"github.com/coder/coder/v2/coderd/prebuilds"

subjectPrebuildsOrchestrator = rbac.Subject{

FriendlyName: "Prebuilds Orchestrator",

ID: prebuilds.OwnerID.String(),

Roles: rbac.Roles([]rbac.Role{

{

Identifier: rbac.RoleIdentifier{Name: "prebuilds-orchestrator"},

DisplayName: "Coder",

Site: rbac.Permissions(map[string][]policy.Action{

// May use template, read template-related info, & insert template-related resources (preset prebuilds).

rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionUse},

// May CRUD workspaces, and start/stop them.

rbac.ResourceWorkspace.Type: {

policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate,

policy.ActionWorkspaceStart, policy.ActionWorkspaceStop,

},

}),

},

}),

Scope: rbac.ScopeAll,

}.WithCachedASTValue()

func AsPrebuildsOrchestrator(ctx context.Context) context.Context {

return context.WithValue(ctx, authContextKey{}, subjectPrebuildsOrchestrator)

}

DELETE FROM organization_members

WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';

DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;

DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;

DROP FUNCTION IF EXISTS prevent_system_user_changes();

DELETE FROM users

WHERE id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';

DROP INDEX IF EXISTS user_is_system_idx;

ALTER TABLE users DROP COLUMN IF EXISTS is_system;

ALTER TABLE users

ADD COLUMN is_system bool DEFAULT false;

CREATE INDEX user_is_system_idx ON users USING btree (is_system);

COMMENT ON COLUMN users.is_system IS 'Determines if a user is a system user, and therefore cannot login or perform normal actions';

INSERT INTO users (id, email, username, name, created_at, updated_at, status, rbac_roles, hashed_password, is_system, login_type)

VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),

'active', '{}', 'none', true, 'password'::login_type);

CREATE OR REPLACE FUNCTION prevent_system_user_changes()

RETURNS TRIGGER AS

$$

IF OLD.is_system = true THEN

RAISE EXCEPTION 'Cannot modify or delete system users';

END IF;

RETURN OLD;

END;

$$ LANGUAGE plpgsql;

CREATE TRIGGER prevent_system_user_updates

BEFORE UPDATE ON users

FOR EACH ROW

WHEN (OLD.is_system = true)

EXECUTE FUNCTION prevent_system_user_changes();

CREATE TRIGGER prevent_system_user_deletions

BEFORE DELETE ON users

FOR EACH ROW

WHEN (OLD.is_system = true)

EXECUTE FUNCTION prevent_system_user_changes();

WITH default_org AS (SELECT id

FROM organizations

WHERE is_default = true

LIMIT 1)

INSERT

INTO organization_members (organization_id, user_id, created_at, updated_at)

SELECT default_org.id,

'c42fdf75-3097-471c-8c33-fb52454d81c0', -- The system user responsible for prebuilds.

NOW(),

NOW()

FROM default_org;

IsSystem: r.IsSystem,

&i.IsSystem,