coder
diff --git a/‎cli/testdata/coder_provisioner_list_--output_json.golden
+1-1 b/‎cli/testdata/coder_provisioner_list_--output_json.golden
+1-1
diff --git a/‎coderd/coderd.go
+2-12 b/‎coderd/coderd.go
+2-12
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+1-1 b/‎coderd/database/dbauthz/dbauthz_test.go
+1-1
diff --git a/‎coderd/database/dbgen/dbgen.go
+1-1 b/‎coderd/database/dbgen/dbgen.go
+1-1
diff --git a/‎coderd/database/dump.sql
+7-7 b/‎coderd/database/dump.sql
+7-7
diff --git a/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql
+1-1 b/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql
+1-1
diff --git a/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql
+4-4 b/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql
+4-4
diff --git a/‎coderd/database/models.go
+24-24 b/‎coderd/database/models.go
+24-24
diff --git a/‎coderd/database/queries.sql.go
+1-1 b/‎coderd/database/queries.sql.go
+1-1
diff --git a/‎coderd/externalauth_test.go
+12-11 b/‎coderd/externalauth_test.go
+12-11
diff --git a/‎coderd/gitsshkey_test.go
+6-1 b/‎coderd/gitsshkey_test.go
+6-1
diff --git a/‎coderd/httpmw/workspaceagent.go
+1-1 b/‎coderd/httpmw/workspaceagent.go
+1-1
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
+3-3 b/‎coderd/provisionerdserver/provisionerdserver.go
+3-3
diff --git a/‎coderd/rbac/authz_internal_test.go
+2-30 b/‎coderd/rbac/authz_internal_test.go
+2-30
@@ -7,7 +7,7 @@
     "last_seen_at": "====[timestamp]=====",
     "name": "test",
     "version": "v0.0.0-devel",
-    "api_version": "1.4",
+    "api_version": "1.5",
     "provisioners": [
       "echo"
     ],
 
@@ -804,11 +804,6 @@ func New(options *Options) *API {
 		DB:       options.Database,
 		Optional: false,
 	})
-	// Same as above but optional
-	workspaceAgentInfoOptional := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
-		DB:       options.Database,
-		Optional: true,
-	})
 
 	// API rate limit middleware. The counter is local and not shared between
 	// replicas or instances of this middleware.
@@ -1029,7 +1024,6 @@ func New(options *Options) *API {
 		r.Route("/external-auth", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				workspaceAgentInfoOptional,
 			)
 			// Get without a specific external auth ID will return all external auths.
 			r.Get("/", api.listUserExternalAuths)
@@ -1265,12 +1259,8 @@ func New(options *Options) *API {
 							r.Get("/", api.workspaceByOwnerAndName)
 							r.Get("/builds/{buildnumber}", api.workspaceBuildByBuildNumber)
 						})
-						r.With(
-							workspaceAgentInfoOptional,
-						).Get("/gitsshkey", api.gitSSHKey)
-						r.With(
-							workspaceAgentInfoOptional,
-						).Put("/gitsshkey", api.regenerateGitSSHKey)
+						r.Get("/gitsshkey", api.gitSSHKey)
+						r.Put("/gitsshkey", api.regenerateGitSSHKey)
 						r.Route("/notifications", func(r chi.Router) {
 							r.Route("/preferences", func(r chi.Router) {
 								r.Get("/", api.userNotificationPreferences)
 
@@ -3988,7 +3988,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		check.Args(database.InsertWorkspaceAgentParams{
 			ID:          uuid.New(),
 			Name:        "dev",
-			APIKeyScope: database.ApiKeyScopeEnumDefault,
+			APIKeyScope: database.AgentKeyScopeEnumAll,
 		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
 
@@ -210,7 +210,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
 		MOTDFile:                 takeFirst(orig.TroubleshootingURL, ""),
 		DisplayApps:              append([]database.DisplayApp{}, orig.DisplayApps...),
 		DisplayOrder:             takeFirst(orig.DisplayOrder, 1),
-		APIKeyScope:              takeFirst(orig.APIKeyScope, database.ApiKeyScopeEnumDefault),
+		APIKeyScope:              takeFirst(orig.APIKeyScope, database.AgentKeyScopeEnumAll),
 	})
 	require.NoError(t, err, "insert workspace agent")
 	return agt
 
@@ -3,4 +3,4 @@ ALTER TABLE workspace_agents
 DROP COLUMN IF EXISTS api_key_scope;
 
 -- Drop the enum type for API key scope
-DROP TYPE IF EXISTS api_key_scope_enum;
+DROP TYPE IF EXISTS agent_key_scope_enum;
@@ -1,10 +1,10 @@
 -- Create the enum type for API key scope
-CREATE TYPE api_key_scope_enum AS ENUM ('default', 'no_user_data');
+CREATE TYPE agent_key_scope_enum AS ENUM ('all', 'no_user_data');
 
 -- Add the api_key_scope column to the workspace_agents table
--- It defaults to 'default' to maintain existing behavior for current agents.
+-- It defaults to 'all' to maintain existing behavior for current agents.
 ALTER TABLE workspace_agents
-ADD COLUMN api_key_scope api_key_scope_enum NOT NULL DEFAULT 'default';
+ADD COLUMN api_key_scope agent_key_scope_enum NOT NULL DEFAULT 'all';
 
 -- Add a comment explaining the purpose of the column
-COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''default'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
+COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''all'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
@@ -713,7 +713,7 @@ func TestExternalAuthCallback(t *testing.T) {
 			apiKeyScope  string
 			expectsError bool
 		}{
-			{apiKeyScope: "default", expectsError: false},
+			{apiKeyScope: "all", expectsError: false},
 			{apiKeyScope: "no_user_data", expectsError: true},
 		} {
 			t.Run(tt.apiKeyScope, func(t *testing.T) {
@@ -746,6 +746,15 @@ func TestExternalAuthCallback(t *testing.T) {
 				token, err := agentClient.ExternalAuth(t.Context(), agentsdk.ExternalAuthRequest{
 					Match: "github.com/asd/asd",
 				})
+
+				if tt.expectsError {
+					require.Error(t, err)
+					var sdkErr *codersdk.Error
+					require.ErrorAs(t, err, &sdkErr)
+					require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
+					return
+				}
+
 				require.NoError(t, err)
 				require.NotEmpty(t, token.URL)
 
@@ -756,13 +765,8 @@ func TestExternalAuthCallback(t *testing.T) {
 						Match:  "github.com/asd/asd",
 						Listen: true,
 					})
-					if tt.expectsError {
-						assert.Error(t, err)
-						close(tokenChan)
-					} else {
-						assert.NoError(t, err)
-						tokenChan <- token
-					}
+					assert.NoError(t, err)
+					tokenChan <- token
 				}()
 
 				time.Sleep(250 * time.Millisecond)
@@ -771,9 +775,6 @@ func TestExternalAuthCallback(t *testing.T) {
 				require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 
 				token = <-tokenChan
-				if tt.expectsError {
-					return
-				}
 				require.Equal(t, "access_token", token.Username)
 
 				token, err = agentClient.ExternalAuth(t.Context(), agentsdk.ExternalAuthRequest{
 
@@ -2,6 +2,7 @@ package coderd_test
 
 import (
 	"context"
+	"net/http"
 	"testing"
 
 	"github.com/google/uuid"
@@ -12,6 +13,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/gitsshkey"
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/provisioner/echo"
 	"github.com/coder/coder/v2/testutil"
@@ -134,7 +136,7 @@ func TestAgentGitSSHKey_APIKeyScopes(t *testing.T) {
 		apiKeyScope string
 		expectError bool
 	}{
-		{apiKeyScope: "default", expectError: false},
+		{apiKeyScope: "all", expectError: false},
 		{apiKeyScope: "no_user_data", expectError: true},
 	} {
 		t.Run(tt.apiKeyScope, func(t *testing.T) {
@@ -165,6 +167,9 @@ func TestAgentGitSSHKey_APIKeyScopes(t *testing.T) {
 
 			if tt.expectError {
 				require.Error(t, err)
+				var sdkErr *codersdk.Error
+				require.ErrorAs(t, err, &sdkErr)
+				require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
 			} else {
 				require.NoError(t, err)
 			}
 
@@ -118,7 +118,7 @@ func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuil
 					OwnerID:       row.WorkspaceTable.OwnerID,
 					TemplateID:    row.WorkspaceTable.TemplateID,
 					VersionID:     row.WorkspaceBuild.TemplateVersionID,
-					BlockUserData: row.WorkspaceAgent.APIKeyScope == database.ApiKeyScopeEnumNoUserData,
+					BlockUserData: row.WorkspaceAgent.APIKeyScope == database.AgentKeyScopeEnumNoUserData,
 				}),
 			)
 			if err != nil {
 
@@ -2003,9 +2003,9 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 			}
 		}
 
-		apiKeyScope := database.ApiKeyScopeEnumDefault
-		if prAgent.ApiKeyScope == string(database.ApiKeyScopeEnumNoUserData) {
-			apiKeyScope = database.ApiKeyScopeEnumNoUserData
+		apiKeyScope := database.AgentKeyScopeEnumAll
+		if prAgent.ApiKeyScope == string(database.AgentKeyScopeEnumNoUserData) {
+			apiKeyScope = database.AgentKeyScopeEnumNoUserData
 		}
 
 		agentID := uuid.New()
 
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"slices"
 	"sync"
 	"testing"
 
@@ -1055,51 +1054,24 @@ func TestAuthorizeScope(t *testing.T) {
 		},
 	)
 
-	// This scope can only create workspaces
 	meID := uuid.New()
 	user = Subject{
 		ID: meID.String(),
 		Roles: Roles{
 			must(RoleByName(RoleMember())),
 			must(RoleByName(ScopedRoleOrgMember(defOrg))),
 		},
-		Scope: Scope{
-			Role: Role{
-				Identifier:  RoleIdentifier{Name: "no_personal_data"},
-				DisplayName: "No Personal Data",
-				Site: append(
-					// Workspace dormancy and workspace are omitted.
-					// Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec
-					allPermsExcept(ResourceUser),
-					// This adds back in the Workspace permissions.
-					Permissions(map[string][]policy.Action{
-						ResourceUser.Type: {policy.ActionRead},
-					})...),
-				Org:  map[string][]Permission{},
-				User: []Permission{},
-			},
-			// Empty string allow_list is allowed for actions like 'create'
-			AllowIDList: []string{meID.String()},
-		},
+		Scope: must(ScopeNoUserData.Expand()),
 	}
-
 	testAuthorize(t, "ReadPersonalUser", user,
-		// All these cases will fail because a resource ID is set.
 		cases(func(c authTestCase) authTestCase {
-			c.actions = slices.DeleteFunc(ResourceUser.AvailableActions(), func(action policy.Action) bool {
-				return action == policy.ActionRead
-			})
+			c.actions = ResourceUser.AvailableActions()
 			c.allow = false
 			c.resource.ID = meID.String()
 			return c
 		}, []authTestCase{
 			{resource: ResourceUser.WithOwner(meID.String()).InOrg(defOrg).WithID(meID)},
 		}),
-
-		// Test create allowed by scope:
-		[]authTestCase{
-			{resource: ResourceUser.WithOwner(meID.String()).InOrg(defOrg).WithID(meID), actions: []policy.Action{policy.ActionRead}, allow: true},
-		},
 	)
 }
Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuil`
`118`	`118`	`OwnerID: row.WorkspaceTable.OwnerID,`
`119`	`119`	`TemplateID: row.WorkspaceTable.TemplateID,`
`120`	`120`	`VersionID: row.WorkspaceBuild.TemplateVersionID,`
`121`		`- BlockUserData: row.WorkspaceAgent.APIKeyScope == database.ApiKeyScopeEnumNoUserData,`
	`121`	`+ BlockUserData: row.WorkspaceAgent.APIKeyScope == database.AgentKeyScopeEnumNoUserData,`
`122`	`122`	`}),`
`123`	`123`	`)`
`124`	`124`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -2003,9 +2003,9 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.`
`2003`	`2003`	`}`
`2004`	`2004`	`}`
`2005`	`2005`
`2006`		`- apiKeyScope := database.ApiKeyScopeEnumDefault`
`2007`		`- if prAgent.ApiKeyScope == string(database.ApiKeyScopeEnumNoUserData) {`
`2008`		`- apiKeyScope = database.ApiKeyScopeEnumNoUserData`
	`2006`	`+ apiKeyScope := database.AgentKeyScopeEnumAll`
	`2007`	`+ if prAgent.ApiKeyScope == string(database.AgentKeyScopeEnumNoUserData) {`
	`2008`	`+ apiKeyScope = database.AgentKeyScopeEnumNoUserData`
`2009`	`2009`	`}`
`2010`	`2010`
`2011`	`2011`	`agentID := uuid.New()`