repository_tool incorrectly prevents distinct delegations to same role #589

awwad opened this issue Jan 16, 2018 · 1 comment

awwad commented Jan 16, 2018

The repository tool's delegate function will currently mistakenly prevent you from delegating to the same role from two different roles. Such delegations are expected to be allowed per prior conversation, not forbidden in the spec, and -- except for the error raised below -- seem to be supported by the code.

Simple scenario:
A delegates to C, with some delegation settings (path, keys expected, threshold, termination, etc)
B delegates to C, with possibly different delegation settings

The check raising this error is likely a holdover from the days when role and delegation were more or less synonymous and roles existed in a tree instead of a more general graph.

Current behavior

>>> role_a.delegate('role_c', [dk1_pub, dk2_pub, dk3_pub], ["a*"], threshold=2)
>>> role_b.delegate('role_c', [dk1_pub, dk2_pub], ["b*"], threshold=1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/s/w/tuf_clean/tuf/repository_tool.py", line 2227, in delegate
    raise securesystemslib.exceptions.Error(repr(rolename) + ' already'
securesystemslib.exceptions.Error: 'role_c' already delegated.

Expected behavior

No error should be raised; the second delegation to the same role functions independently.

>>> role_a.delegate('role_c', [dk1_pub, dk2_pub, dk3_pub], ["a*"], threshold=2)
>>> role_b.delegate('role_c', [dk1_pub, dk2_pub], ["b*"], threshold=1)
Adding a verification key that has already been used.
Adding a verification key that has already been used.
Adding a verification key that has already been used.

Fix

This is easily solved by removing the lines that raise the error. It should be verified that no damage is done, however (i.e. that the code does support this edge case correctly) so testing this will take a bit of effort and require updater testing.
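
The scenario above, as an added example that is not part of the original issue and is not tuf's `repository_tool` code: a toy model in which each delegation is a record owned by the delegating role, so two roles can delegate to `role_c` with independent keys, paths and thresholds. The `Role`, `Delegation` and `trusted_via` names, the key ID strings, and the per-delegator uniqueness rule are assumptions made for illustration.

```python
# Toy model of delegations as edges in a graph (hypothetical names, not tuf's API).
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Delegation:
    rolename: str
    keyids: frozenset
    paths: list
    threshold: int


@dataclass
class Role:
    name: str
    delegations: list = field(default_factory=list)

    def delegate(self, rolename, keyids, paths, threshold=1):
        # In this model, uniqueness is checked per delegator only, never
        # globally: another role may delegate to the same rolename.
        if any(d.rolename == rolename for d in self.delegations):
            raise ValueError(f"{self.name} already delegates to {rolename!r}")
        if threshold < 1 or threshold > len(set(keyids)):
            raise ValueError("threshold must be between 1 and the number of keys")
        self.delegations.append(
            Delegation(rolename, frozenset(keyids), list(paths), threshold))


def trusted_via(delegator, rolename, target, signing_keyids):
    """True if `delegator` trusts `rolename` for `target`, given the key IDs
    that produced valid signatures on `rolename`'s metadata."""
    for d in delegator.delegations:
        if d.rolename != rolename:
            continue
        if not any(fnmatch(target, pattern) for pattern in d.paths):
            return False
        # Only keys named in THIS delegation count toward ITS threshold.
        return len(d.keyids & set(signing_keyids)) >= d.threshold
    return False


# Constructed sample mirroring the issue's scenario (key IDs are placeholders).
role_a, role_b = Role("role_a"), Role("role_b")
role_a.delegate("role_c", ["dk1", "dk2", "dk3"], ["a*"], threshold=2)
role_b.delegate("role_c", ["dk1", "dk2"], ["b*"], threshold=1)
```

A single `dk1` signature satisfies role_b's delegation for `b*` targets but not role_a's threshold of 2 for `a*` targets, which is the property updater tests for this edge case would need to confirm.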

awwad added a commit to awwad/tuf that referenced this issue Jan 16, 2018
Removes an incorrect check that prevents delegating to a role (X)
if any role has previously delegated to that role (X).

See theupdateframework#589 for more details.
awwad added a commit to awwad/tuf that referenced this issue Jan 16, 2018
Removes an incorrect check that prevents delegating to a role (X)
if any role has previously delegated to that role (X).

See theupdateframework#589 for more details.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad added a commit to awwad/tuf that referenced this issue Jan 23, 2018
Removes an incorrect check that prevents delegating to a role (X)
if any role has previously delegated to that role (X).

See theupdateframework#589 for more details.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
@joshuagl joshuagl added this to the Refactor milestone Jul 7, 2020
@joshuagl joshuagl removed this from the Refactor milestone Sep 8, 2020

jku commented Feb 22, 2022

This is no longer an issue in the current implementation.

@jku jku closed this as completed Feb 22, 2022