Take order into account for certain cases

Martin Vrachev · Martin Vrachev · commit 6ea5372edb87 · 2022-02-28T14:42:06.000+02:00
After we have dropped OrderedDict in e3b267e we are relying on python3.7+ default behavior to preserve the insertion order, but there is one caveat. When comparing dictionaries the order is still irrelevant compared to OrderedDict. For example: >>> OrderedDict([(1,1), (2,2)]) == OrderedDict([(2,2), (1,1)]) False >>> dict([(1,1), (2,2)]) == dict([(2,2), (1,1)]) True There are two special attributes, defined in the specification, where the order makes a difference when comparing two objects: - Metadata.signatures - Targets.delegations.roles. We want to make sure that the order in those two cases makes a difference when comparing two objects and that's why those changes are required inside two __eq__ implementations. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
diff --git a/tests/test_metadata_eq_.py b/tests/test_metadata_eq_.py
@@ -12,6 +12,8 @@
 import unittest
 from typing import Any, ClassVar, Dict
 
+from securesystemslib.signer import Signature
+
 from tests import utils
 from tuf.api.metadata import (
     TOP_LEVEL_ROLE_NAMES,
@@ -60,6 +62,23 @@ def test_metadata_eq_(self) -> None:
             setattr(md_2, attr, value)
             self.assertNotEqual(md, md_2, f"Failed case: {attr}")
 
+    def test_md_eq_signatures_reversed_order(self) -> None:
+        # Test comparing objects with same signatures but different order.
+
+        # Remove all signatures and create new ones.
+        md = Metadata.from_bytes(self.metadata["snapshot"])
+        md.signatures = {"a": Signature("a", "a"), "b": Signature("b", "b")}
+        md_2 = copy.deepcopy(md)
+        # Reverse signatures order in md_2.
+        # In python3.7 we need to cast to a list and then reverse.
+        md_2.signatures = dict(reversed(list(md_2.signatures.items())))
+        # Assert that both objects are not the same because of signatures order.
+        self.assertNotEqual(md, md_2)
+
+        # but if we fix the signatures order they will be equal
+        md_2.signatures = {"a": Signature("a", "a"), "b": Signature("b", "b")}
+        self.assertEqual(md, md_2)
+
     def test_md_eq_special_signatures_tests(self) -> None:
         # Test that metadata objects with different signatures are not equal.
         md = Metadata.from_bytes(self.metadata["snapshot"])
@@ -226,6 +245,48 @@ def test_targetfile_eq_(self) -> None:
         setattr(targetfile_2, "path", "")
         self.assertNotEqual(targetfile, targetfile_2)
 
+    def test_delegations_eq_roles_reversed_order(self) -> None:
+        # Test comparing objects with same delegated roles but different order.
+        role_one_dict = {
+            "keyids": ["keyid1"],
+            "name": "a",
+            "terminating": False,
+            "paths": ["fn1"],
+            "threshold": 1,
+        }
+        role_two_dict = {
+            "keyids": ["keyid2"],
+            "name": "b",
+            "terminating": True,
+            "paths": ["fn2"],
+            "threshold": 4,
+        }
+
+        delegations_dict = {
+            "keys": {
+                "keyid2": {
+                    "keytype": "ed25519",
+                    "scheme": "ed25519",
+                    "keyval": {"public": "bar"},
+                }
+            },
+            "roles": [role_one_dict, role_two_dict],
+        }
+        delegations = Delegations.from_dict(copy.deepcopy(delegations_dict))
+
+        # Create a second delegations obj with reversed roles order
+        delegations_2 = copy.deepcopy(delegations)
+        # In python3.7 we need to cast to a list and then reverse.
+        delegations_2.roles = dict(reversed(list(delegations.roles.items())))
+
+        # Both objects are not the equal because of delegated roles order.
+        self.assertNotEqual(delegations, delegations_2)
+
+        # but if we fix the delegated roles order they will be equal
+        delegations_2.roles = delegations.roles
+
+        self.assertEqual(delegations, delegations_2)
+
     def test_targets_eq_(self) -> None:
         md = Metadata.from_bytes(self.metadata["targets"])
         signed_copy: Targets = self.copy_and_simple_assert(md.signed)
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -133,6 +133,8 @@ def __eq__(self, other: Any) -> bool:
 
         return (
             self.signatures == other.signatures
+            # Order of the signatures matters (see issue #1788).
+            and list(self.signatures.items()) == list(other.signatures.items())
             and self.signed == other.signed
             and self.unrecognized_fields == other.unrecognized_fields
         )
@@ -1429,6 +1431,8 @@ def __eq__(self, other: Any) -> bool:
 
         return (
             self.keys == other.keys
+            # Order of the delegated roles matters (see issue #1788).
+            and list(self.roles.items()) == list(other.roles.items())
             and self.roles == other.roles
             and self.unrecognized_fields == other.unrecognized_fields
         )
