reconbug
diff --git a/‎cli/testdata/coder_list_--output_json.golden
Lines changed: 2 additions & 1 deletion b/‎cli/testdata/coder_list_--output_json.golden
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 60 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 60 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 54 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 54 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 0 deletions b/‎coderd/coderd.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 21 additions & 11 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 21 additions & 11 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/dbfake/dbfake.go
Lines changed: 20 additions & 0 deletions b/‎coderd/database/dbfake/dbfake.go
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000131_workspace_locked.down.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000131_workspace_locked.down.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000131_workspace_locked.up.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000131_workspace_locked.up.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 33 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 33 additions & 0 deletions
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/modelqueries.go
Lines changed: 1 addition & 0 deletions
@@ -51,6 +51,7 @@
     "autostart_schedule": "CRON_TZ=US/Central 30 9 * * 1-5",
     "ttl_ms": 28800000,
     "last_used_at": "[timestamp]",
-    "deleting_at": null
+    "deleting_at": null,
+    "locked_at": null
   }
 ]
@@ -735,6 +735,7 @@ func New(options *Options) *API {
 				})
 				r.Get("/watch", api.watchWorkspace)
 				r.Put("/extend", api.putExtendWorkspace)
+				r.Put("/lock", api.putWorkspaceLock)
 			})
 		})
 		r.Route("/workspacebuilds/{workspacebuild}", func(r chi.Router) {
 
@@ -143,13 +143,14 @@ var (
 				DisplayName: "Provisioner Daemon",
 				Site: rbac.Permissions(map[string][]rbac.Action{
 					// TODO: Add ProvisionerJob resource type.
-					rbac.ResourceFile.Type:      {rbac.ActionRead},
-					rbac.ResourceSystem.Type:    {rbac.WildcardSymbol},
-					rbac.ResourceTemplate.Type:  {rbac.ActionRead, rbac.ActionUpdate},
-					rbac.ResourceUser.Type:      {rbac.ActionRead},
-					rbac.ResourceWorkspace.Type: {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
-					rbac.ResourceUserData.Type:  {rbac.ActionRead, rbac.ActionUpdate},
-					rbac.ResourceAPIKey.Type:    {rbac.WildcardSymbol},
+					rbac.ResourceFile.Type:           {rbac.ActionRead},
+					rbac.ResourceSystem.Type:         {rbac.WildcardSymbol},
+					rbac.ResourceTemplate.Type:       {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceUser.Type:           {rbac.ActionRead},
+					rbac.ResourceWorkspace.Type:      {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
+					rbac.ResourceWorkspaceBuild.Type: {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
+					rbac.ResourceUserData.Type:       {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceAPIKey.Type:         {rbac.WildcardSymbol},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -165,9 +166,10 @@ var (
 				Name:        "autostart",
 				DisplayName: "Autostart Daemon",
 				Site: rbac.Permissions(map[string][]rbac.Action{
-					rbac.ResourceSystem.Type:    {rbac.WildcardSymbol},
-					rbac.ResourceTemplate.Type:  {rbac.ActionRead, rbac.ActionUpdate},
-					rbac.ResourceWorkspace.Type: {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceSystem.Type:         {rbac.WildcardSymbol},
+					rbac.ResourceTemplate.Type:       {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceWorkspace.Type:      {rbac.ActionRead, rbac.ActionUpdate},
+					rbac.ResourceWorkspaceBuild.Type: {rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -213,6 +215,7 @@ var (
 					rbac.ResourceUser.Type:               {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 					rbac.ResourceUserData.Type:           {rbac.ActionCreate, rbac.ActionUpdate},
 					rbac.ResourceWorkspace.Type:          {rbac.ActionUpdate},
+					rbac.ResourceWorkspaceBuild.Type:     {rbac.ActionUpdate},
 					rbac.ResourceWorkspaceExecution.Type: {rbac.ActionCreate},
 					rbac.ResourceWorkspaceProxy.Type:     {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 				}),
@@ -1998,7 +2001,7 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		action = rbac.ActionDelete
 	}
 
-	if err = q.authorizeContext(ctx, action, w); err != nil {
+	if err = q.authorizeContext(ctx, action, w.WorkspaceBuildRBAC(arg.Transition)); err != nil {
 		return database.WorkspaceBuild{}, err
 	}
 
@@ -2530,6 +2533,13 @@ func (q *querier) UpdateWorkspaceLastUsedAt(ctx context.Context, arg database.Up
 	return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLastUsedAt)(ctx, arg)
 }
 
+func (q *querier) UpdateWorkspaceLockedAt(ctx context.Context, arg database.UpdateWorkspaceLockedAtParams) error {
+	fetch := func(ctx context.Context, arg database.UpdateWorkspaceLockedAtParams) (database.Workspace, error) {
+		return q.db.GetWorkspaceByID(ctx, arg.ID)
+	}
+	return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceLockedAt)(ctx, arg)
+}
+
 func (q *querier) UpdateWorkspaceProxy(ctx context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 	fetch := func(ctx context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 		return q.db.GetWorkspaceProxyByID(ctx, arg.ID)
 
@@ -1196,15 +1196,15 @@ func (s *MethodTestSuite) TestWorkspace() {
 			WorkspaceID: w.ID,
 			Transition:  database.WorkspaceTransitionStart,
 			Reason:      database.BuildReasonInitiator,
-		}).Asserts(w, rbac.ActionUpdate)
+		}).Asserts(w.WorkspaceBuildRBAC(database.WorkspaceTransitionStart), rbac.ActionUpdate)
 	}))
 	s.Run("Delete/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
 		w := dbgen.Workspace(s.T(), db, database.Workspace{})
 		check.Args(database.InsertWorkspaceBuildParams{
 			WorkspaceID: w.ID,
 			Transition:  database.WorkspaceTransitionDelete,
 			Reason:      database.BuildReasonInitiator,
-		}).Asserts(w, rbac.ActionDelete)
+		}).Asserts(w.WorkspaceBuildRBAC(database.WorkspaceTransitionDelete), rbac.ActionDelete)
 	}))
 	s.Run("InsertWorkspaceBuildParameters", s.Subtest(func(db database.Store, check *expects) {
 		w := dbgen.Workspace(s.T(), db, database.Workspace{})
 
@@ -5197,6 +5197,26 @@ func (q *fakeQuerier) UpdateWorkspaceLastUsedAt(_ context.Context, arg database.
 	return sql.ErrNoRows
 }
 
+func (q *fakeQuerier) UpdateWorkspaceLockedAt(_ context.Context, arg database.UpdateWorkspaceLockedAtParams) error {
+	if err := validateDatabaseType(arg); err != nil {
+		return err
+	}
+
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for index, workspace := range q.workspaces {
+		if workspace.ID != arg.ID {
+			continue
+		}
+		workspace.LockedAt = arg.LockedAt
+		q.workspaces[index] = workspace
+		return nil
+	}
+
+	return sql.ErrNoRows
+}
+
 func (q *fakeQuerier) UpdateWorkspaceProxy(_ context.Context, arg database.UpdateWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -0,0 +1,3 @@
+BEGIN;
+ALTER TABLE workspaces DROP COLUMN locked_at;
+COMMIT;
@@ -0,0 +1,3 @@
+BEGIN;
+ALTER TABLE workspaces ADD COLUMN locked_at timestamptz NULL;
+COMMIT;
@@ -145,19 +145,52 @@ func (w Workspace) RBACObject() rbac.Object {
 }
 
 func (w Workspace) ExecutionRBAC() rbac.Object {
+	// If a workspace is locked it cannot be accessed.
+	if w.LockedAt.Valid {
+		return w.LockedRBAC()
+	}
+
 	return rbac.ResourceWorkspaceExecution.
 		WithID(w.ID).
 		InOrg(w.OrganizationID).
 		WithOwner(w.OwnerID.String())
 }
 
 func (w Workspace) ApplicationConnectRBAC() rbac.Object {
+	// If a workspace is locked it cannot be accessed.
+	if w.LockedAt.Valid {
+		return w.LockedRBAC()
+	}
+
 	return rbac.ResourceWorkspaceApplicationConnect.
 		WithID(w.ID).
 		InOrg(w.OrganizationID).
 		WithOwner(w.OwnerID.String())
 }
 
+func (w Workspace) WorkspaceBuildRBAC(transition WorkspaceTransition) rbac.Object {
+	// If a workspace is locked it cannot be built.
+	// However we need to allow stopping a workspace by a caller once a workspace
+	// is locked (e.g. for autobuild). Additionally, if a user wants to delete
+	// a locked workspace, they shouldn't have to have it unlocked first.
+	if w.LockedAt.Valid && transition != WorkspaceTransitionStop &&
+		transition != WorkspaceTransitionDelete {
+		return w.LockedRBAC()
+	}
+
+	return rbac.ResourceWorkspaceBuild.
+		WithID(w.ID).
+		InOrg(w.OrganizationID).
+		WithOwner(w.OwnerID.String())
+}
+
+func (w Workspace) LockedRBAC() rbac.Object {
+	return rbac.ResourceWorkspaceLocked.
+		WithID(w.ID).
+		InOrg(w.OrganizationID).
+		WithOwner(w.OwnerID.String())
+}
+
 func (m OrganizationMember) RBACObject() rbac.Object {
 	return rbac.ResourceOrganizationMember.
 		WithID(m.UserID).
 
@@ -235,6 +235,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 			&i.AutostartSchedule,
 			&i.Ttl,
 			&i.LastUsedAt,
+			&i.LockedAt,
 			&i.Count,
 		); err != nil {
 			return nil, err
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@`
`51`	`51`	`"autostart_schedule": "CRON_TZ=US/Central 30 9 * * 1-5",`
`52`	`52`	`"ttl_ms": 28800000,`
`53`	`53`	`"last_used_at": "[timestamp]",`
`54`		`- "deleting_at": null`
	`54`	`+ "deleting_at": null,`
	`55`	`+ "locked_at": null`
`55`	`56`	`}`
`56`	`57`	`]`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+BEGIN;`
	`2`	`+ALTER TABLE workspaces DROP COLUMN locked_at;`
	`3`	`+COMMIT;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+BEGIN;`
	`2`	`+ALTER TABLE workspaces ADD COLUMN locked_at timestamptz NULL;`
	`3`	`+COMMIT;`