From c393383b16dc6384bc5aa43e02605463949df505 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Mon, 23 Oct 2023 00:48:50 +0200 Subject: [PATCH] manage pg password using docker secrets - manage pg password using docker secrets - add POSTGRES_PASSWORD_FILE variable support - update doc - remove duplicate print --- .gitignore | 1 + README.md | 9 +++++---- ciso_assistant/settings.py | 4 +++- docker-compose-pg.sh | 3 ++- docker-compose.yaml | 11 +++++++++-- 5 files changed, 20 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 22180b445..b383e4ea7 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ ciso_assistant/build.json db/django_secret_key db/attachments/ db/data/ +db/pg_password.txt diff --git a/README.md b/README.md index 23f44ca5e..ad416e22f 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ To install gettext and pango, do `sudo apt update && sudo apt install gettext li ### Quick start 🚀 -There are two methods to run CISO locally: using Python or using Docker. +There are three methods to run CISO locally: using Python, using Docker or using docker-compose. By default, Django secret key is generated randomly at each start of Mira. This is convenient for quick test, but not recommended for production, as it can break the sessions (see this [topic](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key) for more information). To set a fixed secret key, use the environment variable DJANGO_SECRET_KEY. @@ -149,7 +149,7 @@ When asked for, enter your email and password for your superuser. You can then reach CISO Assistant using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/) -For following executions, use "docker-compose up" directly. +For the following executions, use "docker-compose up" directly. ### How to set up CISO Assistant for development? ✍️ 
@@ -182,15 +182,16 @@ export EMAIL_HOST=localhost export EMAIL_PORT=1025 ``` -> As said in the quickstart section, CISO generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable. +> As said in the quickstart section, CISO Assistant generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable. **Optional variables** ```sh -# CISO will use SQLite by default, but you can setup PostgreSQL by declaring these variables +# CISO Assistant will use SQLite by default, but you can setup PostgreSQL by declaring these variables export POSTGRES_NAME=ciso-assistant export POSTGRES_USER=ciso-assistantuser export POSTGRES_PASSWORD= +export POSTGRES_PASSWORD_FILE= # alternative way to specify password export DB_HOST=localhost export DB_PORT=5432 # optional, default value is 5432 diff --git a/ciso_assistant/settings.py b/ciso_assistant/settings.py index 3a286870a..46f3505a9 100644 --- a/ciso_assistant/settings.py +++ b/ciso_assistant/settings.py @@ -238,6 +238,9 @@ if 'POSTGRES_NAME' in os.environ: print("Postgresql database engine") + fp = os.environ.get('POSTGRES_PASSWORD_FILE') + if fp: + os.environ['POSTGRES_PASSWORD'] = Path(fp).read_text().strip() DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', @@ -248,7 +251,6 @@ 'PORT': os.environ.get('DB_PORT', '5432'), } } - print("Postgresql database engine") else: print("sqlite database engine") DATABASES = { diff --git a/docker-compose-pg.sh b/docker-compose-pg.sh index 5f4f02dcc..147e632aa 100755 --- a/docker-compose-pg.sh +++ b/docker-compose-pg.sh 
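Review bot: In the `@@ -238,6 +238,9 @@` hunk of ciso_assistant/settings.py the password read from POSTGRES_PASSWORD_FILE is written back into `os.environ['POSTGRES_PASSWORD']`, which puts the secret into the process environment that every child process inherits and that is readable through `/proc/<pid>/environ` and environment dumps — the exposure a secrets file is meant to avoid. Keep it in a local instead: `pg_password = os.environ.get('POSTGRES_PASSWORD')` before the `fp = ...` line, `pg_password = Path(fp).read_text().strip()` inside the `if fp:` branch, and `'PASSWORD': pg_password` in the DATABASES entry (that entry is not visible in the hunk, so the last edit is presumed). `Path` is assumed to be imported at the top of the file as in a standard Django settings module; an absent or unreadable file currently fails with a raw traceback at import time, which is fail-closed but worth a comment such as `# POSTGRES_PASSWORD_FILE takes precedence over POSTGRES_PASSWORD; startup fails if the file is unreadable`. Note that `.strip()` also drops leading/trailing whitespace from an operator-supplied password, which suits the `uuidgen >` file but should be stated in the README next to the new variable.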
@@ -4,7 +4,8 @@ if [ -d db/data ] ; then echo "the database seems already created" echo "you should launch docker-compose up -d" else - POSTGRES_PASSWORD=`uuidgen` docker-compose up -d + uuidgen > ./db/pg_password.txt + docker-compose up -d echo "initialize your superuser account..." docker-compose exec ciso-assistant python manage.py createsuperuser echo "for successive runs you can now use docker compose up" diff --git a/docker-compose.yaml b/docker-compose.yaml index a133a8d6b..90d18b7b2 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -14,7 +14,7 @@ services: CISO_URL: http://127.0.0.1:8000 POSTGRES_NAME: postgres POSTGRES_USER: postgres - POSTGRES_PASSWORD: $POSTGRES_PASSWORD + POSTGRES_PASSWORD_FILE: /run/secrets/pg_password # CISO_SUPERUSER_EMAIL: ciso@assistant.local EMAIL_HOST: your.mail.server EMAIL_PORT: 1025 @@ -26,13 +26,15 @@ services: DB_HOST: ciso-postgres volumes: - ./db:/code/db + secrets: + - pg_password postgres: image: postgres container_name: "ciso-postgres" restart: always environment: - POSTGRES_PASSWORD: $POSTGRES_PASSWORD + POSTGRES_PASSWORD_FILE: /run/secrets/pg_password volumes: - ./db/data:/var/lib/postgresql/data healthcheck: @@ -40,3 +42,8 @@ services: interval: 5s timeout: 5s retries: 5 + secrets: + - pg_password +secrets: + pg_password: + file: ./db/pg_password.txt
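Review bot: `uuidgen > ./db/pg_password.txt` creates the password file under the caller's default umask, so on a typical host it ends up mode 0644 and readable by every local user; write it as `(umask 077; uuidgen > ./db/pg_password.txt)` so it is 0600 from the start. The redirect also assumes `./db` already exists when `db/data` does not — if that is not guaranteed on a fresh checkout, prefix the line with `mkdir -p db`. An existing install that has `db/data` but no `db/pg_password.txt` is told to run `docker-compose up -d`, which will now fail because the secret file is missing (and an already-initialized cluster keeps its old password regardless); a short hint in the `if` branch would save operators a confusing failure. The `if` statement opens before the hunk.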
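Review bot: The secret source `file: ./db/pg_password.txt` lives inside the directory that the ciso-assistant service already bind-mounts as `./db:/code/db` (context line in the `@@ -26,13 +26,15 @@` hunk), so the password is readable in the app container at `/code/db/pg_password.txt` regardless of the `/run/secrets/pg_password` mount, and it sits next to `db/data` and `db/attachments`. Moving it out of the mounted tree, e.g. `file: ./secrets/pg_password.txt` with matching `.gitignore` and `docker-compose-pg.sh` paths, restores the isolation the secrets mechanism is meant to provide. A comment next to the postgres service's `POSTGRES_PASSWORD_FILE` should also state that the official image reads it only when initializing an empty data directory, so editing the file later does not change the password of an existing `db/data` cluster. Compose refuses to start when the file is missing, which is the right fail-closed behaviour but deserves a mention in the README.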