coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+7 b/‎coderd/database/dbauthz/dbauthz.go
+7
diff --git a/‎coderd/database/dbmem/dbmem.go
+4 b/‎coderd/database/dbmem/dbmem.go
+4
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
+7 b/‎coderd/database/dbmetrics/querymetrics.go
+7
diff --git a/‎coderd/database/querier.go
+1 b/‎coderd/database/querier.go
+1
diff --git a/‎coderd/database/queries.sql.go
+23 b/‎coderd/database/queries.sql.go
+23
diff --git a/‎coderd/database/queries/prebuilds.sql
+15 b/‎coderd/database/queries/prebuilds.sql
+15
diff --git a/‎coderd/prebuilds/claim.go
+35 b/‎coderd/prebuilds/claim.go
+35
diff --git a/‎coderd/prebuilds/controller.go
+1-1 b/‎coderd/prebuilds/controller.go
+1-1
diff --git a/‎coderd/workspaces.go
+67-20 b/‎coderd/workspaces.go
+67-20
diff --git a/‎codersdk/organizations.go
+3-2 b/‎codersdk/organizations.go
+3-2
diff --git a/‎site/src/api/typesGenerated.ts
+1 b/‎site/src/api/typesGenerated.ts
+1
@@ -1078,6 +1078,13 @@ func (q *querier) BulkMarkNotificationMessagesSent(ctx context.Context, arg data
 	return q.db.BulkMarkNotificationMessagesSent(ctx, arg)
 }
 
+func (q *querier) ClaimPrebuild(ctx context.Context, newOwnerID uuid.UUID) (uuid.UUID, error) {
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceWorkspace); err != nil {
+		return uuid.Nil, err
+	}
+	return q.db.ClaimPrebuild(ctx, newOwnerID)
+}
+
 func (q *querier) CleanTailnetCoordinators(ctx context.Context) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceTailnetCoordinator); err != nil {
 		return err
 
@@ -1585,6 +1585,10 @@ func (*FakeQuerier) BulkMarkNotificationMessagesSent(_ context.Context, arg data
 	return int64(len(arg.IDs)), nil
 }
 
+func (q *FakeQuerier) ClaimPrebuild(ctx context.Context, newOwnerID uuid.UUID) (uuid.UUID, error) {
+	panic("not implemented")
+}
+
 func (*FakeQuerier) CleanTailnetCoordinators(_ context.Context) error {
 	return ErrUnimplemented
 }
 
@@ -62,3 +62,18 @@ FROM templates_with_prebuilds t
 		 LEFT JOIN prebuilds_in_progress pip ON pip.template_version_id = t.template_version_id
 GROUP BY t.using_active_version, t.template_id, t.template_version_id, p.count, p.ids,
 		 p.template_version_id, t.deleted, t.deprecated;
+
+-- name: ClaimPrebuild :one
+UPDATE workspaces w
+SET owner_id = @new_owner_id::uuid, updated_at = NOW() -- TODO: annoying; having two input params breaks dbgen
+WHERE w.id IN (SELECT p.id
+			   FROM workspace_prebuilds p
+						INNER JOIN workspace_latest_build b ON b.workspace_id = p.id
+						INNER JOIN provisioner_jobs pj ON b.job_id = pj.id
+						INNER JOIN templates t ON p.template_id = t.id
+			   WHERE (b.transition = 'start'::workspace_transition
+				   AND pj.job_status IN ('succeeded'::provisioner_job_status))
+				 AND b.template_version_id = t.active_version_id
+			   ORDER BY random()
+			   LIMIT 1 FOR UPDATE OF p SKIP LOCKED)
+RETURNING w.id;
@@ -0,0 +1,35 @@
+package prebuilds
+
+import (
+	"context"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+)
+
+func Claim(ctx context.Context, store database.Store, userID uuid.UUID) (*uuid.UUID, error) {
+	var prebuildID *uuid.UUID
+	err := store.InTx(func(db database.Store) error {
+		// TODO: do we need this?
+		//// Ensure no other replica can claim a prebuild for this user simultaneously.
+		//err := store.AcquireLock(ctx, database.GenLockID(fmt.Sprintf("prebuild-user-claim-%s", userID.String())))
+		//if err != nil {
+		//	return xerrors.Errorf("acquire claim lock for user %q: %w", userID.String(), err)
+		//}
+
+		id, err := db.ClaimPrebuild(ctx, userID)
+		if err != nil {
+			return xerrors.Errorf("claim prebuild for user %q: %w", userID.String(), err)
+		}
+
+		if id != uuid.Nil {
+			prebuildID = &id
+		}
+
+		return nil
+	}, &database.TxOptions{
+		TxIdentifier: "prebuild-claim",
+	})
+
+	return prebuildID, err
+}
@@ -376,5 +376,5 @@ func generateName() (string, error) {
 	}
 
 	// Encode the bytes to Base32 (A-Z2-7), strip any '=' padding
-	return fmt.Sprintf("prebuild-%s", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)), nil
+	return fmt.Sprintf("prebuild-%s", strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b))), nil
 }
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/coder/coder/v2/coderd/prebuilds"
 	"net/http"
 	"slices"
 	"strconv"
@@ -628,32 +629,78 @@ func createWorkspace(
 		provisionerDaemons []database.GetEligibleProvisionerDaemonsByProvisionerJobIDsRow
 	)
 	err = api.Database.InTx(func(db database.Store) error {
+		var claimedWorkspace *database.Workspace
+
+		// TODO: implement matching logic
+		if true {
+			//if req.ClaimPrebuildIfAvailable {
+			// TODO: authz // Can't use existing profiles (i.e. AsSystemRestricted) because of dbauthz rules
+			var ownerCtx = dbauthz.As(ctx, rbac.Subject{
+				ID:     "owner",
+				Roles:  rbac.RoleIdentifiers{rbac.RoleOwner()},
+				Groups: []string{},
+				Scope:  rbac.ExpandableScope(rbac.ScopeAll),
+			})
+
+			claimCtx, cancel := context.WithTimeout(ownerCtx, time.Second*10) // TODO: don't use elevated authz context
+			defer cancel()
+
+			claimedID, err := prebuilds.Claim(claimCtx, db, owner.ID)
+			if err != nil {
+				// TODO: enhance this by clarifying whether this *specific* prebuild failed or whether there are none to claim.
+				api.Logger.Error(ctx, "failed to claim a prebuild", slog.Error(err))
+				goto regularPath
+			}
+
+			if claimedID == nil {
+				api.Logger.Warn(ctx, "no claimable prebuild available", slog.Error(err))
+				goto regularPath
+			}
+
+			lookup, err := api.Database.GetWorkspaceByID(ownerCtx, *claimedID) // TODO: don't use elevated authz context
+			if err != nil {
+				api.Logger.Warn(ctx, "unable to find claimed workspace by ID", slog.Error(err), slog.F("claimed_prebuild_id", (*claimedID).String()))
+				goto regularPath
+			}
+
+			claimedWorkspace = &lookup
+		}
+
+	regularPath:
 		now := dbtime.Now()
-		// Workspaces are created without any versions.
-		minimumWorkspace, err := db.InsertWorkspace(ctx, database.InsertWorkspaceParams{
-			ID:                uuid.New(),
-			CreatedAt:         now,
-			UpdatedAt:         now,
-			OwnerID:           owner.ID,
-			OrganizationID:    template.OrganizationID,
-			TemplateID:        template.ID,
-			Name:              req.Name,
-			AutostartSchedule: dbAutostartSchedule,
-			NextStartAt:       nextStartAt,
-			Ttl:               dbTTL,
-			// The workspaces page will sort by last used at, and it's useful to
-			// have the newly created workspace at the top of the list!
-			LastUsedAt:       dbtime.Now(),
-			AutomaticUpdates: dbAU,
-		})
-		if err != nil {
-			return xerrors.Errorf("insert workspace: %w", err)
+
+		var workspaceID uuid.UUID
+
+		if claimedWorkspace != nil {
+			workspaceID = claimedWorkspace.ID
+		} else {
+			// Workspaces are created without any versions.
+			minimumWorkspace, err := db.InsertWorkspace(ctx, database.InsertWorkspaceParams{
+				ID:                uuid.New(),
+				CreatedAt:         now,
+				UpdatedAt:         now,
+				OwnerID:           owner.ID,
+				OrganizationID:    template.OrganizationID,
+				TemplateID:        template.ID,
+				Name:              req.Name,
+				AutostartSchedule: dbAutostartSchedule,
+				NextStartAt:       nextStartAt,
+				Ttl:               dbTTL,
+				// The workspaces page will sort by last used at, and it's useful to
+				// have the newly created workspace at the top of the list!
+				LastUsedAt:       dbtime.Now(),
+				AutomaticUpdates: dbAU,
+			})
+			if err != nil {
+				return xerrors.Errorf("insert workspace: %w", err)
+			}
+			workspaceID = minimumWorkspace.ID
 		}
 
 		// We have to refetch the workspace for the joined in fields.
 		// TODO: We can use WorkspaceTable for the builder to not require
 		// this extra fetch.
-		workspace, err = db.GetWorkspaceByID(ctx, minimumWorkspace.ID)
+		workspace, err = db.GetWorkspaceByID(ctx, workspaceID)
 		if err != nil {
 			return xerrors.Errorf("get workspace by ID: %w", err)
 		}
 
@@ -207,8 +207,9 @@ type CreateWorkspaceRequest struct {
 	TTLMillis         *int64    `json:"ttl_ms,omitempty"`
 	// RichParameterValues allows for additional parameters to be provided
 	// during the initial provision.
-	RichParameterValues []WorkspaceBuildParameter `json:"rich_parameter_values,omitempty"`
-	AutomaticUpdates    AutomaticUpdates          `json:"automatic_updates,omitempty"`
+	RichParameterValues      []WorkspaceBuildParameter `json:"rich_parameter_values,omitempty"`
+	AutomaticUpdates         AutomaticUpdates          `json:"automatic_updates,omitempty"`
+	ClaimPrebuildIfAvailable bool                      `json:"claim_prebuild_if_available,omitempty"`
 }
 
 func (c *Client) OrganizationByName(ctx context.Context, name string) (Organization, error) {
Original file line number	Diff line number	Diff line change
`@@ -1585,6 +1585,10 @@ func (*FakeQuerier) BulkMarkNotificationMessagesSent(_ context.Context, arg data`
`1585`	`1585`	`return int64(len(arg.IDs)), nil`
`1586`	`1586`	`}`
`1587`	`1587`
	`1588`	`+func (q *FakeQuerier) ClaimPrebuild(ctx context.Context, newOwnerID uuid.UUID) (uuid.UUID, error) {`
	`1589`	`+ panic("not implemented")`
	`1590`	`+}`
	`1591`	`+`
`1588`	`1592`	`func (*FakeQuerier) CleanTailnetCoordinators(_ context.Context) error {`
`1589`	`1593`	`return ErrUnimplemented`
`1590`	`1594`	`}`
Original file line number	Diff line number	Diff line change
`@@ -376,5 +376,5 @@ func generateName() (string, error) {`
`376`	`376`	`}`
`377`	`377`
`378`	`378`	`// Encode the bytes to Base32 (A-Z2-7), strip any '=' padding`
`379`		`- return fmt.Sprintf("prebuild-%s", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)), nil`
	`379`	`+ return fmt.Sprintf("prebuild-%s", strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b))), nil`
`380`	`380`	`}`