feat: BED-6674 add Auditor role

[sirisjo]

Description

Adds an Auditor role with read-only permissions, plus permissions to view the audit log. Includes a database migration to add the new permission and the new role.

Motivation and Context

Resolves BED-6674

This role has all of the permissions of the existing Read Only role, plus the ability to view the audit log (/api/v2/audit). Previously, only admins could view the audit log.

How Has This Been Tested?

• Database migration applied locally
• New user created with the Auditor permissions
• Able to query the audit endpoint with this new user
• Confirmed this user is able to view the audit log via the API

Screenshots (optional):

Types of changes

• New feature (non-breaking change which adds functionality)
• Database Migrations

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features

  • Added an "Auditor" role that grants read access to audit logs, reports, app configuration, and user data.

• Changes

  • Audit endpoints now require a dedicated audit-log read permission for finer-grained access control.
  • Database updated to include the new audit-log read permission and the Auditor role (migration applied).

[coderabbitai]

Walkthrough

Adds an AuditLogRead permission, registers an Auditor role that includes it, updates the v2 audit endpoint to require AuditLogRead, and adds an SQL migration to insert the permission, role, and role→permission mappings.

Changes

Cohort / File(s)	Summary
Permissions cmd/api/src/auth/permission.go	Added AuditLogRead to PermissionSet, initialized in Permissions() and included in All().
Roles cmd/api/src/auth/role.go	Added RoleAuditor constant and Auditor role template with AuditLogRead plus other read-related permissions.
API registration cmd/api/src/api/registration/v2.go	Changed v2 audit route permission requirement from AuthManageUsers to AuditLogRead and removed the surrounding TODO.
Database migration cmd/api/src/database/migration/migrations/v8.4.0.sql	SQL inserts to create audit_log Read permission, create Auditor role, map role→permissions, and grant audit_log Read to Administrator (uses ON CONFLICT DO NOTHING).

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant API as API Server
  participant Auth as Auth Middleware
  participant Audit as AuditHandler
  rect rgb(245, 250, 255)
    Client->>API: GET /api/v2/audit
    API->>Auth: validate token & check permission
    Auth->>Auth: requires "AuditLogRead"
    alt has AuditLogRead
      Auth-->>API: authorized
      API->>Audit: handle audit request
      Audit-->>API: audit data
      API-->>Client: 200 OK + data
    else missing permission
      Auth-->>API: unauthorized
      API-->>Client: 403 Forbidden
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Check permission registration and inclusion in enumerations.
• Verify the Auditor role's permission list for correctness and least privilege.
• Inspect SQL migration for correct lookups, idempotency, and mappings.
• Confirm no remaining references assume AuthManageUsers for the audit route.

Suggested reviewers

• mvlipka
• mistahj67

Poem

🐰 I hop through logs with careful feet,
A tiny badge makes audits neat,
I chase the traces, soft and fleet,
Mapping roles where records meet,
Crunching bytes while nibbling a treat.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "feat: BED-6674 add Auditor role" directly and clearly summarizes the main change in the changeset. It is concise, specific, and uses standard commit conventions (feat: prefix) to indicate a new feature. The title accurately reflects the primary objective of adding an Auditor role with specific permissions, which aligns with all the code changes across the registration, permission, role, and migration files.
Description Check	✅ Passed	The pull request description satisfies all required sections from the template. It includes a clear description of the changes, motivation and context with the ticket reference (BED-6674), detailed testing steps showing how the changes were validated locally, and properly categorized the change types as both a new feature and database migration. The checklist is fully completed with all items checked, and the author provided concrete testing evidence including migration verification, user creation, and API endpoint validation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch BED-6674

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sirisjo]

note: this is a pfc change that was missed in a previous PR, unrelated to my changes here

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/api/src/database/migration/migrations/v8.4.0.sql (1)

23-44: Consider refactoring JOIN...ON to use WHERE for more idiomatic SQL.

The JOIN with row-filtering conditions in the ON clause is valid PostgreSQL but less idiomatic than using a WHERE clause. This makes the query less readable and suggests the intent is not a traditional join relationship.

Apply this diff for clearer SQL idiomaticity:

  INSERT INTO roles_permissions (role_id, permission_id)
  SELECT r.id, p.id
- FROM roles r
- JOIN permissions p
-   ON (
-     (r.name = 'Auditor' AND (p.authority, p.name) IN (
-         ('app', 'ReadAppConfig'),
-         ('risks', 'GenerateReport'),
-         ('audit_log', 'Read'),
-         ('auth', 'CreateToken'),
-         ('auth', 'ManageSelf'),
-         ('auth', 'ReadUsers'),
-         ('graphdb', 'Read'),
-         ('saved_queries', 'Read'),
-         ('clients', 'Read')
-     ))
-     OR 
-     (r.name = 'Administrator' AND (p.authority, p.name) IN (
-                ('audit_log', 'Read')
-     ))    
-   ) 
+ FROM roles r
+ CROSS JOIN permissions p
+ WHERE (
+   (r.name = 'Auditor' AND (p.authority, p.name) IN (
+       ('app', 'ReadAppConfig'),
+       ('risks', 'GenerateReport'),
+       ('audit_log', 'Read'),
+       ('auth', 'CreateToken'),
+       ('auth', 'ManageSelf'),
+       ('auth', 'ReadUsers'),
+       ('graphdb', 'Read'),
+       ('saved_queries', 'Read'),
+       ('clients', 'Read')
+   ))
+   OR 
+   (r.name = 'Administrator' AND (p.authority, p.name) IN (
+              ('audit_log', 'Read')
+   ))
+ )
  ON CONFLICT DO NOTHING;

Using CROSS JOIN with WHERE makes it explicit that you're filtering a Cartesian product rather than joining on a relationship, and is the more standard pattern for this type of query.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee4f8b8 and ee37557.

📒 Files selected for processing (2)

• cmd/api/src/auth/role.go (2 hunks)
• cmd/api/src/database/migration/migrations/v8.4.0.sql (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• cmd/api/src/auth/role.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build BloodHound Container Image / Build and Package Container
• GitHub Check: run-analysis
• GitHub Check: build-ui
• GitHub Check: run-tests

🔇 Additional comments (1)

cmd/api/src/database/migration/migrations/v8.4.0.sql (1)

17-21: Permission and role inserts look correct.

The permission insert (line 18) and role insert (lines 20-21) are straightforward and syntactically correct. The use of ON CONFLICT DO NOTHING ensures idempotency. The description "Can read data and audit logs" accurately reflects the Auditor role's intended permissions.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/api/src/auth/permission.go (1)

63-63: LGTM! Permission included in All() method.

The AuditLogRead permission is correctly included in the All() method.

Optional: Consider verifying AuthAcceptEULA inclusion.

AuthAcceptEULA is defined in Permissions() at line 95 but doesn't appear in the All() method. This may be intentional, but worth confirming:

#!/bin/bash
# Description: Check if AuthAcceptEULA is used elsewhere or if its omission from All() is intentional

# Search for AuthAcceptEULA usage across the codebase
rg -n "AuthAcceptEULA" --type go -C 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee37557 and a4ee879.

⛔ Files ignored due to path filters (1)

• cmd/api/src/test/integration/harnesses/citrixRDPHarness.svg is excluded by !**/*.svg

📒 Files selected for processing (4)

• cmd/api/src/api/registration/v2.go (1 hunks)
• cmd/api/src/auth/permission.go (3 hunks)
• cmd/api/src/auth/role.go (2 hunks)
• cmd/api/src/database/migration/migrations/v8.4.0.sql (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/api/src/auth/role.go
• cmd/api/src/database/migration/migrations/v8.4.0.sql

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/api/src/auth/permission.go (1)

cmd/api/src/model/auth.go (2)

• Permission (35-40)
• NewPermission (42-47)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: run-tests
• GitHub Check: Build BloodHound Container Image / Build and Package Container
• GitHub Check: run-analysis
• GitHub Check: build-ui

🔇 Additional comments (3)

cmd/api/src/auth/permission.go (2)

30-31: LGTM! Permission field properly defined.

The AuditLogRead field is correctly added to the PermissionSet struct with the appropriate type and maintains alphabetical ordering.

---

93-94: LGTM! Permission properly initialized.

The AuditLogRead permission is correctly initialized with NewPermission("audit_log", "Read"), following the established naming convention and pattern. The placement maintains alphabetical ordering.

cmd/api/src/api/registration/v2.go (1)

149-149: Verification complete - all changes are correct and consistent.

The migration in v8.4.0.sql properly assigns AuditLogRead to both the Administrator and Auditor roles, ensuring existing administrators retain access while enabling the new Auditor role. The permission constant is correctly defined in cmd/api/src/auth/permission.go and maps to ("audit_log", "Read"), the Auditor role is properly defined in cmd/api/src/auth/role.go with the appropriate permissions, and the endpoint in v2.go correctly uses permissions.AuditLogRead.

[mistahj67]

Code LGTM, local testing worked as well. Great job, 🚀