From c127b6b5a38744882216cececef77b5e8cc335fa Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Mon, 30 Aug 2021 14:28:34 +0300 Subject: [PATCH 1/2] tests: Improve add_key/remove_key API tests Make sure key is not removed from root.signed.keys on remove_key() if another role is still using the key. Signed-off-by: Jussi Kukkonen --- tests/test_api.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tests/test_api.py b/tests/test_api.py index 10bf1885c6..2042c7fdfc 100755 --- a/tests/test_api.py +++ b/tests/test_api.py @@ -431,16 +431,14 @@ def test_key_class(self): self.assertFalse('private' in key.keyval.keys()) - def test_metadata_root(self): + def test_root_add_key_and_remove_key(self): root_path = os.path.join( self.repo_dir, 'metadata', 'root.json') root = Metadata[Root].from_file(root_path) - # Add a second key to root role + # Create a new key root_key2 = import_ed25519_publickey_from_file( os.path.join(self.keystore_dir, 'root_key2.pub')) - - keyid = root_key2['keyid'] key_metadata = Key(keyid, root_key2['keytype'], root_key2['scheme'], root_key2['keyval']) @@ -465,11 +463,17 @@ def test_metadata_root(self): root.signed.add_key('root', key_metadata) self.assertEqual(pre_add_keyid, root.signed.roles['root'].keyids) - # Remove the key - root.signed.remove_key('root', keyid) + # Add the same key to targets role as well + root.signed.add_key('targets', key_metadata) - # Assert that root does not contain the new key anymore + # Remove the key from root role (targets role still uses it) + root.signed.remove_key('root', keyid) self.assertNotIn(keyid, root.signed.roles['root'].keyids) + self.assertIn(keyid, root.signed.keys) + + # Remove the key from targets as well + root.signed.remove_key('targets', keyid) + self.assertNotIn(keyid, root.signed.roles['targets'].keyids) self.assertNotIn(keyid, root.signed.keys) with self.assertRaises(KeyError): From 017425e497cc5713bbb95cce502c7ae7cd1fa543 Mon Sep 17 00:00:00 2001 
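Review bot: In the second hunk (`@@ -465,11 +463,17 @@`), the assertions after `root.signed.remove_key('root', keyid)` check `root.signed.keys` but never check that the targets role still lists the key. An implementation that kept the entry in `keys` but also dropped the keyid from the targets role would therefore still pass. Adding `self.assertIn(keyid, root.signed.roles['targets'].keyids)` after the `add_key('targets', key_metadata)` call, and again after the root removal, would pin the per-role binding that verification of targets presumably depends on. The test method starts in the previous hunk and its final `with self.assertRaises(KeyError):` block continues outside this one.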
From: Jussi Kukkonen Date: Mon, 30 Aug 2021 15:03:37 +0300 Subject: [PATCH 2/2] tests: Improve DelegatedRole coverage Test basic cases of DelegatedRole.is_delegated_path() This is not trying to be an extensive test of possible methods of delegation: this gives us basic coverage for all code paths. Signed-off-by: Jussi Kukkonen --- tests/test_api.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tests/test_api.py b/tests/test_api.py index 2042c7fdfc..4d8ef1f92a 100755 --- a/tests/test_api.py +++ b/tests/test_api.py @@ -623,6 +623,28 @@ def test_length_and_hash_validation(self): self.assertRaises(exceptions.LengthOrHashMismatchError, file1_targetfile.verify_length_and_hashes, file1) + def test_is_delegated_role(self): + # test path matches + # see more extensive tests in test_is_target_in_pathpattern() + for paths in [ + ["a/path"], + ["otherpath", "a/path"], + ["*/?ath"], + ]: + role = DelegatedRole("", [], 1, False, paths, None) + self.assertFalse(role.is_delegated_path("a/non-matching path")) + self.assertTrue(role.is_delegated_path("a/path")) + + # test path hash prefix matches: sha256 sum of "a/path" is 927b0ecf9... + for hash_prefixes in [ + ["927b0ecf9"], + ["other prefix", "927b0ecf9"], + ["927b0"], + ["92"], + ]: + role = DelegatedRole("", [], 1, False, None, hash_prefixes) + self.assertFalse(role.is_delegated_path("a/non-matching path")) + self.assertTrue(role.is_delegated_path("a/path")) # Run unit test. if __name__ == '__main__':
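Review bot: The only negative input in `test_is_delegated_role` is `"a/non-matching path"`, which shares nothing with any pattern or prefix. A matcher that over-matches on near-miss paths (a longer path, an extra directory level) would still pass both loops, and over-matching is the failure mode that widens what a delegated role is trusted for. In the paths loop, a near-miss such as `self.assertFalse(role.is_delegated_path("a/path/extra"))` would tighten this, assuming patterns are meant to match the whole target path. The referenced test_is_target_in_pathpattern() is not visible here and may already cover it. The method exercised is `is_delegated_path`, so `test_is_delegated_path` would be the more accurate test name.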