From 26c2e8d894f528965e6eea1d7d74e5a101442a03 Mon Sep 17 00:00:00 2001
From: Martin Vrachev
Date: Tue, 1 Jun 2021 18:06:47 +0300
Subject: [PATCH] Validate spec_version during initialization

Even though version strings like "2.0.0-rc.2" or "1.0.0-beta" are valid strings in semantic versioning format, in TUF we never needed to add letters for our specification number. That's why I validate that: spec_version is a . separated string and when split it has a length of 3 and that each of the three elements is a number. Also, I check that the given spec_version is supported against the tuf code spec version.

Signed-off-by: Martin Vrachev
---
 tuf/api/metadata.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
index 12d294c9f3..9762c4f4c6 100644
--- a/tuf/api/metadata.py
+++ b/tuf/api/metadata.py
@@ -26,6 +26,7 @@
 from securesystemslib.util import persist_temp_file
 from tuf import exceptions
+from tuf.api import SPECIFICATION_VERSION
 from tuf.api.serialization import (
 MetadataDeserializer,
 MetadataSerializer,
@@ -290,6 +291,16 @@ def __init__(
 expires: datetime,
 unrecognized_fields: Optional[Mapping[str, Any]] = None,
 ) -> None:
+ spec_list = spec_version.split(".")
+ if (
+ len(spec_list) != 3
+ or not all(el.isdigit() for el in spec_list)
+ or spec_list[0] != SPECIFICATION_VERSION[0]
+ ):
+ raise ValueError(
+ f"Unsupported spec_version, got {spec_list}, "
+ f"supported {'.'.join(SPECIFICATION_VERSION)}"
+ )
 self.spec_version = spec_version
 self.expires = expires
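Review bot: The element check in the added `__init__` validation relies on `str.isdigit()`, which is also true for non-ASCII digit characters (superscripts, other scripts' digits), so a `spec_version` whose minor or patch part is not a plain decimal number still passes; only the major part is pinned by the comparison with `SPECIFICATION_VERSION[0]`. Since this value presumably arrives from parsed metadata, I would restrict it to ASCII, for example `or not all(el.isascii() and el.isdigit() for el in spec_list)` (`str.isascii` needs Python 3.7+; an explicit `[0-9]+` match is the alternative). A non-string `spec_version` reaches `.split(".")` first and raises `AttributeError` rather than the `ValueError` used here, so a guard such as `if not isinstance(spec_version, str): raise ValueError(...)` ahead of the split would keep the failure mode uniform; how callers handle either exception is not visible in this hunk. The `__init__` signature starts before the hunk and its body continues after it.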