__file: make file uploading and attribute changes more atomic

Signed-off-by: Steven Armstrong <steven@armstrong.cc>

cdist/conf/type/__file/gencode-local

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -88,11 +88,24 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
       mkdir "$__object/files"
       touch "$__object/files/set-attributes"
 
-      # upload file to temp location
-      tempfile_template="${destination}.cdist.XXXXXXXXXX"
+      # Upload file to a temporary directory.
+      # We create our own directory for uploading so we can safely control
+      # write access which would not be possible with just a file.
+      upload_directory="$(mktemp -u "${destination}.cdist.XXXXXXXXXX")"
       cat << DONE
-destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
+$__remote_exec $__target_host "umask 777; test -e $upload_directory && exit 1 || mkdir $upload_directory" || {
+   echo "Refusing to upload file to existing destination: $upload_directory" >&2
+   exit 1
+}
 DONE
+      # Tell gencode-remote to where we uploaded the file so it can move
+      # it to its final destination.
+      echo "$upload_directory" > "$__object/files/upload-directory"
+      # We use a random filename for uploading to prevent someone from
+      # tampering with our otherwise predictable filename.
+      upload_filename="$(mktemp -u "XXXXXXXXXX")"
+      echo "$upload_filename" > "$__object/files/upload-filename"
+
       if [ "$upload_file" ]; then
          echo upload >> "$__messages_out"
          # IPv6 fix
@@ -103,12 +116,8 @@ DONE
              my_target_host="${__target_host}"
          fi
          cat << DONE
-$__remote_copy "$source" "${my_target_host}:\$destination_upload"
+$__remote_copy "$source" "$my_target_host:$upload_directory/$upload_filename"
 DONE
       fi
-# move uploaded file into place
-cat << DONE
-$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
-DONE
    fi
 fi

cdist/conf/type/__file/gencode-remote

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -62,6 +62,15 @@ set_mode() {
 
 case "$state_should" in
     present|exists)
+        if [ -f "$__object/files/upload-directory" ]; then
+            final_destination="$destination"
+            upload_directory="$(cat "$__object/files/upload-directory")"
+            upload_filename="$(cat "$__object/files/upload-filename")"
+            # We change the 'global' $destination variable here so we can
+            # change attributes of the new/uploaded file before moving it
+            # to it's final destination.
+            destination="$upload_directory/$upload_filename"
+        fi
         # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
         #  clearing S_ISUID and S_ISGID bits (see chown(2))
         for attribute in group owner mode; do
@@ -81,6 +90,11 @@ case "$state_should" in
                 fi
             fi
         done
+        if [ -f "$__object/files/upload-directory" ]; then
+            # move uploaded file into place
+            printf 'mv -T -f "%s" "%s"\n' "$destination" "$final_destination"
+            printf 'rm -rf "%s"\n' "$upload_directory"
+        fi
         if [ -f "$__object/files/set-attributes" ]; then
             # set-attributes is created if file is created or uploaded in gencode-local
             fire_onchange=1