explicit encode role names

This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>

Author: Kairo de Araujo

tests/repository_simulator.py

@@ -259,6 +259,8 @@ def fetch_metadata(self, role: str, version: Optional[int] = None) -> bytes:
         If version is None, non-versioned metadata is being requested.
         """
         self.fetch_tracker.metadata.append((role, version))
+        # decode role for the metadata
+        role = parse.unquote(role, encoding="utf-8")
 
         if role == Root.type:
             # return a version previously serialized in publish_root()

tests/test_updater_delegation_graphs.py

@@ -346,13 +346,21 @@ def test_fishy_rolenames(self) -> None:
         fishy_rolenames = DelegationsTestCase(delegations)
         self._init_repo(fishy_rolenames)
         updater = self._init_updater()
+        updater.refresh()
 
-        # trigger updater to fetch the delegated metadata, check filenames
+        # trigger updater to fetch the delegated metadata
+        self.sim.fetch_tracker.metadata.clear()
         updater.get_targetinfo("anything")
+
+        # assert that local delegated metadata filenames are expected
         local_metadata = os.listdir(self.metadata_dir)
         for fname in roles_to_filenames.values():
             self.assertTrue(fname in local_metadata)
 
+        # assert that requested URLs are quoted without extension
+        exp_calls = [(quoted[:-5], 1) for quoted in roles_to_filenames.values()]
+        self.assertListEqual(self.sim.fetch_tracker.metadata, exp_calls)
+
 
 class TestTargetFileSearch(TestDelegations):
     r"""

tuf/ngclient/updater.py

@@ -290,10 +290,11 @@ def _download_metadata(
         self, rolename: str, length: int, version: Optional[int] = None
     ) -> bytes:
         """Download a metadata file and return it as bytes"""
+        encoded_name = parse.quote(rolename, "")
         if version is None:
-            url = f"{self._metadata_base_url}{rolename}.json"
+            url = f"{self._metadata_base_url}{encoded_name}.json"
         else:
-            url = f"{self._metadata_base_url}{version}.{rolename}.json"
+            url = f"{self._metadata_base_url}{version}.{encoded_name}.json"
         return self._fetcher.download_bytes(url, length)
 
     def _load_local_metadata(self, rolename: str) -> bytes: