ligbox-ops-platform/specs/003-desk-auth-rbac/tasks.md

Tasks: Desk Auth & RBAC (003)

Input: spec.md · plan.md · contracts/auth-api.md

Prerequisites: spec.md ✅ · plan.md ✅ · research.md ✅ · data-model.md ✅

Status: ✅ Fechada 100% — 2026-06-10

Format: [ID] [P?] [Story] Description

---

Phase 1: Setup

Purpose: Dependências e configuração

• T001 Confirmar API healthy: curl http://10.10.10.122:8080/health
• T002 [P] Adicionar python-jose[cryptography], passlib[bcrypt] em api/requirements.txt
• T003 [P] Adicionar .env: JWT_SECRET, JWT_EXPIRE_HOURS=8, DESK_AUTH_ENABLED=true, OPS_INTERNAL_TOKEN, DESK_BOOTSTRAP_PASSWORD
• T004 [P] Criar scripts/verify-auth.sh (esqueleto)

Checkpoint: deps prontas para build ✅

---

Phase 2: Foundation — Auth backend (US1)

Purpose: Login, JWT, tabela users

• T005 [US1] Criar api/app/permissions.py — ROLE constants + can_patch_ticket, can_run_audit, etc.
• T006 [US1] Criar api/app/auth.py — bcrypt hash/verify, JWT create/decode, get_current_user dependency
• T007 [US1] Em init_db(): CREATE desk_users; seed root/admin/mini/noc se vazio
• T008 [US1] Criar api/app/auth_routes.py — POST /login, GET /me, rate limit 5/min
• T009 [US1] Feature flag DESK_AUTH_ENABLED — bypass auth quando false
• T010 [US1] Registar router auth em main.py
• T011 [US1] Testar login 4 users via curl

Checkpoint: login funcional, JWT emitido ✅

---

Phase 3: Protect API routes (US2)

Purpose: RBAC em endpoints existentes

• T012 [US2] Adicionar assigned_to, assigned_at em tickets (migration init_db)
• T013 [US2] Proteger GET/PATCH /api/v1/desk/* com Depends(get_current_user)
• T014 [US2] Proteger GET /api/v1/onboard/*, GET /api/v1/audit/*
• T015 [US2] POST /api/v1/audit/* — ops_lead+ only; cycle aceita X-Ops-Internal-Token
• T016 [US2] Proteger GET /api/v1/tenants, webhooks/events, infra/*, integrations
• T017 [US2] Implementar _mask_ticket_for_noc() em enrich ticket
• T018 [US2] PATCH ticket: validar can_patch_ticket; aceitar assigned_to no body
• T019 [US2] Manter webhooks e /health públicos
• T020 [US2] Bump version → 0.6.0-desk-auth
• T021 [US2] Rebuild API: docker-compose -f docker-compose.mvp.yml up -d --build api

Checkpoint: curl sem token → 401; com token role-correct → 200/403 ✅

---

Phase 4: Frontend login (US1 + US2)

Purpose: UI exige login; role gates

• T022 [P] [US1] Criar frontend/assets/auth.js — login, logout, token storage
• T023 [US1] Criar frontend/login.html — form + redirect
• T024 [US1] app.js: guard no boot; api() inject Bearer
• T025 [US2] Sidebar: user info + logout
• T026 [US2] Esconder acções PATCH para noc; esconder audit POST para technician/noc
• T027 [US2] Rebuild frontend container
• T028 [US1] Teste browser: desk.ligbox.com.br → login → dashboard

Checkpoint: UI não expõe dados sem login ✅

---

Phase 5: Webhook regression (US3)

Purpose: Integrações intactas

• T029 [US3] verify-webhook.sh — ainda passa com secret, sem JWT
• T030 [US3] verify-wazuh-webhook.sh — ainda passa (via verify-auth webhook test)
• T031 [US3] Worker audit: configurar OPS_INTERNAL_TOKEN em worker env
• T032 [US3] Confirmar VM112 onboarding E2E após auth deploy (portal healthy)

Checkpoint: zero regressão 001/002 ✅

---

Phase 6: User management (US4 — P2)

• T033 [US4] GET /api/v1/auth/users — super_admin
• T034 [US4] PATCH /api/v1/auth/users/{username} — role, active, password
• T035 [P] [US4] UI secção Admin (super_admin only) — lista users

Checkpoint: root gere equipa sem SSH ✅

---

Phase 7: Polish & verify

• T036 Completar scripts/verify-auth.sh — matrix 20+ testes
• T037 Testar público api.ops.ligbox.com.br → 401 em desk
• T038 Documentar rotação senha em quickstart
• T039 Actualizar BACKLOG Obsidian: 003 ✅ (sync VM112 workspace + obsidian-infra)
• T040 fail2ban VM122 — confirmar active pós-deploy

Checkpoint: SC-001 a SC-005 verdes ✅