obsidian-vault/ligbox-ops-platform/specs/003-desk-auth-rbac/quickstart.md
2026-06-19 17:26:42 +00:00


# Quickstart: Desk Auth & RBAC (003)
## Prerequisites
- VM122 API up: `curl http://10.10.10.122:8080/health`
- Feature 003 implemented and deployed
- `.env` with `JWT_SECRET` set
---
## 1. Login (each role)
```bash
API="http://10.10.10.122:8080"
login() {
local user=$1 pass=$2
curl -sf -X POST "$API/api/v1/auth/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"$user\",\"password\":\"$pass\"}" | python3 -m json.tool
}
login root 805353 # super_admin
login admin 805353 # ops_lead
login mini 805353 # technician
login noc 805353 # noc
```
---
## 2. Protected API
```bash
TOKEN=$(curl -sf -X POST "$API/api/v1/auth/login" \
-H "Content-Type: application/json" \
-d '{"username":"root","password":"805353"}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
curl -sf -H "Authorization: Bearer $TOKEN" "$API/api/v1/desk/tickets" | python3 -m json.tool | head
```
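The token from step 2 can be checked offline against `JWT_SECRET` before it is used as a bearer: this confirms that the secret in `.env` is the one the API signs with (after a rotation, a stale secret shows up here as a bad signature) and that the token is not an unsigned `alg: none` blob. This is an added example, not code from the project; it assumes the API issues HS256 JWTs signed with `JWT_SECRET` (the spec does not state the algorithm), and the secret and token inside it are constructed samples. It needs `openssl` and `python3`.

```shell
#!/usr/bin/env bash
# Offline inspection of a Desk access token. Added example, not project code.
# Assumption: tokens are HS256 JWTs signed with JWT_SECRET from .env (the spec
# above does not name the algorithm). Needs openssl and python3.

b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_dec() {   # b64url_dec STRING -> raw bytes (restores the stripped '=' padding)
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

jwt_hs256_sign() {   # jwt_hs256_sign SECRET PAYLOAD_JSON -> token (only used to build the sample)
  local h p sig
  h=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_enc)
  p=$(printf '%s' "$2" | b64url_enc)
  sig=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$1" -binary | b64url_enc)
  printf '%s.%s.%s' "$h" "$p" "$sig"
}

jwt_hs256_verify() {   # jwt_hs256_verify SECRET TOKEN -> 0 valid, 1 bad signature, 2 alg is not HS256
  local secret=$1 token=$2 h p s rest expected
  h=${token%%.*}; rest=${token#*.}; p=${rest%%.*}; s=${rest#*.}
  # Reject anything that is not HS256 (e.g. "alg":"none") before looking at the signature
  b64url_dec "$h" | grep -q '"alg" *: *"HS256"' || return 2
  expected=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$secret" -binary | b64url_enc)
  # Plain string compare is not constant-time; fine for a local check, not for a server
  [ "$s" = "$expected" ]
}

jwt_claim() {   # jwt_claim TOKEN NAME -> claim value (the payload is untrusted until verified)
  local rest=${1#*.}
  b64url_dec "${rest%%.*}" | python3 -c 'import sys,json; print(json.load(sys.stdin)[sys.argv[1]])' "$2"
}

# Constructed sample: a throwaway secret and a token minted with it, not a real Desk token
SAMPLE_SECRET='constructed-dev-secret-do-not-use'
SAMPLE_TOKEN=$(jwt_hs256_sign "$SAMPLE_SECRET" '{"sub":"root","role":"super_admin","exp":1800000000}')

# Live use: TOKEN from step 2, JWT_SECRET exported from .env
if [ "${JWT_SECRET:-}" ] && [ "${TOKEN:-}" ]; then
  jwt_hs256_verify "$JWT_SECRET" "$TOKEN" && echo "signature OK, role=$(jwt_claim "$TOKEN" role)"
fi
```

With `TOKEN` from step 2 and `JWT_SECRET` exported from `.env`, the script prints the signature result and the `role` claim; a signature mismatch right after a secret rotation means the API container is still running with the old value.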
---
## 3. Verify public access is blocked
```bash
# Must be rejected with 401. Compare the status code, not curl's exit status:
# with `curl -f ... || echo OK` a DNS failure or a 5xx would also print "401 OK".
code=$(curl -s -o /dev/null -w '%{http_code}' "https://api.ops.ligbox.com.br/api/v1/desk/tickets")
[ "$code" = 401 ] && echo "401 OK" || echo "FAIL (got $code)"
# Health stays public
curl -sf "https://api.ops.ligbox.com.br/health"
```
---
## 4. Webhook unchanged
```bash
curl -sf -X POST "$API/api/v1/webhooks/onboard" \
-H "Content-Type: application/json" \
-H "X-Webhook-Secret: ligbox-ops-dev-secret" \
-d '{"event":"account.created","domain":"auth-test.ligbox","session_id":"auth-spec-003"}'
```
---
## 5. RBAC tests per role
| Test | root | admin | mini | noc |
|-------|------|-------|------|-----|
| GET tickets | ✅ | ✅ | ✅ | ✅ masked |
| PATCH ticket | ✅ | ✅ | ✅* | ❌ 403 |
| POST audit/run | ✅ | ✅ | ❌ 403 | ❌ 403 |
| GET audit/overview | ✅ | ✅ | ❌ 403 | ✅ masked |
| GET auth/users | ✅ | ❌ 403 | ❌ | ❌ |
\* mini: only when `assigned_to` is null or `mini`
Automated script:
```bash
bash /opt/ligbox-ops-platform/scripts/verify-auth.sh
```
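The table above is the kind of matrix a status-code driven runner should assert on (a denied cell is a 403, an allowed cell is any 2xx), rather than relying on `curl -f` exit codes. The script below is an added example, not the project's `scripts/verify-auth.sh`. Its assumptions: ticket id `1` exists, the audit routes live under `/api/v1/audit/`, an empty JSON object is an acceptable PATCH/POST body for a permission check, and the conditional `mini` PATCH row is left out because its result depends on `assigned_to`. `token_for` and `http_code` are deliberately separate functions so they can be replaced by stubs when testing the runner itself.

```shell
#!/usr/bin/env bash
# Status-code driven RBAC matrix. Added example, not the project's verify-auth.sh.
# Assumptions: ticket id 1 exists, audit routes are under /api/v1/audit/, and
# an empty JSON object is an acceptable PATCH/POST body for a permission check.
API=${API:-http://10.10.10.122:8080}
DESK_PASSWORD=${DESK_PASSWORD:-805353}   # bootstrap password from the login section
PASS=0 FAIL=0

token_for() {   # token_for USERNAME -> access token (override with a stub in tests)
  curl -sf -X POST "$API/api/v1/auth/login" -H 'Content-Type: application/json' \
    -d "{\"username\":\"$1\",\"password\":\"$DESK_PASSWORD\"}" \
    | python3 -c 'import sys,json; print(json.load(sys.stdin)["access_token"])'
}

http_code() {   # http_code TOKEN METHOD PATH [BODY] -> HTTP status only (override in tests)
  local token=$1 method=$2 path=$3 body=${4:-}
  if [ -n "$body" ]; then
    curl -s -o /dev/null -w '%{http_code}' -X "$method" -H "Authorization: Bearer $token" \
      -H 'Content-Type: application/json' -d "$body" "$API$path"
  else
    curl -s -o /dev/null -w '%{http_code}' -X "$method" -H "Authorization: Bearer $token" "$API$path"
  fi
}

rbac_check() {   # rbac_check USER TOKEN METHOD PATH WANT [BODY]; WANT is a code or "2xx"
  local user=$1 token=$2 method=$3 path=$4 want=$5 body=${6:-} got ok=0
  got=$(http_code "$token" "$method" "$path" "$body")
  case "$want" in
    2xx) case "$got" in 2??) ok=1 ;; esac ;;
    *)   [ "$got" = "$want" ] && ok=1 ;;
  esac
  if [ "$ok" -eq 1 ]; then
    PASS=$((PASS + 1)); echo "ok   $user $method $path -> $got"; return 0
  fi
  FAIL=$((FAIL + 1)); echo "FAIL $user $method $path -> got $got, want $want"; return 1
}

run_matrix() {   # reads "user method path want [body]" lines from stdin; 0 when every row matches
  local user method path want body
  PASS=0 FAIL=0
  while read -r user method path want body; do
    case "$user" in ""|\#*) continue ;; esac   # skip blank and comment lines
    rbac_check "$user" "$(token_for "$user")" "$method" "$path" "$want" "$body" || true
  done
  echo "passed=$PASS failed=$FAIL"
  [ "$FAIL" -eq 0 ]
}

# Live run against VM122: RBAC_LIVE=1 bash rbac-matrix.sh (rows follow the table above)
if [ "${RBAC_LIVE:-0}" = 1 ]; then
  run_matrix <<'EOF'
root  GET   /api/v1/desk/tickets     2xx
noc   GET   /api/v1/desk/tickets     2xx
root  PATCH /api/v1/desk/tickets/1   2xx {}
noc   PATCH /api/v1/desk/tickets/1   403 {}
admin POST  /api/v1/audit/run        2xx {}
mini  POST  /api/v1/audit/run        403 {}
noc   POST  /api/v1/audit/run        403 {}
admin GET   /api/v1/audit/overview   2xx
mini  GET   /api/v1/audit/overview   403
noc   GET   /api/v1/audit/overview   2xx
root  GET   /api/v1/auth/users       2xx
admin GET   /api/v1/auth/users       403
EOF
fi
```

The "masked" cells are still 2xx here; whether the company fields are actually redacted for `noc` has to be checked on the response body, which this runner does not inspect.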
---
## 6. UI
1. Open `https://desk.ligbox.com.br` → log in
2. `root` / password → dashboard
3. Check the sidebar: `Roger (super_admin)` + `Sair` (sign out)
4. Log in as `noc` → no close-ticket button; company data masked
---
## 7. Deploy
```bash
cd /opt/ligbox-ops-platform
# Generate secrets. `>>` appends: if a key is already present (the prerequisites
# assume JWT_SECRET is), remove the old line first or the file ends up with two.
# A new JWT_SECRET also invalidates every token issued so far.
echo "JWT_SECRET=$(openssl rand -hex 32)" >> .env
echo "OPS_INTERNAL_TOKEN=$(openssl rand -hex 32)" >> .env
echo "DESK_AUTH_ENABLED=true" >> .env
docker-compose -f docker-compose.mvp.yml up -d --build api frontend
bash scripts/verify-auth.sh
```
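Appending with `>>` is fine for a first deploy but not for repeats, and nothing above checks that the generated values actually landed. The helper below is an added example, not project code: it replaces or appends each key in place (idempotent, so a second run does not produce duplicate lines) and checks, before `docker-compose up`, that both secrets are 64 hex characters (32 random bytes, as `openssl rand -hex 32` produces) and that `DESK_AUTH_ENABLED=true`. It assumes only the three key names used in the deploy block; the path and the `rotate` argument are illustrative.

```shell
#!/usr/bin/env bash
# Idempotent .env updates plus a pre-deploy check. Added example, not project code.
# Assumes the key names from the deploy block above; no other keys are touched.

set_env_var() {   # set_env_var FILE KEY VALUE: replace an existing KEY= line or append one
  local file=$1 key=$2 value=$3
  if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
    # sed -i differs between GNU and BSD, so rewrite through a temp file instead
    grep -v "^${key}=" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

env_value() {   # env_value FILE KEY -> value of the last KEY= line (what repeated `>>` leaves behind)
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_env() {   # check_env FILE -> 0 when both secrets look generated and auth is on, 1 otherwise
  local file=$1 key v rc=0
  for key in JWT_SECRET OPS_INTERNAL_TOKEN; do
    v=$(env_value "$file" "$key")
    case "$v" in
      "" | *[!0-9a-f]*) echo "$key: missing or not lowercase hex (expected openssl rand -hex output)"; rc=1 ;;
      *) [ "${#v}" -ge 64 ] || { echo "$key: only ${#v} chars, want 64 (32 random bytes)"; rc=1; } ;;
    esac
  done
  [ "$(env_value "$file" DESK_AUTH_ENABLED)" = true ] || { echo "DESK_AUTH_ENABLED is not true"; rc=1; }
  return "$rc"
}

rotate_env() {   # rotate_env FILE: fresh secrets and auth on; every issued token stops validating
  set_env_var "$1" JWT_SECRET "$(openssl rand -hex 32)"
  set_env_var "$1" OPS_INTERNAL_TOKEN "$(openssl rand -hex 32)"
  set_env_var "$1" DESK_AUTH_ENABLED true
}

# Stand-alone use (illustrative): bash env-check.sh /opt/ligbox-ops-platform/.env [rotate]
if [ "$#" -ge 1 ]; then
  [ "${2:-}" = rotate ] && rotate_env "$1"
  check_env "$1"
fi
```

Run the check before the `docker-compose up` line; a non-zero exit means the container would start with a placeholder or a short secret.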
---
## 8. Rotate the bootstrap password
After the first deploy:
1. Log in to the Desk as `root`
2. `PATCH /api/v1/auth/users/root` with the new password (once the endpoint is available)
3. Or via SQL: `UPDATE desk_users SET password_hash=...` with a bcrypt hash
4. Change the VM122 SSH passwords separately (`passwd root`); they are not tied to the Desk accounts
**Never** keep `805353` in a public production deployment.
---
## 9. Emergency rollback
```bash
# .env
DESK_AUTH_ENABLED=false
docker-compose -f docker-compose.mvp.yml up -d --build api
```
The API goes back to open (unauthenticated) mode; use only in an emergency and re-enable as soon as possible.