coder
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 2 additions & 3 deletions b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 2 additions & 3 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 48 additions & 12 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 48 additions & 12 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 8 additions & 8 deletions b/‎coderd/httpmw/apikey.go
Lines changed: 8 additions & 8 deletions
diff --git a/‎coderd/httpmw/system_auth_ctx.go
Lines changed: 6 additions & 13 deletions b/‎coderd/httpmw/system_auth_ctx.go
Lines changed: 6 additions & 13 deletions
diff --git a/‎coderd/httpmw/userparam.go
Lines changed: 6 additions & 8 deletions b/‎coderd/httpmw/userparam.go
Lines changed: 6 additions & 8 deletions
diff --git a/‎coderd/httpmw/workspaceagent.go
Lines changed: 5 additions & 4 deletions b/‎coderd/httpmw/workspaceagent.go
Lines changed: 5 additions & 4 deletions
diff --git a/‎coderd/metricscache/metricscache.go
Lines changed: 5 additions & 6 deletions b/‎coderd/metricscache/metricscache.go
Lines changed: 5 additions & 6 deletions
@@ -13,7 +13,6 @@ import (
 	"github.com/coder/coder/coderd/autobuild/schedule"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbauthz"
-	"github.com/coder/coder/coderd/rbac"
 )
 
 // Executor automatically starts or stops workspaces.
@@ -35,8 +34,8 @@ type Stats struct {
 // New returns a new autobuild executor.
 func New(ctx context.Context, db database.Store, log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
-		// Use an authorized context with an autostart system actor.
-		ctx:  dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAutostartSystem()),
+		// Use an authorized context
+		ctx:  dbauthz.AsSystem(ctx),
 		db:   db,
 		tick: tick,
 		log:  log,
 
@@ -105,20 +105,56 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 	return a, ok
 }
 
-func WithAuthorizeContext(ctx context.Context, actor rbac.Subject) context.Context {
-	return context.WithValue(ctx, authContextKey{}, actor)
+// func WithAuthorizeContext(ctx context.Context, actor rbac.Subject) context.Context {
+// 	return context.WithValue(ctx, authContextKey{}, actor)
+// }
+
+// func WithAuthorizeSystemContext(ctx context.Context, roles rbac.ExpandableRoles) context.Context {
+// 	// TODO: Add protections to search for user roles. If user roles are found,
+// 	// this should panic. That is a developer error that should be caught
+// 	// in unit tests.
+// 	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+// 		ID:     uuid.Nil.String(),
+// 		Roles:  roles,
+// 		Scope:  rbac.ScopeAll,
+// 		Groups: []string{},
+// 	})
+// }
+
+// AsSystem returns a context with a system actor. This is used for internal
+// system operations that do not require authorization.
+//
+// We trust you have received the usual lecture from the local System
+// Administrator. It usually boils down to these three things:
+// #1) Respect the privacy of others.
+// #2) Think before you type.
+// #3) With great power comes great responsibility.
+func AsSystem(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+		ID: uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Name:        "system",
+				DisplayName: "System",
+				Site: []rbac.Permission{
+					{
+						ResourceType: rbac.ResourceWildcard.Type,
+						Action:       rbac.WildcardSymbol,
+					},
+				},
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+	},
+	)
 }
 
-func WithAuthorizeSystemContext(ctx context.Context, roles rbac.ExpandableRoles) context.Context {
-	// TODO: Add protections to search for user roles. If user roles are found,
-	// this should panic. That is a developer error that should be caught
-	// in unit tests.
-	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
-		ID:     uuid.Nil.String(),
-		Roles:  roles,
-		Scope:  rbac.ScopeAll,
-		Groups: []string{},
-	})
+// As returns a context with the given actor stored in the context.
+// This is used for cases where the actor touching the database is not the
+// actor stored in the context.
+func As(ctx context.Context, actor rbac.Subject) context.Context {
+	return context.WithValue(ctx, authContextKey{}, actor)
 }
 
 //
 
@@ -116,7 +116,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+			// systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			// Write wraps writing a response to redirect if the handler
 			// specified it should. This redirect is used for user-facing pages
 			// like workspace applications.
@@ -161,7 +161,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				return
 			}
 
-			key, err := cfg.DB.GetAPIKeyByID(systemCtx, keyID)
+			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx), keyID)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					optionalWrite(http.StatusUnauthorized, codersdk.Response{
@@ -194,7 +194,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				changed = false
 			)
 			if key.LoginType == database.LoginTypeGithub || key.LoginType == database.LoginTypeOIDC {
-				link, err = cfg.DB.GetUserLinkByUserIDLoginType(systemCtx, database.GetUserLinkByUserIDLoginTypeParams{
+				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{
 					UserID:    key.UserID,
 					LoginType: key.LoginType,
 				})
@@ -277,7 +277,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				}
 			}
 			if changed {
-				err := cfg.DB.UpdateAPIKeyByID(systemCtx, database.UpdateAPIKeyByIDParams{
+				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{
 					ID:        key.ID,
 					LastUsed:  key.LastUsed,
 					ExpiresAt: key.ExpiresAt,
@@ -293,7 +293,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// If the API Key is associated with a user_link (e.g. Github/OIDC)
 				// then we want to update the relevant oauth fields.
 				if link.UserID != uuid.Nil {
-					link, err = cfg.DB.UpdateUserLink(systemCtx, database.UpdateUserLinkParams{
+					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
 						UserID:            link.UserID,
 						LoginType:         link.LoginType,
 						OAuthAccessToken:  link.OAuthAccessToken,
@@ -312,7 +312,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// We only want to update this occasionally to reduce DB write
 				// load. We update alongside the UserLink and APIKey since it's
 				// easier on the DB to colocate writes.
-				_, err = cfg.DB.UpdateUserLastSeenAt(systemCtx, database.UpdateUserLastSeenAtParams{
+				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{
 					ID:         key.UserID,
 					LastSeenAt: database.Now(),
 					UpdatedAt:  database.Now(),
@@ -329,7 +329,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// If the key is valid, we also fetch the user roles and status.
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
-			roles, err := cfg.DB.GetAuthorizationUserRoles(systemCtx, key.UserID)
+			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx), key.UserID)
 			if err != nil {
 				write(http.StatusUnauthorized, codersdk.Response{
 					Message: internalErrorMessage,
@@ -358,7 +358,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				Actor:    actor,
 			})
 			// Set the auth context for the authzquerier as well.
-			ctx = dbauthz.WithAuthorizeContext(ctx, actor)
+			ctx = dbauthz.As(ctx, actor)
 
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 
@@ -1,17 +1,10 @@
 package httpmw
 
-import (
-	"net/http"
-
-	"github.com/coder/coder/coderd/database/dbauthz"
-	"github.com/coder/coder/coderd/rbac"
-)
-
 // SystemAuthCtx sets the system auth context for the request.
 // Use sparingly.
-func SystemAuthCtx(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		ctx := dbauthz.WithAuthorizeSystemContext(r.Context(), rbac.RolesAdminSystem())
-		next.ServeHTTP(rw, r.WithContext(ctx))
-	})
-}
+// func SystemAuthCtx(next http.Handler) http.Handler {
+// 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+// 		ctx := dbauthz.AsSystem(r.Context())
+// 		next.ServeHTTP(rw, r.WithContext(ctx))
+// 	})
+// }
@@ -13,7 +13,6 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/httpapi"
-	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -43,10 +42,9 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			var (
-				ctx       = r.Context()
-				systemCtx = dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
-				user      database.User
-				err       error
+				ctx  = r.Context()
+				user database.User
+				err  error
 			)
 
 			// userQuery is either a uuid, a username, or 'me'
@@ -71,7 +69,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					})
 					return
 				}
-				user, err = db.GetUserByID(systemCtx, apiKey.UserID)
+				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), apiKey.UserID)
 				if xerrors.Is(err, sql.ErrNoRows) {
 					httpapi.ResourceNotFound(rw)
 					return
@@ -85,7 +83,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else if userID, err := uuid.Parse(userQuery); err == nil {
 				// If the userQuery is a valid uuid
-				user, err = db.GetUserByID(systemCtx, userID)
+				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), userID)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 						Message: userErrorMessage,
@@ -94,7 +92,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else {
 				// Try as a username last
-				user, err = db.GetUserByEmailOrUsername(systemCtx, database.GetUserByEmailOrUsernameParams{
+				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
 					Username: userQuery,
 				})
 				if err != nil {
 
@@ -32,7 +32,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+			// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 			tokenValue := apiTokenFromRequest(r)
 			if tokenValue == "" {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -48,7 +48,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				})
 				return
 			}
-			agent, err := db.GetWorkspaceAgentByAuthToken(systemCtx, token)
+			agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystem(ctx), token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@@ -65,7 +65,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				return
 			}
 
-			subject, err := getAgentSubject(systemCtx, db, agent)
+			subject, err := getAgentSubject(dbauthz.AsSystem(ctx), db, agent)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error fetching workspace agent.",
@@ -75,7 +75,8 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 			}
 
 			ctx = context.WithValue(ctx, workspaceAgentContextKey{}, agent)
-			ctx = dbauthz.WithAuthorizeContext(ctx, subject)
+			// Also set the dbauthz actor for the request.
+			ctx = dbauthz.As(ctx, subject)
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
 
@@ -15,7 +15,6 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbauthz"
-	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/retry"
 )
@@ -144,8 +143,8 @@ func countUniqueUsers(rows []database.GetTemplateDAUsRow) int {
 }
 
 func (c *Cache) refresh(ctx context.Context) error {
-	systemCtx := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
-	err := c.database.DeleteOldAgentStats(systemCtx)
+	// dbauthz.AsSystem(ctx) := dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+	err := c.database.DeleteOldAgentStats(dbauthz.AsSystem(ctx))
 	if err != nil {
 		return xerrors.Errorf("delete old stats: %w", err)
 	}
@@ -162,22 +161,22 @@ func (c *Cache) refresh(ctx context.Context) error {
 		templateAverageBuildTimes = make(map[uuid.UUID]database.GetTemplateAverageBuildTimeRow)
 	)
 
-	rows, err := c.database.GetDeploymentDAUs(systemCtx)
+	rows, err := c.database.GetDeploymentDAUs(dbauthz.AsSystem(ctx))
 	if err != nil {
 		return err
 	}
 	deploymentDAUs = convertDeploymentDAUResponse(rows)
 	c.deploymentDAUResponses.Store(&deploymentDAUs)
 
 	for _, template := range templates {
-		rows, err := c.database.GetTemplateDAUs(systemCtx, template.ID)
+		rows, err := c.database.GetTemplateDAUs(dbauthz.AsSystem(ctx), template.ID)
 		if err != nil {
 			return err
 		}
 		templateDAUs[template.ID] = convertDAUResponse(rows)
 		templateUniqueUsers[template.ID] = countUniqueUsers(rows)
 
-		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(systemCtx, database.GetTemplateAverageBuildTimeParams{
+		templateAvgBuildTime, err := c.database.GetTemplateAverageBuildTime(dbauthz.AsSystem(ctx), database.GetTemplateAverageBuildTimeParams{
 			TemplateID: uuid.NullUUID{
 				UUID:  template.ID,
 				Valid: true,