ligbox/ligbox-ops-platform
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ligbox-ops-platform/specs/003-desk-auth-rbac/quickstart.md
Ligbox Spec Hub 3a2c64834b Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130) 
Source: VM122 /opt + obsidian-infra + LAPTOP
Hub: CT130 spec-hub 10.10.10.130
2026-06-19 17:26:41 +00:00

3 KiB
Raw Blame History

Quickstart: Desk Auth & RBAC (003)

Pré-requisitos

  • VM122 API: curl http://10.10.10.122:8080/health
  • Feature 003 implementada e deployada
  • .env com JWT_SECRET definido

1. Login (cada role)

API="http://10.10.10.122:8080"

login() {
  local user=$1 pass=$2
  curl -sf -X POST "$API/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$user\",\"password\":\"$pass\"}" | python3 -m json.tool
}

login root 805353    # super_admin
login admin 805353   # ops_lead
login mini 805353    # technician
login noc 805353     # noc

2. API protegida

TOKEN=$(curl -sf -X POST "$API/api/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"root","password":"805353"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

curl -sf -H "Authorization: Bearer $TOKEN" "$API/api/v1/desk/tickets" | python3 -m json.tool | head

3. Verificar bloqueio público

# Deve falhar (401)
curl -sf "https://api.ops.ligbox.com.br/api/v1/desk/tickets" && echo FAIL || echo "401 OK"

# Health continua público
curl -sf "https://api.ops.ligbox.com.br/health"

4. Webhook inalterado

curl -sf -X POST "$API/api/v1/webhooks/onboard" \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: ligbox-ops-dev-secret" \
  -d '{"event":"account.created","domain":"auth-test.ligbox","session_id":"auth-spec-003"}'

5. Testes RBAC por role

Teste root admin mini noc
GET tickets masked
PATCH ticket * 403
POST audit/run 403 403
GET audit/overview 403 masked
GET auth/users 403

* mini: só se assigned_to null ou mini

Script automatizado:

bash /opt/ligbox-ops-platform/scripts/verify-auth.sh

6. UI

  1. Abrir https://desk.ligbox.com.br → login
  2. root / senha → dashboard
  3. Ver sidebar: Roger (super_admin) + Sair
  4. Login noc → sem botão fechar ticket; dados empresa mascarados

7. Deploy

cd /opt/ligbox-ops-platform

# Gerar secrets
echo "JWT_SECRET=$(openssl rand -hex 32)" >> .env
echo "OPS_INTERNAL_TOKEN=$(openssl rand -hex 32)" >> .env
echo "DESK_AUTH_ENABLED=true" >> .env

docker-compose -f docker-compose.mvp.yml up -d --build api frontend
bash scripts/verify-auth.sh

8. Rotação senha bootstrap

Após primeiro deploy:

  1. Login root no Desk
  2. PATCH /api/v1/auth/users/root com nova password (quando endpoint disponível)
  3. Ou SQL: UPDATE desk_users SET password_hash=... via bcrypt
  4. Alterar senhas SSH VM122 independentemente (passwd root)

Nunca manter 805353 em produção pública.

9. Rollback emergência

# .env
DESK_AUTH_ENABLED=false

docker-compose -f docker-compose.mvp.yml up -d --build api

API volta ao modo aberto — usar só em emergência.