108 lines
4.2 KiB
Markdown
108 lines
4.2 KiB
Markdown
# Tasks: Desk Auth & RBAC (003)
|
|
|
|
**Input**: [spec.md](./spec.md) · [plan.md](./plan.md) · [contracts/auth-api.md](./contracts/auth-api.md)
|
|
|
|
**Prerequisites**: spec.md ✅ · plan.md ✅ · research.md ✅ · data-model.md ✅
|
|
|
|
**Status**: ✅ Fechada 100% — 2026-06-10
|
|
|
|
## Format: `[ID] [P?] [Story] Description`
|
|
|
|
---
|
|
|
|
## Phase 1: Setup
|
|
|
|
**Purpose**: Dependências e configuração
|
|
|
|
- [x] T001 Confirmar API healthy: `curl http://10.10.10.122:8080/health`
|
|
- [x] T002 [P] Adicionar `python-jose[cryptography]`, `passlib[bcrypt]` em `api/requirements.txt`
|
|
- [x] T003 [P] Adicionar `.env`: `JWT_SECRET`, `JWT_EXPIRE_HOURS=8`, `DESK_AUTH_ENABLED=true`, `OPS_INTERNAL_TOKEN`, `DESK_BOOTSTRAP_PASSWORD`
|
|
- [x] T004 [P] Criar `scripts/verify-auth.sh` (esqueleto)
|
|
|
|
**Checkpoint**: deps prontas para build ✅
|
|
|
|
---
|
|
|
|
## Phase 2: Foundation — Auth backend (US1)
|
|
|
|
**Purpose**: Login, JWT, tabela users
|
|
|
|
- [x] T005 [US1] Criar `api/app/permissions.py` — ROLE constants + `can_patch_ticket`, `can_run_audit`, etc.
|
|
- [x] T006 [US1] Criar `api/app/auth.py` — bcrypt hash/verify, JWT create/decode, `get_current_user` dependency
|
|
- [x] T007 [US1] Em `init_db()`: CREATE `desk_users`; seed root/admin/mini/noc se vazio
|
|
- [x] T008 [US1] Criar `api/app/auth_routes.py` — `POST /login`, `GET /me`, rate limit 5/min
|
|
- [x] T009 [US1] Feature flag `DESK_AUTH_ENABLED` — bypass auth quando false
|
|
- [x] T010 [US1] Registar router auth em `main.py`
|
|
- [x] T011 [US1] Testar login 4 users via curl
|
|
|
|
**Checkpoint**: login funcional, JWT emitido ✅
|
|
|
|
---
|
|
|
|
## Phase 3: Protect API routes (US2)
|
|
|
|
**Purpose**: RBAC em endpoints existentes
|
|
|
|
- [x] T012 [US2] Adicionar `assigned_to`, `assigned_at` em tickets (migration init_db)
|
|
- [x] T013 [US2] Proteger `GET/PATCH /api/v1/desk/*` com `Depends(get_current_user)`
|
|
- [x] T014 [US2] Proteger `GET /api/v1/onboard/*`, `GET /api/v1/audit/*`
|
|
- [x] T015 [US2] `POST /api/v1/audit/*` — ops_lead+ only; cycle aceita `X-Ops-Internal-Token`
|
|
- [x] T016 [US2] Proteger `GET /api/v1/tenants`, `webhooks/events`, `infra/*`, `integrations`
|
|
- [x] T017 [US2] Implementar `_mask_ticket_for_noc()` em enrich ticket
|
|
- [x] T018 [US2] PATCH ticket: validar `can_patch_ticket`; aceitar `assigned_to` no body
|
|
- [x] T019 [US2] Manter webhooks e `/health` públicos
|
|
- [x] T020 [US2] Bump version → `0.6.0-desk-auth`
|
|
- [x] T021 [US2] Rebuild API: `docker-compose -f docker-compose.mvp.yml up -d --build api`
|
|
|
|
**Checkpoint**: curl sem token → 401; com token role-correct → 200/403 ✅
|
|
|
|
---
|
|
|
|
## Phase 4: Frontend login (US1 + US2)
|
|
|
|
**Purpose**: UI exige login; role gates
|
|
|
|
- [x] T022 [P] [US1] Criar `frontend/assets/auth.js` — login, logout, token storage
|
|
- [x] T023 [US1] Criar `frontend/login.html` — form + redirect
|
|
- [x] T024 [US1] `app.js`: guard no boot; `api()` inject Bearer
|
|
- [x] T025 [US2] Sidebar: user info + logout
|
|
- [x] T026 [US2] Esconder acções PATCH para noc; esconder audit POST para technician/noc
|
|
- [x] T027 [US2] Rebuild frontend container
|
|
- [x] T028 [US1] Teste browser: desk.ligbox.com.br → login → dashboard
|
|
|
|
**Checkpoint**: UI não expõe dados sem login ✅
|
|
|
|
---
|
|
|
|
## Phase 5: Webhook regression (US3)
|
|
|
|
**Purpose**: Integrações intactas
|
|
|
|
- [x] T029 [US3] `verify-webhook.sh` — ainda passa com secret, sem JWT
|
|
- [x] T030 [US3] `verify-wazuh-webhook.sh` — ainda passa (via verify-auth webhook test)
|
|
- [x] T031 [US3] Worker audit: configurar `OPS_INTERNAL_TOKEN` em worker env
|
|
- [x] T032 [US3] Confirmar VM112 onboarding E2E após auth deploy (portal healthy)
|
|
|
|
**Checkpoint**: zero regressão 001/002 ✅
|
|
|
|
---
|
|
|
|
## Phase 6: User management (US4 — P2)
|
|
|
|
- [x] T033 [US4] `GET /api/v1/auth/users` — super_admin
|
|
- [x] T034 [US4] `PATCH /api/v1/auth/users/{username}` — role, active, password
|
|
- [x] T035 [P] [US4] UI secção Admin (super_admin only) — lista users
|
|
|
|
**Checkpoint**: root gere equipa sem SSH ✅
|
|
|
|
---
|
|
|
|
## Phase 7: Polish & verify
|
|
|
|
- [x] T036 Completar `scripts/verify-auth.sh` — matrix 20+ testes
|
|
- [x] T037 Testar público `api.ops.ligbox.com.br` → 401 em desk
|
|
- [x] T038 Documentar rotação senha em quickstart
|
|
- [x] T039 Actualizar BACKLOG Obsidian: 003 ✅ (sync VM112 workspace + obsidian-infra)
|
|
- [x] T040 fail2ban VM122 — confirmar active pós-deploy
|
|
|
|
**Checkpoint**: SC-001 a SC-005 verdes ✅
|