coder
diff --git a/‎coderd/apidoc/docs.go
+1-1 b/‎coderd/apidoc/docs.go
+1-1
diff --git a/‎coderd/apidoc/swagger.json
+1-1 b/‎coderd/apidoc/swagger.json
+1-1
diff --git a/‎coderd/autobuild/lifecycle_executor.go
+1-1 b/‎coderd/autobuild/lifecycle_executor.go
+1-1
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+2-2 b/‎coderd/database/dbauthz/dbauthz.go
+2-2
diff --git a/‎coderd/database/dbfake/dbfake.go
+15-5 b/‎coderd/database/dbfake/dbfake.go
+15-5
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
+3-3 b/‎coderd/database/dbmetrics/dbmetrics.go
+3-3
diff --git a/‎coderd/database/dbmock/dbmock.go
+4-3 b/‎coderd/database/dbmock/dbmock.go
+4-3
diff --git a/‎coderd/database/modelqueries.go
+1 b/‎coderd/database/modelqueries.go
+1
diff --git a/‎coderd/database/querier.go
+1-1 b/‎coderd/database/querier.go
+1-1
diff --git a/‎coderd/database/queries.sql.go
+34-7 b/‎coderd/database/queries.sql.go
+34-7
diff --git a/‎coderd/database/queries/workspaces.sql
+11-2 b/‎coderd/database/queries/workspaces.sql
+11-2
diff --git a/‎coderd/searchquery/search.go
+6 b/‎coderd/searchquery/search.go
+6
diff --git a/‎coderd/workspaces.go
+17-9 b/‎coderd/workspaces.go
+17-9
diff --git a/‎coderd/workspaces_test.go
+40 b/‎coderd/workspaces_test.go
+40
@@ -178,7 +178,7 @@ func (e *Executor) runOnce(t time.Time) Stats {
 				// Lock the workspace if it has breached the template's
 				// threshold for inactivity.
 				if reason == database.BuildReasonAutolock {
-					err = tx.UpdateWorkspaceLockedDeletingAt(e.ctx, database.UpdateWorkspaceLockedDeletingAtParams{
+					ws, err = tx.UpdateWorkspaceLockedDeletingAt(e.ctx, database.UpdateWorkspaceLockedDeletingAtParams{
 						ID: ws.ID,
 						LockedAt: sql.NullTime{
 							Time:  database.Now(),
 
@@ -2587,11 +2587,11 @@ func (q *querier) UpdateWorkspaceLastUsedAt(ctx context.Context, arg database.Up
 	return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLastUsedAt)(ctx, arg)
 }
 
-func (q *querier) UpdateWorkspaceLockedDeletingAt(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) error {
+func (q *querier) UpdateWorkspaceLockedDeletingAt(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {
 	fetch := func(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {
 		return q.db.GetWorkspaceByID(ctx, arg.ID)
 	}
-	return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLockedDeletingAt)(ctx, arg)
+	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateWorkspaceLockedDeletingAt)(ctx, arg)
 }
 
 func (q *querier) UpdateWorkspaceProxy(ctx context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 
@@ -5250,9 +5250,9 @@ func (q *FakeQuerier) UpdateWorkspaceLastUsedAt(_ context.Context, arg database.
 	return sql.ErrNoRows
 }
 
-func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) error {
+func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {
 	if err := validateDatabaseType(arg); err != nil {
-		return err
+		return database.Workspace{}, err
 	}
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
@@ -5274,7 +5274,7 @@ func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg dat
 				}
 			}
 			if template.ID == uuid.Nil {
-				return xerrors.Errorf("unable to find workspace template")
+				return database.Workspace{}, xerrors.Errorf("unable to find workspace template")
 			}
 			if template.LockedTTL > 0 {
 				workspace.DeletingAt = sql.NullTime{
@@ -5284,9 +5284,9 @@ func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg dat
 			}
 		}
 		q.workspaces[index] = workspace
-		return nil
+		return workspace, nil
 	}
-	return sql.ErrNoRows
+	return database.Workspace{}, sql.ErrNoRows
 }
 
 func (q *FakeQuerier) UpdateWorkspaceProxy(_ context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {
@@ -5730,6 +5730,16 @@ func (q *FakeQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg database.
 			}
 		}
 
+		// We omit locked workspaces by default.
+		if arg.LockedAt.IsZero() && workspace.LockedAt.Valid {
+			continue
+		}
+
+		// Filter out workspaces that are locked after the timestamp.
+		if !arg.LockedAt.IsZero() && workspace.LockedAt.Time.Before(arg.LockedAt) {
+			continue
+		}
+
 		if len(arg.TemplateIDs) > 0 {
 			match := false
 			for _, id := range arg.TemplateIDs {
 
@@ -217,6 +217,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 		arg.Name,
 		arg.HasAgent,
 		arg.AgentInactiveDisconnectTimeoutSeconds,
+		arg.LockedAt,
 		arg.Offset,
 		arg.Limit,
 	)
 
@@ -259,6 +259,14 @@ WHERE
 			) > 0
 		ELSE true
 	END
+	-- Filter by locked workspaces. By default we do not return locked
+	-- workspaces since they are considered soft-deleted.
+	AND CASE
+		WHEN @locked_at :: timestamptz > '0001-01-01 00:00:00+00'::timestamptz THEN
+			locked_at IS NOT NULL AND locked_at >= @locked_at
+		ELSE
+			locked_at IS NULL
+	END
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ORDER BY
@@ -474,7 +482,7 @@ WHERE
 		)
 	) AND workspaces.deleted = 'false';
 
--- name: UpdateWorkspaceLockedDeletingAt :exec
+-- name: UpdateWorkspaceLockedDeletingAt :one
 UPDATE
 	workspaces
 SET
@@ -490,7 +498,8 @@ FROM
 WHERE
 	workspaces.template_id = templates.id
 AND
-	workspaces.id = $1;
+	workspaces.id = $1
+RETURNING workspaces.*;
 
 -- name: UpdateWorkspacesDeletingAtByTemplateID :exec
 UPDATE
 
@@ -114,9 +114,15 @@ func Workspaces(query string, page codersdk.Pagination, agentInactiveDisconnectT
 	filter.Name = parser.String(values, "", "name")
 	filter.Status = string(httpapi.ParseCustom(parser, values, "", "status", httpapi.ParseEnum[database.WorkspaceStatus]))
 	filter.HasAgent = parser.String(values, "", "has-agent")
+	filter.LockedAt = parser.Time(values, time.Time{}, "locked_at", "2006-01-02")
 
 	if _, ok := values["deleting_by"]; ok {
 		postFilter.DeletingBy = ptr.Ref(parser.Time(values, time.Time{}, "deleting_by", "2006-01-02"))
+		// We want to make sure to grab locked workspaces since they
+		// are omitted by default.
+		if filter.LockedAt.IsZero() {
+			filter.LockedAt = time.Date(1970, time.January, 1, 0, 0, 0, 0, time.UTC)
+		}
 	}
 
 	parser.ErrorExcessParams(values)
 
@@ -768,7 +768,7 @@ func (api *API) putWorkspaceTTL(rw http.ResponseWriter, r *http.Request) {
 // @Tags Workspaces
 // @Param workspace path string true "Workspace ID" format(uuid)
 // @Param request body codersdk.UpdateWorkspaceLock true "Lock or unlock a workspace"
-// @Success 200 {object} codersdk.Response
+// @Success 200 {object} codersdk.Workspace
 // @Router /workspaces/{workspace}/lock [put]
 func (api *API) putWorkspaceLock(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@@ -779,9 +779,6 @@ func (api *API) putWorkspaceLock(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	code := http.StatusOK
-	resp := codersdk.Response{}
-
 	// If the workspace is already in the desired state do nothing!
 	if workspace.LockedAt.Valid == req.Lock {
 		httpapi.Write(ctx, rw, http.StatusNotModified, codersdk.Response{
@@ -797,7 +794,7 @@ func (api *API) putWorkspaceLock(rw http.ResponseWriter, r *http.Request) {
 		lockedAt.Time = database.Now()
 	}
 
-	err := api.Database.UpdateWorkspaceLockedDeletingAt(ctx, database.UpdateWorkspaceLockedDeletingAtParams{
+	workspace, err := api.Database.UpdateWorkspaceLockedDeletingAt(ctx, database.UpdateWorkspaceLockedDeletingAtParams{
 		ID:       workspace.ID,
 		LockedAt: lockedAt,
 	})
@@ -809,10 +806,21 @@ func (api *API) putWorkspaceLock(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// TODO should we kick off a build to stop the workspace if it's started
-	// from this endpoint? I'm leaning no to keep things simple and kick
-	// the responsibility back to the client.
-	httpapi.Write(ctx, rw, code, resp)
+	data, err := api.workspaceData(ctx, []database.Workspace{workspace})
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching workspace resources.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, convertWorkspace(
+		workspace,
+		data.builds[0],
+		data.templates[0],
+		findUser(workspace.OwnerID, data.users),
+	))
 }
 
 // @Summary Extend workspace deadline by ID
 
@@ -1407,6 +1407,46 @@ func TestWorkspaceFilterManual(t *testing.T) {
 		// and template.InactivityTTL should be 0
 		assert.Len(t, res.Workspaces, 0)
 	})
+
+	t.Run("LockedAt", func(t *testing.T) {
+		// this test has a licensed counterpart in enterprise/coderd/workspaces_test.go: FilterQueryHasDeletingByAndLicensed
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		authToken := uuid.NewString()
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
+			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		_ = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		// update template with inactivity ttl
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		lockedWorkspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		_ = coderdtest.AwaitWorkspaceBuildJob(t, client, lockedWorkspace.LatestBuild.ID)
+
+		// Create another workspace to validate that we do not return unlocked workspaces.
+		_ = coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		_ = coderdtest.AwaitWorkspaceBuildJob(t, client, lockedWorkspace.LatestBuild.ID)
+
+		err := client.UpdateWorkspaceLock(ctx, lockedWorkspace.ID, codersdk.UpdateWorkspaceLock{
+			Lock: true,
+		})
+		require.NoError(t, err)
+
+		res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+			FilterQuery: fmt.Sprintf("locked_at:%s", time.Now().Add(-time.Minute).Format("2006-01-02")),
+		})
+		require.NoError(t, err)
+		require.Len(t, res.Workspaces, 1)
+		require.NotNil(t, res.Workspaces[0].LockedAt)
+	})
 }
 
 func TestOffsetLimit(t *testing.T) {
Original file line number	Diff line number	Diff line change
`@@ -2587,11 +2587,11 @@ func (q *querier) UpdateWorkspaceLastUsedAt(ctx context.Context, arg database.Up`
`2587`	`2587`	`return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLastUsedAt)(ctx, arg)`
`2588`	`2588`	`}`
`2589`	`2589`
`2590`		`-func (q *querier) UpdateWorkspaceLockedDeletingAt(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) error {`
	`2590`	`+func (q *querier) UpdateWorkspaceLockedDeletingAt(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {`
`2591`	`2591`	`fetch := func(ctx context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {`
`2592`	`2592`	`return q.db.GetWorkspaceByID(ctx, arg.ID)`
`2593`	`2593`	`}`
`2594`		`- return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLockedDeletingAt)(ctx, arg)`
	`2594`	`+ return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateWorkspaceLockedDeletingAt)(ctx, arg)`
`2595`	`2595`	`}`
`2596`	`2596`
`2597`	`2597`	`func (q *querier) UpdateWorkspaceProxy(ctx context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {`
Original file line number	Diff line number	Diff line change
`@@ -5250,9 +5250,9 @@ func (q *FakeQuerier) UpdateWorkspaceLastUsedAt(_ context.Context, arg database.`
`5250`	`5250`	`return sql.ErrNoRows`
`5251`	`5251`	`}`
`5252`	`5252`
`5253`		`-func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) error {`
	`5253`	`+func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg database.UpdateWorkspaceLockedDeletingAtParams) (database.Workspace, error) {`
`5254`	`5254`	`if err := validateDatabaseType(arg); err != nil {`
`5255`		`- return err`
	`5255`	`+ return database.Workspace{}, err`
`5256`	`5256`	`}`
`5257`	`5257`	`q.mutex.Lock()`
`5258`	`5258`	`defer q.mutex.Unlock()`
`@@ -5274,7 +5274,7 @@ func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg dat`
`5274`	`5274`	`}`
`5275`	`5275`	`}`
`5276`	`5276`	`if template.ID == uuid.Nil {`
`5277`		`- return xerrors.Errorf("unable to find workspace template")`
	`5277`	`+ return database.Workspace{}, xerrors.Errorf("unable to find workspace template")`
`5278`	`5278`	`}`
`5279`	`5279`	`if template.LockedTTL > 0 {`
`5280`	`5280`	`workspace.DeletingAt = sql.NullTime{`
`@@ -5284,9 +5284,9 @@ func (q *FakeQuerier) UpdateWorkspaceLockedDeletingAt(_ context.Context, arg dat`
`5284`	`5284`	`}`
`5285`	`5285`	`}`
`5286`	`5286`	`q.workspaces[index] = workspace`
`5287`		`- return nil`
	`5287`	`+ return workspace, nil`
`5288`	`5288`	`}`
`5289`		`- return sql.ErrNoRows`
	`5289`	`+ return database.Workspace{}, sql.ErrNoRows`
`5290`	`5290`	`}`
`5291`	`5291`
`5292`	`5292`	`func (q *FakeQuerier) UpdateWorkspaceProxy(_ context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {`
`@@ -5730,6 +5730,16 @@ func (q *FakeQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg database.`
`5730`	`5730`	`}`
`5731`	`5731`	`}`
`5732`	`5732`
	`5733`	`+ // We omit locked workspaces by default.`
	`5734`	`+ if arg.LockedAt.IsZero() && workspace.LockedAt.Valid {`
	`5735`	`+ continue`
	`5736`	`+ }`
	`5737`	`+`
	`5738`	`+ // Filter out workspaces that are locked after the timestamp.`
	`5739`	`+ if !arg.LockedAt.IsZero() && workspace.LockedAt.Time.Before(arg.LockedAt) {`
	`5740`	`+ continue`
	`5741`	`+ }`
	`5742`	`+`
`5733`	`5743`	`if len(arg.TemplateIDs) > 0 {`
`5734`	`5744`	`match := false`
`5735`	`5745`	`for _, id := range arg.TemplateIDs {`
Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa`
`217`	`217`	`arg.Name,`
`218`	`218`	`arg.HasAgent,`
`219`	`219`	`arg.AgentInactiveDisconnectTimeoutSeconds,`
	`220`	`+ arg.LockedAt,`
`220`	`221`	`arg.Offset,`
`221`	`222`	`arg.Limit,`
`222`	`223`	`)`