Add tests for sign_metadata/update (WIP)

Add test to fail with invalid signature TODO: Required tests - fail with invalid threshold - pass Bonus tests - _validate_signature with delegator - _validate_threshold with delegator - pass _validate_signature calls with (True, False), and (False, True) - fail _validate_threshold calls with (True, False) and (False, True Signed-off-by: Lukas Puehringer <[email protected]>
repository-service-tuf · Aug 16, 2023 · b96010e · b96010e
1 parent b697505
commit b96010e
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/tests/unit/tuf_repository_service_worker/test_repository.py b/tests/unit/tuf_repository_service_worker/test_repository.py
@@ -3267,3 +3267,70 @@ def fake_get_fresh(key):
         assert test_repo.write_repository_settings.calls == [
             pretend.call("ROOT_SIGNING", "fake_metadata")
         ]
+
+    def test_sign_metadata__update__invalid_signature(
+        self, test_repo, monkeypatch, mocked_datetime
+    ):
+        fake_datetime = mocked_datetime
+
+        def fake_get_fresh(key):
+            if key == "BOOTSTRAP":
+                return "<task-id>"
+            if key == "ROOT_SIGNING":
+                return {"metadata": "fake"}
+
+        fake_settings = pretend.stub(
+            get_fresh=pretend.call_recorder(fake_get_fresh),
+        )
+
+        monkeypatch.setattr(
+            repository,
+            "get_repository_settings",
+            lambda *a, **kw: fake_settings,
+        )
+
+        fake_signature = pretend.stub(keyid="fake_sig")
+        repository.Signature.from_dict = pretend.call_recorder(
+            lambda *a: fake_signature
+        )
+        test_repo._validate_signature = pretend.call_recorder(lambda *a: False)
+
+        fake_trusted_root = repository.Root(version=1)
+        fake_trusted_root.signatures = {}
+        fake_trusted_root.signed = repository.Root()
+        test_repo._storage_backend.get = pretend.call_recorder(
+            lambda r: fake_trusted_root
+        )
+        fake_new_root = repository.Root(version=2)
+        fake_new_root.signatures = {}
+        fake_new_root.signed = repository.Root()
+        repository.Metadata.from_dict = pretend.call_recorder(
+            lambda *a: fake_new_root
+        )
+
+        payload = {
+            "role": "root",
+            "signature": {"keyid": "keyid2", "sig": "sig2"},
+        }
+        result = test_repo.sign_metadata(payload)
+
+        assert result == {
+            "task": "sign_metadata",
+            "status": False,
+            "last_update": fake_datetime.now(),
+            "details": {
+                "message": "Signature Failed",
+                "error": "Invalid signature",
+            },
+        }
+        assert fake_settings.get_fresh.calls == [
+            pretend.call("ROOT_SIGNING"),
+            pretend.call("BOOTSTRAP"),
+        ]
+        assert repository.Metadata.from_dict.calls == [
+            pretend.call({"metadata": "fake"})
+        ]
+        assert test_repo._validate_signature.calls == [
+            pretend.call(fake_new_root, fake_signature, fake_trusted_root),
+            pretend.call(fake_new_root, fake_signature),
+        ]