coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/dbfake/dbfake.go
Lines changed: 42 additions & 0 deletions b/‎coderd/database/dbfake/dbfake.go
Lines changed: 42 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 112 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 112 additions & 0 deletions
diff --git a/‎coderd/database/queries/workspaceagents.sql
Lines changed: 54 additions & 0 deletions b/‎coderd/database/queries/workspaceagents.sql
Lines changed: 54 additions & 0 deletions
diff --git a/‎coderd/httpmw/workspaceagent.go
Lines changed: 11 additions & 12 deletions b/‎coderd/httpmw/workspaceagent.go
Lines changed: 11 additions & 12 deletions
@@ -1474,6 +1474,14 @@ func (q *querier) GetUsersByIDs(ctx context.Context, ids []uuid.UUID) ([]databas
 	return q.db.GetUsersByIDs(ctx, ids)
 }
 
+func (q *querier) GetWorkspaceAgentAndOwnerByAuthToken(ctx context.Context, agentID uuid.UUID) (database.GetWorkspaceAgentAndOwnerByAuthTokenRow, error) {
+	// This is a system function
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, err
+	}
+	return q.db.GetWorkspaceAgentAndOwnerByAuthToken(ctx, agentID)
+}
+
 // GetWorkspaceAgentByAuthToken is used in http middleware to get the workspace agent.
 // This should only be used by a system user in that middleware.
 func (q *querier) GetWorkspaceAgentByAuthToken(ctx context.Context, authToken uuid.UUID) (database.WorkspaceAgent, error) {
 
@@ -651,6 +651,48 @@ func (q *FakeQuerier) isEveryoneGroup(id uuid.UUID) bool {
 	return false
 }
 
+func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(ctx context.Context, authToken uuid.UUID) (database.GetWorkspaceAgentAndOwnerByAuthTokenRow, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+	var resp database.GetWorkspaceAgentAndOwnerByAuthTokenRow
+	var found bool
+	for _, agt := range q.workspaceAgents {
+		if agt.AuthToken == authToken {
+			resp.WorkspaceAgent = agt
+			found = true
+			break
+		}
+	}
+	if !found {
+		return resp, sql.ErrNoRows
+	}
+
+	// get the related workspace and user
+	for _, res := range q.workspaceResources {
+		if resp.WorkspaceAgent.ResourceID != res.ID {
+			continue
+		}
+		for _, build := range q.workspaceBuilds {
+			if build.JobID != res.JobID {
+				continue
+			}
+			for _, ws := range q.workspaces {
+				if build.WorkspaceID != ws.ID {
+					continue
+				}
+				resp.WorkspaceID = ws.ID
+				if usr, err := q.getUserByIDNoLock(ws.OwnerID); err == nil {
+					resp.OwnerID = usr.ID
+					resp.OwnerRoles = usr.RBACRoles
+					resp.OwnerName = usr.Username
+					return resp, nil
+				}
+			}
+		}
+	}
+	return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
+}
+
 func (*FakeQuerier) AcquireLock(_ context.Context, _ int64) error {
 	return xerrors.New("AcquireLock must only be called within a transaction")
 }
 
@@ -200,3 +200,57 @@ WHERE
     	WHERE
 			wb.workspace_id = @workspace_id :: uuid
 	);
+
+-- name: GetWorkspaceAgentAndOwnerByAuthToken :one
+SELECT
+	sqlc.embed(workspace_agents),
+	workspaces.id AS workspace_id,
+	users.id AS owner_id,
+	users.username AS owner_name,
+	users.status AS owner_status,
+	array_cat(
+		-- All users are members
+		array_append(users.rbac_roles, 'member'),
+		(
+			SELECT
+				array_agg(org_roles)
+			FROM
+				organization_members,
+				-- All org_members get the org-member role for their orgs
+				unnest(
+					array_append(roles, 'organization-member:' || organization_members.organization_id::text)
+					) AS org_roles
+			WHERE
+					user_id = users.id
+		)
+		) :: text[] AS owner_roles,
+	(
+		SELECT
+			array_agg(
+				group_members.group_id :: text
+				)
+		FROM
+			group_members
+		WHERE
+				user_id = users.id
+	) :: text[] AS owner_groups
+FROM users
+		 INNER JOIN
+	 workspaces
+	 ON
+			 workspaces.owner_id = users.id
+		 INNER JOIN
+	 workspace_builds
+	 ON
+			 workspace_builds.workspace_id = workspaces.id
+		 INNER JOIN
+	 workspace_resources
+	 ON
+			 workspace_resources.job_id = workspace_builds.job_id
+		 INNER JOIN
+	 workspace_agents
+	 ON
+			 workspace_agents.resource_id = workspace_resources.id
+WHERE
+		workspace_agents.auth_token = @auth_token
+LIMIT 1;
@@ -74,8 +74,9 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
 				})
 				return
 			}
+
 			//nolint:gocritic // System needs to be able to get workspace agents.
-			agent, err := opts.DB.GetWorkspaceAgentByAuthToken(dbauthz.AsSystemRestricted(ctx), token)
+			row, err := opts.DB.GetWorkspaceAgentAndOwnerByAuthToken(dbauthz.AsSystemRestricted(ctx), token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					optionalWrite(http.StatusUnauthorized, codersdk.Response{
@@ -86,23 +87,21 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
 				}
 
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-					Message: "Internal error fetching workspace agent.",
+					Message: "Internal error authorizing workspace agent.",
 					Detail:  err.Error(),
 				})
 				return
 			}
 
-			//nolint:gocritic // System needs to be able to get workspace agents.
-			subject, err := getAgentSubject(dbauthz.AsSystemRestricted(ctx), opts.DB, agent)
-			if err != nil {
-				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-					Message: "Internal error fetching workspace agent.",
-					Detail:  err.Error(),
-				})
-				return
-			}
+			subject := rbac.Subject{
+				ID:     row.OwnerID.String(),
+				Roles:  rbac.RoleNames(row.OwnerRoles),
+				Groups: row.OwnerGroups,
+				// Note: this is generated as a NullUUID even though it shouldn't be nullable based on the query.
+				Scope: rbac.WorkspaceAgentScope(row.WorkspaceID, row.OwnerID),
+			}.WithCachedASTValue()
 
-			ctx = context.WithValue(ctx, workspaceAgentContextKey{}, agent)
+			ctx = context.WithValue(ctx, workspaceAgentContextKey{}, row.WorkspaceAgent)
 			// Also set the dbauthz actor for the request.
 			ctx = dbauthz.As(ctx, subject)
 			next.ServeHTTP(rw, r.WithContext(ctx))