AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6933e1d3fb
nis2-agile/public/integrazioniext.html
DevEnv nis2-agile 29aaf5db88 [INTEG] Aggiorna integrazioniext.html con token exchange, SSO e audit 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 14:47:10 +01:00

586 lines
28 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="it">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>NIS2 Agile — Integrazioni Esterne</title>
<link rel="stylesheet" href="css/style.css">
<style>
/* ── Page-specific overrides ── */
.integ-hero {
background: linear-gradient(135deg, rgba(6,182,212,.08) 0%, rgba(99,102,241,.06) 100%);
border: 1px solid rgba(6,182,212,.2);
border-radius: 12px;
padding: 2rem;
margin-bottom: 2rem;
}
.integ-hero h1 { font-size: 1.6rem; color: var(--primary); margin-bottom: .5rem; }
.integ-hero p { color: var(--text-secondary); max-width: 680px; line-height: 1.6; }
.provider-grid {
display: grid;
grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
gap: 1.25rem;
margin-bottom: 2rem;
}
.provider-card {
background: var(--bg-card);
border: 1px solid var(--border);
border-radius: 10px;
padding: 1.25rem;
transition: border-color .2s, transform .2s;
}
.provider-card:hover { border-color: var(--primary); transform: translateY(-2px); }
.provider-card .badge {
display: inline-block;
font-size: .65rem; font-weight: 700;
padding: .2rem .5rem; border-radius: 4px;
margin-bottom: .75rem;
}
.badge-available { background: rgba(34,197,94,.15); color: #22c55e; }
.badge-planned { background: rgba(234,179,8,.15); color: #eab308; }
.provider-card h3 { font-size: .95rem; margin-bottom: .4rem; }
.provider-card p { font-size: .82rem; color: var(--text-secondary); line-height: 1.5; }
.section-title {
font-size: 1.1rem; font-weight: 700;
color: var(--text-primary);
margin: 2rem 0 1rem;
padding-bottom: .5rem;
border-bottom: 1px solid var(--border);
}
.api-table { width: 100%; border-collapse: collapse; font-size: .83rem; margin-bottom: 1.5rem; }
.api-table th {
background: rgba(255,255,255,.04);
color: var(--text-secondary);
font-weight: 600; text-align: left;
padding: .6rem .75rem;
border-bottom: 1px solid var(--border);
}
.api-table td {
padding: .55rem .75rem;
border-bottom: 1px solid rgba(255,255,255,.04);
vertical-align: top;
}
.api-table tr:hover td { background: rgba(255,255,255,.02); }
.api-table code {
background: rgba(6,182,212,.1);
color: var(--primary);
padding: .15rem .4rem;
border-radius: 3px;
font-size: .78rem;
}
.method-get {
display: inline-block;
background: rgba(34,197,94,.15); color: #22c55e;
font-size: .65rem; font-weight: 700;
padding: .15rem .4rem; border-radius: 3px;
font-family: monospace;
}
.method-post {
display: inline-block;
background: rgba(249,115,22,.15); color: #f97316;
font-size: .65rem; font-weight: 700;
padding: .15rem .4rem; border-radius: 3px;
font-family: monospace;
}
.code-block {
background: #0f172a;
border: 1px solid var(--border);
border-radius: 8px;
padding: 1rem 1.25rem;
font-family: 'JetBrains Mono', 'Fira Code', monospace;
font-size: .78rem;
line-height: 1.6;
color: #cbd5e1;
overflow-x: auto;
margin: .75rem 0 1.25rem;
white-space: pre;
}
.code-block .kw { color: #818cf8; }
.code-block .str { color: #86efac; }
.code-block .key { color: #67e8f9; }
.code-block .cmt { color: #475569; }
.steps-list {
list-style: none;
counter-reset: steps;
margin-bottom: 1.5rem;
}
.steps-list li {
counter-increment: steps;
display: flex; align-items: flex-start; gap: .75rem;
padding: .65rem 0;
border-bottom: 1px solid rgba(255,255,255,.04);
font-size: .85rem;
color: var(--text-secondary);
line-height: 1.5;
}
.steps-list li::before {
content: counter(steps);
flex-shrink: 0;
width: 24px; height: 24px;
background: rgba(6,182,212,.15);
color: var(--primary);
border-radius: 50%;
display: flex; align-items: center; justify-content: center;
font-size: .75rem; font-weight: 700;
}
.checklist { list-style: none; margin-bottom: 1.5rem; }
.checklist li {
display: flex; align-items: flex-start; gap: .6rem;
padding: .4rem 0;
font-size: .84rem;
color: var(--text-secondary);
}
.checklist li::before {
content: '□';
color: var(--primary);
font-size: 1rem;
line-height: 1;
flex-shrink: 0;
}
.callout {
border-left: 3px solid var(--primary);
background: rgba(6,182,212,.05);
padding: .75rem 1rem;
border-radius: 0 6px 6px 0;
font-size: .83rem;
color: var(--text-secondary);
margin-bottom: 1.25rem;
line-height: 1.5;
}
.callout strong { color: var(--primary); }
.event-list { display: flex; flex-direction: column; gap: .5rem; margin-bottom: 1.5rem; }
.event-row {
display: flex; align-items: center; gap: .75rem;
background: rgba(255,255,255,.03);
border: 1px solid var(--border);
border-radius: 6px;
padding: .6rem .9rem;
font-size: .82rem;
}
.event-name {
font-family: monospace;
color: #f97316;
font-size: .78rem;
min-width: 230px;
}
.event-desc { color: var(--text-secondary); }
.event-lg231 {
margin-left: auto;
font-size: .7rem;
background: rgba(99,102,241,.12);
color: #818cf8;
padding: .15rem .5rem;
border-radius: 4px;
white-space: nowrap;
}
.tab-nav { display: flex; gap: 0; border-bottom: 1px solid var(--border); margin-bottom: 1.5rem; }
.tab-btn {
padding: .55rem 1.1rem;
font-size: .82rem; font-weight: 600;
color: var(--text-secondary);
background: none; border: none;
border-bottom: 2px solid transparent;
cursor: pointer; transition: .15s;
}
.tab-btn.active { color: var(--primary); border-color: var(--primary); }
.tab-pane { display: none; }
.tab-pane.active { display: block; }
</style>
</head>
<body>
<div id="sidebar-placeholder"></div>
<main class="main-content">
<div class="page-header">
<h1>Integrazioni Esterne</h1>
<p>API, webhook e connettori per sistemi GRC di terze parti</p>
</div>
<!-- Hero -->
<div class="integ-hero">
<h1>NIS2 Agile come Provider di Compliance</h1>
<p>NIS2 Agile espone una <strong>Services API REST</strong> che permette a sistemi esterni di leggere
score di conformità, rischi, incidenti e controlli in tempo reale. Auth via API Key dedicata,
rate limiting 100 req/ora, firma HMAC-SHA256 per webhook outbound.</p>
</div>
<!-- Provider cards -->
<div class="section-title">Provider Disponibili</div>
<div class="provider-grid">
<div class="provider-card">
<span class="badge badge-available">Disponibile</span>
<h3>231 Agile (lg231)</h3>
<p>Integrazione compliance D.Lgs. 231/2001 + NIS2. Incidenti cyber → OdV,
rischi IT → registro 231, score NIS2 nel dashboard aziendale.</p>
<a href="#lg231" style="color:var(--primary);font-size:.8rem;text-decoration:none">Guida integrazione →</a>
</div>
<div class="provider-card">
<span class="badge badge-planned">Pianificato</span>
<h3>AllRisk Agile</h3>
<p>Feed rischi cyber per piattaforma ERM unificata. Risk score NIS2
mappato su categorie ISO 31000.</p>
</div>
<div class="provider-card">
<span class="badge badge-planned">Pianificato</span>
<h3>SustainAI Agile</h3>
<p>Cybersecurity come pillar ESG. Score NIS2 nel report di sostenibilità
(CSRD, GRI 418).</p>
</div>
<div class="provider-card">
<span class="badge badge-available">Disponibile</span>
<h3>SIEM / SOC Esterni</h3>
<p>Webhook su <code>incident.created</code> e <code>risk.created_high</code>
verso qualsiasi endpoint HTTPS (Splunk, Elastic, PagerDuty…).</p>
</div>
</div>
<!-- Tabs -->
<div class="tab-nav">
<button class="tab-btn active" onclick="showTab('api')">Services API</button>
<button class="tab-btn" onclick="showTab('lg231')">Guida lg231</button>
<button class="tab-btn" onclick="showTab('webhook')">Webhook</button>
<button class="tab-btn" onclick="showTab('quickstart')">Quick Start</button>
</div>
<!-- TAB: Services API -->
<div id="tab-api" class="tab-pane active">
<div class="section-title">Endpoint disponibili</div>
<div class="callout">
<strong>Base URL:</strong> <code>https://nis2.agile.software/api/services</code><br>
<strong>Auth:</strong> Header <code>X-API-Key: nis2_xxxx</code> — oppure <code>Authorization: Bearer nis2_xxxx</code>
</div>
<table class="api-table">
<thead>
<tr><th>Metodo</th><th>Endpoint</th><th>Scope</th><th>Descrizione</th></tr>
</thead>
<tbody>
<tr><td><span class="method-post">POST</span></td><td><code>/token</code></td><td>read:all</td><td>Token exchange: API Key → JWT 15 min. lg231 usa questo JWT per le chiamate successive.</td></tr>
<tr><td><span class="method-post">POST</span></td><td><code>/sso</code></td><td>sso:login (o read:all)</td><td>SSO federato: passa email + ruolo + responsabilità → JWT NIS2 2h. Utente creato se non esiste. Auditato.</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/status</code></td><td></td><td>Health check piattaforma, versione, DB. Nessuna auth.</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/compliance-summary</code></td><td>read:compliance</td><td>Score NIS2 aggregato (0-100), domain scores Art.21, rischi aperti, incidenti</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/risks/feed</code></td><td>read:risks</td><td>Registro rischi con livello ISO 27005, status, area. Filtri: <code>?level=high,critical&status=open</code></td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/incidents/feed</code></td><td>read:incidents</td><td>Incidenti Art.23: severity, status, notifiche CSIRT, deadline 72h, overdue</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/controls/status</code></td><td>read:compliance</td><td>Stato controlli per dominio: implemented / partial / missing</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/assets/critical</code></td><td>read:assets</td><td>Asset critici con tipo, criticità, dipendenze mappate</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/suppliers/risk</code></td><td>read:suppliers</td><td>Fornitori: risk_level, ultimo assessment, is_flagged</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/policies/approved</code></td><td>read:policies</td><td>Policy approvate: titolo, area, data, versione</td></tr>
<tr><td><span class="method-get">GET</span></td><td><code>/openapi.json</code></td><td></td><td>Specifica OpenAPI 3.0 in JSON</td></tr>
</tbody>
</table>
<div class="section-title">Esempio risposta /compliance-summary</div>
<div class="code-block"><span class="cmt">// GET /api/services/compliance-summary</span>
<span class="cmt">// X-API-Key: nis2_Abc123...</span>
{
<span class="key">"success"</span>: <span class="kw">true</span>,
<span class="key">"data"</span>: {
<span class="key">"organization"</span>: { <span class="key">"id"</span>: 5, <span class="key">"name"</span>: <span class="str">"Azienda XYZ"</span>, <span class="key">"sector"</span>: <span class="str">"energia"</span>, <span class="key">"nis2_entity_type"</span>: <span class="str">"essential"</span> },
<span class="key">"compliance"</span>: {
<span class="key">"overall_score"</span>: 73,
<span class="key">"label"</span>: <span class="str">"Parziale"</span>,
<span class="key">"domain_scores"</span>: [
{ <span class="key">"domain"</span>: <span class="str">"Gestione del rischio"</span>, <span class="key">"score"</span>: 80, <span class="key">"status"</span>: <span class="str">"compliant"</span> },
{ <span class="key">"domain"</span>: <span class="str">"Sicurezza supply chain"</span>, <span class="key">"score"</span>: 45, <span class="key">"status"</span>: <span class="str">"partial"</span> }
]
},
<span class="key">"risks"</span>: { <span class="key">"total"</span>: 12, <span class="key">"open"</span>: 8, <span class="key">"high_critical"</span>: 3 },
<span class="key">"incidents"</span>: { <span class="key">"total"</span>: 2, <span class="key">"open"</span>: 1, <span class="key">"significant"</span>: 1, <span class="key">"overdue"</span>: 0 }
}
}</div>
<div class="section-title">Headers risposta</div>
<table class="api-table">
<thead><tr><th>Header</th><th>Valore</th></tr></thead>
<tbody>
<tr><td><code>X-NIS2-API-Version</code></td><td>1.0</td></tr>
<tr><td><code>X-NIS2-Org-Id</code></td><td>ID organizzazione (intero)</td></tr>
<tr><td><code>X-RateLimit-Limit</code></td><td>100 (req/ora per chiave)</td></tr>
<tr><td><code>X-RateLimit-Remaining</code></td><td>Richieste rimaste nella finestra</td></tr>
</tbody>
</table>
</div>
<!-- TAB: Guida lg231 -->
<div id="tab-lg231" class="tab-pane">
<div class="callout">
<strong>Per l'agente Claude di lg231:</strong> questo tab descrive esattamente cosa implementare in lg231 Agile per consumare NIS2 come provider di compliance cybersecurity.
</div>
<div class="section-title">Perché integrare 231 con NIS2</div>
<table class="api-table" style="margin-bottom:1.5rem">
<thead><tr><th>Evento NIS2</th><th>Rilevanza D.Lgs. 231/2001</th></tr></thead>
<tbody>
<tr><td>Incidente cybersecurity (Art.23 NIS2)</td><td>Reato presupposto art.24-bis — criminalità informatica</td></tr>
<tr><td>Fornitore IT flaggato alto rischio</td><td>Rischio complicità in reati informatici via supply chain</td></tr>
<tr><td>Policy sicurezza non approvata</td><td>Gap nel MOG — Modello Organizzativo e di Gestione</td></tr>
<tr><td>Score NIS2 &lt; 40%</td><td>Indicatore OdV: carenza controlli, escalation consigliata</td></tr>
<tr><td>Whistleblowing sicurezza</td><td>Potenziale escalation verso OdV 231</td></tr>
</tbody>
</table>
<div class="section-title">1. Aggiungere NIS2 al provider-config (company-ms)</div>
<p style="font-size:.83rem;color:var(--text-secondary);margin-bottom:.75rem">
File: <code>services/company-ms/public/index.php</code> — route <code>PATCH /companies/{id}/provider-config</code>
</p>
<div class="code-block"><span class="cmt">// Aggiungere ai $allowed:</span>
$allowed = [
<span class="str">'certisource_pat'</span>,
<span class="str">'anthropic_api_key'</span>,
<span class="str">'openai_api_key'</span>,
<span class="cmt">// ── Nuovo provider NIS2 ──</span>
<span class="str">'nis2_api_key'</span>, <span class="cmt">// chiave da NIS2 → Settings → API Keys</span>
<span class="str">'nis2_org_id'</span>, <span class="cmt">// ID org NIS2 (dal URL dashboard o /api/services/status)</span>
<span class="str">'nis2_enabled'</span>, <span class="cmt">// bool: abilitare pull automatico</span>
];</div>
<div class="section-title">2. NIS2Client (shared lib o inline)</div>
<div class="code-block"><span class="kw">class</span> <span class="key">Nis2Client</span>
{
<span class="kw">const</span> BASE_URL = <span class="str">'https://nis2.agile.software/api/services'</span>;
<span class="kw">public static function</span> <span class="key">get</span>(<span class="key">string</span> $endpoint, <span class="key">string</span> $apiKey, <span class="key">array</span> $query = []): array
{
$url = self::BASE_URL . $endpoint;
<span class="kw">if</span> ($query) $url .= <span class="str">'?'</span> . http_build_query($query);
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => <span class="kw">true</span>,
CURLOPT_TIMEOUT => 10,
CURLOPT_HTTPHEADER => [
<span class="str">'X-API-Key: '</span> . $apiKey,
<span class="str">'Accept: application/json'</span>,
<span class="str">'X-Caller: lg231-agile/1.0'</span>,
],
]);
$body = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
<span class="kw">return</span> $code === 200 && $body
? [<span class="str">'success'</span> => <span class="kw">true</span>, <span class="str">'data'</span> => json_decode($body, <span class="kw">true</span>)]
: [<span class="str">'success'</span> => <span class="kw">false</span>, <span class="str">'http_code'</span> => $code];
}
}</div>
<div class="section-title">3. Widget score NIS2 nella company view</div>
<div class="code-block"><span class="cmt">// In company detail view PHP/JS:</span>
$nis2Key = $meta[<span class="str">'nis2_api_key'</span>] ?? <span class="kw">null</span>;
<span class="kw">if</span> ($nis2Key) {
$summary = Nis2Client::get(<span class="str">'/compliance-summary'</span>, $nis2Key);
<span class="cmt">// Mostrare gauge score + badge essential/important + rischi high</span>
<span class="cmt">// Link: https://nis2.agile.software/dashboard.html</span>
}</div>
<div class="section-title">4. Escalation incidenti → OdV (monitoring-ms)</div>
<div class="code-block"><span class="cmt">// Job periodico (cron o hook) nel monitoring-ms:</span>
$incidents = Nis2Client::get(<span class="str">'/incidents/feed'</span>, $apiKey,
[<span class="str">'significant'</span> => 1, <span class="str">'status'</span> => <span class="str">'open'</span>]);
<span class="kw">foreach</span> (($incidents[<span class="str">'data'</span>][<span class="str">'incidents'</span>] ?? []) <span class="kw">as</span> $inc) {
<span class="cmt">// Crea odv_activity:</span>
<span class="cmt">// type: 'cyber_incident_notifica'</span>
<span class="cmt">// description: 'Incidente NIS2 significativo: ' . $inc['title']</span>
<span class="cmt">// priority: $inc['overdue'] ? 'urgent' : 'high'</span>
<span class="cmt">// source: 'nis2_agile'</span>
<span class="cmt">// reference_id: $inc['id']</span>
}</div>
<div class="section-title">3b. SSO federato — apertura diretta NIS2 da lg231</div>
<div class="callout">
Quando un utente lg231 clicca "Apri NIS2" dal suo dashboard, lg231 chiama
<code>POST /api/services/sso</code> e redirige l'utente su NIS2 già autenticato,
portando con sé ruolo e responsabilità. Ogni accesso SSO è tracciato nell'audit trail.
</div>
<div class="code-block"><span class="cmt">// In lg231, quando l'utente clicca "Apri NIS2 Agile":</span>
$ssoResp = Nis2Client::post(<span class="str">'/sso'</span>, $apiKey, [
<span class="str">'user_email'</span> => $currentUser[<span class="str">'email'</span>],
<span class="str">'user_name'</span> => $currentUser[<span class="str">'first_name'</span>] . <span class="str">' '</span> . $currentUser[<span class="str">'last_name'</span>],
<span class="str">'user_role'</span> => <span class="str">'compliance_manager'</span>, <span class="cmt">// mappa da ruolo lg231</span>
<span class="str">'caller_system'</span> => <span class="str">'lg231'</span>,
<span class="str">'caller_user_id'</span> => $currentUser[<span class="str">'id'</span>],
<span class="str">'responsibilities'</span> => [
[<span class="str">'area'</span> => <span class="str">'MOG 231'</span>, <span class="str">'scope'</span> => <span class="str">'art.24-bis criminalità informatica'</span>],
[<span class="str">'area'</span> => <span class="str">'OdV'</span>, <span class="str">'scope'</span> => <span class="str">'monitoraggio cyber risk'</span>],
],
]);
<span class="kw">if</span> ($ssoResp[<span class="str">'success'</span>]) {
$jwt = $ssoResp[<span class="str">'data'</span>][<span class="str">'data'</span>][<span class="str">'token'</span>];
$redirectUrl = $ssoResp[<span class="str">'data'</span>][<span class="str">'data'</span>][<span class="str">'redirect_url'</span>];
<span class="cmt">// Redirect con token nel fragment (sicuro, non nel server log)</span>
header(<span class="str">'Location: '</span> . $redirectUrl . <span class="str">'#sso_token='</span> . urlencode($jwt));
}</div>
<div class="callout">
<strong>NIS2 lato frontend</strong>: in <code>dashboard.html</code> aggiungere:<br>
<code>const ssoToken = location.hash.match(/#sso_token=([^&]+)/)?.[1];</code><br>
<code>if (ssoToken) { localStorage.setItem('nis2_token', ssoToken); location.hash = ''; }</code>
</div>
<div class="section-title">Checklist implementazione lg231</div>
<ul class="checklist">
<li>company-ms: aggiungere <code>nis2_api_key</code>, <code>nis2_org_id</code>, <code>nis2_enabled</code> a provider-config</li>
<li>shared: creare <code>Nis2Client</code> (curl wrapper leggero)</li>
<li>UI: widget NIS2 score nella company detail (gauge + badge + rischi high)</li>
<li>risk-ms: import rischi cyber durante assessment (categoria art.24-bis)</li>
<li>monitoring-ms: escalation incidenti significativi → odv_activity</li>
<li>monitoring-ms: policy NIS2 non approvate → alert OdV</li>
<li>(opz.) endpoint <code>POST /api/integrations/nis2-webhook</code> + subscription</li>
</ul>
<div class="callout">
<strong>Nota CORS:</strong> tutte le chiamate a NIS2 devono avvenire <strong>server-to-server</strong>
(PHP cURL), non da browser. NIS2 non accetta origini lg231 in CORS per sicurezza.
</div>
</div>
<!-- TAB: Webhook -->
<div id="tab-webhook" class="tab-pane">
<div class="callout">
NIS2 invia notifiche push su eventi tramite webhook HTTPS firmati HMAC-SHA256.
Il sistema esterno riceve la notifica in tempo reale senza polling.
</div>
<div class="section-title">Eventi disponibili</div>
<div class="event-list">
<div class="event-row">
<span class="event-name">incident.created</span>
<span class="event-desc">Nuovo incidente di sicurezza registrato</span>
<span class="event-lg231">→ odv_activity</span>
</div>
<div class="event-row">
<span class="event-name">incident.deadline_warning</span>
<span class="event-desc">Scadenza Art.23 (24h/72h) entro 4 ore</span>
<span class="event-lg231">→ alert urgente OdV</span>
</div>
<div class="event-row">
<span class="event-name">risk.created_high</span>
<span class="event-desc">Nuovo rischio HIGH o CRITICAL creato</span>
<span class="event-lg231">→ risk register 231</span>
</div>
<div class="event-row">
<span class="event-name">compliance.score_changed</span>
<span class="event-desc">Variazione score NIS2 &gt; 5%</span>
<span class="event-lg231">→ aggiorna widget</span>
</div>
<div class="event-row">
<span class="event-name">policy.approved</span>
<span class="event-desc">Nuova policy di sicurezza approvata</span>
<span class="event-lg231">→ aggiorna MOG ref</span>
</div>
<div class="event-row">
<span class="event-name">supplier.risk_flagged</span>
<span class="event-desc">Fornitore IT flaggato alto rischio</span>
<span class="event-lg231">→ supply chain 231</span>
</div>
</div>
<div class="section-title">Registrare una subscription</div>
<div class="code-block"><span class="method-post">POST</span> https://nis2.agile.software/api/webhooks/subscriptions
Authorization: Bearer {jwt_token}
Content-Type: application/json
{
<span class="key">"url"</span>: <span class="str">"https://lg231.agile.software/api/integrations/nis2-webhook"</span>,
<span class="key">"events"</span>: [<span class="str">"incident.created"</span>, <span class="str">"incident.deadline_warning"</span>, <span class="str">"risk.created_high"</span>],
<span class="key">"description"</span>: <span class="str">"lg231 Agile integration"</span>
}
<span class="cmt">// Risposta:</span>
{ <span class="key">"id"</span>: 1, <span class="key">"secret"</span>: <span class="str">"whsec_abc123..."</span> }
<span class="cmt">// Salvare il secret in companies.metadata.nis2_webhook_secret</span></div>
<div class="section-title">Verifica firma HMAC (endpoint ricevente)</div>
<div class="code-block">$secret = $meta[<span class="str">'nis2_webhook_secret'</span>];
$body = file_get_contents(<span class="str">'php://input'</span>);
$expected = <span class="str">'sha256='</span> . hash_hmac(<span class="str">'sha256'</span>, $body, $secret);
$received = $_SERVER[<span class="str">'HTTP_X_NIS2_SIGNATURE'</span>] ?? <span class="str">''</span>;
<span class="kw">if</span> (!hash_equals($expected, $received)) {
http_response_code(401);
<span class="kw">exit</span>;
}
$event = $_SERVER[<span class="str">'HTTP_X_NIS2_EVENT'</span>] ?? <span class="str">''</span>;
$payload = json_decode($body, <span class="kw">true</span>);
<span class="kw">switch</span> ($event) {
<span class="kw">case</span> <span class="str">'incident.created'</span>:
<span class="cmt">// crea odv_activity...</span>
<span class="kw">break</span>;
<span class="kw">case</span> <span class="str">'risk.created_high'</span>:
<span class="cmt">// aggiungi a risk register...</span>
<span class="kw">break</span>;
}</div>
</div>
<!-- TAB: Quick Start -->
<div id="tab-quickstart" class="tab-pane">
<div class="section-title">Creare la prima API Key</div>
<ol class="steps-list">
<li>Login su <strong>NIS2 Agile</strong> con ruolo <code>org_admin</code> o superiore</li>
<li>Vai su <strong>Settings → API Keys</strong> (sezione Integrazioni)</li>
<li>Click <strong>"Nuova API Key"</strong> → nome descrittivo (es: "lg231 Integration") → scope: <code>read:all</code></li>
<li>Copia la chiave — formato <code>nis2_XXXX...</code> — visibile una sola volta</li>
<li>Nota l'<strong>Organization ID</strong> dal URL del dashboard (es: <code>/dashboard.html</code> dopo login)</li>
<li>In lg231: salva via <code>PATCH /companies/{id}/provider-config</code> con <code>nis2_api_key</code> e <code>nis2_org_id</code></li>
</ol>
<div class="section-title">Test rapido (curl)</div>
<div class="code-block"><span class="cmt"># 1. Verifica senza auth</span>
curl https://nis2.agile.software/api/services/status
<span class="cmt"># 2. Compliance summary</span>
curl -H <span class="str">"X-API-Key: nis2_TUA_CHIAVE"</span> \
https://nis2.agile.software/api/services/compliance-summary | python3 -m json.tool
<span class="cmt"># 3. Incidenti significativi aperti</span>
curl -H <span class="str">"X-API-Key: nis2_TUA_CHIAVE"</span> \
"https://nis2.agile.software/api/services/incidents/feed?significant=1&status=open"
<span class="cmt"># 4. Rischi high/critical</span>
curl -H <span class="str">"X-API-Key: nis2_TUA_CHIAVE"</span> \
"https://nis2.agile.software/api/services/risks/feed?level=high,critical"</div>
<div class="section-title">Contatti e riferimenti</div>
<table class="api-table">
<tbody>
<tr><td>App NIS2 Agile</td><td><a href="https://nis2.agile.software" style="color:var(--primary)">https://nis2.agile.software</a></td></tr>
<tr><td>Specifiche OpenAPI</td><td><code>GET /api/services/openapi.json</code></td></tr>
<tr><td>Test Runner</td><td><a href="/test-runner.php?t=Nis2Test2026" style="color:var(--primary)">test-runner.php</a></td></tr>
<tr><td>Amministratore</td><td>cristiano.benassati@gmail.com</td></tr>
<tr><td>Documento tecnico lg231</td><td><code>docs/integration/lg231-nis2-integration.md</code></td></tr>
</tbody>
</table>
</div>
</main>
<script src="js/common.js"></script>
<script src="js/i18n.js"></script>
<script>
function showTab(id) {
document.querySelectorAll('.tab-btn').forEach((b, i) => {
const ids = ['api', 'lg231', 'webhook', 'quickstart'];
b.classList.toggle('active', ids[i] === id);
});
document.querySelectorAll('.tab-pane').forEach(p => {
p.classList.toggle('active', p.id === 'tab-' + id);
});
// scroll to tabs
document.querySelector('.tab-nav').scrollIntoView({ behavior: 'smooth', block: 'start' });
}
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink