Metadata API: Fix role lookup for succinct delegation

get_delegated_role() should not return a Role if the rolename is not a delegated role. This is already true for "normal" DelegatedRole but was not actually verified for SuccinctRoles. Signed-off-by: Jussi Kukkonen <[email protected]>
theupdateframework · Feb 15, 2024 · 77cb66b · 77cb66b
1 parent 929174c
commit 77cb66b
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -2044,10 +2044,13 @@ def get_delegated_role(self, delegated_role: str) -> Role:
         if self.delegations is None:
             raise ValueError("No delegations found")
 
+        role: Optional[Role] = None
         if self.delegations.roles is not None:
-            role: Optional[Role] = self.delegations.roles.get(delegated_role)
-        else:
-            role = self.delegations.succinct_roles
+            role = self.delegations.roles.get(delegated_role)
+        elif self.delegations.succinct_roles is not None:
+            succinct = self.delegations.succinct_roles
+            if succinct.is_delegated_role(delegated_role):
+                role = succinct
 
         if not role:
             raise ValueError(f"Delegated role {delegated_role} not found")