def test_invalid_delegated_role_serialization(self, test_case_data: str):
    """Check that a malformed delegated-role dict is rejected on load.

    ``test_case_data`` is a JSON document describing one delegated role.
    Deserializing it must raise ``ValueError`` instead of producing a
    ``DelegatedRole`` object.
    """
    # from_dict receives a shallow copy of the parsed test case.
    malformed_role = copy.copy(json.loads(test_case_data))
    self.assertRaises(ValueError, DelegatedRole.from_dict, malformed_role)
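def test_targets_key_api(self) -> None:
    """Exercise ``Targets.add_key`` / ``Targets.revoke_key`` on delegated roles.

    Covered cases: the old ``(role, key)`` argument order is rejected, a key
    can be added to an existing role, re-adding the same key changes nothing,
    unknown role names are rejected, a key is revoked per role while another
    role keeps it, revoking a key the role does not hold is rejected, and
    both calls fail (leaving ``delegations`` as ``None``) when the metadata
    has no delegations at all.
    """
    targets_path = os.path.join(self.repo_dir, "metadata", "targets.json")
    targets: Targets = Metadata[Targets].from_file(targets_path).signed

    # Add a new delegated role "role2" in targets. It starts with an empty
    # keyids list and a threshold of 1.
    delegated_role = DelegatedRole.from_dict(
        {
            "keyids": [],
            "name": "role2",
            "paths": ["fn3", "fn4"],
            "terminating": False,
            "threshold": 1,
        }
    )
    # Plain asserts kept as in the original: they also narrow the Optional
    # types for the static type checker before the subscript below.
    assert isinstance(targets.delegations, Delegations)
    assert isinstance(targets.delegations.roles, Dict)
    targets.delegations.roles["role2"] = delegated_role

    key_dict = {
        "keytype": "ed25519",
        "keyval": {
            "public": "edcd0a32a07dce33f7c7873aaffbff36d20ea30787574ead335eefd337e4dacd"
        },
        "scheme": "ed25519",
    }
    key = Key.from_dict("id2", key_dict)

    # Assert that add_key with the old argument order raises an error, so a
    # caller written against the old signature fails loudly instead of
    # silently changing which key a role trusts.
    with self.assertRaises(ValueError):
        targets.add_key("role1", key)  # type: ignore

    # Assert that delegated role "role1" does not contain the new key
    self.assertNotIn(key.keyid, targets.delegations.roles["role1"].keyids)
    targets.add_key(key, "role1")

    # Assert that the new key is added to the delegated role "role1"
    self.assertIn(key.keyid, targets.delegations.roles["role1"].keyids)

    # Confirm that the newly added key does not break the obj serialization
    targets.to_dict()

    # Try adding the same key again and assert it is ignored.
    past_keyid = targets.delegations.roles["role1"].keyids.copy()
    targets.add_key(key, "role1")
    self.assertEqual(past_keyid, targets.delegations.roles["role1"].keyids)

    # Try adding a key to a delegated role that doesn't exist
    with self.assertRaises(ValueError):
        targets.add_key(key, "nosuchrole")

    # Add the same key to "role2" as well
    targets.add_key(key, "role2")

    # Remove the key from "role1" role ("role2" still uses it)
    targets.revoke_key(key.keyid, "role1")

    # Assert that delegated role "role1" doesn't contain the key, while
    # "role2" still does: revocation must be scoped to the named role.
    self.assertNotIn(key.keyid, targets.delegations.roles["role1"].keyids)
    self.assertIn(key.keyid, targets.delegations.roles["role2"].keyids)

    # Remove the key from "role2" as well
    targets.revoke_key(key.keyid, "role2")
    self.assertNotIn(key.keyid, targets.delegations.roles["role2"].keyids)

    # Try to remove a key not used by "role1"
    with self.assertRaises(ValueError):
        targets.revoke_key(key.keyid, "role1")

    # Try removing a key from a delegated role that doesn't exist
    with self.assertRaises(ValueError):
        targets.revoke_key(key.keyid, "nosuchrole")

    # Remove delegations as a whole
    targets.delegations = None

    # Test that calling add_key and revoke_key throws an error
    # and that delegations is still None after each of the api calls.
    # assertIsNone reports the unexpected value on failure, unlike
    # assertTrue(x is None), which only reports "False is not true".
    with self.assertRaises(ValueError):
        targets.add_key(key, "role1")
    self.assertIsNone(targets.delegations)
    with self.assertRaises(ValueError):
        targets.revoke_key(key.keyid, "role1")
    self.assertIsNone(targets.delegations)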
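def test_delegated_role_serialization(self, test_case_data: str):
    """Round-trip a valid delegated role through ``from_dict`` / ``to_dict``.

    ``test_case_data`` is a JSON document describing one delegated role.
    The dict produced by ``to_dict`` must equal the parsed input.
    """
    case_dict = json.loads(test_case_data)
    # Give from_dict a deep copy. A shallow copy shares the nested lists and
    # dicts with case_dict, so if deserialization (or the role object)
    # changed one of them in place, the expected value would change with it
    # and the comparison below could not detect the mutation.
    deserialized_role = DelegatedRole.from_dict(copy.deepcopy(case_dict))
    self.assertDictEqual(case_dict, deserialized_role.to_dict())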