knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): stop seeding the audit-writer role via postgres-init (MA1)

Browse Source 
Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql`
hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted
into the dev Postgres container; on prod boxes this risks lingering as the
real credential.

- The init script was removed in the previous commit alongside the dropped
  scripts dir.
- `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d`
  directory; the audit-writer role provisioning is the Ansible playbook's
  responsibility (D-010).
- `backend/README.md` documents the manual one-shot `CREATE ROLE` command
  for local dev with a placeholder password.

Net effect: no `CHANGE_ME` credential reaches a container image / git history.
The Alembic migration's `audit_log` grant block stays idempotent — it is a
no-op when the role is absent.
This commit is contained in:
knacky
2026-05-22 05:24:13 +02:00
parent 90f8141cfc
commit 6e803a482a
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/README.md
View File

@@ -35,6 +35,7 @@ backend/
```bash
make install # uv venv + pip install -e .[dev]
make db-up # docker compose up -d postgres
make db-bootstrap # one-time: create the mimic_audit_writer role (see below)
make db-migrate # alembic upgrade head
make run # flask run (debug)
make test # pytest unit
@@ -42,6 +43,20 @@ make test-int # pytest integration (testcontainers)
make lint # ruff + mypy strict
```
### Audit writer role (dev)
`mimic_audit_writer` is provisioned by the Ansible playbook in production
(decision D-010). For local development, create it manually after `make db-up`:
```bash
docker exec -it mimic-postgres psql -U mimic_app -d mimic \
-c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"
```
Then expose the same secret in `MIMIC_DATABASE_AUDIT_URL` in your `.env`. The
Alembic migration grants the INSERT-only permission on `audit_log` against
this role; if it does not exist, the grant block is a no-op (idempotent).
## What sprint 0 ships
- Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).

6
backend/docker-compose.yml
View File

@@ -11,7 +11,11 @@ services:
- "127.0.0.1:5432:5432"
volumes:
- mimic_pgdata:/var/lib/postgresql/data
- ./scripts/postgres-init:/docker-entrypoint-initdb.d:ro
# The `mimic_audit_writer` role is provisioned by the Ansible playbook
# in prod (D-010). For dev, create it manually after `make db-up`:
# docker exec -it mimic-postgres psql -U mimic_app -d mimic \
# -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"
# Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
interval: 5s