From 9ea9b1001405543dc69897fb67e56147002b243e Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 27 Jan 2023 11:51:11 +0100
Subject: [PATCH] Include Utility::SetFileOwnership() inside FS transactions to make them even more atomic.
---
 lib/cli/nodesetupcommand.cpp | 8 +++++---
 lib/cli/nodewizardcommand.cpp | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/lib/cli/nodesetupcommand.cpp b/lib/cli/nodesetupcommand.cpp
index da63d003c..2a685b503 100644
--- a/lib/cli/nodesetupcommand.cpp
+++ b/lib/cli/nodesetupcommand.cpp
@@ -524,15 +524,17 @@ int NodeSetupCommand::SetupNode(const boost::program_options::variables_map& vm,
 if (!ticket.IsEmpty()) {
 String ticketPath = ApiListener::GetCertsDir() + "/ticket";
+ AtomicFile af (ticketPath, 0600);
- AtomicFile::Write(ticketPath, 0600, ticket);
-
- if (!Utility::SetFileOwnership(ticketPath, user, group)) {
+ if (!Utility::SetFileOwnership(af.GetTempFilename(), user, group)) {
 Log(LogWarning, "cli") << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ticketPath << "'. Verify it yourself!";
 }
+
+ af << ticket;
+ af.Commit();
 }
 /* If no parent connection was made, the user must supply the ca.crt before restarting Icinga 2.*/
diff --git a/lib/cli/nodewizardcommand.cpp b/lib/cli/nodewizardcommand.cpp
index 1f7d33578..3a3cd42bd 100644
--- a/lib/cli/nodewizardcommand.cpp
+++ b/lib/cli/nodewizardcommand.cpp
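Review bot: The added `Utility::SetFileOwnership(af.GetTempFilename(), user, group)` call in the nodesetupcommand.cpp hunk still changes ownership by path, so it acts on whatever that name resolves to at call time rather than on the file `af` already has open. If this command can run with more privilege than the owner of the certs directory (not visible in the hunk), a descriptor-based change such as `fchown()` on the handle `AtomicFile` holds would remove that dependency; whether `AtomicFile` exposes its descriptor is not shown here. The identical hunk in lib/cli/nodewizardcommand.cpp has the same call. SetupNode's body starts and ends outside the hunk.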
@@ -553,15 +553,17 @@ wizard_global_zone_loop_start:
 if (!ticket.IsEmpty()) {
 String ticketPath = ApiListener::GetCertsDir() + "/ticket";
+ AtomicFile af (ticketPath, 0600);
- AtomicFile::Write(ticketPath, 0600, ticket);
-
- if (!Utility::SetFileOwnership(ticketPath, user, group)) {
+ if (!Utility::SetFileOwnership(af.GetTempFilename(), user, group)) {
 Log(LogWarning, "cli") << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ticketPath << "'. Verify it yourself!";
 }
+
+ af << ticket;
+ af.Commit();
 }
 /* If no parent connection was made, the user must supply the ca.crt before restarting Icinga 2.*/
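Review bot: The failure branch of `Utility::SetFileOwnership()` in this nodewizardcommand.cpp hunk is undocumented: after the warning the code still runs `af << ticket;` and `af.Commit();`, so the ticket is published at `ticketPath` with mode 0600 under whatever owner the temp file was created with. That looks like deliberate best effort, and a comment above the commit would record it, e.g. `// Best effort: commit even if the ownership change failed; the warning tells the admin to fix it.` The block is also a verbatim copy of the one in lib/cli/nodesetupcommand.cpp, so a shared helper would keep the two from drifting. The enclosing function starts and ends outside the hunk.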