fix: Ensure writing the certificate is indeed atomic by staying in th…

…e target directory
ngrewe · Jul 22, 2020 · 795bb0a · 795bb0a
1 parent 05d4193
commit 795bb0a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/vault_ssh_renew/cert.py b/vault_ssh_renew/cert.py
@@ -60,10 +60,10 @@ def get(cls, key_path: Path, cert_path: Path) -> HostCertificateInit:
         return cast(HostCertificateInit, cls(key_path, cert_path))
 
     def read(self) -> HostCertificateValidate:
-        self.public_key = self._key_path.read_text(encoding='utf-8')
+        self.public_key = self._key_path.read_text(encoding="utf-8")
         if not self._cert_path.exists():
             return HostCertificateStatusNoCert(self, True)
-        certificate_contents = self._cert_path.read_text(encoding='utf-8').split(" ")
+        certificate_contents = self._cert_path.read_text(encoding="utf-8").split(" ")
         if len(certificate_contents) != 2:
             raise RenewError("Invalid certificate file")
         self.cert_type = certificate_contents[0]

diff --git a/vault_ssh_renew/vault.py b/vault_ssh_renew/vault.py
@@ -58,7 +58,9 @@ def renew(self) -> VaultRenewDone:
 
     def write_certificate(self):
         assert self._signed_key is not None
-        with NamedTemporaryFile(delete=False) as tmp:
+        with NamedTemporaryFile(
+            delete=False, dir=os.path.dirname(str(self._cert_path))
+        ) as tmp:
             tmp.write(self._signed_key.encode("utf-8"))
             tmp.flush()
             shutil.move(tmp.name, str(self._cert_path))