coder
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/dbauthz/setup_test.go
Lines changed: 1 addition & 2 deletions b/‎coderd/database/dbauthz/setup_test.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 6 additions & 1 deletion b/‎coderd/httpmw/apikey.go
Lines changed: 6 additions & 1 deletion
diff --git a/‎coderd/httpmw/authz.go
Lines changed: 6 additions & 3 deletions b/‎coderd/httpmw/authz.go
Lines changed: 6 additions & 3 deletions
diff --git a/‎coderd/httpmw/authz_test.go
Lines changed: 4 additions & 2 deletions b/‎coderd/httpmw/authz_test.go
Lines changed: 4 additions & 2 deletions
diff --git a/‎coderd/httpmw/userparam.go
Lines changed: 3 additions & 2 deletions b/‎coderd/httpmw/userparam.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎coderd/httpmw/workspaceagent.go
Lines changed: 2 additions & 1 deletion b/‎coderd/httpmw/workspaceagent.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/metricscache/metricscache.go
Lines changed: 6 additions & 5 deletions b/‎coderd/metricscache/metricscache.go
Lines changed: 6 additions & 5 deletions
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 6 additions & 4 deletions b/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 6 additions & 4 deletions
diff --git a/‎coderd/userauth.go
Lines changed: 12 additions & 4 deletions b/‎coderd/userauth.go
Lines changed: 12 additions & 4 deletions
@@ -34,7 +34,7 @@ type Stats struct {
 // New returns a new autobuild executor.
 func New(ctx context.Context, db database.Store, log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
-		// Use an authorized context
+		//nolint:gocritic // TODO: make an autostart role instead of using System
 		ctx:  dbauthz.AsSystem(ctx),
 		db:   db,
 		tick: tick,
 
@@ -8,10 +8,11 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
+	"github.com/open-policy-agent/opa/topdown"
+
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/rbac"
-	"github.com/open-policy-agent/opa/topdown"
 )
 
 var _ database.Store = (*querier)(nil)
 
@@ -151,8 +151,7 @@ func (s *MethodTestSuite) Subtest(testCaseF func(db database.Store, check *expec
 				"GetAuthorizedWorkspaces",
 				"GetAuthorizedTemplates",
 			}, methodName) {
-
-			// Some methods do no make rbac assertions because they use
+			// Some methods do not make RBAC assertions because they use
 			// SQL. We still want to test that they return an error if the
 			// actor is not set.
 			s.NoActorErrorTest(callMethod)
 
@@ -116,7 +116,6 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			// systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			// Write wraps writing a response to redirect if the handler
 			// specified it should. This redirect is used for user-facing pages
 			// like workspace applications.
@@ -161,6 +160,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				return
 			}
 
+			//nolint:gocritic // System needs to fetch API key to check if it's valid.
 			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx), keyID)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -194,6 +194,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				changed = false
 			)
 			if key.LoginType == database.LoginTypeGithub || key.LoginType == database.LoginTypeOIDC {
+				//nolint:gocritic // System needs to fetch UserLink to check if it's valid.
 				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{
 					UserID:    key.UserID,
 					LoginType: key.LoginType,
@@ -277,6 +278,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				}
 			}
 			if changed {
+				//nolint:gocritic // System needs to update API Key LastUsed
 				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{
 					ID:        key.ID,
 					LastUsed:  key.LastUsed,
@@ -293,6 +295,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// If the API Key is associated with a user_link (e.g. Github/OIDC)
 				// then we want to update the relevant oauth fields.
 				if link.UserID != uuid.Nil {
+					// nolint:gocritic
 					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
 						UserID:            link.UserID,
 						LoginType:         link.LoginType,
@@ -312,6 +315,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// We only want to update this occasionally to reduce DB write
 				// load. We update alongside the UserLink and APIKey since it's
 				// easier on the DB to colocate writes.
+				// nolint:gocritic
 				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{
 					ID:         key.UserID,
 					LastSeenAt: database.Now(),
@@ -329,6 +333,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// If the key is valid, we also fetch the user roles and status.
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
+			// nolint:gocritic
 			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx), key.UserID)
 			if err != nil {
 				write(http.StatusUnauthorized, codersdk.Response{
 
@@ -8,11 +8,13 @@ import (
 	"github.com/go-chi/chi/v5"
 )
 
-// AsAuthzSystem is a bit of a kludge for now. Some middleware functions require
-// usage as a system user in some cases, but not all cases. To avoid large
-// refactors, we use this middleware to temporarily set the context to a system.
+// AsAuthzSystem is a chained handler that temporarily sets the dbauthz context
+// to System for the inner handlers, and resets the context afterwards.
 //
 // TODO: Refactor the middleware functions to not require this.
+// This is a bit of a kludge for now as some middleware functions require
+// usage as a system user in some cases, but not all cases. To avoid large
+// refactors, we use this middleware to temporarily set the context to a system.
 func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) http.Handler {
 	chain := chi.Chain(mws...)
 	return func(next http.Handler) http.Handler {
@@ -24,6 +26,7 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 				before = dbauthz.AsRemoveActor
 			}
 
+			// nolint:gocritic // AsAuthzSystem needs to do this.
 			r = r.WithContext(dbauthz.AsSystem(ctx))
 			chain.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 				r = r.WithContext(dbauthz.As(r.Context(), before))
 
@@ -14,6 +14,7 @@ import (
 )
 
 func TestAsAuthzSystem(t *testing.T) {
+	t.Parallel()
 	userActor := coderdtest.RandomRBACSubject()
 
 	base := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@@ -62,6 +63,7 @@ func TestAsAuthzSystem(t *testing.T) {
 				mwAssertSystem,
 				mwAssertSystem,
 			),
+			// Assert no user present outside of the AsAuthzSystem chain
 			mwAssertNoUser,
 			// ----
 			// Set to the user actor
@@ -85,10 +87,10 @@ func TestAsAuthzSystem(t *testing.T) {
 	handler.ServeHTTP(res, req)
 }
 
-func mwAssert(assert func(req *http.Request)) func(next http.Handler) http.Handler {
+func mwAssert(assertF func(req *http.Request)) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			assert(r)
+			assertF(r)
 			next.ServeHTTP(rw, r)
 		})
 	}
 
@@ -69,6 +69,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					})
 					return
 				}
+				//nolint:gocritic // System needs to be able to get user from param.
 				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), apiKey.UserID)
 				if xerrors.Is(err, sql.ErrNoRows) {
 					httpapi.ResourceNotFound(rw)
@@ -82,7 +83,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 			} else if userID, err := uuid.Parse(userQuery); err == nil {
-				// If the userQuery is a valid uuid
+				//nolint:gocritic // If the userQuery is a valid uuid
 				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), userID)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -91,7 +92,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 			} else {
-				// Try as a username last
+				// nolint:gocritic // Try as a username last
 				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 					Username: userQuery,
 				})
 
@@ -32,7 +32,6 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			tokenValue := apiTokenFromRequest(r)
 			if tokenValue == "" {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -48,6 +47,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				})
 				return
 			}
+			//nolint:gocritic // System needs to be able to get workspace agents.
 			agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystem(ctx), token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -65,6 +65,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				return
 			}
 
+			//nolint:gocritic // System needs to be able to get workspace agents.
 			subject, err := getAgentSubject(dbauthz.AsSystem(ctx), db, agent)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 
@@ -143,8 +143,9 @@ func countUniqueUsers(rows []database.GetTemplateDAUsRow) int {
 }
 
 func (c *Cache) refresh(ctx context.Context) error {
-	// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
-	err := c.database.DeleteOldAgentStats(dbauthz.AsSystem(ctx))
+	//nolint:gocritic // This is a system service.
+	ctx = dbauthz.AsSystem(ctx)
+	err := c.database.DeleteOldAgentStats(ctx)
 	if err != nil {
 		return xerrors.Errorf("delete old stats: %w", err)
 	}
@@ -161,22 +162,22 @@ func (c *Cache) refresh(ctx context.Context) error {
 		templateAverageBuildTimes = make(map[uuid.UUID]database.GetTemplateAverageBuildTimeRow)
 	)
 
-	rows, err := c.database.GetDeploymentDAUs(dbauthz.AsSystem(ctx))
+	rows, err := c.database.GetDeploymentDAUs(ctx)
 	if err != nil {
 		return err
 	}
 	deploymentDAUs = convertDeploymentDAUResponse(rows)
 	c.deploymentDAUResponses.Store(&deploymentDAUs)
 
 	for _, template := range templates {
-		rows, err := c.database.GetTemplateDAUs(dbauthz.AsSystem(ctx), template.ID)
+		rows, err := c.database.GetTemplateDAUs(ctx, template.ID)
 		if err != nil {
 			return err
 		}
 		templateDAUs[template.ID] = convertDAUResponse(rows)
 		templateUniqueUsers[template.ID] = countUniqueUsers(rows)
 
-		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(dbauthz.AsSystem(ctx), database.GetTemplateAverageBuildTimeParams{
+		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(ctx, database.GetTemplateAverageBuildTimeParams{
 			TemplateID: uuid.NullUUID{
 				UUID:  template.ID,
 				Valid: true,
 
@@ -57,7 +57,7 @@ type Server struct {
 
 // AcquireJob queries the database to lock a job.
 func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.AcquiredJob, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	// This prevents loads of provisioner daemons from consistently
 	// querying the database when no jobs are available.
@@ -273,6 +273,7 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 }
 
 func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuotaRequest) (*proto.CommitQuotaResponse, error) {
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(request.JobId)
 	if err != nil {
@@ -303,7 +304,7 @@ func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuot
 }
 
 func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobRequest) (*proto.UpdateJobResponse, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic //TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	parsedID, err := uuid.Parse(request.JobId)
 	if err != nil {
@@ -351,6 +352,7 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
 				slog.F("stage", log.Stage),
 				slog.F("output", log.Output))
 		}
+		//nolint:gocritic //TODO: make a provisionerd role
 		logs, err := server.Database.InsertProvisionerJobLogs(dbauthz.AsSystem(context.Background()), insertParams)
 		if err != nil {
 			server.Logger.Error(ctx, "failed to insert job logs", slog.F("job_id", parsedID), slog.Error(err))
@@ -476,7 +478,7 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
 }
 
 func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*proto.Empty, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic // TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(failJob.JobId)
 	if err != nil {
@@ -604,7 +606,7 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 
 // CompleteJob is triggered by a provision daemon to mark a provisioner job as completed.
 func (server *Server) CompleteJob(ctx context.Context, completed *proto.CompletedJob) (*proto.Empty, error) {
-	// TODO: make a provisionerd role
+	//nolint:gocritic // TODO: make a provisionerd role
 	ctx = dbauthz.AsSystem(ctx)
 	jobID, err := uuid.Parse(completed.JobId)
 	if err != nil {
 
@@ -40,8 +40,7 @@ import (
 // @Router /users/login [post]
 func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx = r.Context()
-		// dbauthz.AsSystem(ctx)         = dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+		ctx               = r.Context()
 		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
 			Audit:   *auditor,
@@ -58,6 +57,7 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	//nolint:gocritic // In order to login, we need to get the user first!
 	user, err := api.Database.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 		Email: loginWithPassword.Email,
 	})
@@ -732,8 +732,7 @@ func (e httpError) Error() string {
 
 func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cookie, database.APIKey, error) {
 	var (
-		ctx = r.Context()
-		// dbauthz.AsSystem(ctx) = dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+		ctx  = r.Context()
 		user database.User
 	)
 
@@ -767,6 +766,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 		// with OIDC for the first time.
 		if user.ID == uuid.Nil {
 			var organizationID uuid.UUID
+			//nolint:gocritic
 			organizations, _ := tx.GetOrganizations(dbauthz.AsSystem(ctx))
 			if len(organizations) > 0 {
 				// Add the user to the first organization. Once multi-organization
@@ -775,6 +775,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 				organizationID = organizations[0].ID
 			}
 
+			//nolint:gocritic
 			_, err := tx.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 				Username: params.Username,
 			})
@@ -788,6 +789,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 
 					params.Username = httpapi.UsernameFrom(alternate)
 
+					//nolint:gocritic
 					_, err := tx.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 						Username: params.Username,
 					})
@@ -807,6 +809,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 				}
 			}
 
+			//nolint:gocritic
 			user, _, err = api.CreateUser(dbauthz.AsSystem(ctx), tx, CreateUserRequest{
 				CreateUserRequest: codersdk.CreateUserRequest{
 					Email:          params.Email,
@@ -821,6 +824,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 		}
 
 		if link.UserID == uuid.Nil {
+			//nolint:gocritic
 			link, err = tx.InsertUserLink(dbauthz.AsSystem(ctx), database.InsertUserLinkParams{
 				UserID:            user.ID,
 				LoginType:         params.LoginType,
@@ -835,6 +839,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 		}
 
 		if link.UserID != uuid.Nil {
+			//nolint:gocritic
 			link, err = tx.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
 				UserID:            user.ID,
 				LoginType:         params.LoginType,
@@ -849,6 +854,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 
 		// Ensure groups are correct.
 		if len(params.Groups) > 0 {
+			//nolint:gocritic
 			err := api.Options.SetUserGroups(dbauthz.AsSystem(ctx), tx, user.ID, params.Groups)
 			if err != nil {
 				return xerrors.Errorf("set user groups: %w", err)
@@ -882,6 +888,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 			// In such cases in the current implementation this user can now no
 			// longer sign in until an administrator finds the offending built-in
 			// user and changes their username.
+			//nolint:gocritic
 			user, err = tx.UpdateUserProfile(dbauthz.AsSystem(ctx), database.UpdateUserProfileParams{
 				ID:        user.ID,
 				Email:     user.Email,
@@ -900,6 +907,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 		return nil, database.APIKey{}, xerrors.Errorf("in tx: %w", err)
 	}
 
+	//nolint:gocritic
 	cookie, key, err := api.createAPIKey(dbauthz.AsSystem(ctx), createAPIKeyParams{
 		UserID:     user.ID,
 		LoginType:  params.LoginType,