coder
diff --git a/‎coderd/database/dbauthz/apikey.go
Lines changed: 0 additions & 39 deletions b/‎coderd/database/dbauthz/apikey.go
Lines changed: 0 additions & 39 deletions
diff --git a/‎coderd/database/dbauthz/apikey_test.go
Lines changed: 0 additions & 51 deletions b/‎coderd/database/dbauthz/apikey_test.go
Lines changed: 0 additions & 51 deletions
diff --git a/‎coderd/database/dbauthz/audit.go
Lines changed: 0 additions & 22 deletions b/‎coderd/database/dbauthz/audit.go
Lines changed: 0 additions & 22 deletions
diff --git a/‎coderd/database/dbauthz/audit_test.go
Lines changed: 0 additions & 23 deletions b/‎coderd/database/dbauthz/audit_test.go
Lines changed: 0 additions & 23 deletions
diff --git a/‎coderd/database/dbauthz/authzquerier.go
Lines changed: 41 additions & 0 deletions b/‎coderd/database/dbauthz/authzquerier.go
Lines changed: 41 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/authz_test.go renamed to ‎coderd/database/dbauthz/authzquerier_test.go
Lines changed: 38 additions & 38 deletions b/‎coderd/database/dbauthz/authz_test.go renamed to ‎coderd/database/dbauthz/authzquerier_test.go
Lines changed: 38 additions & 38 deletions
diff --git a/‎coderd/database/dbauthz/authz.go renamed to ‎coderd/database/dbauthz/crud.go
Lines changed: 1 addition & 40 deletions b/‎coderd/database/dbauthz/authz.go renamed to ‎coderd/database/dbauthz/crud.go
Lines changed: 1 addition & 40 deletions
@@ -3,8 +3,11 @@ package dbauthz
 import (
 	"context"
 	"database/sql"
+	"fmt"
 	"time"
 
+	"golang.org/x/xerrors"
+
 	"cdr.dev/slog"
 
 	"github.com/coder/coder/coderd/database"
@@ -13,6 +16,44 @@ import (
 
 var _ database.Store = (*AuthzQuerier)(nil)
 
+var (
+	// NoActorError wraps ErrNoRows for the api to return a 404. This is the correct
+	// response when the user is not authorized.
+	NoActorError = xerrors.Errorf("no authorization actor in context: %w", sql.ErrNoRows)
+)
+
+// NotAuthorizedError is a sentinel error that unwraps to sql.ErrNoRows.
+// This allows the internal error to be read by the caller if needed. Otherwise
+// it will be handled as a 404.
+type NotAuthorizedError struct {
+	Err error
+}
+
+func (e NotAuthorizedError) Error() string {
+	return fmt.Sprintf("unauthorized: %s", e.Err.Error())
+}
+
+// Unwrap will always unwrap to a sql.ErrNoRows so the API returns a 404.
+// So 'errors.Is(err, sql.ErrNoRows)' will always be true.
+func (NotAuthorizedError) Unwrap() error {
+	return sql.ErrNoRows
+}
+
+func LogNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) error {
+	// Only log the errors if it is an UnauthorizedError error.
+	internalError := new(rbac.UnauthorizedError)
+	if err != nil && xerrors.As(err, internalError) {
+		logger.Debug(ctx, "unauthorized",
+			slog.F("internal", internalError.Internal()),
+			slog.F("input", internalError.Input()),
+			slog.Error(err),
+		)
+	}
+	return NotAuthorizedError{
+		Err: err,
+	}
+}
+
 // AuthzQuerier is a wrapper around the database store that performs authorization
 // checks before returning data. All AuthzQuerier methods expect an authorization
 // subject present in the context. If no subject is present, most methods will
 
@@ -6,20 +6,54 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/xerrors"
+	"cdr.dev/slog/sloggers/slogtest"
 
 	"cdr.dev/slog"
-	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/database/dbfake"
 	"github.com/coder/coder/coderd/database/dbgen"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
 )
 
+func TestPing(t *testing.T) {
+	t.Parallel()
+
+	q := dbauthz.New(dbfake.New(), &coderdtest.RecordingAuthorizer{}, slog.Make())
+	_, err := q.Ping(context.Background())
+	require.NoError(t, err, "must not error")
+}
+
+// TestInTX is not perfect, just checks that it properly checks auth.
+func TestInTX(t *testing.T) {
+	t.Parallel()
+
+	db := dbfake.New()
+	q := dbauthz.New(db, &coderdtest.RecordingAuthorizer{
+		Wrapped: &coderdtest.FakeAuthorizer{AlwaysReturn: xerrors.New("custom error")},
+	}, slog.Make())
+	actor := rbac.Subject{
+		ID:     uuid.NewString(),
+		Roles:  rbac.RoleNames{rbac.RoleOwner()},
+		Groups: []string{},
+		Scope:  rbac.ScopeAll,
+	}
+
+	w := dbgen.Workspace(t, db, database.Workspace{})
+	ctx := dbauthz.WithAuthorizeContext(context.Background(), actor)
+	err := q.InTx(func(tx database.Store) error {
+		// The inner tx should use the parent's authz
+		_, err := tx.GetWorkspaceByID(ctx, w.ID)
+		return err
+	}, nil)
+	require.Error(t, err, "must error")
+	require.ErrorAs(t, err, &dbauthz.NotAuthorizedError{}, "must be an authorized error")
+}
+
 func TestNotAuthorizedError(t *testing.T) {
 	t.Parallel()
 
@@ -81,40 +115,6 @@ func TestDBAuthzRecursive(t *testing.T) {
 	}
 }
 
-func TestPing(t *testing.T) {
-	t.Parallel()
-
-	q := dbauthz.New(dbfake.New(), &coderdtest.RecordingAuthorizer{}, slog.Make())
-	_, err := q.Ping(context.Background())
-	require.NoError(t, err, "must not error")
-}
-
-// TestInTX is not perfect, just checks that it properly checks auth.
-func TestInTX(t *testing.T) {
-	t.Parallel()
-
-	db := dbfake.New()
-	q := dbauthz.New(db, &coderdtest.RecordingAuthorizer{
-		Wrapped: &coderdtest.FakeAuthorizer{AlwaysReturn: xerrors.New("custom error")},
-	}, slog.Make())
-	actor := rbac.Subject{
-		ID:     uuid.NewString(),
-		Roles:  rbac.RoleNames{rbac.RoleOwner()},
-		Groups: []string{},
-		Scope:  rbac.ScopeAll,
-	}
-
-	w := dbgen.Workspace(t, db, database.Workspace{})
-	ctx := dbauthz.WithAuthorizeContext(context.Background(), actor)
-	err := q.InTx(func(tx database.Store) error {
-		// The inner tx should use the parent's authz
-		_, err := tx.GetWorkspaceByID(ctx, w.ID)
-		return err
-	}, nil)
-	require.Error(t, err, "must error")
-	require.ErrorAs(t, err, &dbauthz.NotAuthorizedError{}, "must be an authorized error")
-}
-
 func must[T any](value T, err error) T {
 	if err != nil {
 		panic(err)
 
@@ -1,54 +1,15 @@
 package dbauthz
 
 import (
-	"context"
-	"database/sql"
-	"fmt"
-
 	"cdr.dev/slog"
+	"context"
 
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/rbac"
 )
 
-var (
-	// NoActorError wraps ErrNoRows for the api to return a 404. This is the correct
-	// response when the user is not authorized.
-	NoActorError = xerrors.Errorf("no authorization actor in context: %w", sql.ErrNoRows)
-)
 
-// NotAuthorizedError is a sentinel error that unwraps to sql.ErrNoRows.
-// This allows the internal error to be read by the caller if needed. Otherwise
-// it will be handled as a 404.
-type NotAuthorizedError struct {
-	Err error
-}
-
-func (e NotAuthorizedError) Error() string {
-	return fmt.Sprintf("unauthorized: %s", e.Err.Error())
-}
-
-// Unwrap will always unwrap to a sql.ErrNoRows so the API returns a 404.
-// So 'errors.Is(err, sql.ErrNoRows)' will always be true.
-func (NotAuthorizedError) Unwrap() error {
-	return sql.ErrNoRows
-}
-
-func LogNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) error {
-	// Only log the errors if it is an UnauthorizedError error.
-	internalError := new(rbac.UnauthorizedError)
-	if err != nil && xerrors.As(err, internalError) {
-		logger.Debug(ctx, "unauthorized",
-			slog.F("internal", internalError.Internal()),
-			slog.F("input", internalError.Input()),
-			slog.Error(err),
-		)
-	}
-	return NotAuthorizedError{
-		Err: err,
-	}
-}
 
 // insert runs an rbac.ActionCreate on the rbac object argument before
 // running the insertFunc. The insertFunc is expected to return the object that