From f10a27fd7a45401d5b9d4ad9010279e911be6ee4 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 15 Feb 2022 17:13:04 -0500
Subject: [PATCH] Switch to mkstemp

Use mkstemp to more confidently reserve a filename as expected.
---
 .../profiles/default/scripts/image2disk.py | 2 +-
 confluent_server/confluent/certutil.py | 12 ++++++++----
 confluent_server/confluent/syncfiles.py | 7 +++++--
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/confluent_osdeploy/el7-diskless/profiles/default/scripts/image2disk.py b/confluent_osdeploy/el7-diskless/profiles/default/scripts/image2disk.py
index c4602d4b..fa378632 100644
--- a/confluent_osdeploy/el7-diskless/profiles/default/scripts/image2disk.py
+++ b/confluent_osdeploy/el7-diskless/profiles/default/scripts/image2disk.py
@@ -373,4 +373,4 @@ def install_to_disk(imgpath):
 if __name__ == '__main__':
- install_to_disk(os.environ['mountsrc'])
\ No newline at end of file
+ install_to_disk(os.environ['mountsrc'])
diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index 13f866f1..f1df0c6a 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -85,7 +85,8 @@ def assure_tls_ca():
 if e.errno != 17:
 raise
 sslcfg = get_openssl_conf_location()
- tmpconfig = tempfile.mktemp()
+ tmphdl, tmpconfig = tempfile.mkstemp()
+ os.close(tmphdl)
 shutil.copy2(sslcfg, tmpconfig)
 subprocess.check_call(
 ['openssl', 'ecparam', '-name', 'secp384r1', '-genkey', '-out',
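Review bot: In confluent/certutil.py `assure_tls_ca`, the `shutil.copy2(sslcfg, tmpconfig)` that follows the new `mkstemp()` copies the mode bits of the OpenSSL config onto the temp file, so the owner-only mode mkstemp created it with is replaced by whatever `sslcfg` has. That is probably acceptable for a config file, but if the restrictive mode is meant to hold, `shutil.copyfile(sslcfg, tmpconfig)` copies only the contents. The same applies to `tmpconfig` in the `create_certificate` hunk. `assure_tls_ca` continues past the end of this hunk, so what is later written to the temp file is not visible here.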
@@ -151,9 +152,12 @@ def create_certificate(keyout=None, certout=None):
 #san.append('DNS:{0}'.format(longname))
 san = ','.join(san)
 sslcfg = get_openssl_conf_location()
- tmpconfig = tempfile.mktemp()
- extconfig = tempfile.mktemp()
- csrout = tempfile.mktemp()
+ tmphdl, tmpconfig = tempfile.mkstemp()
+ os.close(tmphdl)
+ tmphdl, extconfig = tempfile.mkstemp()
+ os.close(tmphdl)
+ tmphdl, csrout = tempfile.mkstemp()
+ os.close(tmphdl)
 shutil.copy2(sslcfg, tmpconfig)
 serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(20))])
 try:
diff --git a/confluent_server/confluent/syncfiles.py b/confluent_server/confluent/syncfiles.py
index b5d6c277..b6598edd 100644
--- a/confluent_server/confluent/syncfiles.py
+++ b/confluent_server/confluent/syncfiles.py
@@ -254,8 +254,11 @@ def mkpathorlink(source, destination, appendexist=False):
 else:
 mkdirp(os.path.dirname(destination))
 if appendexist and os.path.exists(destination):
- tmpnam = tempfile.mktemp()
- shutil.copy(destination, tmpnam)
+ tmphdl, tmpnam = tempfile.mkstemp()
+ try:
+ shutil.copy(destination, tmpnam)
+ finally:
+ os.close(tmphdl)
 os.remove(destination)
 with open(destination, 'w') as realdest:
 with open(tmpnam) as olddest:
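Review bot: In confluent/certutil.py `create_certificate`, the three `mkstemp()` calls and `shutil.copy2(sslcfg, tmpconfig)` all run before the `try:` that ends this hunk, and mkstemp, unlike mktemp, creates each file on disk immediately. If a later `mkstemp()` or the copy raises, the files already created stay in the temp directory, assuming the cleanup lives in that try's handler, which is outside the hunk. Moving `shutil.copy2(sslcfg, tmpconfig)` below `try:` would at least put the copy inside the protected region.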
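Review bot: In confluent/syncfiles.py `mkpathorlink`, the new `finally:` closes `tmphdl` but nothing in the hunk removes `tmpnam`, and mkstemp has already created that file, so a failing `shutil.copy(destination, tmpnam)` leaves an empty or partial temp file behind. An `except` branch that calls `os.remove(tmpnam)` and re-raises would cover the failure path. Whether the success path unlinks the file after the `with` blocks cannot be seen, because the function continues past the hunk. The descriptor is never used while it is held open, so closing it right after `mkstemp()`, as the certutil.py hunks do, would be simpler and consistent.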