How to use the securesystemslib.schema.Optional function in securesystemslib

def test_Optional(self):
    # Test conditions for valid arguments.
    optional_schema = SCHEMA.Object(k1=SCHEMA.String('X'),
        k2=SCHEMA.Optional(SCHEMA.String('Y')))

    self.assertTrue(optional_schema.matches({'k1': 'X', 'k2': 'Y'}))
    self.assertTrue(optional_schema.matches({'k1': 'X'}))

    # Test conditions for invalid arguments.
    self.assertFalse(optional_schema.matches({'k1': 'X', 'k2': 'Z'}))

    # Test conditions for invalid arguments in a schema definition.
    self.assertRaises(securesystemslib.exceptions.FormatError,
        SCHEMA.Optional, 1)
    self.assertRaises(securesystemslib.exceptions.FormatError,
        SCHEMA.Optional, [1])
    self.assertRaises(securesystemslib.exceptions.FormatError,
        SCHEMA.Optional, {'a': 1})

# A hexadecimal value in '23432df87ab..' format.
HASH_SCHEMA = SCHEMA.RegularExpression(r'[a-fA-F0-9]+')

# A key identifier (e.g., a hexadecimal value identifying an RSA key).
KEYID_SCHEMA = HASH_SCHEMA

# A list of KEYID_SCHEMA.
KEYIDS_SCHEMA = SCHEMA.ListOf(KEYID_SCHEMA)

# The actual values of a key, as opposed to meta data such as a key type and
# key identifier ('rsa', 233df889cb).  For RSA keys, the key value is a pair of
# public and private keys in PEM Format stored as strings.
KEYVAL_SCHEMA = SCHEMA.Object(
  object_name = 'KEYVAL_SCHEMA',
  public = SCHEMA.AnyString(),
  private = SCHEMA.Optional(SCHEMA.AnyString()))

# A generic TUF key.  All TUF keys should be saved to metadata files in this
# format.
KEY_SCHEMA = SCHEMA.Object(
  object_name = 'KEY_SCHEMA',
  keytype = SCHEMA.AnyString(),
  keyval = KEYVAL_SCHEMA,
  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA))

# A dict where the dict keys hold a keyid and the dict values a key object.
KEYDICT_SCHEMA = SCHEMA.DictOf(
  key_schema = KEYID_SCHEMA,
  value_schema = KEY_SCHEMA)

# The format used by the key database to store keys.  The dict keys hold a key
# identifier and the dict values any object.  The key database should store

# developer tools.  The second element of this list holds custom data about the
# target, such as file permissions, author(s), last modified, etc.
CUSTOM_SCHEMA = SCHEMA.Object()

PATH_FILEINFO_SCHEMA = SCHEMA.DictOf(
  key_schema = RELPATH_SCHEMA,
  value_schema = CUSTOM_SCHEMA)

# TUF roledb
ROLEDB_SCHEMA = SCHEMA.Object(
  object_name = 'ROLEDB_SCHEMA',
  keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  signing_keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  previous_keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  threshold = SCHEMA.Optional(THRESHOLD_SCHEMA),
  previous_threshold = SCHEMA.Optional(THRESHOLD_SCHEMA),
  version = SCHEMA.Optional(METADATAVERSION_SCHEMA),
  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA),
  signatures = SCHEMA.Optional(securesystemslib.formats.SIGNATURES_SCHEMA),
  paths = SCHEMA.Optional(SCHEMA.OneOf([RELPATHS_SCHEMA, PATH_FILEINFO_SCHEMA])),
  path_hash_prefixes = SCHEMA.Optional(PATH_HASH_PREFIXES_SCHEMA),
  delegations = SCHEMA.Optional(DELEGATIONS_SCHEMA),
  partial_loaded = SCHEMA.Optional(BOOLEAN_SCHEMA))

# A signable object.  Holds the signing role and its associated signatures.
SIGNABLE_SCHEMA = SCHEMA.Object(
  object_name = 'SIGNABLE_SCHEMA',
  signed = SCHEMA.Any(),
  signatures = SCHEMA.ListOf(securesystemslib.formats.SIGNATURE_SCHEMA))

# Root role: indicates root keys and top-level roles.
ROOT_SCHEMA = SCHEMA.Object(

)
DSA_PUBKEY_SCHEMA = _create_pubkey_with_subkey_schema(
    _DSA_PUBKEY_SCHEMA)


PUBKEY_SCHEMA = ssl_schema.OneOf([RSA_PUBKEY_SCHEMA,
    DSA_PUBKEY_SCHEMA])


SIGNATURE_SCHEMA = ssl_schema.Object(
    object_name = "SIGNATURE_SCHEMA",
    keyid = ssl_formats.KEYID_SCHEMA,
    short_keyid = ssl_schema.Optional(ssl_formats.KEYID_SCHEMA),
    other_headers = ssl_formats.HEX_SCHEMA,
    signature = ssl_formats.HEX_SCHEMA,
    info = ssl_schema.Optional(ssl_schema.Any()),
  )

# A list of securesystemslib key objects.
ANYKEYLIST_SCHEMA = SCHEMA.ListOf(ANYKEY_SCHEMA)

# RSA signature schemes.
RSA_SCHEME_SCHEMA = SCHEMA.OneOf([
  SCHEMA.RegularExpression(r'rsassa-pss-(md5|sha1|sha224|sha256|sha384|sha512)'),
  SCHEMA.RegularExpression(r'rsa-pkcs1v15-(md5|sha1|sha224|sha256|sha384|sha512)')])

# An RSA securesystemslib key.
RSAKEY_SCHEMA = SCHEMA.Object(
  object_name = 'RSAKEY_SCHEMA',
  keytype = SCHEMA.String('rsa'),
  scheme = RSA_SCHEME_SCHEMA,
  keyid = KEYID_SCHEMA,
  keyid_hash_algorithms = SCHEMA.Optional(HASHALGORITHMS_SCHEMA),
  keyval = KEYVAL_SCHEMA)

# An ECDSA securesystemslib key.
ECDSAKEY_SCHEMA = SCHEMA.Object(
  object_name = 'ECDSAKEY_SCHEMA',
  keytype = SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)'),
  scheme = ECDSA_SCHEME_SCHEMA,
  keyid = KEYID_SCHEMA,
  keyid_hash_algorithms = SCHEMA.Optional(HASHALGORITHMS_SCHEMA),
  keyval = KEYVAL_SCHEMA)

# An ED25519 raw public key, which must be 32 bytes.
ED25519PUBLIC_SCHEMA = SCHEMA.LengthBytes(32)

# An ED25519 raw seed key, which must be 32 bytes.
ED25519SEED_SCHEMA = SCHEMA.LengthBytes(32)

y = ssl_formats.HEX_SCHEMA,
  p = ssl_formats.HEX_SCHEMA,
  q = ssl_formats.HEX_SCHEMA,
  g = ssl_formats.HEX_SCHEMA
)


# We have to define DSA_PUBKEY_SCHEMA in two steps, because it is
# self-referential. Here we define a shallow _DSA_PUBKEY_SCHEMA, which we use
# below to create the self-referential DSA_PUBKEY_SCHEMA.
_DSA_PUBKEY_SCHEMA = ssl_schema.Object(
  object_name = "DSA_PUBKEY_SCHEMA",
  type = ssl_schema.String("dsa"),
  method = ssl_schema.String(PGP_DSA_PUBKEY_METHOD_STRING),
  hashes = ssl_schema.ListOf(ssl_schema.String(GPG_HASH_ALGORITHM_STRING)),
  creation_time = ssl_schema.Optional(ssl_formats.UNIX_TIMESTAMP_SCHEMA),
  validity_period = ssl_schema.Optional(ssl_schema.Integer(lo=0)),
  keyid = ssl_formats.KEYID_SCHEMA,
  keyval = ssl_schema.Object(
      public = DSA_PUBKEYVAL_SCHEMA,
      private = ssl_schema.String("")
    )
)
DSA_PUBKEY_SCHEMA = _create_pubkey_with_subkey_schema(
    _DSA_PUBKEY_SCHEMA)


PUBKEY_SCHEMA = ssl_schema.OneOf([RSA_PUBKEY_SCHEMA,
    DSA_PUBKEY_SCHEMA])


SIGNATURE_SCHEMA = ssl_schema.Object(

public = SCHEMA.AnyString(),
  private = SCHEMA.Optional(SCHEMA.String("")))

# Supported securesystemslib key types.
KEYTYPE_SCHEMA = SCHEMA.OneOf(
  [SCHEMA.String('rsa'), SCHEMA.String('ed25519'),
   SCHEMA.RegularExpression(r'ecdsa-sha2-nistp(256|384)')])

# A generic securesystemslib key.  All securesystemslib keys should be saved to
# metadata files in this format.
KEY_SCHEMA = SCHEMA.Object(
  object_name = 'KEY_SCHEMA',
  keytype = SCHEMA.AnyString(),
  scheme = SCHEME_SCHEMA,
  keyval = KEYVAL_SCHEMA,
  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA))

# Like KEY_SCHEMA, but requires keyval's private portion to be unset or empty,
# and optionally includes the supported keyid hash algorithms used to generate
# the key's keyid.
PUBLIC_KEY_SCHEMA = SCHEMA.Object(
  object_name = 'PUBLIC_KEY_SCHEMA',
  keytype = SCHEMA.AnyString(),
  keyid_hash_algorithms = SCHEMA.Optional(HASHALGORITHMS_SCHEMA),
  keyval = PUBLIC_KEYVAL_SCHEMA,
  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA))

# A securesystemslib key object.  This schema simplifies validation of keys
# that may be one of the supported key types.  Supported key types: 'rsa',
# 'ed25519'.
ANYKEY_SCHEMA = SCHEMA.Object(
  object_name = 'ANYKEY_SCHEMA',

# TUF roledb
ROLEDB_SCHEMA = SCHEMA.Object(
  object_name = 'ROLEDB_SCHEMA',
  keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  signing_keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  previous_keyids = SCHEMA.Optional(KEYIDS_SCHEMA),
  threshold = SCHEMA.Optional(THRESHOLD_SCHEMA),
  previous_threshold = SCHEMA.Optional(THRESHOLD_SCHEMA),
  version = SCHEMA.Optional(METADATAVERSION_SCHEMA),
  expires = SCHEMA.Optional(ISO8601_DATETIME_SCHEMA),
  signatures = SCHEMA.Optional(securesystemslib.formats.SIGNATURES_SCHEMA),
  paths = SCHEMA.Optional(SCHEMA.OneOf([RELPATHS_SCHEMA, PATH_FILEINFO_SCHEMA])),
  path_hash_prefixes = SCHEMA.Optional(PATH_HASH_PREFIXES_SCHEMA),
  delegations = SCHEMA.Optional(DELEGATIONS_SCHEMA),
  partial_loaded = SCHEMA.Optional(BOOLEAN_SCHEMA))

# A signable object.  Holds the signing role and its associated signatures.
SIGNABLE_SCHEMA = SCHEMA.Object(
  object_name = 'SIGNABLE_SCHEMA',
  signed = SCHEMA.Any(),
  signatures = SCHEMA.ListOf(securesystemslib.formats.SIGNATURE_SCHEMA))

# Root role: indicates root keys and top-level roles.
ROOT_SCHEMA = SCHEMA.Object(
  object_name = 'ROOT_SCHEMA',
  _type = SCHEMA.String('root'),
  spec_version = SPECIFICATION_VERSION_SCHEMA,
  version = METADATAVERSION_SCHEMA,
  consistent_snapshot = BOOLEAN_SCHEMA,
  expires = ISO8601_DATETIME_SCHEMA,
  keys = KEYDICT_SCHEMA,

)
DSA_PUBKEY_SCHEMA = _create_pubkey_with_subkey_schema(
    _DSA_PUBKEY_SCHEMA)


PUBKEY_SCHEMA = ssl_schema.OneOf([RSA_PUBKEY_SCHEMA,
    DSA_PUBKEY_SCHEMA])


SIGNATURE_SCHEMA = ssl_schema.Object(
    object_name = "SIGNATURE_SCHEMA",
    keyid = ssl_formats.KEYID_SCHEMA,
    short_keyid = ssl_schema.Optional(ssl_formats.KEYID_SCHEMA),
    other_headers = ssl_formats.HEX_SCHEMA,
    signature = ssl_formats.HEX_SCHEMA,
    info = ssl_schema.Optional(ssl_schema.Any()),
  )

def _create_gpg_pubkey_with_subkey_schema(pubkey_schema):
  """Helper method to extend the passed public key schema with an optional
  dictionary of sub public keys "subkeys" with the same schema."""
  schema = pubkey_schema
  subkey_schema_tuple =  ("subkeys", SCHEMA.Optional(
        SCHEMA.DictOf(
          key_schema=KEYID_SCHEMA,
          value_schema=pubkey_schema
          )
        )
      )
  # Any subclass of `securesystemslib.schema.Object` stores the schemas that
  # define the attributes of the object in its `_required` property, even if
  # such a schema is of type `Optional`.
  # TODO: Find a way that does not require to access a protected member
  schema._required.append(subkey_schema_tuple) # pylint: disable=protected-access
  return schema