From 4f0d978eaaebdd118af3bfe623782c70601daaed Mon Sep 17 00:00:00 2001
From: Javier Peletier <jpeletier@users.noreply.github.com>
Date: Mon, 26 Nov 2018 17:37:59 +0100
Subject: [PATCH] cmd/swarm: update should error on manifest mismatch (#18047)

* cmd/swarm: fix ethersphere/go-ethereum#979:

update should error on manifest mistmatch

* cmd/swarm: fixed comments and remove sprintf from log.Info

* cmd/swarm: remove unnecessary comment
---
 cmd/swarm/feeds.go      |  6 +++++-
 cmd/swarm/feeds_test.go | 41 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/cmd/swarm/feeds.go b/cmd/swarm/feeds.go
index f26a8cc7d..6cd971a92 100644
--- a/cmd/swarm/feeds.go
+++ b/cmd/swarm/feeds.go
@@ -169,7 +169,6 @@ func feedUpdate(ctx *cli.Context) {
 		query = new(feed.Query)
 		query.User = signer.Address()
 		query.Topic = getTopic(ctx)
-
 	}
 
 	// Retrieve a feed update request
@@ -178,6 +177,11 @@ func feedUpdate(ctx *cli.Context) {
 		utils.Fatalf("Error retrieving feed status: %s", err.Error())
 	}
 
+	// Check that the provided signer matches the request to sign
+	if updateRequest.User != signer.Address() {
+		utils.Fatalf("Signer address does not match the update request")
+	}
+
 	// set the new data
 	updateRequest.SetData(data)
 
diff --git a/cmd/swarm/feeds_test.go b/cmd/swarm/feeds_test.go
index a0cedf0d3..4c40f62a8 100644
--- a/cmd/swarm/feeds_test.go
+++ b/cmd/swarm/feeds_test.go
@@ -19,7 +19,6 @@ package main
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"os"
 	"testing"
@@ -69,7 +68,7 @@ func TestCLIFeedUpdate(t *testing.T) {
 		hexData}
 
 	// create an update and expect an exit without errors
-	log.Info(fmt.Sprintf("updating a feed with 'swarm feed update'"))
+	log.Info("updating a feed with 'swarm feed update'")
 	cmd := runSwarm(t, flags...)
 	cmd.ExpectExit()
 
@@ -116,7 +115,7 @@ func TestCLIFeedUpdate(t *testing.T) {
 		"--user", address.Hex(),
 	}
 
-	log.Info(fmt.Sprintf("getting feed info with 'swarm feed info'"))
+	log.Info("getting feed info with 'swarm feed info'")
 	cmd = runSwarm(t, flags...)
 	_, matches := cmd.ExpectRegexp(`.*`) // regex hack to extract stdout
 	cmd.ExpectExit()
@@ -141,9 +140,9 @@ func TestCLIFeedUpdate(t *testing.T) {
 		"--topic", topic.Hex(),
 	}
 
-	log.Info(fmt.Sprintf("Publishing manifest with 'swarm feed create'"))
+	log.Info("Publishing manifest with 'swarm feed create'")
 	cmd = runSwarm(t, flags...)
-	_, matches = cmd.ExpectRegexp(`[a-f\d]{64}`) // regex hack to extract stdout
+	_, matches = cmd.ExpectRegexp(`[a-f\d]{64}`)
 	cmd.ExpectExit()
 
 	manifestAddress := matches[0] // read the received feed manifest
@@ -162,4 +161,36 @@ func TestCLIFeedUpdate(t *testing.T) {
 	if !bytes.Equal(data, retrieved) {
 		t.Fatalf("Received %s, expected %s", retrieved, data)
 	}
+
+	// test publishing a manifest for a different user
+	flags = []string{
+		"--bzzapi", srv.URL,
+		"feed", "create",
+		"--topic", topic.Hex(),
+		"--user", "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // different user
+	}
+
+	log.Info("Publishing manifest with 'swarm feed create' for a different user")
+	cmd = runSwarm(t, flags...)
+	_, matches = cmd.ExpectRegexp(`[a-f\d]{64}`)
+	cmd.ExpectExit()
+
+	manifestAddress = matches[0] // read the received feed manifest
+
+	// now let's try to update that user's manifest which we don't have the private key for
+	flags = []string{
+		"--bzzapi", srv.URL,
+		"--bzzaccount", pkFileName,
+		"feed", "update",
+		"--manifest", manifestAddress,
+		hexData}
+
+	// create an update and expect an error given there is a user mismatch
+	log.Info("updating a feed with 'swarm feed update'")
+	cmd = runSwarm(t, flags...)
+	cmd.ExpectRegexp("Fatal:.*") // best way so far to detect a failure.
+	cmd.ExpectExit()
+	if cmd.ExitStatus() == 0 {
+		t.Fatal("Expected nonzero exit code when updating a manifest with the wrong user. Got 0.")
+	}
 }
-- 
GitLab