feat: BED-6674 add Auditor role (#2016)

* database migration for new auditor role and permissions

* new auditor role and permissions

* pfc

* remove createToken permission; sql refactor

* add back CreateToken permissions

Author: sirisjo

cmd/api/src/api/registration/v2.go

@@ -146,8 +146,7 @@ func NewV2API(resources v2.Resources, routerInst *router.Router) {
 		routerInst.GET("/api/v2/available-domains", resources.GetAvailableDomains).RequirePermissions(permissions.GraphDBRead),
 
 		// Audit API
-		// TODO: This might actually need its own permission that's assigned to the Administrator user by default
-		routerInst.GET("/api/v2/audit", resources.ListAuditLogs).RequirePermissions(permissions.AuthManageUsers),
+		routerInst.GET("/api/v2/audit", resources.ListAuditLogs).RequirePermissions(permissions.AuditLogRead),
 
 		// App Config API
 		routerInst.GET("/api/v2/config", resources.GetApplicationConfigurations).RequirePermissions(permissions.AppReadApplicationConfiguration),

cmd/api/src/auth/permission.go

@@ -27,6 +27,8 @@ type PermissionSet struct {
 	APsGenerateReport model.Permission
 	APsManageAPs      model.Permission
 
+	AuditLogRead model.Permission
+
 	AuthAcceptEULA                      model.Permission
 	AuthCreateToken                     model.Permission
 	AuthManageApplicationConfigurations model.Permission
@@ -58,6 +60,7 @@ func (s PermissionSet) All() model.Permissions {
 		s.AppWriteApplicationConfiguration,
 		s.APsGenerateReport,
 		s.APsManageAPs,
+		s.AuditLogRead,
 		s.AuthCreateToken,
 		s.AuthManageApplicationConfigurations,
 		s.AuthManageProviders,
@@ -87,6 +90,8 @@ func Permissions() PermissionSet {
 		APsGenerateReport: model.NewPermission("risks", "GenerateReport"),
 		APsManageAPs:      model.NewPermission("risks", "ManageRisks"),
 
+		AuditLogRead: model.NewPermission("audit_log", "Read"),
+
 		AuthAcceptEULA:                      model.NewPermission("auth", "AcceptEULA"),
 		AuthCreateToken:                     model.NewPermission("auth", "CreateToken"),
 		AuthManageApplicationConfigurations: model.NewPermission("auth", "ManageAppConfig"),

cmd/api/src/auth/role.go

@@ -23,6 +23,7 @@ import (
 const (
 	RoleUploadOnly    = "Upload-Only"
 	RoleReadOnly      = "Read-Only"
+	RoleAuditor       = "Auditor"
 	RoleUser          = "User"
 	RolePowerUser     = "Power User"
 	RoleAdministrator = "Administrator"
@@ -59,6 +60,21 @@ func Roles() map[string]RoleTemplate {
 				permissions.GraphDBIngest,
 			},
 		},
+		RoleAuditor: {
+			Name:        RoleAuditor,
+			Description: "Can read data and audit logs",
+			Permissions: model.Permissions{
+				permissions.AppReadApplicationConfiguration,
+				permissions.APsGenerateReport,
+				permissions.AuthCreateToken,
+				permissions.AuditLogRead,
+				permissions.AuthManageSelf,
+				permissions.AuthReadUsers,
+				permissions.ClientsRead,
+				permissions.GraphDBRead,
+				permissions.SavedQueriesRead,
+			},
+		},
 		RoleUser: {
 			Name:        RoleUser,
 			Description: "Can read data, modify asset group memberships",

cmd/api/src/database/migration/migrations/v8.4.0.sql

@@ -0,0 +1,44 @@
+-- Copyright 2025 Specter Ops, Inc.
+--
+-- Licensed under the Apache License, Version 2.0
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- SPDX-License-Identifier: Apache-2.0
+
+-- Add Audit Log permission and Auditor role 
+INSERT INTO permissions (authority, name, created_at, updated_at) VALUES ('audit_log', 'Read', current_timestamp, current_timestamp) ON CONFLICT DO NOTHING;
+
+INSERT INTO roles (name, description, created_at, updated_at) VALUES 
+ ('Auditor', 'Can read data and audit logs', current_timestamp, current_timestamp) ON CONFLICT DO NOTHING;
+
+INSERT INTO roles_permissions (role_id, permission_id)
+SELECT r.id, p.id
+FROM roles r
+JOIN permissions p
+  ON (
+    (r.name = 'Auditor' AND (p.authority, p.name) IN (
+        ('app', 'ReadAppConfig'),
+        ('risks', 'GenerateReport'),
+        ('audit_log', 'Read'),
+        ('auth', 'CreateToken'),
+        ('auth', 'ManageSelf'),
+        ('auth', 'ReadUsers'),
+        ('graphdb', 'Read'),
+        ('saved_queries', 'Read'),
+        ('clients', 'Read')
+    ))
+    OR 
+    (r.name = 'Administrator' AND (p.authority, p.name) IN (
+               ('audit_log', 'Read')
+    ))    
+) 
+ON CONFLICT DO NOTHING;