coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 0 additions & 9 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 0 additions & 4 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 0 additions & 4 deletions
diff --git a/‎coderd/database/dbfake/dbfake.go
Lines changed: 35 additions & 7 deletions b/‎coderd/database/dbfake/dbfake.go
Lines changed: 35 additions & 7 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 0 additions & 7 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 0 additions & 7 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 0 additions & 1 deletion b/‎coderd/database/querier.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 0 additions & 52 deletions b/‎coderd/database/queries.sql.go
Lines changed: 0 additions & 52 deletions
diff --git a/‎coderd/database/queries/workspaceagents.sql
Lines changed: 0 additions & 10 deletions b/‎coderd/database/queries/workspaceagents.sql
Lines changed: 0 additions & 10 deletions
diff --git a/‎coderd/httpmw/workspaceagent.go
Lines changed: 1 addition & 32 deletions b/‎coderd/httpmw/workspaceagent.go
Lines changed: 1 addition & 32 deletions
@@ -1482,15 +1482,6 @@ func (q *querier) GetWorkspaceAgentAndOwnerByAuthToken(ctx context.Context, agen
 	return q.db.GetWorkspaceAgentAndOwnerByAuthToken(ctx, agentID)
 }
 
-// GetWorkspaceAgentByAuthToken is used in http middleware to get the workspace agent.
-// This should only be used by a system user in that middleware.
-func (q *querier) GetWorkspaceAgentByAuthToken(ctx context.Context, authToken uuid.UUID) (database.WorkspaceAgent, error) {
-	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
-		return database.WorkspaceAgent{}, err
-	}
-	return q.db.GetWorkspaceAgentByAuthToken(ctx, authToken)
-}
-
 func (q *querier) GetWorkspaceAgentByID(ctx context.Context, id uuid.UUID) (database.WorkspaceAgent, error) {
 	if _, err := q.GetWorkspaceByAgentID(ctx, id); err != nil {
 		return database.WorkspaceAgent{}, err
 
@@ -1319,10 +1319,6 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{})
 		check.Args().Asserts(rbac.ResourceSystem, rbac.ActionRead)
 	}))
-	s.Run("GetWorkspaceAgentByAuthToken", s.Subtest(func(db database.Store, check *expects) {
-		agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{})
-		check.Args(agt.AuthToken).Asserts(rbac.ResourceSystem, rbac.ActionRead).Returns(agt)
-	}))
 	s.Run("GetActiveUserCount", s.Subtest(func(db database.Store, check *expects) {
 		check.Args().Asserts(rbac.ResourceSystem, rbac.ActionRead).Returns(int64(0))
 	}))
 
@@ -2833,18 +2833,46 @@ func (q *FakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab
 	return users, nil
 }
 
-func (q *FakeQuerier) GetWorkspaceAgentByAuthToken(_ context.Context, authToken uuid.UUID) (database.WorkspaceAgent, error) {
+func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(ctx context.Context, authToken uuid.UUID) (database.GetWorkspaceAgentAndOwnerByAuthTokenRow, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
+	var resp database.GetWorkspaceAgentAndOwnerByAuthTokenRow
+	var found bool
+	for _, agt := range q.workspaceAgents {
+		if agt.AuthToken == authToken {
+			resp.WorkspaceAgent = agt
+			found = true
+			break
+		}
+	}
+	if !found {
+		return resp, sql.ErrNoRows
+	}
 
-	// The schema sorts this by created at, so we iterate the array backwards.
-	for i := len(q.workspaceAgents) - 1; i >= 0; i-- {
-		agent := q.workspaceAgents[i]
-		if agent.AuthToken == authToken {
-			return agent, nil
+	// get the related workspace and user
+	for _, res := range q.workspaceResources {
+		if resp.WorkspaceAgent.ResourceID != res.ID {
+			continue
+		}
+		for _, build := range q.workspaceBuilds {
+			if build.JobID != res.JobID {
+				continue
+			}
+			for _, ws := range q.workspaces {
+				if build.WorkspaceID != ws.ID {
+					continue
+				}
+				resp.WorkspaceID = ws.ID
+				if usr, err := q.getUserByIDNoLock(ws.OwnerID); err == nil {
+					resp.OwnerID = usr.ID
+					resp.OwnerRoles = usr.RBACRoles
+					resp.OwnerName = usr.Username
+					return resp, nil
+				}
+			}
 		}
 	}
-	return database.WorkspaceAgent{}, sql.ErrNoRows
+	return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
 }
 
 func (q *FakeQuerier) GetWorkspaceAgentByID(ctx context.Context, id uuid.UUID) (database.WorkspaceAgent, error) {
 
@@ -1,13 +1,3 @@
--- name: GetWorkspaceAgentByAuthToken :one
-SELECT
-	*
-FROM
-	workspace_agents
-WHERE
-	auth_token = $1
-ORDER BY
-	created_at DESC;
-
 -- name: GetWorkspaceAgentByID :one
 SELECT
 	*
 
@@ -97,8 +97,7 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
 				ID:     row.OwnerID.String(),
 				Roles:  rbac.RoleNames(row.OwnerRoles),
 				Groups: row.OwnerGroups,
-				// Note: this is generated as a NullUUID even though it shouldn't be nullable based on the query.
-				Scope: rbac.WorkspaceAgentScope(row.WorkspaceID, row.OwnerID),
+				Scope:  rbac.WorkspaceAgentScope(row.WorkspaceID, row.OwnerID),
 			}.WithCachedASTValue()
 
 			ctx = context.WithValue(ctx, workspaceAgentContextKey{}, row.WorkspaceAgent)
@@ -108,33 +107,3 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
 		})
 	}
 }
-
-func getAgentSubject(ctx context.Context, db database.Store, agent database.WorkspaceAgent) (rbac.Subject, error) {
-	// TODO: make a different query that gets the workspace owner and roles along with the agent.
-	workspace, err := db.GetWorkspaceByAgentID(ctx, agent.ID)
-	if err != nil {
-		return rbac.Subject{}, err
-	}
-
-	user, err := db.GetUserByID(ctx, workspace.OwnerID)
-	if err != nil {
-		return rbac.Subject{}, err
-	}
-
-	roles, err := db.GetAuthorizationUserRoles(ctx, user.ID)
-	if err != nil {
-		return rbac.Subject{}, err
-	}
-
-	// A user that creates a workspace can use this agent auth token and
-	// impersonate the workspace. So to prevent privilege escalation, the
-	// subject inherits the roles of the user that owns the workspace.
-	// We then add a workspace-agent scope to limit the permissions
-	// to only what the workspace agent needs.
-	return rbac.Subject{
-		ID:     user.ID.String(),
-		Roles:  rbac.RoleNames(roles.Roles),
-		Groups: roles.Groups,
-		Scope:  rbac.WorkspaceAgentScope(workspace.ID, user.ID),
-	}.WithCachedASTValue(), nil
-}