obsidian-vault/ligbox-ops-platform/specs/003-desk-auth-rbac/tasks.md
2026-06-19 17:26:42 +00:00

Tasks: Desk Auth & RBAC (003)

Input: spec.md · plan.md · contracts/auth-api.md

Prerequisites: spec.md · plan.md · research.md · data-model.md

Status: Closed 100% — 2026-06-10

Format: [ID] [P?] [Story] Description


Phase 1: Setup

Purpose: Dependencies and configuration

  • T001 Confirm the API is healthy: curl http://10.10.10.122:8080/health
  • T002 [P] Add python-jose[cryptography], passlib[bcrypt] to api/requirements.txt
  • T003 [P] Add to .env: JWT_SECRET, JWT_EXPIRE_HOURS=8, DESK_AUTH_ENABLED=true, OPS_INTERNAL_TOKEN, DESK_BOOTSTRAP_PASSWORD
  • T004 [P] Create scripts/verify-auth.sh (skeleton)

Checkpoint: dependencies ready for build


Phase 2: Foundation — Auth backend (US1)

Purpose: Login, JWT, users table

  • T005 [US1] Create api/app/permissions.py — ROLE constants + can_patch_ticket, can_run_audit, etc.
  • T006 [US1] Create api/app/auth.py — bcrypt hash/verify, JWT create/decode, get_current_user dependency
  • T007 [US1] In init_db(): CREATE desk_users; seed root/admin/mini/noc if empty
  • T008 [US1] Create api/app/auth_routes.py — POST /login, GET /me, rate limit 5/min
  • T009 [US1] Feature flag DESK_AUTH_ENABLED — bypass auth when false
  • T010 [US1] Register the auth router in main.py
  • T011 [US1] Test login for the 4 users via curl

Checkpoint: login working, JWT issued


Phase 3: Protect API routes (US2)

Purpose: RBAC on existing endpoints

  • T012 [US2] Add assigned_to, assigned_at to tickets (init_db migration)
  • T013 [US2] Protect GET/PATCH /api/v1/desk/* with Depends(get_current_user)
  • T014 [US2] Protect GET /api/v1/onboard/*, GET /api/v1/audit/*
  • T015 [US2] POST /api/v1/audit/* — ops_lead+ only; cycle accepts X-Ops-Internal-Token
  • T016 [US2] Protect GET /api/v1/tenants, webhooks/events, infra/*, integrations
  • T017 [US2] Implement _mask_ticket_for_noc() in ticket enrichment
  • T018 [US2] PATCH ticket: validate can_patch_ticket; accept assigned_to in the body
  • T019 [US2] Keep webhooks and /health public
  • T020 [US2] Bump version → 0.6.0-desk-auth
  • T021 [US2] Rebuild API: docker-compose -f docker-compose.mvp.yml up -d --build api

Checkpoint: curl without token → 401; with a token → 200/403 according to role
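The role checks that T005, T015 and T018 call for, written out as an added example (not the project's permissions.py): the rank order of the four roles and the header lookup are assumptions of this example; the constant-time comparison of X-Ops-Internal-Token is the part worth getting right, since a plain `==` on a secret leaks timing.

```python
import hmac
from typing import Optional

# Roles named in the tasks above (super_admin, ops_lead, technician, noc).
# The rank order is an assumption of this example: highest privilege first.
ROLE_SUPER_ADMIN = "super_admin"
ROLE_OPS_LEAD = "ops_lead"
ROLE_TECHNICIAN = "technician"
ROLE_NOC = "noc"
_RANK = {ROLE_SUPER_ADMIN: 3, ROLE_OPS_LEAD: 2, ROLE_TECHNICIAN: 1, ROLE_NOC: 0}


def has_min_role(role: str, minimum: str) -> bool:
    """True when `role` is at least as privileged as `minimum`.
    Unknown or malformed roles never pass (fail closed)."""
    return role in _RANK and _RANK[role] >= _RANK[minimum]


def can_patch_ticket(role: str) -> bool:
    # noc is read-only on tickets (T018; the UI hides PATCH for noc in T026).
    return has_min_role(role, ROLE_TECHNICIAN)


def can_run_audit(role: str) -> bool:
    # POST /api/v1/audit/* is ops_lead+ only (T015).
    return has_min_role(role, ROLE_OPS_LEAD)


def can_manage_users(role: str) -> bool:
    # /api/v1/auth/users is super_admin only (T033/T034).
    return role == ROLE_SUPER_ADMIN


def authorize_audit_cycle(role: Optional[str], headers: dict, internal_token: str) -> bool:
    """The audit cycle may be triggered by an ops_lead+ user or by the worker
    presenting X-Ops-Internal-Token (T015, T031). `headers` is assumed to be
    already normalised to the exact header name. An empty configured token
    (unset OPS_INTERNAL_TOKEN) must never match, so it is rejected up front."""
    presented = headers.get("X-Ops-Internal-Token", "")
    if internal_token and hmac.compare_digest(presented, internal_token):
        return True
    return role is not None and can_run_audit(role)
```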


Phase 4: Frontend login (US1 + US2)

Purpose: UI requires login; role gates

  • T022 [P] [US1] Create frontend/assets/auth.js — login, logout, token storage
  • T023 [US1] Create frontend/login.html — form + redirect
  • T024 [US1] app.js: guard at boot; api() injects Bearer
  • T025 [US2] Sidebar: user info + logout
  • T026 [US2] Hide PATCH actions for noc; hide audit POST for technician/noc
  • T027 [US2] Rebuild frontend container
  • T028 [US1] Browser test: desk.ligbox.com.br → login → dashboard

Checkpoint: UI exposes no data without login


Phase 5: Webhook regression (US3)

Purpose: Integrations intact

  • T029 [US3] verify-webhook.sh — still passes with secret, without JWT
  • T030 [US3] verify-wazuh-webhook.sh — still passes (via verify-auth webhook test)
  • T031 [US3] Audit worker: configure OPS_INTERNAL_TOKEN in the worker env
  • T032 [US3] Confirm VM112 onboarding E2E after the auth deploy (portal healthy)

Checkpoint: zero regressions in 001/002


Phase 6: User management (US4 — P2)

  • T033 [US4] GET /api/v1/auth/users — super_admin
  • T034 [US4] PATCH /api/v1/auth/users/{username} — role, active, password
  • T035 [P] [US4] Admin section in the UI (super_admin only) — list users

Checkpoint: root manages the team without SSH


Phase 7: Polish & verify

  • T036 Complete scripts/verify-auth.sh — matrix of 20+ tests
  • T037 Test public api.ops.ligbox.com.br → 401 on desk
  • T038 Document password rotation in quickstart
  • T039 Update Obsidian BACKLOG: 003 (sync VM112 workspace + obsidian-infra)
  • T040 fail2ban VM122 — confirm active post-deploy

Checkpoint: SC-001 to SC-005 green