Move database password to file

Signed-off-by: alfred richardsn <rchrdsn@protonmail.ch>
fincubator · Nov 21, 2019 · c42bee0 · c42bee0
1 parent 71e4ceb
commit c42bee0
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 9 deletions.
diff --git a/.env.example b/.env.example
@@ -7,7 +7,7 @@ WEBHOOK_PATH=/tellerbot/webhook
 DATABASE_NAME=tellerbot
 DATABASE_HOST=database
 DATABASE_USERNAME=tellerbot
-DATABASE_PASSWORD=
+DATABASE_PASSWORD_FILENAME=/run/secrets/dbpassword
 
 # Logging
 LOGGER_LEVEL=INFO

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,7 @@ services:
       - .env
     restart: on-failure
     volumes:
+      - ${DATABASE_PASSWORD_FILENAME}:${DATABASE_PASSWORD_FILENAME}:ro
       - ${TOKEN_FILENAME}:${TOKEN_FILENAME}:ro
       - ${WIF_FILENAME}:${WIF_FILENAME}:ro
     ports:
@@ -19,9 +20,10 @@ services:
     container_name: ${DATABASE_HOST}
     environment:
       - MONGO_INITDB_ROOT_USERNAME=${DATABASE_USERNAME}
-      - MONGO_INITDB_ROOT_PASSWORD=${DATABASE_PASSWORD}
+      - MONGO_INITDB_ROOT_PASSWORD_FILE=${DATABASE_PASSWORD_FILENAME}
     command: mongod --quiet
     ports:
       - 27017
     volumes:
+      - ${DATABASE_PASSWORD_FILENAME}:${DATABASE_PASSWORD_FILENAME}:ro
       - ~/data/db:/data/db
diff --git a/src/config.py b/src/config.py
@@ -40,7 +40,7 @@ def getenv_bool(key, default=None):
 DATABASE_NAME = getenv("DATABASE_NAME", "tellerbot")
 DATABASE_HOST = getenv("DATABASE_HOST", "127.0.0.1")
 DATABASE_USERNAME = getenv("DATABASE_USERNAME")
-DATABASE_PASSWORD = getenv("DATABASE_PASSWORD")
+DATABASE_PASSWORD_FILENAME = getenv("DATABASE_PASSWORD_FILENAME")
 
 LOGGER_LEVEL = getenv("LOGGER_LEVEL")
 LOG_FILENAME = getenv("LOG_FILENAME")

diff --git a/src/database.py b/src/database.py
@@ -22,11 +22,14 @@
 from src import config
 
 
-client = AsyncIOMotorClient(
-    config.DATABASE_HOST,
-    username=config.DATABASE_USERNAME,
-    password=config.DATABASE_PASSWORD,
-)
+if not config.DATABASE_PASSWORD_FILENAME:
+    raise Exception("DATABASE_PASSWORD_FILENAME is not set")
+with open(config.DATABASE_PASSWORD_FILENAME, "r") as password_file:
+    client = AsyncIOMotorClient(
+        config.DATABASE_HOST,
+        username=config.DATABASE_USERNAME,
+        password=password_file.read().strip(),
+    )
 database = client[config.DATABASE_NAME]
 
 STATE_KEY = "state"

diff --git a/src/escrow/blockchain/__init__.py b/src/escrow/blockchain/__init__.py
@@ -78,7 +78,7 @@ async def transfer(self, to: str, amount: Decimal, asset: str) -> str:
     async def is_block_confirmed(
         self, block_num: int, op: typing.Mapping[str, typing.Any]
     ) -> bool:
-        """Check if block #``block_num`` has ``op`` after confirmation.
+        """Check if block ``block_num`` has ``op`` after confirmation.
 
         Check block on blockchain-specific conditions to consider it confirmed.