What this does

This adds the initial AuthzQuerier implementation as an experiment. It has negative latency impacts to the api at this point, but it is correct* (bugs not withstanding).

The goal of this PR is to push a working implementation.

Testing

Prior to this PR we used AuthorizeAllEndpoints as our rbac assertions. This was weak (see #5204). There is a similar unit test in authzquery that asserts all interface methods have been tested with the proper rbac checks:

So we can remove these tests in a future PR:

• coder/coderd/coderdtest/authorize.go

  Line 28 in e6d5c2f

  func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {

• coder/coderd/coderdtest/authorize_test.go

  Line 10 in e6d5c2f

  func TestAuthorizeAllEndpoints(t *testing.T) {

• coder/enterprise/coderd/coderdenttest/coderdenttest_test.go

  Line 24 in e6d5c2f

  func TestAuthorizeAllEndpoints(t *testing.T) {

Fixes #5204

Future Work

In no particular order

• Implement authz call caching (optimization)
  • Then load testing
• Optimize certain routes (job cancel)
• Use joins to make more tables first class rbac objects (dependant on certain tooling changes)
• Refactor AuthzStore to not be 1:1 with db.Store. Make a new interface for it.
• Fully implement scoped system roles

• coder/coderd/database/modelmethods.go

  Lines 104 to 106 in 4e6b43f

  	// TODO: This feels incorrect as we are really returning a list of orgmembers.
  	// This return type should be refactored to return a list of orgmembers, not this
  	// special type.

Optimizations

• Do workspaceData in this layer.