coder
diff --git a/‎coderd/activitybump.go
+8-5 b/‎coderd/activitybump.go
+8-5
diff --git a/‎coderd/authorize.go
+22 b/‎coderd/authorize.go
+22
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
+3-1 b/‎coderd/autobuild/executor/lifecycle_executor.go
+3-1
diff --git a/‎coderd/coderd.go
+20-14 b/‎coderd/coderd.go
+20-14
diff --git a/‎coderd/coderdtest/authorize.go
+6-11 b/‎coderd/coderdtest/authorize.go
+6-11
diff --git a/‎coderd/coderdtest/authorize_test.go
+6 b/‎coderd/coderdtest/authorize_test.go
+6
diff --git a/‎coderd/coderdtest/coderdtest.go
+9-6 b/‎coderd/coderdtest/coderdtest.go
+9-6
@@ -15,10 +15,10 @@ import (
 
 // activityBumpWorkspace automatically bumps the workspace's auto-off timer
 // if it is set to expire soon.
-func activityBumpWorkspace(log slog.Logger, db database.Store, workspaceID uuid.UUID) {
+func activityBumpWorkspace(ctx context.Context, log slog.Logger, db database.Store, workspaceID uuid.UUID) {
 	// We set a short timeout so if the app is under load, these
 	// low priority operations fail first.
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*15)
+	ctx, cancel := context.WithTimeout(ctx, time.Second*15)
 	defer cancel()
 
 	err := db.InTx(func(s database.Store) error {
@@ -82,9 +82,12 @@ func activityBumpWorkspace(log slog.Logger, db database.Store, workspaceID uuid.
 		return nil
 	}, nil)
 	if err != nil {
-		log.Error(ctx, "bump failed", slog.Error(err),
-			slog.F("workspace_id", workspaceID),
-		)
+		if !xerrors.Is(err, context.Canceled) {
+			// Bump will fail if the context is cancelled, but this is ok.
+			log.Error(ctx, "bump failed", slog.Error(err),
+				slog.F("workspace_id", workspaceID),
+			)
+		}
 		return
 	}
 
 
@@ -51,6 +51,28 @@ type HTTPAuthorizer struct {
 //		return
 //	}
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
+	// The experiment does not replace ALL rbac checks, but does replace most.
+	// This statement aborts early on the checks that will be removed in the
+	// future when this experiment is default.
+	if api.Experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
+		// Some resource types do not interact with the persistent layer and
+		// we need to keep these checks happening in the API layer.
+		switch object.RBACObject().Type {
+		case rbac.ResourceWorkspaceExecution.Type:
+			// This is not a db resource, always in API layer
+		case rbac.ResourceDeploymentConfig.Type:
+			// For metric cache items like DAU, we do not hit the DB.
+			// Some db actions are in asserted in the authz layer.
+		case rbac.ResourceReplicas.Type:
+			// Replica rbac is checked for adding and removing replicas.
+		case rbac.ResourceProvisionerDaemon.Type:
+			// Provisioner rbac is checked for adding and removing provisioners.
+		case rbac.ResourceDebugInfo.Type:
+			// This is not a db resource, always in API layer.
+		default:
+			return true
+		}
+	}
 	return api.HTTPAuth.Authorize(r, action, object)
 }
 
 
@@ -12,6 +12,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/autobuild/schedule"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 )
 
 // Executor automatically starts or stops workspaces.
@@ -33,7 +34,8 @@ type Stats struct {
 // New returns a new autobuild executor.
 func New(ctx context.Context, db database.Store, log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
-		ctx:  ctx,
+		//nolint:gocritic // TODO: make an autostart role instead of using System
+		ctx:  dbauthz.AsSystem(ctx),
 		db:   db,
 		tick: tick,
 		log:  log,
 
@@ -42,6 +42,7 @@ import (
 	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/awsidentity"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/database/dbtype"
 	"github.com/coder/coder/coderd/gitauth"
 	"github.com/coder/coder/coderd/gitsshkey"
@@ -157,13 +158,6 @@ func New(options *Options) *API {
 		options = &Options{}
 	}
 	experiments := initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value)
-	// TODO: remove this once we promote authz_querier out of experiments.
-	if experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
-		panic("Coming soon!")
-		// if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok {
-		// 	options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
-		// }
-	}
 	if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil {
 		panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")
 	}
@@ -204,6 +198,14 @@ func New(options *Options) *API {
 	if options.Auditor == nil {
 		options.Auditor = audit.NewNop()
 	}
+	// TODO: remove this once we promote authz_querier out of experiments.
+	if experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
+		options.Database = dbauthz.New(
+			options.Database,
+			options.Authorizer,
+			options.Logger.Named("authz_querier"),
+		)
+	}
 	if options.SetUserGroups == nil {
 		options.SetUserGroups = func(context.Context, database.Store, uuid.UUID, []string) error { return nil }
 	}
@@ -304,8 +306,10 @@ func New(options *Options) *API {
 				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
 				Optional:                    true,
 			}),
-			httpmw.ExtractUserParam(api.Database, false),
-			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
+			httpmw.AsAuthzSystem(
+				httpmw.ExtractUserParam(api.Database, false),
+				httpmw.ExtractWorkspaceAndAgentParam(api.Database),
+			),
 		),
 		// Build-Version is helpful for debugging.
 		func(next http.Handler) http.Handler {
@@ -332,11 +336,13 @@ func New(options *Options) *API {
 				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
 				Optional:                    true,
 			}),
-			// Redirect to the login page if the user tries to open an app with
-			// "me" as the username and they are not logged in.
-			httpmw.ExtractUserParam(api.Database, true),
-			// Extracts the <workspace.agent> from the url
-			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
+			httpmw.AsAuthzSystem(
+				// Redirect to the login page if the user tries to open an app with
+				// "me" as the username and they are not logged in.
+				httpmw.ExtractUserParam(api.Database, true),
+				// Extracts the <workspace.agent> from the url
+				httpmw.ExtractWorkspaceAndAgentParam(api.Database),
+			),
 		)
 		r.HandleFunc("/*", api.workspaceAppsProxyPath)
 	}
 
@@ -12,16 +12,16 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coder/coder/cryptorand"
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/cryptorand"
+
 	"github.com/coder/coder/coderd"
-	"github.com/coder/coder/coderd/database/dbfake"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/rbac/regosql"
 	"github.com/coder/coder/codersdk"
@@ -30,12 +30,6 @@ import (
 )
 
 func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
-	// For any route using SQL filters, we need to know if the database is an
-	// in memory fake. This is because the in memory fake does not use SQL, and
-	// still uses rego. So this boolean indicates how to assert the expected
-	// behavior.
-	_, isMemoryDB := a.api.Database.(dbfake.FakeDatabase)
-
 	// Some quick reused objects
 	workspaceRBACObj := rbac.ResourceWorkspace.WithID(a.Workspace.ID).InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
 	workspaceExecObj := rbac.ResourceWorkspaceExecution.WithID(a.Workspace.ID).InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())
@@ -269,16 +263,17 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 		"POST:/api/v2/workspaces/{workspace}/builds":                    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 		"POST:/api/v2/organizations/{organization}/templateversions":    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 
-		// Endpoints that use the SQLQuery filter.
+		// For any route using SQL filters, we do not check authorization.
+		// This is because the in memory fake does not use SQL.
 		"GET:/api/v2/workspaces/": {
 			StatusCode:   http.StatusOK,
-			NoAuthorize:  !isMemoryDB,
+			NoAuthorize:  true,
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceWorkspace,
 		},
 		"GET:/api/v2/organizations/{organization}/templates": {
 			StatusCode:   http.StatusOK,
-			NoAuthorize:  !isMemoryDB,
+			NoAuthorize:  true,
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceTemplate,
 		},
 
@@ -2,15 +2,21 @@ package coderdtest_test
 
 import (
 	"context"
+	"os"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/codersdk"
 )
 
 func TestAuthorizeAllEndpoints(t *testing.T) {
+	if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), string(codersdk.ExperimentAuthzQuerier)) {
+		t.Skip("Skipping TestAuthorizeAllEndpoints for authz_querier experiment")
+	}
 	t.Parallel()
 	client, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
 		// Required for any subdomain-based proxy tests to pass.
 
@@ -35,6 +35,7 @@ import (
 	"github.com/golang-jwt/jwt"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/afero"
 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
@@ -58,6 +59,7 @@ import (
 	"github.com/coder/coder/coderd/autobuild/executor"
 	"github.com/coder/coder/coderd/awsidentity"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/gitauth"
 	"github.com/coder/coder/coderd/gitsshkey"
@@ -179,12 +181,13 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 		options.Database, options.Pubsub = dbtestutil.NewDB(t)
 	}
 	// TODO: remove this once we're ready to enable authz querier by default.
-	if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier") {
-		panic("Coming soon!")
-		// if options.Authorizer != nil {
-		// 	options.Authorizer = &RecordingAuthorizer{}
-		// }
-		// options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
+	if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), string(codersdk.ExperimentAuthzQuerier)) {
+		if options.Authorizer == nil {
+			options.Authorizer = &RecordingAuthorizer{
+				Wrapped: rbac.NewAuthorizer(prometheus.NewRegistry()),
+			}
+		}
+		options.Database = dbauthz.New(options.Database, options.Authorizer, slogtest.Make(t, nil).Leveled(slog.LevelDebug))
 	}
 	if options.DeploymentConfig == nil {
 		options.DeploymentConfig = DeploymentConfig(t)