From 6e803a482a45e3da939c3c38b79dddfac818b470 Mon Sep 17 00:00:00 2001
From: knacky
Date: Fri, 22 May 2026 05:24:13 +0200
Subject: [PATCH] fix(backend): stop seeding the audit-writer role via postgres-init (MA1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential.

- The init script was removed in the previous commit alongside the dropped scripts dir.
- `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010).
- `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password.

Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent.
---
 backend/README.md | 15 +++++++++++++++
 backend/docker-compose.yml | 6 +++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/backend/README.md b/backend/README.md
index 62adec3..88bae7f 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -35,6 +35,7 @@ backend/
 ```bash
 make install # uv venv + pip install -e .[dev]
 make db-up # docker compose up -d postgres
+make db-bootstrap # one-time: create the mimic_audit_writer role (see below)
 make db-migrate # alembic upgrade head
 make run # flask run (debug)
 make test # pytest unit
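Review bot: The added quick-start line advertises `make db-bootstrap` as the one-time role-creation step, but the diffstat lists only README.md and docker-compose.yml, so this commit adds no Makefile target; unless `db-bootstrap` already exists in the Makefile, the line points developers at a target that fails, while the section added in the next hunk tells them to run `docker exec … psql` by hand. Either add the target in this commit (wrapping the documented `CREATE ROLE` command) or make the quick-start agree with the section, e.g. replace the line with `# one-time: create the mimic_audit_writer role by hand — see "Audit writer role (dev)" below`. If the target does exist, the section below should at least mention it so the two instructions do not diverge.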
@@ -42,6 +43,20 @@ make test-int # pytest integration (testcontainers)
 make lint # ruff + mypy strict
 ```
 
+### Audit writer role (dev)
+
+`mimic_audit_writer` is provisioned by the Ansible playbook in production
+(decision D-010). For local development, create it manually after `make db-up`:
+
+```bash
+docker exec -it mimic-postgres psql -U mimic_app -d mimic \
+ -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"
+```
+
+Then expose the same secret in `MIMIC_DATABASE_AUDIT_URL` in your `.env`. The
+Alembic migration grants the INSERT-only permission on `audit_log` against
+this role; if it does not exist, the grant block is a no-op (idempotent).
+
 ## What sprint 0 ships
 
 - Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).
diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
index 4aacd6d..54e6c70 100644
--- a/backend/docker-compose.yml
+++ b/backend/docker-compose.yml
@@ -11,7 +11,11 @@ services:
 - "127.0.0.1:5432:5432"
 volumes:
 - mimic_pgdata:/var/lib/postgresql/data
- - ./scripts/postgres-init:/docker-entrypoint-initdb.d:ro
+ # The `mimic_audit_writer` role is provisioned by the Ansible playbook
+ # in prod (D-010). For dev, create it manually after `make db-up`:
+ # docker exec -it mimic-postgres psql -U mimic_app -d mimic \
+ # -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '';"
+ # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
 interval: 5s
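Review bot: The closing paragraph calls the skipped grant "idempotent", but a grant that is a no-op when the role is absent is not re-applied later: if `make db-migrate` runs before the role exists, the revision is already stamped and the INSERT grant on `audit_log` is never issued, so the audit writer would fail with a permission error at runtime (inferred from the description; the migration itself is not in this patch). State the ordering as a requirement instead of a convenience, e.g. `Create the role **before** `make db-migrate`; if the migration already ran, apply the audit_log INSERT grant by hand.`, and drop "(idempotent)". Separately, passing the dev secret inline through `psql -c` leaves it in the invoking shell's history; creating the role without a password and setting it interactively with psql's `\password mimic_audit_writer` avoids that for the one-shot command. The section's `CREATE ROLE` also runs as `mimic_app`, which only works because that user owns the dev container's cluster — worth one clause so nobody retries it against a non-superuser app account.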
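Review bot: The new comment hardcodes `-U mimic_app -d mimic` while the `healthcheck` two lines below derives both from `${POSTGRES_USER:-mimic_app}` and `${POSTGRES_DB:-mimic}`, and it repeats the README procedure with a different placeholder (`PASSWORD ''` here, `'pick-a-dev-secret'` in the README); two copies of the same instructions will drift, and an empty literal is easy to paste verbatim. I'd reduce the comment to a pointer, `# mimic_audit_writer is NOT seeded here (D-010); see README "Audit writer role (dev)".`. Separately, dropping the `docker-entrypoint-initdb.d` mount does not undo what it already did: the init directory only runs against an empty data directory, so a developer whose `mimic_pgdata` volume was initialised by the old `00-roles.sql` still carries the role with the `CHANGE_ME` password until the volume is recreated or the password is rotated — worth a sentence in the README or the commit message.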