coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 27 additions & 22 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 27 additions & 22 deletions
diff --git a/‎coderd/database/dbauthz/querier_test.go
Lines changed: 0 additions & 74 deletions b/‎coderd/database/dbauthz/querier_test.go
Lines changed: 0 additions & 74 deletions
@@ -115,17 +115,16 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 	return a, ok
 }
 
-// AsProvisionerd returns a context with an actor that has permissions required
-// for provisionerd to function.
-func AsProvisionerd(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+var (
+	subjectProvisionerd = rbac.Subject{
 		ID: uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
 			{
 				Name:        "provisionerd",
 				DisplayName: "Provisioner Daemon",
 				Site: rbac.Permissions(map[string][]rbac.Action{
 					rbac.ResourceFile.Type:      {rbac.ActionRead},
+					rbac.ResourceSystem.Type:    {rbac.WildcardSymbol},
 					rbac.ResourceTemplate.Type:  {rbac.ActionRead, rbac.ActionUpdate},
 					rbac.ResourceUser.Type:      {rbac.ActionRead},
 					rbac.ResourceWorkspace.Type: {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
@@ -135,14 +134,8 @@ func AsProvisionerd(ctx context.Context) context.Context {
 			},
 		}),
 		Scope: rbac.ScopeAll,
-	},
-	)
-}
-
-// AsAutostart returns a context with an actor that has permissions required
-// for autostart to function.
-func AsAutostart(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+	}
+	subjectAutostart = rbac.Subject{
 		ID: uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
 			{
@@ -157,14 +150,8 @@ func AsAutostart(ctx context.Context) context.Context {
 			},
 		}),
 		Scope: rbac.ScopeAll,
-	},
-	)
-}
-
-// AsSystemRestricted returns a context with an actor that has permissions
-// required for various system operations (login, logout, metrics cache).
-func AsSystemRestricted(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+	}
+	subjectSystemRestricted = rbac.Subject{
 		ID: uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
 			{
@@ -175,6 +162,7 @@ func AsSystemRestricted(ctx context.Context) context.Context {
 					rbac.ResourceAPIKey.Type:             {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 					rbac.ResourceGroup.Type:              {rbac.ActionCreate, rbac.ActionUpdate},
 					rbac.ResourceRoleAssignment.Type:     {rbac.ActionCreate},
+					rbac.ResourceSystem.Type:             {rbac.WildcardSymbol},
 					rbac.ResourceOrganization.Type:       {rbac.ActionCreate},
 					rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},
 					rbac.ResourceOrgRoleAssignment.Type:  {rbac.ActionCreate},
@@ -187,8 +175,25 @@ func AsSystemRestricted(ctx context.Context) context.Context {
 			},
 		}),
 		Scope: rbac.ScopeAll,
-	},
-	)
+	}
+)
+
+// AsProvisionerd returns a context with an actor that has permissions required
+// for provisionerd to function.
+func AsProvisionerd(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, subjectProvisionerd)
+}
+
+// AsAutostart returns a context with an actor that has permissions required
+// for autostart to function.
+func AsAutostart(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, subjectAutostart)
+}
+
+// AsSystemRestricted returns a context with an actor that has permissions
+// required for various system operations (login, logout, metrics cache).
+func AsSystemRestricted(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, subjectSystemRestricted)
 }
 
 var AsRemoveActor = rbac.Subject{
 
@@ -282,11 +282,6 @@ func (s *MethodTestSuite) TestProvsionerJob() {
 		check.Args(database.UpdateProvisionerJobWithCancelByIDParams{ID: j.ID}).
 			Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead, rbac.ActionUpdate}).Returns()
 	}))
-	s.Run("GetProvisionerJobsByIDs", s.Subtest(func(db database.Store, check *expects) {
-		a := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{})
-		b := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{})
-		check.Args([]uuid.UUID{a.ID, b.ID}).Asserts().Returns(slice.New(a, b))
-	}))
 	s.Run("GetProvisionerLogsByIDBetween", s.Subtest(func(db database.Store, check *expects) {
 		w := dbgen.Workspace(s.T(), db, database.Workspace{})
 		j := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{
@@ -619,22 +614,6 @@ func (s *MethodTestSuite) TestTemplate() {
 		})
 		check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns(tv)
 	}))
-	s.Run("GetTemplateVersionsByIDs", s.Subtest(func(db database.Store, check *expects) {
-		t1 := dbgen.Template(s.T(), db, database.Template{})
-		t2 := dbgen.Template(s.T(), db, database.Template{})
-		tv1 := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
-			TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
-		})
-		tv2 := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
-			TemplateID: uuid.NullUUID{UUID: t2.ID, Valid: true},
-		})
-		tv3 := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
-			TemplateID: uuid.NullUUID{UUID: t2.ID, Valid: true},
-		})
-		check.Args([]uuid.UUID{tv1.ID, tv2.ID, tv3.ID}).
-			Asserts( /*t1, rbac.ActionRead, t2, rbac.ActionRead*/ ).
-			Returns(slice.New(tv1, tv2, tv3))
-	}))
 	s.Run("GetTemplateVersionsByTemplateID", s.Subtest(func(db database.Store, check *expects) {
 		t1 := dbgen.Template(s.T(), db, database.Template{})
 		a := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
@@ -803,13 +782,6 @@ func (s *MethodTestSuite) TestUser() {
 		b := dbgen.User(s.T(), db, database.User{CreatedAt: database.Now()})
 		check.Args(database.GetUsersParams{}).Asserts(a, rbac.ActionRead, b, rbac.ActionRead)
 	}))
-	s.Run("GetUsersByIDs", s.Subtest(func(db database.Store, check *expects) {
-		a := dbgen.User(s.T(), db, database.User{CreatedAt: database.Now().Add(-time.Hour)})
-		b := dbgen.User(s.T(), db, database.User{CreatedAt: database.Now()})
-		check.Args([]uuid.UUID{a.ID, b.ID}).
-			Asserts( /*a, rbac.ActionRead, b, rbac.ActionRead*/ ).
-			Returns(slice.New(a, b))
-	}))
 	s.Run("InsertUser", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(database.InsertUserParams{
 			ID:        uuid.New(),
@@ -977,14 +949,6 @@ func (s *MethodTestSuite) TestWorkspace() {
 		agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
 		check.Args(agt.AuthInstanceID.String).Asserts(ws, rbac.ActionRead).Returns(agt)
 	}))
-	s.Run("GetWorkspaceAgentsByResourceIDs", s.Subtest(func(db database.Store, check *expects) {
-		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
-		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
-		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
-		agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
-		check.Args([]uuid.UUID{res.ID}).Asserts( /*ws, rbac.ActionRead*/ ).
-			Returns([]database.WorkspaceAgent{agt})
-	}))
 	s.Run("UpdateWorkspaceAgentLifecycleStateByID", s.Subtest(func(db database.Store, check *expects) {
 		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
 		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
@@ -1026,23 +990,6 @@ func (s *MethodTestSuite) TestWorkspace() {
 
 		check.Args(agt.ID).Asserts(ws, rbac.ActionRead).Returns(slice.New(a, b))
 	}))
-	s.Run("GetWorkspaceAppsByAgentIDs", s.Subtest(func(db database.Store, check *expects) {
-		aWs := dbgen.Workspace(s.T(), db, database.Workspace{})
-		aBuild := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: aWs.ID, JobID: uuid.New()})
-		aRes := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: aBuild.JobID})
-		aAgt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: aRes.ID})
-		a := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: aAgt.ID})
-
-		bWs := dbgen.Workspace(s.T(), db, database.Workspace{})
-		bBuild := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: bWs.ID, JobID: uuid.New()})
-		bRes := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: bBuild.JobID})
-		bAgt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: bRes.ID})
-		b := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: bAgt.ID})
-
-		check.Args([]uuid.UUID{a.AgentID, b.AgentID}).
-			Asserts( /*aWs, rbac.ActionRead, bWs, rbac.ActionRead*/ ).
-			Returns([]database.WorkspaceApp{a, b})
-	}))
 	s.Run("GetWorkspaceBuildByID", s.Subtest(func(db database.Store, check *expects) {
 		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
 		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
@@ -1096,15 +1043,6 @@ func (s *MethodTestSuite) TestWorkspace() {
 		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
 		check.Args(res.ID).Asserts(ws, rbac.ActionRead).Returns(res)
 	}))
-	s.Run("GetWorkspaceResourceMetadataByResourceIDs", s.Subtest(func(db database.Store, check *expects) {
-		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
-		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
-		_ = dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
-		a := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
-		b := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
-		check.Args([]uuid.UUID{a.ID, b.ID}).
-			Asserts( /*ws, []rbac.Action{rbac.ActionRead, rbac.ActionRead}*/ )
-	}))
 	s.Run("Build/GetWorkspaceResourcesByJobID", s.Subtest(func(db database.Store, check *expects) {
 		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
 		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
@@ -1117,18 +1055,6 @@ func (s *MethodTestSuite) TestWorkspace() {
 		job := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{ID: v.JobID, Type: database.ProvisionerJobTypeTemplateVersionImport})
 		check.Args(job.ID).Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead, rbac.ActionRead}).Returns([]database.WorkspaceResource{})
 	}))
-	s.Run("GetWorkspaceResourcesByJobIDs", s.Subtest(func(db database.Store, check *expects) {
-		tpl := dbgen.Template(s.T(), db, database.Template{})
-		v := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{TemplateID: uuid.NullUUID{UUID: tpl.ID, Valid: true}, JobID: uuid.New()})
-		tJob := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{ID: v.JobID, Type: database.ProvisionerJobTypeTemplateVersionImport})
-
-		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
-		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
-		wJob := dbgen.ProvisionerJob(s.T(), db, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
-		check.Args([]uuid.UUID{tJob.ID, wJob.ID}).
-			Asserts( /*v.RBACObject(tpl), rbac.ActionRead, ws, rbac.ActionRead*/ ).
-			Returns([]database.WorkspaceResource{})
-	}))
 	s.Run("InsertWorkspace", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
 		o := dbgen.Organization(s.T(), db, database.Organization{})