Files

knacky 6e803a482a fix(backend): stop seeding the audit-writer role via postgres-init (MA1)

Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql`
hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted
into the dev Postgres container; on prod boxes this risks lingering as the
real credential.

- The init script was removed in the previous commit alongside the dropped
  scripts dir.
- `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d`
  directory; the audit-writer role provisioning is the Ansible playbook's
  responsibility (D-010).
- `backend/README.md` documents the manual one-shot `CREATE ROLE` command
  for local dev with a placeholder password.

Net effect: no `CHANGE_ME` credential reaches a container image / git history.
The Alembic migration's `audit_log` grant block stays idempotent — it is a
no-op when the role is absent.

2026-05-22 05:24:13 +02:00

3.0 KiB

Raw Blame History

Mimic — backend

Sprint 0 skeleton. Python 3.12+ / Flask / SQLAlchemy 2 / Alembic / Pydantic 2.

Layout

backend/
├── src/mimic/
│   ├── app.py                # Flask app factory + SocketIO init
│   ├── config.py             # Pydantic Settings
│   ├── extensions.py         # db, migrate, socketio, login_manager
│   ├── db/
│   │   ├── models/           # SQLAlchemy 2 typed models
│   │   ├── repositories/     # data access per aggregate
│   │   └── migrations/       # Alembic
│   ├── schemas/              # Pydantic 2 DTOs
│   ├── api/                  # Flask blueprints (REST)
│   ├── ws/                   # Flask-SocketIO namespaces
│   ├── connectors/           # C2Connector ABC + payload mapping
│   ├── orchestrator/         # run state machine (stub in sprint 0)
│   ├── templating/           # Jinja2 sandbox + regex_extract
│   ├── audit/                # append-only writer + rotation
│   ├── reporting/            # WeasyPrint builder (stub in sprint 0)
│   ├── rbac/                 # group-based permission matrix (F11)
│   ├── importers/            # ATR + C2 journal (stub in sprint 0)
│   └── cli/                  # mimic-cli (click)
└── tests/
    ├── unit/                 # SQLite, pure logic
    └── integration/          # testcontainers Postgres

Local dev

make install      # uv venv + pip install -e .[dev]
make db-up        # docker compose up -d postgres
make db-bootstrap # one-time: create the mimic_audit_writer role (see below)
make db-migrate   # alembic upgrade head
make run          # flask run (debug)
make test         # pytest unit
make test-int     # pytest integration (testcontainers)
make lint         # ruff + mypy strict

Audit writer role (dev)

mimic_audit_writer is provisioned by the Ansible playbook in production (decision D-010). For local development, create it manually after make db-up:

docker exec -it mimic-postgres psql -U mimic_app -d mimic \
  -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"

Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env. The Alembic migration grants the INSERT-only permission on audit_log against this role; if it does not exist, the grant block is a no-op (idempotent).

What sprint 0 ships

Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).
C2Connector ABC + dataclasses + payload_type enum + factory. No real Mythic/Home implementation (blocked on PR1/PR2).
Jinja2 SandboxedEnvironment + regex_extract filter (re2).
Local auth (bcrypt + Flask session) + group-based RBAC matching the F11 permission matrix.
Flat CRUD on engagements / hosts / TTPs / scenarios.
pytest baseline + testcontainers Postgres scaffolding.

Out of sprint 0

Orchestrator, WebSocket cockpit, real connectors, report generation, audit rotation.

3.0 KiB Raw Blame History