tests: Improve verify_delegate() tests

Make sure verify_delegate() succeeds when threshold is reached even if
some signatures fail to verify.

Make sure higher threshold (2/2) works.

Change error type for "Call is valid only on delegator metadata" error.

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: Jussi Kukkonen

tests/test_api.py

@@ -51,7 +51,8 @@
 )
 
 from securesystemslib.signer import (
-    SSlibSigner
+    SSlibSigner,
+    Signature
 )
 
 logger = logging.getLogger(__name__)
@@ -357,7 +358,7 @@ def test_metadata_verify_delegate(self):
         role1.verify_delegate('role2', role2)
 
         # only root and targets can verify delegates
-        with self.assertRaises(ValueError):
+        with self.assertRaises(TypeError):
             snapshot.verify_delegate('snapshot', snapshot)
         # verify fails for roles that are not delegated by delegator
         with self.assertRaises(ValueError):
@@ -376,12 +377,25 @@ def test_metadata_verify_delegate(self):
         with self.assertRaises(exceptions.UnsignedMetadataError):
             root.verify_delegate('timestamp', snapshot)
 
+        # Add a key to snapshot role, make sure the new sig fails to verify
+        ts_keyid = next(iter(root.signed.roles["timestamp"].keyids))
+        root.signed.add_key("snapshot", root.signed.keys[ts_keyid])
+        snapshot.signatures[ts_keyid] = Signature(ts_keyid, "ff"*64)
+
+        # verify succeeds if threshold is reached even if some signatures
+        # fail to verify
+        root.verify_delegate('snapshot', snapshot)
+
         # verify fails if threshold of signatures is not reached
         root.signed.roles['snapshot'].threshold = 2
         with self.assertRaises(exceptions.UnsignedMetadataError):
             root.verify_delegate('snapshot', snapshot)
 
-        # TODO test successful verify with higher thresholds
+        # verify succeeds when we correct the new signature and reach the
+        # threshold of 2 keys
+        snapshot.sign(SSlibSigner(self.keystore['timestamp']), append=True)
+        root.verify_delegate('snapshot', snapshot)
+
 
     def test_key_class(self):
         keys = {

tuf/api/metadata.py

@@ -298,7 +298,7 @@ def verify_delegate(
                 roles = self.signed.delegations.roles
                 role = next((r for r in roles if r.name == role_name), None)
         else:
-            raise ValueError("Call is valid only on delegator metadata")
+            raise TypeError("Call is valid only on delegator metadata")
 
         if role is None:
             raise ValueError(f"No delegation found for {role_name}")