ligbox-ops-platform/verify-auth.sh

#!/usr/bin/env bash
set -euo pipefail

ENV_FILE="${ENV_FILE:-/opt/ligbox-ops-platform/.env}"
if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090
  source "$ENV_FILE"
  set +a
fi

API="${API_URL:-http://10.10.10.122:8080}"
PASS="${DESK_BOOTSTRAP_PASSWORD:-805353}"
WEBHOOK_SECRET="${WEBHOOK_SECRET:-ligbox-ops-dev-secret}"
INTERNAL="${OPS_INTERNAL_TOKEN:-}"

echo "=== verify-auth.sh === API=$API"

fail() { echo "FAIL: $1"; exit 1; }
ok() { echo "OK: $1"; }

# Public health
curl -sf "$API/health" | grep -q '"status":"ok"' || fail "health"
ok "GET /health público"

# Protected without token
code=$(curl -s -o /dev/null -w '%{http_code}' "$API/api/v1/desk/tickets")
[[ "$code" == "401" ]] || fail "desk/tickets sem token devia 401 (got $code)"
ok "desk/tickets sem token → 401"

login_token() {
  local user=$1
  curl -sf -X POST "$API/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$user\",\"password\":\"$PASS\"}" \
    | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])"
}

TOKEN_ROOT=$(login_token root)
TOKEN_ADMIN=$(login_token admin)
TOKEN_MINI=$(login_token mini)
TOKEN_NOC=$(login_token noc)
ok "login root/admin/mini/noc"

curl -sf -H "Authorization: Bearer $TOKEN_ROOT" "$API/api/v1/desk/tickets" | grep -q '"tickets"' || fail "root tickets"
ok "root GET tickets"

curl -sf -H "Authorization: Bearer $TOKEN_NOC" "$API/api/v1/desk/tickets" | grep -q '"tickets"' || fail "noc tickets read"
ok "noc GET tickets (masked)"

code=$(curl -s -o /dev/null -w '%{http_code}' -X PATCH \
  -H "Authorization: Bearer $TOKEN_NOC" \
  -H "Content-Type: application/json" \
  -d '{"status":"closed"}' \
  "$API/api/v1/desk/tickets/1")
[[ "$code" == "403" ]] || fail "noc PATCH devia 403 (got $code)"
ok "noc PATCH ticket → 403"

code=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
  -H "Authorization: Bearer $TOKEN_MINI" \
  "$API/api/v1/audit/cycle")
[[ "$code" == "403" ]] || fail "mini audit cycle devia 403 (got $code)"
ok "mini POST audit/cycle → 403"

curl -sf -H "Authorization: Bearer $TOKEN_ADMIN" -X POST "$API/api/v1/audit/cycle" | grep -q 'audits_run\|domains_synced' || fail "admin audit cycle"
ok "admin POST audit/cycle"

code=$(curl -s -o /dev/null -w '%{http_code}' \
  -H "X-Ops-Internal-Token: $INTERNAL" \
  -X POST "$API/api/v1/audit/cycle")
[[ "$code" == "200" ]] || fail "worker internal token (got $code)"
ok "worker X-Ops-Internal-Token audit/cycle"

code=$(curl -s -o /dev/null -w '%{http_code}' \
  -H "Authorization: Bearer $TOKEN_NOC" \
  "$API/api/v1/onboard/sessions/test-session/timeline")
[[ "$code" == "403" ]] || fail "noc timeline devia 403 (got $code)"
ok "noc session timeline → 403"

curl -sf -H "Authorization: Bearer $TOKEN_MINI" \
  "$API/api/v1/onboard/sessions/6fbd2387-14e6-4c85-a017-336f178bcb1a/timeline" | grep -q '"events"' || true
ok "mini session timeline (se sessão existir)"

code=$(curl -s -o /dev/null -w '%{http_code}' \
  -H "Authorization: Bearer $TOKEN_ADMIN" \
  "$API/api/v1/auth/users")
[[ "$code" == "403" ]] || fail "admin list users devia 403 (got $code)"
ok "admin GET auth/users → 403"

curl -sf -H "Authorization: Bearer $TOKEN_ROOT" "$API/api/v1/auth/users" | grep -q '"users"' || fail "root list users"
ok "root GET auth/users"

# Webhook without JWT still works
curl -sf -X POST "$API/api/v1/webhooks/onboard" \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: $WEBHOOK_SECRET" \
  -d '{"event":"account.created","domain":"auth-verify.ligbox","session_id":"auth-spec-003-verify"}' \
  | grep -q '"accepted"' || fail "webhook onboard"
ok "webhook onboard sem JWT"

echo "=== verify-auth.sh PASSED ==="