Merge pull request from GHSA-77hh-43cm-v8j6

jku · web-flow · commit 8f95162b2769 · 2024-02-16T10:43:15.000+02:00
Metadata API: Fix role lookup for succinct delegation
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -1119,6 +1119,33 @@ def test_get_roles_in_succinct_roles(self) -> None:
             expected_bin_suffix = f"{bin_numer:0{expected_suffix_length}x}"
             self.assertEqual(role_name, f"bin-{expected_bin_suffix}")
 
+    def test_delegations_get_delegated_role(self) -> None:
+        delegations = Delegations({}, {})
+        targets = Targets(delegations=delegations)
+
+        with self.assertRaises(ValueError):
+            targets.get_delegated_role("abc")
+
+        # test "normal" delegated role (path or path_hash_prefix)
+        role = DelegatedRole("delegated", [], 1, False, [])
+        delegations.roles = {"delegated": role}
+        with self.assertRaises(ValueError):
+            targets.get_delegated_role("not-delegated")
+        self.assertEqual(targets.get_delegated_role("delegated"), role)
+        delegations.roles = None
+
+        # test succinct delegation
+        bit_len = 3
+        role2 = SuccinctRoles([], 1, bit_len, "prefix")
+        delegations.succinct_roles = role2
+        for name in ["prefix-", "prefix--1", f"prefix-{2**bit_len:0x}"]:
+            with self.assertRaises(ValueError, msg=f"role name '{name}'"):
+                targets.get_delegated_role(name)
+        for i in range(0, 2**bit_len):
+            self.assertEqual(
+                targets.get_delegated_role(f"prefix-{i:0x}"), role2
+            )
+
 
 # Run unit test.
 if __name__ == "__main__":
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -2117,10 +2117,13 @@ def get_delegated_role(self, delegated_role: str) -> Role:
         if self.delegations is None:
             raise ValueError("No delegations found")
 
+        role: Optional[Role] = None
         if self.delegations.roles is not None:
-            role: Optional[Role] = self.delegations.roles.get(delegated_role)
-        else:
-            role = self.delegations.succinct_roles
+            role = self.delegations.roles.get(delegated_role)
+        elif self.delegations.succinct_roles is not None:
+            succinct = self.delegations.succinct_roles
+            if succinct.is_delegated_role(delegated_role):
+                role = succinct
 
         if not role:
             raise ValueError(f"Delegated role {delegated_role} not found")
