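#!/usr/bin/env bash
#
# verify-auth.sh: smoke test for authentication and role-based authorization
# on the ops-platform API. It logs in as root/admin/mini/noc, then checks
# which endpoints each role can reach and which return 401/403.
#
# Environment (read from the process environment or from ENV_FILE):
#   ENV_FILE                 optional env file to source (default below)
#   API_URL                  base URL of the API (default below)
#   DESK_BOOTSTRAP_PASSWORD  password shared by the four test accounts (required)
#   WEBHOOK_SECRET           shared secret for the onboarding webhook (required)
#   OPS_INTERNAL_TOKEN       worker-to-API internal token (required)
#
# Side effects visible in this script: it POSTs to audit/cycle and to
# webhooks/onboard, so it is not a read-only check.
set -euo pipefail

ENV_FILE="${ENV_FILE:-/opt/ligbox-ops-platform/.env}"
if [[ -f "$ENV_FILE" ]]; then
  # `source` executes the file as shell code. Anyone who can write ENV_FILE
  # can run commands as the user running this script, so keep it owned by
  # that user and not group/world-writable.
  set -a
  # shellcheck disable=SC1090
  source "$ENV_FILE"
  set +a
fi

# NOTE: the default is plain HTTP. The password, bearer tokens and shared
# secrets below cross the network unencrypted unless API_URL is https://.
API="${API_URL:-http://10.10.10.122:8080}"

# Secrets have no built-in fallback on purpose. A default password or shared
# secret in the script is a credential in source control, and it lets the
# checks pass against a deployment that still uses a well-known value.
PASS="${DESK_BOOTSTRAP_PASSWORD:?must be set (environment or ENV_FILE)}"
WEBHOOK_SECRET="${WEBHOOK_SECRET:?must be set (environment or ENV_FILE)}"
# An empty token would send an empty header value, and the internal-token
# check below would then really be testing an unauthenticated request.
INTERNAL="${OPS_INTERNAL_TOKEN:?must be set (environment or ENV_FILE)}"

echo "=== verify-auth.sh === API=$API"

fail() { echo "FAIL: $1"; exit 1; }
ok() { echo "OK: $1"; }

# NOTE: bearer tokens and the webhook/internal secrets are passed to curl as
# command-line arguments, so they show up in the local process list while a
# request is in flight. Run this only on a host whose local users are trusted.

#######################################
# Succeeds when the request returns 2xx and the body matches a pattern.
# The body is captured first instead of piping curl into `grep -q`: under
# `pipefail`, grep exiting on its first match can make curl fail on the
# closed pipe and turn a passing check into a failure.
# Arguments: $1 - grep pattern; remaining - curl arguments
# Returns:   0 on match, non-zero otherwise
#######################################
body_has() {
  local pattern=$1 body
  shift
  body=$(curl -sf "$@") || return 1
  grep -q -- "$pattern" <<<"$body"
}

#######################################
# Asserts the HTTP status code of a request, then reports success.
# Arguments: $1 - expected status; $2 - failure message prefix;
#            $3 - success label; remaining - curl arguments
#######################################
expect_status() {
  local want=$1 fail_msg=$2 ok_msg=$3 got
  shift 3
  # `|| true`: a transport error makes curl exit non-zero while still
  # printing 000; keep going so the failure is reported with that code
  # instead of `set -e` ending the script silently.
  got=$(curl -s -o /dev/null -w '%{http_code}' "$@") || true
  [[ "$got" == "$want" ]] || fail "$fail_msg (got $got)"
  ok "$ok_msg"
}

#######################################
# Logs in and prints the access token.
# The JSON body is built with json.dumps so quotes or backslashes in the
# password cannot break or alter the payload, and it is sent on stdin so
# the password never appears in curl's argument list.
# Globals:   API, PASS (read)
# Arguments: $1 - username
# Outputs:   access token on stdout
#######################################
login_token() {
  local user=$1 payload
  payload=$(LOGIN_USER="$user" LOGIN_PASS="$PASS" python3 -c '
import json, os
print(json.dumps({"username": os.environ["LOGIN_USER"],
                  "password": os.environ["LOGIN_PASS"]}))
') || return 1
  curl -sf -X POST "$API/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    --data-binary @- <<<"$payload" \
    | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])"
}

# Public health
body_has '"status":"ok"' "$API/health" || fail "health"
ok "GET /health público"

# Protected without token
expect_status 401 "desk/tickets sem token devia 401" "desk/tickets sem token → 401" \
  "$API/api/v1/desk/tickets"

# Name the account on login failure; otherwise `set -e` would end the run
# without saying which login broke.
TOKEN_ROOT=$(login_token root) || fail "login root"
TOKEN_ADMIN=$(login_token admin) || fail "login admin"
TOKEN_MINI=$(login_token mini) || fail "login mini"
TOKEN_NOC=$(login_token noc) || fail "login noc"
ok "login root/admin/mini/noc"

body_has '"tickets"' -H "Authorization: Bearer $TOKEN_ROOT" \
  "$API/api/v1/desk/tickets" || fail "root tickets"
ok "root GET tickets"

# The label says "masked", but only the presence of the "tickets" key is
# checked here; the masking itself is not verified by this script.
body_has '"tickets"' -H "Authorization: Bearer $TOKEN_NOC" \
  "$API/api/v1/desk/tickets" || fail "noc tickets read"
ok "noc GET tickets (masked)"

expect_status 403 "noc PATCH devia 403" "noc PATCH ticket → 403" \
  -X PATCH \
  -H "Authorization: Bearer $TOKEN_NOC" \
  -H "Content-Type: application/json" \
  -d '{"status":"closed"}' \
  "$API/api/v1/desk/tickets/1"

expect_status 403 "mini audit cycle devia 403" "mini POST audit/cycle → 403" \
  -X POST \
  -H "Authorization: Bearer $TOKEN_MINI" \
  "$API/api/v1/audit/cycle"

body_has 'audits_run\|domains_synced' \
  -H "Authorization: Bearer $TOKEN_ADMIN" -X POST \
  "$API/api/v1/audit/cycle" || fail "admin audit cycle"
ok "admin POST audit/cycle"

expect_status 200 "worker internal token" "worker X-Ops-Internal-Token audit/cycle" \
  -H "X-Ops-Internal-Token: $INTERNAL" \
  -X POST "$API/api/v1/audit/cycle"

expect_status 403 "noc timeline devia 403" "noc session timeline → 403" \
  -H "Authorization: Bearer $TOKEN_NOC" \
  "$API/api/v1/onboard/sessions/test-session/timeline"

# Best effort: the session may not exist in this environment, so a miss is
# not fatal. It is reported as SKIP rather than OK so that a run where the
# check never executed cannot be read as a pass.
if body_has '"events"' -H "Authorization: Bearer $TOKEN_MINI" \
  "$API/api/v1/onboard/sessions/6fbd2387-14e6-4c85-a017-336f178bcb1a/timeline"; then
  ok "mini session timeline (se sessão existir)"
else
  echo "SKIP: mini session timeline (session not found or not readable)"
fi

expect_status 403 "admin list users devia 403" "admin GET auth/users → 403" \
  -H "Authorization: Bearer $TOKEN_ADMIN" \
  "$API/api/v1/auth/users"

body_has '"users"' -H "Authorization: Bearer $TOKEN_ROOT" \
  "$API/api/v1/auth/users" || fail "root list users"
ok "root GET auth/users"

# Webhook without JWT still works
body_has '"accepted"' -X POST "$API/api/v1/webhooks/onboard" \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: $WEBHOOK_SECRET" \
  -d '{"event":"account.created","domain":"auth-verify.ligbox","session_id":"auth-spec-003-verify"}' \
  || fail "webhook onboard"
ok "webhook onboard sem JWT"

echo "=== verify-auth.sh PASSED ==="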