diff --git a/Dockerfile b/Dockerfile
index 93e5773..9795090 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,8 @@ COPY backend/ ./backend/
 COPY frontend/ ./frontend/
 
 # Create non-root user for security + data directory for auth persistence
-RUN groupadd -r obsigate && useradd -r -g obsigate -d /app -s /sbin/nologin obsigate \
+# Using explicit UID/GID 1000 to match common host user and docker-compose settings
+RUN groupadd -g 1000 obsigate && useradd -u 1000 -g obsigate -d /app -s /sbin/nologin obsigate \
     && mkdir -p /app/data \
     && chown -R obsigate:obsigate /app
 USER obsigate
diff --git a/backend/auth/user_store.py b/backend/auth/user_store.py
index 2e1a48a..bf9d742 100644
--- a/backend/auth/user_store.py
+++ b/backend/auth/user_store.py
@@ -31,14 +31,22 @@ def _read() -> dict:
 
 def _write(data: dict):
     """Atomic write: write to .tmp then rename to prevent corruption."""
-    USERS_FILE.parent.mkdir(parents=True, exist_ok=True)
-    tmp = USERS_FILE.with_suffix(".tmp")
-    tmp.write_text(json.dumps(data, indent=2, default=str), encoding="utf-8")
-    shutil.move(str(tmp), str(USERS_FILE))
     try:
-        USERS_FILE.chmod(0o600)
-    except OSError:
-        pass # Windows doesn't support Unix permissions
+        USERS_FILE.parent.mkdir(parents=True, exist_ok=True)
+        tmp = USERS_FILE.with_suffix(".tmp")
+        tmp.write_text(json.dumps(data, indent=2, default=str), encoding="utf-8")
+        shutil.move(str(tmp), str(USERS_FILE))
+        try:
+            USERS_FILE.chmod(0o600)
+        except OSError:
+            pass # Windows doesn't support Unix permissions
+    except PermissionError as e:
+        logger.critical("=" * 60)
+        logger.critical(f"ERREUR DE PERMISSION : Impossible d'écrire dans {USERS_FILE.parent}")
+        logger.critical("Le conteneur n'a pas les droits sur le volume monté dans /app/data.")
+        logger.critical("FIX : Exécutez sur l'hôte (Linux) : sudo chown -R 1000:1000 /votre/chemin/data")
+        logger.critical("=" * 60)
+        raise e
 
 
 def has_users() -> bool:
diff --git a/backend/main.py b/backend/main.py
index e566059..d1870ff 100644
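Review bot: The ids are hard-coded twice on the new RUN line (`groupadd -g 1000` and `useradd -u 1000`), so the build would fail on a base image that already owns UID or GID 1000, and a host whose user is not 1000 still hits the permission error the Python hunks in this commit try to explain. Making them build arguments lets operators match the host without editing the file: `ARG APP_UID=1000` and `ARG APP_GID=1000` above the RUN, then `RUN groupadd -g ${APP_GID} obsigate && useradd -u ${APP_UID} -g obsigate -d /app -s /sbin/nologin obsigate \`. The build-time `chown -R obsigate:obsigate /app` does not reach a volume mounted over /app/data at runtime, which is presumably why the host-side chown is spelled out in the log messages; saying so in the comment above RUN would spare the next reader the same discovery.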
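Review bot: Inside the new inner `try`, the temp file is still created with umask-default permissions and only `USERS_FILE` is chmod'ed after the rename, so the freshly written user records (presumably credentials — confirm) are briefly readable by other local accounts; add `tmp.chmod(0o600)` right after `tmp.write_text(...)` under the same OSError guard, or create the file with `os.open(..., 0o600)`. The `sudo chown -R 1000:1000` advice in the critical message hard-codes the Dockerfile's UID and goes stale as soon as the image or compose file changes the user; `f"sudo chown -R {os.getuid()}:{os.getgid()} /votre/chemin/data"` (guarded with `hasattr(os, "getuid")`, since this module already tolerates Windows, and with `import os` if the module lacks it) reports the ids the process actually runs under — the same applies to the messages in the backend/main.py and backend/vault_settings.py hunks. In all three handlers a bare `raise` is preferable to `raise e`. `_write` is fully inside the hunk.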
--- a/backend/main.py
+++ b/backend/main.py
@@ -370,8 +370,17 @@ def bootstrap_admin():
     logger.warning("CHANGEZ CE MOT DE PASSE dès la première connexion !")
     logger.warning("=" * 60)
 
-    create_user(admin_user, admin_pass, role="admin", vaults=["*"])
-    logger.info(f"Admin '{admin_user}' créé avec succès")
+    try:
+        create_user(admin_user, admin_pass, role="admin", vaults=["*"])
+        logger.info(f"Admin '{admin_user}' créé avec succès")
+    except PermissionError as e:
+        logger.critical("=" * 60)
+        logger.critical("DÉMARRAGE IMPOSSIBLE : Erreur de permission sur le dossier 'data'")
+        logger.critical("L'indexation et l'authentification ne peuvent pas fonctionner.")
+        logger.critical("FIX : Vérifiez les droits du volume /app/data sur l'hôte.")
+        logger.critical("Exemple : sudo chown -R 1000:1000 /DOCKER_CONFIG/ObsiGate/data")
+        logger.critical("=" * 60)
+        raise e
 
 
 # ---------------------------------------------------------------------------
diff --git a/backend/vault_settings.py b/backend/vault_settings.py
index 2e6c806..6986298 100644
--- a/backend/vault_settings.py
+++ b/backend/vault_settings.py
@@ -64,9 +64,12 @@ def save_vault_settings() -> None:
         _SETTINGS_PATH.write_text(content, encoding="utf-8")
         logger.info(f"Successfully saved settings for {len(_vault_settings)} vaults to {_SETTINGS_PATH}")
     except PermissionError as e:
-        logger.error(f"Permission denied writing to {_SETTINGS_PATH}: {e}")
-        logger.error(f"Check that user has write permissions to {_SETTINGS_PATH.parent}")
-        raise
+        logger.critical("=" * 60)
+        logger.critical(f"ERREUR DE PERMISSION : Impossible d'écrire dans {_SETTINGS_PATH.parent}")
+        logger.critical("Le conteneur n'a pas les droits sur le volume monté dans /app/data.")
+        logger.critical("FIX : Exécutez sur l'hôte (Linux) : sudo chown -R 1000:1000 /votre/chemin/data")
+        logger.critical("=" * 60)
+        raise e
     except Exception as e:
         logger.error(f"Failed to save vault settings to {_SETTINGS_PATH}: {e}")
         logger.error(f"Error type: {type(e).__name__}")
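Review bot: If `create_user` writes through `user_store._write` (as the sibling hunk in this commit suggests), a PermissionError now prints two 60-character critical banners with overlapping chown advice before the traceback; log the banner in one place only, for instance keep the startup-level message in this handler and let `_write` re-raise without logging. The example path `/DOCKER_CONFIG/ObsiGate/data` also differs from the `/votre/chemin/data` placeholder used in the other two hunks, so operators get two different instructions for the same failure; pick one wording. `bootstrap_admin` begins outside the hunk.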
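Review bot: The new `except PermissionError` handler loses what the removed lines logged — the full `_SETTINGS_PATH` and the exception text `{e}` — and reports only the parent directory, so an operator cannot tell from the log which file failed without reading the traceback. Keep one line such as `logger.critical(f"ERREUR DE PERMISSION : Impossible d'écrire dans {_SETTINGS_PATH}: {e}")`. The other messages in this function (`Successfully saved settings ...`, `Failed to save vault settings ...`) are in English, so the French banner is inconsistent within the file. The enclosing `save_vault_settings` starts and ends outside the hunk.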