fix: implement atomic file writes and fix config variable names

- Implement atomic file writes for tokens.json to prevent corruption
  - Use mkstemp() to create temporary file in same directory
  - Write data to temp file, set permissions, then atomic rename
  - Clean up temp file on error to prevent orphaned files
  - Prevents data loss if process crashes during write

- Fix configuration variable name mismatch
  - Changed ORACLE_HOST/ORACLE_PORT to CHELON_HOST/CHELON_PORT in config file
  - Aligns with variable names expected by server code
  - Prevents service misconfiguration

Addresses critical security issues:
- Data corruption risk from non-atomic writes
- Service startup failures from config mismatches

Author: NeilHanlon

config/chelon.conf

@@ -2,8 +2,8 @@
 # This file is managed by the chelon RPM package
 
 # Server binding
-ORACLE_HOST=127.0.0.1
-ORACLE_PORT=5050
+CHELON_HOST=127.0.0.1
+CHELON_PORT=5050
 
 # GPG home directory (where keys are stored)
 GNUPGHOME=/var/lib/chelon/.gnupg

server/auth.py

@@ -12,6 +12,7 @@
 import pwd
 import grp
 import threading
+import tempfile
 from pathlib import Path
 from typing import Dict, Optional
 from datetime import datetime, UTC
@@ -83,23 +84,47 @@ def _load_tokens(self) -> Dict:
             return {}
 
     def _save_tokens(self):
-        """Save tokens to file"""
+        """Save tokens to file atomically to prevent corruption"""
+        import tempfile
+        
         try:
             self.tokens_file.parent.mkdir(parents=True, exist_ok=True)
-            with open(self.tokens_file, 'w') as f:
-                json.dump(self.tokens, f, indent=2)
-            # Secure permissions
-            self.tokens_file.chmod(0o600)
 
-            # If running as root, try to chown to chelon user
-            if os.getuid() == 0:
+            # Write to temporary file first (atomic rename requires same filesystem)
+            fd, tmp_path = tempfile.mkstemp(
+                dir=self.tokens_file.parent,
+                prefix='.tokens.json.',
+                suffix='.tmp'
+            )
+            
+            try:
+                with os.fdopen(fd, 'w') as f:
+                    json.dump(self.tokens, f, indent=2)
+                
+                # Set secure permissions before moving
+                os.chmod(tmp_path, 0o600)
+                
+                # If running as root, try to chown to chelon user
+                if os.getuid() == 0:
+                    try:
+                        uid = pwd.getpwnam('chelon').pw_uid
+                        gid = grp.getgrnam('chelon').gr_gid
+                        os.chown(tmp_path, uid, gid)
+                    except KeyError:
+                        # User or group doesn't exist, ignore
+                        pass
+                
+                # Atomic rename (POSIX guarantees atomicity)
+                os.rename(tmp_path, self.tokens_file)
+                
+            except Exception:
+                # Clean up temp file on error
                 try:
-                    uid = pwd.getpwnam('chelon').pw_uid
-                    gid = grp.getgrnam('chelon').gr_gid
-                    os.chown(self.tokens_file, uid, gid)
-                except KeyError:
-                    # User or group doesn't exist, ignore
+                    os.unlink(tmp_path)
+                except OSError:
                     pass
+                raise
+                
         except Exception as e:
             logger.error(f"Failed to save tokens: {e}")