Re-use part of _root_metadata_update

Factor out "finalize" part of _root_metadata_update to re-use in sign_metadata. Prior to this commit, sign_metadata would call _root_metadata_update duplicating much of the verification behavior, although it only cared for the finalization part. Now, it can call into the desired subroutine only. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh · Oct 4, 2023 · 3743855 · 3743855
1 parent 0c8c26f
commit 3743855
Showing 1 changed file with 12 additions and 16 deletions.
diff --git a/repository_service_tuf_worker/repository.py b/repository_service_tuf_worker/repository.py
@@ -1159,6 +1159,16 @@ def _root_metadata_update(
                 },
             )
 
+        self._root_metadata_update_finalize(current_root, new_root)
+        return self._task_result(
+            TaskName.METADATA_UPDATE,
+            True,
+            {"message": "Metadata Update Processed", "role": Root.type},
+        )
+
+    def _root_metadata_update_finalize(
+        self, current_root: Metadata[Root], new_root: Metadata[Root]
+    ) -> None:
         # We always persist the new root metadata, but we cannot persist
         # without verifying if the online key is rotated to avoid a mismatch
         # with the rest of the roles using the online key.
@@ -1198,12 +1208,6 @@ def _root_metadata_update(
                         f"({self._timeout} seconds)"
                     )
 
-        return self._task_result(
-            TaskName.METADATA_UPDATE,
-            True,
-            {"message": "Metadata Update Processed", "role": Root.type},
-        )
-
     def metadata_update(
         self,
         payload: Dict[Literal["metadata"], Dict[Literal[Root.type], Any]],
@@ -1422,16 +1426,8 @@ def _result(status, error=None, bootstrap=None, update=None):
                 msg = f"Root v{root.signed.version} is pending signatures"
                 return _result(True, update=msg)
 
-            # TODO: Refactor `_root_metadata_update` to de-duplicate validation
-            # and messaging. At this point, we know that root is valid and
-            # there can be only one message. (remove assert after refactor!)
-            result = self._root_metadata_update(root)
-            assert result == {  # nosec
-                "message": "Metadata Update Processed",
-                "role": "root",
-            }
-
-            # Update successful, root persisted -> finalize event...
+            # Threshold reached -> finalize event
+            self._root_metadata_update_finalize(trusted_root, root)
             self.write_repository_settings("ROOT_SIGNING", None)
             return _result(True, update="Metadata update finished")