coder
diff --git a/‎coderd/activitybump.go
+1-1 b/‎coderd/activitybump.go
+1-1
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
+2-2 b/‎coderd/autobuild/executor/lifecycle_executor.go
+2-2
diff --git a/‎coderd/coderd.go
+2-1 b/‎coderd/coderd.go
+2-1
diff --git a/‎coderd/coderdtest/coderdtest.go
+1-1 b/‎coderd/coderdtest/coderdtest.go
+1-1
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+65-21 b/‎coderd/database/dbauthz/dbauthz.go
+65-21
diff --git a/‎coderd/database/dbauthz/querier.go
-26 b/‎coderd/database/dbauthz/querier.go
-26
diff --git a/‎coderd/database/dbauthz/querier_test.go
-13 b/‎coderd/database/dbauthz/querier_test.go
-13
diff --git a/‎coderd/database/dbauthz/setup_test.go
+2-2 b/‎coderd/database/dbauthz/setup_test.go
+2-2
diff --git a/‎coderd/database/dbauthz/system.go
+15 b/‎coderd/database/dbauthz/system.go
+15
diff --git a/‎coderd/httpmw/apikey.go
+6-6 b/‎coderd/httpmw/apikey.go
+6-6
diff --git a/‎coderd/httpmw/authz.go
+17-3 b/‎coderd/httpmw/authz.go
+17-3
diff --git a/‎coderd/httpmw/hsts_test.go
+1-1 b/‎coderd/httpmw/hsts_test.go
+1-1
diff --git a/‎coderd/httpmw/userparam.go
+3-3 b/‎coderd/httpmw/userparam.go
+3-3
@@ -83,7 +83,7 @@ func activityBumpWorkspace(ctx context.Context, log slog.Logger, db database.Sto
 	}, nil)
 	if err != nil {
 		if !xerrors.Is(err, context.Canceled) {
-			// Bump will fail if the context is cancelled, but this is ok.
+			// Bump will fail if the context is canceled, but this is ok.
 			log.Error(ctx, "bump failed", slog.Error(err),
 				slog.F("workspace_id", workspaceID),
 			)
 
@@ -35,8 +35,8 @@ type Stats struct {
 // New returns a new autobuild executor.
 func New(ctx context.Context, db database.Store, log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
-		//nolint:gocritic // TODO: make an autostart role instead of using System
-		ctx:  dbauthz.AsSystem(ctx),
+		//nolint:gocritic // Autostart has a limited set of permissions.
+		ctx:  dbauthz.AsAutostart(ctx),
 		db:   db,
 		tick: tick,
 		log:  log,
 
@@ -187,7 +187,7 @@ func New(options *Options) *API {
 		options.PrometheusRegistry = prometheus.NewRegistry()
 	}
 	if options.Authorizer == nil {
-		options.Authorizer = rbac.NewAuthorizer(options.PrometheusRegistry)
+		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}
 	if options.TailnetCoordinator == nil {
 		options.TailnetCoordinator = tailnet.NewCoordinator()
@@ -289,6 +289,7 @@ func New(options *Options) *API {
 		tracing.StatusWriterMiddleware,
 		tracing.Middleware(api.TracerProvider),
 		httpmw.AttachRequestID,
+		httpmw.AttachAuthzCache,
 		httpmw.ExtractRealIP(api.RealIPConfig),
 		httpmw.Logger(api.Logger),
 		httpmw.Prometheus(options.PrometheusRegistry),
 
@@ -184,7 +184,7 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 	if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), string(codersdk.ExperimentAuthzQuerier)) {
 		if options.Authorizer == nil {
 			options.Authorizer = &RecordingAuthorizer{
-				Wrapped: rbac.NewAuthorizer(prometheus.NewRegistry()),
+				Wrapped: rbac.NewCachingAuthorizer(prometheus.NewRegistry()),
 			}
 		}
 		options.Database = dbauthz.New(options.Database, options.Authorizer, slogtest.Make(t, nil).Leveled(slog.LevelDebug))
 
@@ -46,12 +46,12 @@ func logNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) e
 	if err != nil && xerrors.As(err, &internalError) {
 		e := new(topdown.Error)
 		if xerrors.As(err, &e) || e.Code == topdown.CancelErr {
-			// For some reason rego changes a cancelled context to a topdown.CancelErr. We
-			// expect to check for cancelled context errors if the user cancels the request,
+			// For some reason rego changes a canceled context to a topdown.CancelErr. We
+			// expect to check for canceled context errors if the user cancels the request,
 			// so we should change the error to a context.Canceled error.
 			//
 			// NotAuthorizedError is == to sql.ErrNoRows, which is not correct
-			// if it's actually a cancelled context.
+			// if it's actually a canceled context.
 			internalError.SetInternal(context.Canceled)
 			return internalError
 		}
@@ -117,29 +117,73 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 	return a, ok
 }
 
-// AsSystem returns a context with a system actor. This is used for internal
-// system operations that are not tied to any particular actor.
-// When you use this function, be sure to add a //nolint comment
-// explaining why it is necessary.
-//
-// We trust you have received the usual lecture from the local System
-// Administrator. It usually boils down to these three things:
-// #1) Respect the privacy of others.
-// #2) Think before you type.
-// #3) With great power comes great responsibility.
-func AsSystem(ctx context.Context) context.Context {
+// AsProvisionerd returns a context with an actor that has permissions required
+// for provisionerd to function.
+func AsProvisionerd(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+		ID: uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Name:        "provisionerd",
+				DisplayName: "Provisioner Daemon",
+				Site: rbac.Permissions(map[string][]rbac.Action{
+					rbac.ResourceFile.Type:      {rbac.ActionRead},
+					rbac.ResourceTemplate.Type:  {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceUser.Type:      {rbac.ActionRead},
+					rbac.ResourceWorkspace.Type: {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
+				}),
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	},
+	)
+}
+
+// AsAutostart returns a context with an actor that has permissions required
+// for autostart to function.
+func AsAutostart(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+		ID: uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Name:        "autostart",
+				DisplayName: "Autostart Daemon",
+				Site: rbac.Permissions(map[string][]rbac.Action{
+					rbac.ResourceTemplate.Type:  {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceWorkspace.Type: {rbac.ActionRead, rbac.ActionUpdate},
+				}),
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	},
+	)
+}
+
+// AsSystemRestricted returns a context with an actor that has permissions
+// required for various system operations (login, logout, metrics cache).
+func AsSystemRestricted(ctx context.Context) context.Context {
 	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
 		ID: uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
 			{
 				Name:        "system",
-				DisplayName: "System",
-				Site: []rbac.Permission{
-					{
-						ResourceType: rbac.ResourceWildcard.Type,
-						Action:       rbac.WildcardSymbol,
-					},
-				},
+				DisplayName: "Coder",
+				Site: rbac.Permissions(map[string][]rbac.Action{
+					rbac.ResourceWildcard.Type:           {rbac.ActionRead},
+					rbac.ResourceAPIKey.Type:             {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
+					rbac.ResourceGroup.Type:              {rbac.ActionCreate, rbac.ActionUpdate},
+					rbac.ResourceRoleAssignment.Type:     {rbac.ActionCreate},
+					rbac.ResourceOrganization.Type:       {rbac.ActionCreate},
+					rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},
+					rbac.ResourceOrgRoleAssignment.Type:  {rbac.ActionCreate},
+					rbac.ResourceUser.Type:               {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
+					rbac.ResourceUserData.Type:           {rbac.ActionCreate, rbac.ActionUpdate},
+					rbac.ResourceWorkspace.Type:          {rbac.ActionUpdate},
+				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
 			},
 
@@ -327,13 +327,6 @@ func (q *querier) GetProvisionerDaemons(ctx context.Context) ([]database.Provisi
 	return fetchWithPostFilter(q.auth, fetch)(ctx, nil)
 }
 
-func (q *querier) GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow, error) {
-	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.All()); err != nil {
-		return nil, err
-	}
-	return q.db.GetDeploymentDAUs(ctx)
-}
-
 func (q *querier) GetGroupsByOrganizationID(ctx context.Context, organizationID uuid.UUID) ([]database.Group, error) {
 	return fetchWithPostFilter(q.auth, q.db.GetGroupsByOrganizationID)(ctx, organizationID)
 }
@@ -622,16 +615,6 @@ func (q *querier) GetPreviousTemplateVersion(ctx context.Context, arg database.G
 	return q.db.GetPreviousTemplateVersion(ctx, arg)
 }
 
-func (q *querier) GetTemplateAverageBuildTime(ctx context.Context, arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow, error) {
-	// An actor can read the average build time if they can read the related template.
-	// It doesn't make any sense to get the average build time for a template that doesn't
-	// exist, so omitting this check here.
-	if _, err := q.GetTemplateByID(ctx, arg.TemplateID.UUID); err != nil {
-		return database.GetTemplateAverageBuildTimeRow{}, err
-	}
-	return q.db.GetTemplateAverageBuildTime(ctx, arg)
-}
-
 func (q *querier) GetTemplateByID(ctx context.Context, id uuid.UUID) (database.Template, error) {
 	return fetch(q.log, q.auth, q.db.GetTemplateByID)(ctx, id)
 }
@@ -640,15 +623,6 @@ func (q *querier) GetTemplateByOrganizationAndName(ctx context.Context, arg data
 	return fetch(q.log, q.auth, q.db.GetTemplateByOrganizationAndName)(ctx, arg)
 }
 
-func (q *querier) GetTemplateDAUs(ctx context.Context, templateID uuid.UUID) ([]database.GetTemplateDAUsRow, error) {
-	// An actor can read the DAUs if they can read the related template.
-	// Again, it doesn't make sense to get DAUs for a template that doesn't exist.
-	if _, err := q.GetTemplateByID(ctx, templateID); err != nil {
-		return nil, err
-	}
-	return q.db.GetTemplateDAUs(ctx, templateID)
-}
-
 func (q *querier) GetTemplateVersionByID(ctx context.Context, tvid uuid.UUID) (database.TemplateVersion, error) {
 	tv, err := q.db.GetTemplateVersionByID(ctx, tvid)
 	if err != nil {
 
@@ -540,12 +540,6 @@ func (s *MethodTestSuite) TestTemplate() {
 			TemplateID:     uuid.NullUUID{UUID: t1.ID, Valid: true},
 		}).Asserts(t1, rbac.ActionRead).Returns(b)
 	}))
-	s.Run("GetTemplateAverageBuildTime", s.Subtest(func(db database.Store, check *expects) {
-		t1 := dbgen.Template(s.T(), db, database.Template{})
-		check.Args(database.GetTemplateAverageBuildTimeParams{
-			TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
-		}).Asserts(t1, rbac.ActionRead)
-	}))
 	s.Run("GetTemplateByID", s.Subtest(func(db database.Store, check *expects) {
 		t1 := dbgen.Template(s.T(), db, database.Template{})
 		check.Args(t1.ID).Asserts(t1, rbac.ActionRead).Returns(t1)
@@ -560,10 +554,6 @@ func (s *MethodTestSuite) TestTemplate() {
 			OrganizationID: o1.ID,
 		}).Asserts(t1, rbac.ActionRead).Returns(t1)
 	}))
-	s.Run("GetTemplateDAUs", s.Subtest(func(db database.Store, check *expects) {
-		t1 := dbgen.Template(s.T(), db, database.Template{})
-		check.Args(t1.ID).Asserts(t1, rbac.ActionRead)
-	}))
 	s.Run("GetTemplateVersionByJobID", s.Subtest(func(db database.Store, check *expects) {
 		t1 := dbgen.Template(s.T(), db, database.Template{})
 		tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
@@ -1220,7 +1210,4 @@ func (s *MethodTestSuite) TestExtraMethods() {
 		s.NoError(err, "insert provisioner daemon")
 		check.Args().Asserts(d, rbac.ActionRead)
 	}))
-	s.Run("GetDeploymentDAUs", s.Subtest(func(db database.Store, check *expects) {
-		check.Args().Asserts(rbac.ResourceUser.All(), rbac.ActionRead)
-	}))
 }
@@ -226,8 +226,8 @@ func (s *MethodTestSuite) NotAuthorizedErrorTest(ctx context.Context, az *coderd
 		}
 	})
 
-	s.Run("Cancelled", func() {
-		// Pass in a cancelled context
+	s.Run("Canceled", func() {
+		// Pass in a canceled context
 		ctx, cancel := context.WithCancel(ctx)
 		cancel()
 		az.AlwaysReturn = rbac.ForbiddenWithInternal(&topdown.Error{Code: topdown.CancelErr},
 
@@ -96,6 +96,21 @@ func (q *querier) GetTemplates(ctx context.Context) ([]database.Template, error)
 	return q.db.GetTemplates(ctx)
 }
 
+// Only used by metrics cache.
+func (q *querier) GetTemplateAverageBuildTime(ctx context.Context, arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow, error) {
+	return q.db.GetTemplateAverageBuildTime(ctx, arg)
+}
+
+// Only used by metrics cache.
+func (q *querier) GetTemplateDAUs(ctx context.Context, templateID uuid.UUID) ([]database.GetTemplateDAUsRow, error) {
+	return q.db.GetTemplateDAUs(ctx, templateID)
+}
+
+// Only used by metrics cache.
+func (q *querier) GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow, error) {
+	return q.db.GetDeploymentDAUs(ctx)
+}
+
 // UpdateWorkspaceBuildCostByID is used by the provisioning system to update the cost of a workspace build.
 func (q *querier) UpdateWorkspaceBuildCostByID(ctx context.Context, arg database.UpdateWorkspaceBuildCostByIDParams) (database.WorkspaceBuild, error) {
 	return q.db.UpdateWorkspaceBuildCostByID(ctx, arg)
 
@@ -161,7 +161,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			}
 
 			//nolint:gocritic // System needs to fetch API key to check if it's valid.
-			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx), keyID)
+			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystemRestricted(ctx), keyID)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					optionalWrite(http.StatusUnauthorized, codersdk.Response{
@@ -195,7 +195,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			)
 			if key.LoginType == database.LoginTypeGithub || key.LoginType == database.LoginTypeOIDC {
 				//nolint:gocritic // System needs to fetch UserLink to check if it's valid.
-				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{
+				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystemRestricted(ctx), database.GetUserLinkByUserIDLoginTypeParams{
 					UserID:    key.UserID,
 					LoginType: key.LoginType,
 				})
@@ -279,7 +279,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			}
 			if changed {
 				//nolint:gocritic // System needs to update API Key LastUsed
-				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{
+				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystemRestricted(ctx), database.UpdateAPIKeyByIDParams{
 					ID:        key.ID,
 					LastUsed:  key.LastUsed,
 					ExpiresAt: key.ExpiresAt,
@@ -296,7 +296,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// then we want to update the relevant oauth fields.
 				if link.UserID != uuid.Nil {
 					// nolint:gocritic
-					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
+					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLinkParams{
 						UserID:            link.UserID,
 						LoginType:         link.LoginType,
 						OAuthAccessToken:  link.OAuthAccessToken,
@@ -316,7 +316,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// load. We update alongside the UserLink and APIKey since it's
 				// easier on the DB to colocate writes.
 				// nolint:gocritic
-				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{
+				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLastSeenAtParams{
 					ID:         key.UserID,
 					LastSeenAt: database.Now(),
 					UpdatedAt:  database.Now(),
@@ -334,7 +334,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
 			// nolint:gocritic
-			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx), key.UserID)
+			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), key.UserID)
 			if err != nil {
 				write(http.StatusUnauthorized, codersdk.Response{
 					Message: internalErrorMessage,
 
@@ -3,9 +3,10 @@ package httpmw
 import (
 	"net/http"
 
-	"github.com/coder/coder/coderd/database/dbauthz"
-
 	"github.com/go-chi/chi/v5"
+
+	"github.com/coder/coder/coderd/database/dbauthz"
+	"github.com/coder/coder/coderd/rbac"
 )
 
 // AsAuthzSystem is a chained handler that temporarily sets the dbauthz context
@@ -27,11 +28,24 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 			}
 
 			// nolint:gocritic // AsAuthzSystem needs to do this.
-			r = r.WithContext(dbauthz.AsSystem(ctx))
+			r = r.WithContext(dbauthz.AsSystemRestricted(ctx))
 			chain.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 				r = r.WithContext(dbauthz.As(r.Context(), before))
 				next.ServeHTTP(rw, r)
 			})).ServeHTTP(rw, r)
 		})
 	}
 }
+
+// AttachAuthzCache enables the authz cache for the authorizer. All rbac checks will
+// run against the cache, meaning duplicate checks will not be performed.
+//
+// Note the cache is safe for multiple actors. So mixing user and system checks
+// is ok.
+func AttachAuthzCache(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		ctx := rbac.WithCacheCtx(r.Context())
+
+		next.ServeHTTP(rw, r.WithContext(ctx))
+	})
+}
@@ -96,7 +96,7 @@ func TestHSTS(t *testing.T) {
 			req := httptest.NewRequest("GET", "/", nil)
 			res := httptest.NewRecorder()
 			got.ServeHTTP(res, req)
-			
+
 			require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")
 		})
 	}
 
@@ -70,7 +70,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 				//nolint:gocritic // System needs to be able to get user from param.
-				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), apiKey.UserID)
+				user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), apiKey.UserID)
 				if xerrors.Is(err, sql.ErrNoRows) {
 					httpapi.ResourceNotFound(rw)
 					return
@@ -84,7 +84,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else if userID, err := uuid.Parse(userQuery); err == nil {
 				//nolint:gocritic // If the userQuery is a valid uuid
-				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), userID)
+				user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), userID)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 						Message: userErrorMessage,
@@ -93,7 +93,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else {
 				// nolint:gocritic // Try as a username last
-				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
+				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
 					Username: userQuery,
 				})
 				if err != nil {
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func activityBumpWorkspace(ctx context.Context, log slog.Logger, db database.Sto`
`83`	`83`	`}, nil)`
`84`	`84`	`if err != nil {`
`85`	`85`	`if !xerrors.Is(err, context.Canceled) {`
`86`		`- // Bump will fail if the context is cancelled, but this is ok.`
	`86`	`+ // Bump will fail if the context is canceled, but this is ok.`
`87`	`87`	`log.Error(ctx, "bump failed", slog.Error(err),`
`88`	`88`	`slog.F("workspace_id", workspaceID),`
`89`	`89`	`)`
Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ func NewOptions(t testing.T, options Options) (func(http.Handler), context.Can`
`184`	`184`	`if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), string(codersdk.ExperimentAuthzQuerier)) {`
`185`	`185`	`if options.Authorizer == nil {`
`186`	`186`	`options.Authorizer = &RecordingAuthorizer{`
`187`		`- Wrapped: rbac.NewAuthorizer(prometheus.NewRegistry()),`
	`187`	`+ Wrapped: rbac.NewCachingAuthorizer(prometheus.NewRegistry()),`
`188`	`188`	`}`
`189`	`189`	`}`
`190`	`190`	`options.Database = dbauthz.New(options.Database, options.Authorizer, slogtest.Make(t, nil).Leveled(slog.LevelDebug))`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func TestHSTS(t *testing.T) {`
`96`	`96`	`req := httptest.NewRequest("GET", "/", nil)`
`97`	`97`	`res := httptest.NewRecorder()`
`98`	`98`	`got.ServeHTTP(res, req)`
`99`		`-`
	`99`	`+`
`100`	`100`	`require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")`
`101`	`101`	`})`
`102`	`102`	`}`