From 1bc5527c69bfcb32a83ec236f1e6a889a559fc50 Mon Sep 17 00:00:00 2001
From: Hugo Chargois
Date: Mon, 27 Mar 2017 22:52:18 +0200
Subject: [PATCH] Vault: Remove tmp decrypted file when experiencing error while writing (#14835)
* Vault edit: Erase tmp file if error while writing to it
* Close the FDs returned by mkstemp()
---
 lib/ansible/parsing/vault/__init__.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py
index ddcb7cfc8b..1ccc47e775 100644
--- a/lib/ansible/parsing/vault/__init__.py
+++ b/lib/ansible/parsing/vault/__init__.py
@@ -372,13 +372,14 @@ class VaultEditor:
 def _edit_file_helper(self, filename, existing_data=None, force_save=False):
 # Create a tempfile
- _, tmp_path = tempfile.mkstemp()
+ fd, tmp_path = tempfile.mkstemp()
+ os.close(fd)
- if existing_data:
- self.write_data(existing_data, tmp_path, shred=False)
-
- # drop the user into an editor on the tmp file
 try:
+ if existing_data:
+ self.write_data(existing_data, tmp_path, shred=False)
+
+ # drop the user into an editor on the tmp file
 call(self._editor_shell_command(tmp_path))
 except:
 # whatever happens, destroy the decrypted file
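Review bot: The new `os.close(fd)` right after `tempfile.mkstemp()` has no comment saying why the descriptor is dropped, and a reader may take it for a mistake because the file is written on the very next statements. I would put `# mkstemp() hands back an open fd; close it so it is not leaked, write_data() and the editor reopen tmp_path by name` above it, and extend `# Create a tempfile` to say that the file will hold decrypted vault content. Moving the `write_data` call inside the `try` only helps if the `except:` handler removes the file and re-raises; that handler body and the rest of `_edit_file_helper` lie outside this hunk, so this could not be checked here. The diffstat shows a single file changed, so no test exercises a failing `write_data`; one asserting that `tmp_path` no longer exists after the error would pin the fix.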