threshold": 3}] \
}',
"using targets as delegate role name": '{"keys": { \
"keyid1" : {"keytype": "rsa", "scheme": "rsassa-pss-sha256", "keyval": {"public": "foo"}}}, \
"roles": [ \
{"keyids": ["keyid"], "name": "targets", "terminating": true, "paths": ["fn1"], "threshold": 3}] \
}',
"using timestamp as delegate role name": '{"keys": { \
"keyid1" : {"keytype": "rsa", "scheme": "rsassa-pss-sha256", "keyval": {"public": "foo"}}}, \
"roles": [ \
{"keyids": ["keyid"], "name": "root", "terminating": true, "paths": ["fn1"], "threshold": 3}] \
}',
"using valid and top-level role name": '{"keys": { \
"keyid1" : {"keytype": "rsa", "scheme": "rsassa-pss-sha256", "keyval": {"public": "foo"}}, \
"keyid2" : {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "bar"}}}, \
"roles": [ \
{"keyids": ["keyid"], "name": "b", "terminating": true, "paths": ["fn1"], "threshold": 3}, \
{"keyids": ["keyid2"], "name": "root", "terminating": true, "paths": ["fn2"], "threshold": 4} ] \
}',
}
@utils.run_sub_tests_with_dataset(valid_delegations)
def test_delegation_top_role_names(self, test_case_data: str):
case_dict = json.loads(test_case_data)
with self.assertRaises(ValueError):
Delegations.from_dict(copy.deepcopy(case_dict))
invalid_targetfiles: utils.DataSet = {
"no hashes": '{"length": 1}',
"no length": '{"hashes": {"sha256": "abc"}}'

View file

@ -1213,6 +1213,12 @@ def __init__(
unrecognized_fields: Optional[Mapping[str, Any]] = None,
):
self.keys = keys
if [role for role in set(roles) if role in TOP_LEVEL_ROLE_NAMES]:
raise ValueError(
"A delegated role can not use top-level role names ("
f"{', '.join(TOP_LEVEL_ROLE_NAMES)})"
)
self.roles = roles
self.unrecognized_fields = unrecognized_fields or {}