coder
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/dbauthz/setup_test.go
Lines changed: 1 addition & 2 deletions b/‎coderd/database/dbauthz/setup_test.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 6 additions & 1 deletion b/‎coderd/httpmw/apikey.go
Lines changed: 6 additions & 1 deletion
diff --git a/‎coderd/httpmw/authz.go
Lines changed: 6 additions & 3 deletions b/‎coderd/httpmw/authz.go
Lines changed: 6 additions & 3 deletions
diff --git a/‎coderd/httpmw/authz_test.go
Lines changed: 4 additions & 2 deletions b/‎coderd/httpmw/authz_test.go
Lines changed: 4 additions & 2 deletions
diff --git a/‎coderd/httpmw/userparam.go
Lines changed: 3 additions & 2 deletions b/‎coderd/httpmw/userparam.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎coderd/httpmw/workspaceagent.go
Lines changed: 2 additions & 1 deletion b/‎coderd/httpmw/workspaceagent.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/metricscache/metricscache.go
Lines changed: 6 additions & 5 deletions b/‎coderd/metricscache/metricscache.go
Lines changed: 6 additions & 5 deletions
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 6 additions & 4 deletions b/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 6 additions & 4 deletions
@@ -34,7 +34,7 @@ type Stats struct {
 // New returns a new autobuild executor.
 func New(ctx context.Context, db database.Store, log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
-		// Use an authorized context
+		//nolint:gocritic // TODO: make an autostart role instead of using System
 		ctx:  dbauthz.AsSystem(ctx),
 		db:   db,
 		tick: tick,
 
@@ -8,10 +8,11 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
+	"github.com/open-policy-agent/opa/topdown"
+
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/rbac"
-	"github.com/open-policy-agent/opa/topdown"
 )
 
 var _ database.Store = (*querier)(nil)
 
@@ -151,8 +151,7 @@ func (s *MethodTestSuite) Subtest(testCaseF func(db database.Store, check *expec
 				"GetAuthorizedWorkspaces",
 				"GetAuthorizedTemplates",
 			}, methodName) {
-
-			// Some methods do no make rbac assertions because they use
+			// Some methods do not make RBAC assertions because they use
 			// SQL. We still want to test that they return an error if the
 			// actor is not set.
 			s.NoActorErrorTest(callMethod)
 
@@ -116,7 +116,6 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			// systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			// Write wraps writing a response to redirect if the handler
 			// specified it should. This redirect is used for user-facing pages
 			// like workspace applications.
@@ -161,6 +160,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				return
 			}
 
+			//nolint:gocritic // System needs to fetch API key to check if it's valid.
 			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx), keyID)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -194,6 +194,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				changed = false
 			)
 			if key.LoginType == database.LoginTypeGithub || key.LoginType == database.LoginTypeOIDC {
+				//nolint:gocritic // System needs to fetch UserLink to check if it's valid.
 				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{
 					UserID:    key.UserID,
 					LoginType: key.LoginType,
@@ -277,6 +278,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				}
 			}
 			if changed {
+				//nolint:gocritic // System needs to update API Key LastUsed
 				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{
 					ID:        key.ID,
 					LastUsed:  key.LastUsed,
@@ -293,6 +295,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// If the API Key is associated with a user_link (e.g. Github/OIDC)
 				// then we want to update the relevant oauth fields.
 				if link.UserID != uuid.Nil {
+					// nolint:gocritic
 					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
 						UserID:            link.UserID,
 						LoginType:         link.LoginType,
@@ -312,6 +315,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// We only want to update this occasionally to reduce DB write
 				// load. We update alongside the UserLink and APIKey since it's
 				// easier on the DB to colocate writes.
+				// nolint:gocritic
 				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{
 					ID:         key.UserID,
 					LastSeenAt: database.Now(),
@@ -329,6 +333,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// If the key is valid, we also fetch the user roles and status.
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
+			// nolint:gocritic
 			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx), key.UserID)
 			if err != nil {
 				write(http.StatusUnauthorized, codersdk.Response{
 
@@ -8,11 +8,13 @@ import (
 	"github.com/go-chi/chi/v5"
 )
 
-// AsAuthzSystem is a bit of a kludge for now. Some middleware functions require
-// usage as a system user in some cases, but not all cases. To avoid large
-// refactors, we use this middleware to temporarily set the context to a system.
+// AsAuthzSystem is a chained handler that temporarily sets the dbauthz context
+// to System for the inner handlers, and resets the context afterwards.
 //
 // TODO: Refactor the middleware functions to not require this.
+// This is a bit of a kludge for now as some middleware functions require
+// usage as a system user in some cases, but not all cases. To avoid large
+// refactors, we use this middleware to temporarily set the context to a system.
 func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) http.Handler {
 	chain := chi.Chain(mws...)
 	return func(next http.Handler) http.Handler {
@@ -24,6 +26,7 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 				before = dbauthz.AsRemoveActor
 			}
 
+			// nolint:gocritic // AsAuthzSystem needs to do this.
 			r = r.WithContext(dbauthz.AsSystem(ctx))
 			chain.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 				r = r.WithContext(dbauthz.As(r.Context(), before))
 
@@ -14,6 +14,7 @@ import (
 )
 
 func TestAsAuthzSystem(t *testing.T) {
+	t.Parallel()
 	userActor := coderdtest.RandomRBACSubject()
 
 	base := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@@ -62,6 +63,7 @@ func TestAsAuthzSystem(t *testing.T) {
 				mwAssertSystem,
 				mwAssertSystem,
 			),
+			// Assert no user present outside of the AsAuthzSystem chain
 			mwAssertNoUser,
 			// ----
 			// Set to the user actor
@@ -85,10 +87,10 @@ func TestAsAuthzSystem(t *testing.T) {
 	handler.ServeHTTP(res, req)
 }
 
-func mwAssert(assert func(req *http.Request)) func(next http.Handler) http.Handler {
+func mwAssert(assertF func(req *http.Request)) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			assert(r)
+			assertF(r)
 			next.ServeHTTP(rw, r)
 		})
 	}
 
@@ -69,6 +69,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					})
 					return
 				}
+				//nolint:gocritic // System needs to be able to get user from param.
 				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), apiKey.UserID)
 				if xerrors.Is(err, sql.ErrNoRows) {
 					httpapi.ResourceNotFound(rw)
@@ -82,7 +83,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 			} else if userID, err := uuid.Parse(userQuery); err == nil {
-				// If the userQuery is a valid uuid
+				//nolint:gocritic // If the userQuery is a valid uuid
 				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), userID)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -91,7 +92,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 			} else {
-				// Try as a username last
+				// nolint:gocritic // Try as a username last
 				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 					Username: userQuery,
 				})
 
@@ -32,7 +32,6 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			tokenValue := apiTokenFromRequest(r)
 			if tokenValue == "" {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -48,6 +47,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				})
 				return
 			}
+			//nolint:gocritic // System needs to be able to get workspace agents.
 			agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystem(ctx), token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -65,6 +65,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				return
 			}
 
+			//nolint:gocritic // System needs to be able to get workspace agents.
 			subject, err := getAgentSubject(dbauthz.AsSystem(ctx), db, agent)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 
@@ -143,8 +143,9 @@ func countUniqueUsers(rows []database.GetTemplateDAUsRow) int {
 }
 
 func (c *Cache) refresh(ctx context.Context) error {
-	// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
-	err := c.database.DeleteOldAgentStats(dbauthz.AsSystem(ctx))
+	//nolint:gocritic // This is a system service.
+	ctx = dbauthz.AsSystem(ctx)
+	err := c.database.DeleteOldAgentStats(ctx)
 	if err != nil {
 		return xerrors.Errorf("delete old stats: %w", err)
 	}
@@ -161,22 +162,22 @@ func (c *Cache) refresh(ctx context.Context) error {
 		templateAverageBuildTimes = make(map[uuid.UUID]database.GetTemplateAverageBuildTimeRow)
 	)
 
-	rows, err := c.database.GetDeploymentDAUs(dbauthz.AsSystem(ctx))
+	rows, err := c.database.GetDeploymentDAUs(ctx)
 	if err != nil {
 		return err
 	}
 	deploymentDAUs = convertDeploymentDAUResponse(rows)
 	c.deploymentDAUResponses.Store(&deploymentDAUs)
 
 	for _, template := range templates {
-		rows, err := c.database.GetTemplateDAUs(dbauthz.AsSystem(ctx), template.ID)
+		rows, err := c.database.GetTemplateDAUs(ctx, template.ID)
 		if err != nil {
 			return err
 		}
 		templateDAUs[template.ID] = convertDAUResponse(rows)
 		templateUniqueUsers[template.ID] = countUniqueUsers(rows)
 
-		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(dbauthz.AsSystem(ctx), database.GetTemplateAverageBuildTimeParams{
+		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(ctx, database.GetTemplateAverageBuildTimeParams{
 			TemplateID: uuid.NullUUID{
 				UUID:  template.ID,
 				Valid: true,
 
@@ -57,7 +57,7 @@ type Server struct {
 
 // AcquireJob queries the database to lock a job.
 func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.AcquiredJob, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	// This prevents loads of provisioner daemons from consistently
 	// querying the database when no jobs are available.
@@ -273,6 +273,7 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 }
 
 func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuotaRequest) (*proto.CommitQuotaResponse, error) {
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(request.JobId)
 	if err != nil {
@@ -303,7 +304,7 @@ func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuot
 }
 
 func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobRequest) (*proto.UpdateJobResponse, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	parsedID, err := uuid.Parse(request.JobId)
 	if err != nil {
@@ -351,6 +352,7 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
 				slog.F("stage", log.Stage),
 				slog.F("output", log.Output))
 		}
+		//nolint:gocritic //TODO: make a provisionerd role
 		logs, err := server.Database.InsertProvisionerJobLogs(dbauthz.AsSystem(context.Background()), insertParams)
 		if err != nil {
 			server.Logger.Error(ctx, "failed to insert job logs", slog.F("job_id", parsedID), slog.Error(err))
@@ -476,7 +478,7 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
 }
 
 func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*proto.Empty, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic // TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(failJob.JobId)
 	if err != nil {
@@ -604,7 +606,7 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 
 // CompleteJob is triggered by a provision daemon to mark a provisioner job as completed.
 func (server *Server) CompleteJob(ctx context.Context, completed *proto.CompletedJob) (*proto.Empty, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic // TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(completed.JobId)
 	if err != nil {