From 6d470245e2215366917c07e6ef99a4dc7401d1b6 Mon Sep 17 00:00:00 2001
From: Zachary Newman
Date: Sun, 20 Mar 2022 09:55:50 -0400
Subject: [PATCH] Clarify `payload` and `add-signature` args.

Specifically, they expect a metadata file name, *not* a role name. Added a test for each.
---
 cmd/tuf/add_signature.go | 9 +++++----
 cmd/tuf/payload.go | 6 +++---
 errors.go | 2 +-
 repo_test.go | 12 +++++++++++-
 4 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/cmd/tuf/add_signature.go b/cmd/tuf/add_signature.go
index 5dbbe19fc..88ab99018 100644
--- a/cmd/tuf/add_signature.go
+++ b/cmd/tuf/add_signature.go
@@ -10,16 +10,17 @@ import (

 func init() {
 register("add-signature", cmdAddSignature, `
-usage: tuf add-signature --key-id --signature
+usage: tuf add-signature --key-id --signature

-Adds a signature (as hex-encoded bytes) generated by an offline tool to the given role.
+Adds a signature (as hex-encoded bytes) generated by an offline tool to the
+given role metadata file.

 If the signature does not verify, it will not be added.
 `)
 }

 func cmdAddSignature(args *docopt.Args, repo *tuf.Repo) error {
- role := args.String[""]
+ roleFilename := args.String[""]
 keyID := args.String[""]
 f := args.String[""]

@@ -33,5 +34,5 @@ func cmdAddSignature(args *docopt.Args, repo *tuf.Repo) error {
 KeyID: keyID,
 Signature: sigData,
 }
- return repo.AddOrUpdateSignature(role, sig)
+ return repo.AddOrUpdateSignature(roleFilename, sig)
 }
diff --git a/cmd/tuf/payload.go b/cmd/tuf/payload.go
index ebb5bcff6..087f2d542 100644
--- a/cmd/tuf/payload.go
+++ b/cmd/tuf/payload.go
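Review bot: The usage text in the first add_signature.go hunk now says "role metadata file" but never shows what such a name looks like, while the tests added in repo_test.go show that `root` is rejected with ErrMissingMetadata and `root.json` is accepted. A one-line example in the help string, for instance `The file name includes the extension, e.g. root.json.`, would put the requirement where an operator running an offline signing step will read it. The same gap exists in the usage string changed in cmd/tuf/payload.go. cmdAddSignature's body continues between the two hunks and is not fully visible here.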
@@ -9,16 +9,16 @@ import (

 func init() {
 register("payload", cmdPayload, `
-usage: tuf payload
+usage: tuf payload

-Output a role's metadata in a ready-to-sign format.
+Output the metadata file for a role in a ready-to-sign format.

 The output is canonicalized.
 `)
 }

 func cmdPayload(args *docopt.Args, repo *tuf.Repo) error {
- p, err := repo.Payload(args.String[""])
+ p, err := repo.Payload(args.String[""])
 if err != nil {
 return err
 }
diff --git a/errors.go b/errors.go
index 33d67c4bc..de538fa7e 100644
--- a/errors.go
+++ b/errors.go
@@ -17,7 +17,7 @@ type ErrMissingMetadata struct {
 }

 func (e ErrMissingMetadata) Error() string {
- return fmt.Sprintf("tuf: missing metadata %s", e.Name)
+ return fmt.Sprintf("tuf: missing metadata file %s", e.Name)
 }

 type ErrFileNotFound struct {
diff --git a/repo_test.go b/repo_test.go
index 677b1fc7e..488f915ad 100644
--- a/repo_test.go
+++ b/repo_test.go
@@ -1739,6 +1739,13 @@ func (rs *RepoSuite) TestBadAddOrUpdateSignatures(c *C) {
 c.Assert(err, IsNil)
 c.Assert(r.AddVerificationKey("timestamp", timestampKey.PublicData()), IsNil)

+ // attempt to sign `root`, rather than `root.json`
+ for _, id := range rootKey.PublicData().IDs() {
+ c.Assert(r.AddOrUpdateSignature("root", data.Signature{
+ KeyID: id,
+ Signature: nil}), Equals, ErrMissingMetadata{"root"})
+ }
+
 // add a signature with a bad role
 rootMeta, err := r.SignedMeta("root.json")
 c.Assert(err, IsNil)
@@ -1845,7 +1852,10 @@ func (rs *RepoSuite) TestPayload(c *C) {
 c.Assert(err, IsNil)

 _, err = r.Payload("badrole.json")
- c.Assert(err, NotNil)
+ c.Assert(err, Equals, ErrInvalidRole{"badrole"})
+
+ _, err = r.Payload("root")
+ c.Assert(err, Equals, ErrMissingMetadata{"root"})

 payload, err := r.Payload("root.json")
 c.Assert(err, IsNil)
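Review bot: `ErrMissingMetadata.Error` in the errors.go hunk still interpolates the name with `%s`, so an empty name or one carrying stray whitespace produces a message that ends in nothing recognisable after "file". The tests in this patch show the name is whatever the caller passed (`ErrMissingMetadata{"root"}` for the argument `root`), so quoting it makes a mistyped argument obvious in logs: `return fmt.Sprintf("tuf: missing metadata file %q", e.Name)`. The struct definition starts above the hunk.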
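Review bot: The loop added to TestBadAddOrUpdateSignatures checks only the returned error, not that the rejected call left the stored root metadata untouched. For an operation that attaches signatures to metadata, the negative case is stronger if it also fetches `r.SignedMeta("root.json")` before and after the loop and asserts that the signature list is unchanged. The loop repeats the same assertion for every key ID with `Signature: nil`; if the file lookup fails before the key ID is consulted (not visible in this hunk), a single call would say the same thing. The test function begins and continues outside the hunk.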
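Review bot: In the TestPayload hunk the two negative cases now fail with different error types, `ErrInvalidRole{"badrole"}` for `badrole.json` and `ErrMissingMetadata{"root"}` for `root`, and nothing in the test says why. A short comment above the second case, such as `// no .json suffix: reported as a missing metadata file, not an invalid role`, would record the distinction this commit exists to clarify. The rest of TestPayload lies outside the hunk.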