Rename and simplify visit_child_role

Rename to DelegatedRole.is_in_trusted_paths and
return a boolean flag instead of the role's name.

Minor comments and code style improvements.

Some code simplification.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>

Author: sechkova

tuf/api/metadata.py

@@ -1033,48 +1033,29 @@ def to_dict(self) -> Dict[str, Any]:
             res_dict["path_hash_prefixes"] = self.path_hash_prefixes
         return res_dict
 
-    def visit_child_role(self, target_filepath: str) -> str:
-        """Determines whether the given 'target_filepath' is an
-        allowed path of DelegatedRole"""
+    def is_in_trusted_paths(self, target_filepath: str) -> bool:
+        """Determines whether the given 'target_filepath'
+        is in one of the trusted paths of DelegatedRole"""
 
         if self.path_hash_prefixes is not None:
             target_filepath_hash = _get_filepath_hash(target_filepath)
             for path_hash_prefix in self.path_hash_prefixes:
-                if not target_filepath_hash.startswith(path_hash_prefix):
-                    continue
-
-                return self.name
+                if target_filepath_hash.startswith(path_hash_prefix):
+                    return True
 
         elif self.paths is not None:
-            for path in self.paths:
-                # A child role path may be an explicit path or glob pattern (Unix
-                # shell-style wildcards).  The child role 'child_role_name' is
-                # returned if 'target_filepath' is equal to or matches
-                # 'child_role_path'. Explicit filepaths are also considered
-                # matches. A repo maintainer might delegate a glob pattern with a
-                # leading path separator, while the client requests a matching
-                # target without a leading path separator - make sure to strip any
-                # leading path separators so that a match is made.
+            for pathpattern in self.paths:
+                # A delegated role path may be an explicit path or glob
+                # pattern (Unix shell-style wildcards). Explicit filepaths
+                # are also considered matches. Make sure to strip any leading
+                # path separators so that a match is made.
                 # Example: "foo.tgz" should match with "/*.tgz".
                 if fnmatch.fnmatch(
-                    target_filepath.lstrip(os.sep), path.lstrip(os.sep)
+                    target_filepath.lstrip(os.sep), pathpattern.lstrip(os.sep)
                 ):
+                    return True
 
-                    return self.name
-
-                continue
-
-        else:
-            # 'role_name' should have been validated when it was downloaded.
-            # The 'paths' or 'path_hash_prefixes' fields should not be missing,
-            # so we raise a format error here in case they are both missing.
-            raise exceptions.FormatError(
-                repr(self.name) + " "
-                'has neither a "paths" nor "path_hash_prefixes".  At least'
-                " one of these attributes must be present."
-            )
-
-        return None
+        return False
 
 
 def _get_filepath_hash(target_filepath, hash_function="sha256"):

tuf/ngclient/updater.py

@@ -349,9 +349,10 @@ def _preorder_depth_first_walk(self, target_filepath) -> Dict:
                 # NOTE: This may be a slow operation if there are many
                 # delegated roles.
                 for child_role in child_roles:
-                    child_role_name = child_role.visit_child_role(
-                        target_filepath
-                    )
+                    if child_role.is_in_trusted_paths(target_filepath):
+                        child_role_name = child_role.name
+                    else:
+                        child_role_name = None
 
                     if child_role.terminating and child_role_name is not None:
                         logger.debug(