use os.Rename to put certs in place

main.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -24,6 +25,7 @@ var (
 	CertBase                  string
 	KeyBase                   string
 	GroupName                 string
+	GroupID                   int
 	RedisBaseURL              string
 	VaultBaseURL              string
 	certificateDestination    string
@@ -209,12 +211,11 @@ func GetVaultKey(vaulturl string, vaulttoken string) string {
 }
 
 // create directory structure and write certificate to file
-func WriteToFile(content string, destination string, groupname string, filemode os.FileMode, dirmode os.FileMode) {
+func WriteToFile(content string, destination string, filemode os.FileMode) {
 	baseDir := filepath.Dir(destination)
 	if _, err := os.Stat(baseDir); os.IsNotExist(err) {
 		os.MkdirAll(baseDir, 0755)
 	}
-	os.Chmod(baseDir, dirmode)
 
 	file, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE, filemode)
 	if err != nil {
@@ -226,6 +227,27 @@ func WriteToFile(content string, destination string, groupname string, filemode
 	file.Close()
 }
 
+// move temp file to destination
+func moveFile(source string, destination string, groupid int, filemode os.FileMode, dirmode os.FileMode) {
+	baseDir := filepath.Dir(destination)
+	if _, err := os.Stat(baseDir); os.IsNotExist(err) {
+		os.MkdirAll(baseDir, 0755)
+	}
+	err := os.Rename(source, destination)
+	if err != nil {
+		fmt.Printf("[ERR] Fail to install %v: %v\n", destination, err)
+		appExit(255)
+	}
+	if runtime.GOOS != "windows" {
+		err = os.Chown(destination, 0, groupid)
+		if err != nil {
+			fmt.Printf("[ERR] Changing file owner to %v", groupid)
+			appExit(255)
+		}
+	}
+	fmt.Printf("[INFO] installed: %v\n", destination)
+}
+
 // ReadOSRelease from /etc/os-release
 func ReadOSRelease(configfile string) map[string]string {
 	ConfigParams := make(map[string]string)
@@ -283,7 +305,7 @@ Options:
   --redis-token=REDISTOKEN                      Redis access token
   --vault-token=VAULTTOKEN                      Vault access token
   --cert-name=CERTNAME                          Certificate name
-  --team-name=TEAMNAME                          Team name: swd, dream_team, it, ne, ti...
+  --team-name=TEAMNAME                          Team name: swd, it, ne, ti...
   --days=DAYS                                   Days before expiration [default: 30]
   --type=TYPE                                   Type, EV or OV [default: EV]
   --cert-destination=CERTDESTINATION            Cert Destination [default: %v/<cert-name>.crt]
@@ -304,11 +326,18 @@ Options:
 		tmpFullchainDestination = "C:\\tmp\\acme-downloader\\cert\\amce_fullchain.pem"
 		tmpCaDestination = "C:\\tmp\\acme-downloader\\cert\\amce_ca.pem"
 		tmpKeyDestination = "C:\\tmp\\acme-downloader\\key\\amce_key.pem"
+		GroupID = 0 // just a fake one
 	} else {
 		tmpCertificateDestination = "/tmp/acme-downloader/cert/amce_cert.pem"
 		tmpFullchainDestination = "/tmp/acme-downloader/cert/amce_fullchain.pem"
 		tmpCaDestination = "/tmp/acme-downloader/cert/amce_ca.pem"
 		tmpKeyDestination = "/tmp/acme-downloader/key/amce_key.pem"
+		group, groupErr := user.LookupGroup(GroupName)
+		if groupErr != nil {
+			fmt.Printf("[ERR] Fail looking up %v user user info", GroupName)
+			appExit(255)
+		}
+		GroupID, _ = strconv.Atoi(group.Gid)
 	}
 
 	VaultToken := arguments["--vault-token"].(string)
@@ -330,9 +359,7 @@ Options:
 	RedisCAURL := fmt.Sprintf("%v/%v:%v:redis_%v_chain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
 	RedisFullChainURL := fmt.Sprintf("%v/%v:%v:redis_%v_fullchain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
 
-	// fmt.Println(filepath.Join("a", "b", "c"))
 	if arguments["--cert-destination"] == fmt.Sprintf(filepath.Join(CertBase, "<cert-name>.crt")) {
-		// certificateDestination = fmt.Sprintf("%v/%v.crt", CertBase, CertName)
 		certificateDestination = fmt.Sprintf(filepath.Join(CertBase, fmt.Sprintf("%v.crt", CertName)))
 	} else {
 		certificateDestination = arguments["--cert-destination"].(string)
@@ -365,22 +392,18 @@ Options:
 	privKey := GetVaultKey(VaultURL, VaultToken)
 
 	// download and test certificates on a temporary location
-	WriteToFile(certificate, tmpCertificateDestination, GroupName, 0644, 0755)
-	WriteToFile(fullChain, tmpFullchainDestination, GroupName, 0644, 0755)
-	WriteToFile(ca, tmpCaDestination, GroupName, 0644, 0755)
-	WriteToFile(privKey, tmpKeyDestination, GroupName, 0640, 0750)
+	WriteToFile(certificate, tmpCertificateDestination, 0644)
+	WriteToFile(fullChain, tmpFullchainDestination, 0644)
+	WriteToFile(ca, tmpCaDestination, 0644)
+	WriteToFile(privKey, tmpKeyDestination, 0640)
 
 	checkCerificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
 
-	WriteToFile(certificate, certificateDestination, GroupName, 0644, 0755)
-	WriteToFile(fullChain, fullchainDestination, GroupName, 0644, 0755)
-	WriteToFile(ca, caDestination, GroupName, 0644, 0755)
-	WriteToFile(privKey, keyDestination, GroupName, 0640, 0750)
-
-	fmt.Printf("[INFO] installed: %v\n", certificateDestination)
-	fmt.Printf("[INFO] installed: %v\n", caDestination)
-	fmt.Printf("[INFO] installed: %v\n", fullchainDestination)
-	fmt.Printf("[INFO] installed: %v\n", keyDestination)
+	// move certificates in place
+	moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755)
+	moveFile(tmpFullchainDestination, fullchainDestination, GroupID, 0644, 0755)
+	moveFile(tmpCaDestination, caDestination, GroupID, 0644, 0755)
+	moveFile(tmpKeyDestination, keyDestination, GroupID, 0640, 0750)
 
 	// Exit 1 means application needs to be reloaded
 	appExit(1)