From 0c8c26fa0801cb7c7569ff3b079c19573ed7f203 Mon Sep 17 00:00:00 2001
From: Lukas Puehringer
Date: Fri, 25 Aug 2023 15:29:41 +0200
Subject: [PATCH] Check 'role' field in 'sign_metadata' payload
'sign_metadata' only supports root, thus the role in the payload is not relevant, and was ignored previously. For consistency, this commit adds a check that the role is indeed root and fails otherwise. This is also tested by adding another column to the test table of test_sign_metadata__update, used to patch the default payload in test runs.
Signed-off-by: Lukas Puehringer
---
 repository_service_tuf_worker/repository.py | 6 ++++++
 .../test_repository.py | 21 +++++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/repository_service_tuf_worker/repository.py b/repository_service_tuf_worker/repository.py
index 20343a42..9abecf1d 100644
--- a/repository_service_tuf_worker/repository.py
+++ b/repository_service_tuf_worker/repository.py
@@ -1362,6 +1362,12 @@ def _result(status, error=None, bootstrap=None, update=None):
 return self._task_result(TaskName.SIGN_METADATA, status, details)
 signature = Signature.from_dict(payload["signature"])
+ rolename = payload["role"]
+
+ # Assert requested metadata type is root
+ if rolename != Root.type:
+ msg = f"Expected '{Root.type}', got '{rolename}'"
+ return _result(False, error=msg)
 # Assert pending signing event exists
 metadata_dict = self._settings.get_fresh("ROOT_SIGNING")
diff --git a/tests/unit/tuf_repository_service_worker/test_repository.py b/tests/unit/tuf_repository_service_worker/test_repository.py
index 230c8e7a..d1b3fb28 100644
--- a/tests/unit/tuf_repository_service_worker/test_repository.py
+++ b/tests/unit/tuf_repository_service_worker/test_repository.py
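Review bot: `rolename = payload["role"]` in the `sign_metadata` hunk of repository_service_tuf_worker/repository.py raises `KeyError` when the payload has no "role" key, so a request that omits the field ends in an unhandled exception rather than the structured `_result(False, error=msg)` that the new check returns for a wrong role. The field was ignored before this commit and the test's default payload had to gain `"role": "root"` in the same patch, so payloads without it may exist unless a layer outside this diff already guarantees the key. Reading it as `rolename = payload.get("role")` sends a missing role through the same rejection path. The check could also be placed above `Signature.from_dict(payload["signature"])`, so that a request for a non-root role is refused before its signature is deserialized. The body of `sign_metadata` starts and ends outside this hunk.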
@@ -3272,14 +3272,25 @@ def fake_get_fresh(key):
 ]
 @pytest.mark.parametrize(
- "validation_results, details, status",
+ "payload_patch, validation_results, details, status",
 [
 (
+ {"role": "foo"},
+ {},
+ {
+ "message": "Signature Failed",
+ "error": "Expected 'root', got 'foo'",
+ },
+ False,
+ ),
+ (
+ {},
 {"signature": iter((False, False))},
 {"message": "Signature Failed", "error": "Invalid signature"},
 False,
 ),
 (
+ {},
 {
 "signature": iter((True, False)),
 "threshold": iter((False, False)),
@@ -3291,6 +3302,7 @@ def fake_get_fresh(key):
 True,
 ),
 (
+ {},
 {
 "signature": iter((False, True)),
 "threshold": iter((False, True)),
@@ -3302,6 +3314,7 @@ def fake_get_fresh(key):
 True,
 ),
 (
+ {},
 {
 "signature": iter((True, False)),
 "threshold": iter((True, False)),
@@ -3313,6 +3326,7 @@ def fake_get_fresh(key):
 True,
 ),
 (
+ {},
 {
 "signature": iter((True, True)),
 "threshold": iter((True, True)),
@@ -3330,6 +3344,7 @@ def test_sign_metadata__update(
 test_repo,
 monkeypatch,
 mocked_datetime,
+ payload_patch,
 validation_results,
 details,
 status,
@@ -3390,7 +3405,9 @@ def fake_get_fresh(key):
 # Call sign_metadata with fake payload
 # All deserialization and validation is mocked
- result = test_repo.sign_metadata({"signature": "fake"})
+ payload = {"signature": "fake", "role": "root"}
+ payload.update(payload_patch)
+ result = test_repo.sign_metadata(payload)
 assert result == {
 "task": "sign_metadata",
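Review bot: The `payload_patch` column cannot express a payload that lacks the "role" key, because the last hunk applies it with `payload.update(payload_patch)`, which only adds or overwrites keys on the default `{"signature": "fake", "role": "root"}`. The single rejection row added in the first hunk, `{"role": "foo"}`, therefore covers a wrong value but not a missing one, which is the shape the old call `test_repo.sign_metadata({"signature": "fake"})` had. A separate test that passes exactly that payload and asserts the expected outcome would pin what the worker does when the field is absent. The parametrize table and the test body both extend beyond the hunks shown here.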