From 795bb0a199679fbcf66cb588436d71270736c123 Mon Sep 17 00:00:00 2001
From: Niels Grewe
Date: Wed, 22 Jul 2020 23:49:55 +0200
Subject: [PATCH] fix: Ensure writing the certificate is indeed atomic by staying in the target directory

---
 vault_ssh_renew/cert.py | 4 ++--
 vault_ssh_renew/vault.py | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/vault_ssh_renew/cert.py b/vault_ssh_renew/cert.py
index c8912b8..fb8c90e 100644
--- a/vault_ssh_renew/cert.py
+++ b/vault_ssh_renew/cert.py
@@ -60,10 +60,10 @@ def get(cls, key_path: Path, cert_path: Path) -> HostCertificateInit:
         return cast(HostCertificateInit, cls(key_path, cert_path))
 
     def read(self) -> HostCertificateValidate:
-        self.public_key = self._key_path.read_text(encoding='utf-8')
+        self.public_key = self._key_path.read_text(encoding="utf-8")
         if not self._cert_path.exists():
             return HostCertificateStatusNoCert(self, True)
-        certificate_contents = self._cert_path.read_text(encoding='utf-8').split(" ")
+        certificate_contents = self._cert_path.read_text(encoding="utf-8").split(" ")
         if len(certificate_contents) != 2:
             raise RenewError("Invalid certificate file")
         self.cert_type = certificate_contents[0]
diff --git a/vault_ssh_renew/vault.py b/vault_ssh_renew/vault.py
index f4f3ffd..a7bc595 100644
--- a/vault_ssh_renew/vault.py
+++ b/vault_ssh_renew/vault.py
@@ -58,7 +58,9 @@ def renew(self) -> VaultRenewDone:
 
     def write_certificate(self):
         assert self._signed_key is not None
-        with NamedTemporaryFile(delete=False) as tmp:
+        with NamedTemporaryFile(
+            delete=False, dir=os.path.dirname(str(self._cert_path))
+        ) as tmp:
             tmp.write(self._signed_key.encode("utf-8"))
             tmp.flush()
             shutil.move(tmp.name, str(self._cert_path))
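Review bot: The rename in the new `with NamedTemporaryFile(...)` block of write_certificate is atomic but not durable, and any failure between creating the `delete=False` temp file and the `shutil.move` leaves that temp file behind in the certificate directory. `tmp.flush()` only empties Python's buffer, so a crash right after the rename can publish an empty or truncated certificate at `_cert_path`; add `os.fsync(tmp.fileno())` after the flush. `shutil.move` also silently falls back to copy-and-delete when `os.rename` fails, which defeats the purpose of this commit; `os.replace(tmp.name, str(self._cert_path))` stays a rename or raises. The temp file should be unlinked on any exception before the rename, as sketched below; write_certificate may continue past the hunk, and since the diff adds no `import os` I assume `os` is already imported in vault.py. The published file additionally carries mkstemp's 0600 mode rather than the previous certificate's, so if anything other than root reads `_cert_path`, copy the old mode with `shutil.copymode` before the rename.
```python
    def write_certificate(self):
        assert self._signed_key is not None
        with NamedTemporaryFile(
            delete=False, dir=os.path.dirname(str(self._cert_path))
        ) as tmp:
            try:
                tmp.write(self._signed_key.encode("utf-8"))
                tmp.flush()
                os.fsync(tmp.fileno())  # data must reach disk before the rename publishes it
                # same directory => same filesystem: a plain rename, never copy+delete
                os.replace(tmp.name, str(self._cert_path))
            except BaseException:
                os.unlink(tmp.name)  # do not leave a partial cert file next to the real one
                raise
```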