From 907d23793dddcded51a269a9655450da7a39cb24 Mon Sep 17 00:00:00 2001
From: shujun10086 <43774659+shujun10086@users.noreply.github.com>
Date: Sat, 11 Jun 2022 16:51:48 +0800
Subject: [PATCH 1/3] Fix keyring file missing after Vault restart

Fix keyring file missing after Vault restart Vault can be killed by signal SIGTERM in anytime. If Vault is doing keyring rotation and the fd is still not closed at that time, the size of the keyring file will be zero. The orignal key will be lost totally. Because the file is opened with os.O_TRUNC, and the fd will be closed automatically after Vault exits. Then try to unseal Vault after it startup again, the keyring file will be deleted in getInternal function due to its size is zero. So that is why the keyring file is missing. And the Vault cannot be unsealed anymore due to the file missing. Write data into a temp file then move it can avoid the file crash. Fix:#15680
---
 sdk/physical/file/file.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sdk/physical/file/file.go b/sdk/physical/file/file.go
index 320ee21caa91..e5e64e6efa41 100644
--- a/sdk/physical/file/file.go
+++ b/sdk/physical/file/file.go
@@ -242,8 +242,9 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 
 	// JSON encode the entry and write it
 	fullPath := filepath.Join(path, key)
+	tempPath := fullPath + ".temp"
 	f, err := os.OpenFile(
-		fullPath,
+		tempPath,
 		os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
 		0o600)
 	if err != nil {
@@ -262,6 +263,10 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 	})
 	f.Close()
 	if encErr == nil {
+		err = os.Rename(tempPath, fullPath)
+		if err != nil {
+			return err
+		}
 		return nil
 	}
 
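Review bot: The temp name `fullPath + ".temp"` is deterministic and sits in the data directory beside real entries, so a process killed between `os.OpenFile` and the later rename leaves a stale `<key>.temp` behind, and if keys map directly onto file names a stored key that itself ends in `.temp` shares its path with the temp file of the key without that suffix. `f, err := os.CreateTemp(path, filepath.Base(fullPath)+".*.temp")` followed by `tempPath := f.Name()` yields a unique 0600 file in the same directory (keeping the rename on one filesystem), at the cost of having to remove it on every error path. Whether this backend's List or Get would surface a leftover `.temp` entry is not visible in this hunk and is worth checking. PutInternal begins before and continues after this hunk.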
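Review bot: Nothing syncs the temp file before `f.Close()`, so the `os.Rename` added here can be committed to disk before the encoded bytes are; after a power loss or OS crash `fullPath` can still come back empty or partial, which is the truncation this series is meant to remove. The rename does protect against a SIGTERM mid-write, but the write-temp-then-rename pattern also requires `f.Sync()` (and, where durability really matters, an fsync of the parent directory) before the close. Between the encode and `f.Close()` I would add `if serr := f.Sync(); serr != nil && encErr == nil { encErr = serr }`, which routes a sync failure through the existing encErr cleanup instead of renaming an unsynced file. A failed rename also leaves `tempPath` on disk; `os.Remove(tempPath)` before `return err` keeps the directory clean. PutInternal begins before and continues after this hunk.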
@@ -270,7 +275,7 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 	// See if we ended up with a zero-byte file and if so delete it, might be a
 	// case of disk being full but the file info is in metadata that is
 	// reserved.
-	fi, err := os.Stat(fullPath)
+	fi, err := os.Stat(tempPath)
 	if err != nil {
 		return encErr
 	}
@@ -278,7 +283,7 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
 		return encErr
 	}
 	if fi.Size() == 0 {
-		os.Remove(fullPath)
+		os.Remove(tempPath)
 	}
 	return encErr
 }

From a242cba4ca08c99ec82e6347fbe9a5fe7efa2100 Mon Sep 17 00:00:00 2001
From: shujun10086 <43774659+shujun10086@users.noreply.github.com>
Date: Sat, 11 Jun 2022 17:24:34 +0800
Subject: [PATCH 2/3] Create 15946.txt

---
 changelog/15946.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/15946.txt

diff --git a/changelog/15946.txt b/changelog/15946.txt
new file mode 100644
index 000000000000..0ac70755c875
--- /dev/null
+++ b/changelog/15946.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/seal: write a temp file and encrypt it, then rename it to the target path file. This can avoid the orignal file crash if Vault restart.
+```

From 9759caa9e42cd11aaa4cfa0f828924a2691b8795 Mon Sep 17 00:00:00 2001
From: shujun10086 <43774659+shujun10086@users.noreply.github.com>
Date: Wed, 15 Jun 2022 10:48:00 +0800
Subject: [PATCH 3/3] Update 15946.txt

---
 changelog/15946.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/15946.txt b/changelog/15946.txt
index 0ac70755c875..869f61a10cba 100644
--- a/changelog/15946.txt
+++ b/changelog/15946.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-core/seal: write a temp file and encrypt it, then rename it to the target path file. This can avoid the orignal file crash if Vault restart.
+core/seal: Fix possible keyring truncation when using the file backend.
 ```
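Review bot: On the `encErr != nil` path the partial write is now in `tempPath`, yet it is only removed when `os.Stat(tempPath)` reports a zero-size file, so a non-empty partial temp file stays behind as `<key>.temp` until the next Put of the same key overwrites it. The size check was worthwhile when the partial data had clobbered `fullPath` itself; a temp file that will never be renamed can be removed unconditionally. I would replace the Stat/size block in this hunk and in `@@ -278,7 +283,7 @@` with `os.Remove(tempPath)` followed by `return encErr`, rewording the disk-full comment to say the temp file is discarded. PutInternal begins before this hunk.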