Check 'rolename' field in 'sign_metadata' payload

'sign_metadata' only supports root, thus the rolename in the payload is
not relevant, and was ignored previously.

For consistency, this commit adds a check that the rolename is indeed
root and fails otherwise.

This is also tested by adding another column to the test table of
test_sign_metadata__update, used to patch the default payload in test
runs.

Signed-off-by: Lukas Puehringer <[email protected]>

repository_service_tuf_worker/repository.py

@@ -1447,6 +1447,12 @@ def _result(status, error=None, bootstrap=None, update=None):
             return self._task_result(TaskName.SIGN_METADATA, status, details)
 
         signature = Signature.from_dict(payload["signature"])
+        rolename = payload["rolename"]
+
+        # Assert requested metadata type is root
+        if rolename != Root.type:
+            msg = f"Expected '{Root.type}', got '{rolename}'"
+            return _result(False, error=msg)
 
         # Assert pending signing event exists
         metadata_dict = self._settings.get_fresh("ROOT_SIGNING")

tests/unit/tuf_repository_service_worker/test_repository.py

@@ -3269,14 +3269,25 @@ def fake_get_fresh(key):
         ]
 
     @pytest.mark.parametrize(
-        "validation_results, details, status",
+        "payload_patch, validation_results, details, status",
         [
             (
+                {"rolename": "foo"},
+                {},
+                {
+                    "message": "Signature Failed",
+                    "error": "Expected 'root', got 'foo'",
+                },
+                False,
+            ),
+            (
+                {},
                 {"signature": iter((False, False))},
                 {"message": "Signature Failed", "error": "Invalid signature"},
                 False,
             ),
             (
+                {},
                 {
                     "signature": iter((True, False)),
                     "threshold": iter((False, False)),
@@ -3288,6 +3299,7 @@ def fake_get_fresh(key):
                 True,
             ),
             (
+                {},
                 {
                     "signature": iter((False, True)),
                     "threshold": iter((False, True)),
@@ -3299,6 +3311,7 @@ def fake_get_fresh(key):
                 True,
             ),
             (
+                {},
                 {
                     "signature": iter((True, False)),
                     "threshold": iter((True, False)),
@@ -3310,6 +3323,7 @@ def fake_get_fresh(key):
                 True,
             ),
             (
+                {},
                 {
                     "signature": iter((True, True)),
                     "threshold": iter((True, True)),
@@ -3327,6 +3341,7 @@ def test_sign_metadata__update(
         test_repo,
         monkeypatch,
         mocked_datetime,
+        payload_patch,
         validation_results,
         details,
         status,
@@ -3387,7 +3402,9 @@ def fake_get_fresh(key):
 
         # Call sign_metadata with fake payload
         # All deserialization and validation is mocked
-        result = test_repo.sign_metadata({"signature": "fake"})
+        payload = {"signature": "fake", "rolename": "root"}
+        payload.update(payload_patch)
+        result = test_repo.sign_metadata(payload)
 
         assert result == {
             "task": "sign_metadata",