Sep 2, 2025 · Aug 29, 2025 · Sep 2, 2025
diff --git a/coderd/apikey.go b/coderd/apikey.go
 "github.com/moby/moby/pkg/namesgenerator"
 "golang.org/x/xerrors"

 "cdr.dev/slog"

 "github.com/coder/coder/v2/coderd/apikey"
 "github.com/coder/coder/v2/coderd/audit"
 "github.com/coder/coder/v2/coderd/database"
 return
 }

 // TODO(Cian): System users technically just have the 'member' role
 // and we don't want to disallow all members from creating API keys.
 if user.IsSystem {
 api.Logger.Warn(ctx, "disallowed creating api key for system user", slog.F("user_id", user.ID))
 httpapi.Forbidden(rw)
 return
 }

 scope := database.APIKeyScopeAll
 if scope != "" {
 scope = database.APIKeyScope(createToken.Scope)
 ctx := r.Context()
 user := httpmw.UserParam(r)

 // TODO(Cian): System users technically just have the 'member' role
 // and we don't want to disallow all members from creating API keys.
 if user.IsSystem {
 api.Logger.Warn(ctx, "disallowed creating api key for system user", slog.F("user_id", user.ID))
 httpapi.Forbidden(rw)
 return
 }

 cookie, _, err := api.createAPIKey(ctx, apikey.CreateParams{
 UserID:          user.ID,
 DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
diff --git a/coderd/apikey_test.go b/coderd/apikey_test.go
 "github.com/coder/coder/v2/coderd/audit"
 "github.com/coder/coder/v2/coderd/coderdtest"
 "github.com/coder/coder/v2/coderd/database"
 "github.com/coder/coder/v2/coderd/database/dbgen"
 "github.com/coder/coder/v2/coderd/database/dbtestutil"
 "github.com/coder/coder/v2/coderd/database/dbtime"
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/coder/v2/testutil"
 "github.com/coder/serpent"
 require.NoError(t, err)
 require.EqualValues(t, dc.Sessions.DefaultTokenDuration.Value().Seconds(), apiKey1.LifetimeSeconds)
 }

 func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
 t.Parallel()

 db, pubsub := dbtestutil.NewDB(t)
 dc := coderdtest.DeploymentValues(t)
 dc.Sessions.DefaultTokenDuration = serpent.Duration(time.Hour * 12)
 client := coderdtest.New(t, &coderdtest.Options{
 Database:         db,
 Pubsub:           pubsub,
 DeploymentValues: dc,
 })

 ctx := testutil.Context(t, testutil.WaitLong)

 // Given: an existing api token for the prebuilds user
 _, prebuildsToken := dbgen.APIKey(t, db, database.APIKey{
 UserID: database.PrebuildsSystemUserID,
 })
 client.SetSessionToken(prebuildsToken)

 // When: the prebuilds user tries to create an API key
 _, err := client.CreateAPIKey(ctx, database.PrebuildsSystemUserID.String())
 // Then: denied.
 require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)

 // When: the prebuilds user tries to create a token
 _, err = client.CreateToken(ctx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
 // Then: also denied.
 require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)
 }
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
 return q.db.EnqueueNotificationMessage(ctx, arg)
 }

 func (q *querier) ExpirePrebuildsAPIKeys(ctx context.Context, now time.Time) error {
 if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceApiKey); err != nil {
 return err
 }
 return q.db.ExpirePrebuildsAPIKeys(ctx, now)
 }

 func (q *querier) FavoriteWorkspace(ctx context.Context, id uuid.UUID) error {
 fetch := func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
 return q.db.GetWorkspaceByID(ctx, id)
 }

 func (q *querier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) {
 // TODO(Cian): ideally this would be encoded in the policy, but system users are just members and we
 // don't currently have a capability to conditionally deny creating resources by owner ID in a role.
 // We also need to enrich rbac.Actor with IsSystem so that we can distinguish all system users.
 // For now, there is only one system user (prebuilds).
 if act, ok := ActorFromContext(ctx); ok && act.ID == database.PrebuildsSystemUserID.String() {
 return database.APIKey{}, logNotAuthorizedError(ctx, q.log, NotAuthorizedError{Err: xerrors.Errorf("prebuild user may not create api keys")})
 }

 return insert(q.log, q.auth,
 rbac.ResourceApiKey.WithOwner(arg.UserID.String()),
 q.db.InsertAPIKey)(ctx, arg)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
 "golang.org/x/xerrors"

 "cdr.dev/slog"
 "cdr.dev/slog/sloggers/slogtest"
 "github.com/coder/coder/v2/coderd/coderdtest"
 "github.com/coder/coder/v2/coderd/database"
 "github.com/coder/coder/v2/coderd/database/db2sdk"
 dbm.EXPECT().DeleteAPIKeysByUserID(gomock.Any(), key.UserID).Return(nil).AnyTimes()
 check.Args(key.UserID).Asserts(rbac.ResourceApiKey.WithOwner(key.UserID.String()), policy.ActionDelete).Returns()
 }))
 s.Run("ExpirePrebuildsAPIKeys", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 dbm.EXPECT().ExpirePrebuildsAPIKeys(gomock.Any(), gomock.Any()).Times(1).Return(nil)
 check.Args(dbtime.Now()).Asserts(rbac.ResourceApiKey, policy.ActionDelete).Returns()
 }))
 s.Run("GetQuotaAllowanceForUser", s.Mocked(func(dbm *dbmock.MockStore, faker *gofakeit.Faker, check *expects) {
 u := testutil.Fake(s.T(), faker, database.User{})
 arg := database.GetQuotaAllowanceForUserParams{UserID: u.ID, OrganizationID: uuid.New()}
 }).Asserts(rbac.ResourceUsageEvent, policy.ActionRead)
 }))
 }

 // Ensures that the prebuilds actor may never insert an api key.
 func TestInsertAPIKey_AsPrebuildsUser(t *testing.T) {
 t.Parallel()
 prebuildsSubj := rbac.Subject{
 ID: database.PrebuildsSystemUserID.String(),
 }
 ctx := dbauthz.As(testutil.Context(t, testutil.WaitShort), prebuildsSubj)
 mDB := dbmock.NewMockStore(gomock.NewController(t))
 log := slogtest.Make(t, nil)
 mDB.EXPECT().Wrappers().Times(1).Return([]string{})
 dbz := dbauthz.New(mDB, nil, log, nil)
 faker := gofakeit.New(0)
 _, err := dbz.InsertAPIKey(ctx, testutil.Fake(t, faker, database.InsertAPIKeyParams{}))
 require.True(t, dbauthz.IsNotAuthorizedError(err))
 }
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
 return template
 }

 func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database.APIKey, token string) {
 func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func(*database.InsertAPIKeyParams)) (key database.APIKey, token string) {
 id, _ := cryptorand.String(10)
 secret, _ := cryptorand.String(22)
 hashed := sha256.Sum256([]byte(secret))
 }
 }

 key, err := db.InsertAPIKey(genCtx, database.InsertAPIKeyParams{
 params := database.InsertAPIKeyParams{
 ID: takeFirst(seed.ID, id),
 // 0 defaults to 86400 at the db layer
 LifetimeSeconds: takeFirst(seed.LifetimeSeconds, 0),
 LoginType:       takeFirst(seed.LoginType, database.LoginTypePassword),
 Scope:           takeFirst(seed.Scope, database.APIKeyScopeAll),
 TokenName:       takeFirst(seed.TokenName),
 })
 }
 for _, fn := range munge {
 fn(&params)
 }
 key, err := db.InsertAPIKey(genCtx, params)
 require.NoError(t, err, "insert api key")
 return key, fmt.Sprintf("%s-%s", key.ID, secret)
 }
diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/database/dbpurge/dbpurge.go b/coderd/database/dbpurge/dbpurge.go
 if err := tx.DeleteOldNotificationMessages(ctx); err != nil {
 return xerrors.Errorf("failed to delete old notification messages: %w", err)
 }
 if err := tx.ExpirePrebuildsAPIKeys(ctx, dbtime.Time(start)); err != nil {
 return xerrors.Errorf("failed to expire prebuilds user api keys: %w", err)
 }

 deleteOldAuditLogConnectionEventsBefore := start.Add(-maxAuditLogConnectionEventAge)
 if err := tx.DeleteOldAuditLogConnectionEvents(ctx, database.DeleteOldAuditLogConnectionEventsParams{
diff --git a/coderd/database/dbpurge/dbpurge_test.go b/coderd/database/dbpurge/dbpurge_test.go
 "github.com/coder/coder/v2/coderd/database/dbrollup"
 "github.com/coder/coder/v2/coderd/database/dbtestutil"
 "github.com/coder/coder/v2/coderd/database/dbtime"
 "github.com/coder/coder/v2/coderd/provisionerdserver"
 "github.com/coder/coder/v2/codersdk"
 "github.com/coder/coder/v2/provisionerd/proto"
 "github.com/coder/coder/v2/provisionersdk"

 require.Len(t, logs, 0)
 }

 func TestExpireOldAPIKeys(t *testing.T) {
 t.Parallel()

 // Given: a number of workspaces and API keys owned by a regular user and the prebuilds system user.
 var (
 ctx    = testutil.Context(t, testutil.WaitShort)
 now    = dbtime.Now()
 db, _  = dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
 org    = dbgen.Organization(t, db, database.Organization{})
 user   = dbgen.User(t, db, database.User{})
 tpl    = dbgen.Template(t, db, database.Template{OrganizationID: org.ID, CreatedBy: user.ID})
 userWs = dbgen.Workspace(t, db, database.WorkspaceTable{
 OwnerID:    user.ID,
 TemplateID: tpl.ID,
 })
 prebuildsWs = dbgen.Workspace(t, db, database.WorkspaceTable{
 OwnerID:    database.PrebuildsSystemUserID,
 TemplateID: tpl.ID,
 })
 createAPIKey = func(userID uuid.UUID, name string) database.APIKey {
 k, _ := dbgen.APIKey(t, db, database.APIKey{UserID: userID, TokenName: name, ExpiresAt: now.Add(time.Hour)}, func(iap *database.InsertAPIKeyParams) {
 iap.TokenName = name
 })
 return k
 }
 assertKeyActive = func(kid string) {
 k, err := db.GetAPIKeyByID(ctx, kid)
 require.NoError(t, err)
 assert.True(t, k.ExpiresAt.After(now))
 }
 assertKeyExpired = func(kid string) {
 k, err := db.GetAPIKeyByID(ctx, kid)
 require.NoError(t, err)
 assert.True(t, k.ExpiresAt.Equal(now))
 }
 unnamedUserAPIKey         = createAPIKey(user.ID, "")
 unnamedPrebuildsAPIKey    = createAPIKey(database.PrebuildsSystemUserID, "")
 namedUserAPIKey           = createAPIKey(user.ID, "my-token")
 namedPrebuildsAPIKey      = createAPIKey(database.PrebuildsSystemUserID, "also-my-token")
 userWorkspaceAPIKey1      = createAPIKey(user.ID, provisionerdserver.WorkspaceSessionTokenName(user.ID, userWs.ID))
 userWorkspaceAPIKey2      = createAPIKey(user.ID, provisionerdserver.WorkspaceSessionTokenName(user.ID, prebuildsWs.ID))
 prebuildsWorkspaceAPIKey1 = createAPIKey(database.PrebuildsSystemUserID, provisionerdserver.WorkspaceSessionTokenName(database.PrebuildsSystemUserID, prebuildsWs.ID))
 prebuildsWorkspaceAPIKey2 = createAPIKey(database.PrebuildsSystemUserID, provisionerdserver.WorkspaceSessionTokenName(database.PrebuildsSystemUserID, userWs.ID))
 )

 // When: we call ExpirePrebuildsAPIKeys
 err := db.ExpirePrebuildsAPIKeys(ctx, now)
 // Then: no errors is reported.
 require.NoError(t, err)

 // We do not touch user API keys.
 assertKeyActive(unnamedUserAPIKey.ID)
 assertKeyActive(namedUserAPIKey.ID)
 assertKeyActive(userWorkspaceAPIKey1.ID)
 assertKeyActive(userWorkspaceAPIKey2.ID)
 // Unnamed prebuilds API keys get expired.
 assertKeyExpired(unnamedPrebuildsAPIKey.ID)
 // API keys for workspaces still owned by prebuilds user remain active until claimed.
 assertKeyActive(prebuildsWorkspaceAPIKey1.ID)
 // API keys for workspaces no longer owned by prebuilds user get expired.
 assertKeyExpired(prebuildsWorkspaceAPIKey2.ID)
 // Out of an abundance of caution, we do not expire explicitly named prebuilds API keys.
 assertKeyActive(namedPrebuildsAPIKey.ID)
 }
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
Original file line number	Diff line number	Diff line change
Expand Up		@@ -12,6 +12,8 @@ import (
		"github.com/moby/moby/pkg/namesgenerator"
		"golang.org/x/xerrors"

		"cdr.dev/slog"

		"github.com/coder/coder/v2/coderd/apikey"
		"github.com/coder/coder/v2/coderd/audit"
		"github.com/coder/coder/v2/coderd/database"
Expand DownExpand Up		@@ -56,6 +58,14 @@ func (api API) postToken(rw http.ResponseWriter, r http.Request) {
		return
		}

		// TODO(Cian): System users technically just have the 'member' role
		// and we don't want to disallow all members from creating API keys.
		if user.IsSystem {
		api.Logger.Warn(ctx, "disallowed creating api key for system user", slog.F("user_id", user.ID))
		httpapi.Forbidden(rw)
		return
		}

		scope := database.APIKeyScopeAll
		if scope != "" {
		scope = database.APIKeyScope(createToken.Scope)
Expand DownExpand Up		@@ -124,6 +134,14 @@ func (api API) postAPIKey(rw http.ResponseWriter, r http.Request) {
		ctx := r.Context()
		user := httpmw.UserParam(r)

		// TODO(Cian): System users technically just have the 'member' role
		// and we don't want to disallow all members from creating API keys.
		if user.IsSystem {
		api.Logger.Warn(ctx, "disallowed creating api key for system user", slog.F("user_id", user.ID))
		httpapi.Forbidden(rw)
		return
		}

		cookie, _, err := api.createAPIKey(ctx, apikey.CreateParams{
		UserID: user.ID,
		DefaultLifetime: api.DeploymentValues.Sessions.DefaultTokenDuration.Value(),
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,8 +13,10 @@ import (
		"github.com/coder/coder/v2/coderd/audit"
		"github.com/coder/coder/v2/coderd/coderdtest"
		"github.com/coder/coder/v2/coderd/database"
		"github.com/coder/coder/v2/coderd/database/dbgen"
		"github.com/coder/coder/v2/coderd/database/dbtestutil"
		"github.com/coder/coder/v2/coderd/database/dbtime"
		"github.com/coder/coder/v2/coderd/httpapi"
		"github.com/coder/coder/v2/codersdk"
		"github.com/coder/coder/v2/testutil"
		"github.com/coder/serpent"
Expand DownExpand Up		@@ -351,3 +353,34 @@ func TestAPIKey_SetDefault(t *testing.T) {
		require.NoError(t, err)
		require.EqualValues(t, dc.Sessions.DefaultTokenDuration.Value().Seconds(), apiKey1.LifetimeSeconds)
		}

		func TestAPIKey_PrebuildsNotAllowed(t *testing.T) {
		t.Parallel()

		db, pubsub := dbtestutil.NewDB(t)
		dc := coderdtest.DeploymentValues(t)
		dc.Sessions.DefaultTokenDuration = serpent.Duration(time.Hour * 12)
		client := coderdtest.New(t, &coderdtest.Options{
		Database: db,
		Pubsub: pubsub,
		DeploymentValues: dc,
		})

		ctx := testutil.Context(t, testutil.WaitLong)

		// Given: an existing api token for the prebuilds user
		_, prebuildsToken := dbgen.APIKey(t, db, database.APIKey{
		UserID: database.PrebuildsSystemUserID,
		})
		client.SetSessionToken(prebuildsToken)

		// When: the prebuilds user tries to create an API key
		_, err := client.CreateAPIKey(ctx, database.PrebuildsSystemUserID.String())
		// Then: denied.
		require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)

		// When: the prebuilds user tries to create a token
		_, err = client.CreateToken(ctx, database.PrebuildsSystemUserID.String(), codersdk.CreateTokenRequest{})
		// Then: also denied.
		require.ErrorContains(t, err, httpapi.ResourceForbiddenResponse.Message)
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1787,6 +1787,13 @@ func (q *querier) EnqueueNotificationMessage(ctx context.Context, arg database.E
		return q.db.EnqueueNotificationMessage(ctx, arg)
		}

		func (q *querier) ExpirePrebuildsAPIKeys(ctx context.Context, now time.Time) error {
		if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceApiKey); err != nil {
		return err
		}
		return q.db.ExpirePrebuildsAPIKeys(ctx, now)
		}

		func (q *querier) FavoriteWorkspace(ctx context.Context, id uuid.UUID) error {
		fetch := func(ctx context.Context, id uuid.UUID) (database.Workspace, error) {
		return q.db.GetWorkspaceByID(ctx, id)
Expand DownExpand Up		@@ -3727,6 +3734,14 @@ func (q *querier) GetWorkspacesEligibleForTransition(ctx context.Context, now ti
		}

		func (q *querier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) {
		// TODO(Cian): ideally this would be encoded in the policy, but system users are just members and we
		// don't currently have a capability to conditionally deny creating resources by owner ID in a role.
		// We also need to enrich rbac.Actor with IsSystem so that we can distinguish all system users.
		// For now, there is only one system user (prebuilds).
		if act, ok := ActorFromContext(ctx); ok && act.ID == database.PrebuildsSystemUserID.String() {
		return database.APIKey{}, logNotAuthorizedError(ctx, q.log, NotAuthorizedError{Err: xerrors.Errorf("prebuild user may not create api keys")})
		}

		return insert(q.log, q.auth,
		rbac.ResourceApiKey.WithOwner(arg.UserID.String()),
		q.db.InsertAPIKey)(ctx, arg)
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -18,6 +18,7 @@ import (
		"golang.org/x/xerrors"

		"cdr.dev/slog"
		"cdr.dev/slog/sloggers/slogtest"
		"github.com/coder/coder/v2/coderd/coderdtest"
		"github.com/coder/coder/v2/coderd/database"
		"github.com/coder/coder/v2/coderd/database/db2sdk"
Expand DownExpand Up		@@ -1297,6 +1298,10 @@ func (s *MethodTestSuite) TestUser() {
		dbm.EXPECT().DeleteAPIKeysByUserID(gomock.Any(), key.UserID).Return(nil).AnyTimes()
		check.Args(key.UserID).Asserts(rbac.ResourceApiKey.WithOwner(key.UserID.String()), policy.ActionDelete).Returns()
		}))
		s.Run("ExpirePrebuildsAPIKeys", s.Mocked(func(dbm dbmock.MockStore, faker gofakeit.Faker, check *expects) {
		dbm.EXPECT().ExpirePrebuildsAPIKeys(gomock.Any(), gomock.Any()).Times(1).Return(nil)
		check.Args(dbtime.Now()).Asserts(rbac.ResourceApiKey, policy.ActionDelete).Returns()
		}))
		s.Run("GetQuotaAllowanceForUser", s.Mocked(func(dbm dbmock.MockStore, faker gofakeit.Faker, check *expects) {
		u := testutil.Fake(s.T(), faker, database.User{})
		arg := database.GetQuotaAllowanceForUserParams{UserID: u.ID, OrganizationID: uuid.New()}
Expand DownExpand Up		@@ -4287,3 +4292,19 @@ func (s *MethodTestSuite) TestUsageEvents() {
		}).Asserts(rbac.ResourceUsageEvent, policy.ActionRead)
		}))
		}

		// Ensures that the prebuilds actor may never insert an api key.
		func TestInsertAPIKey_AsPrebuildsUser(t *testing.T) {
		t.Parallel()
		prebuildsSubj := rbac.Subject{
		ID: database.PrebuildsSystemUserID.String(),
		}
		ctx := dbauthz.As(testutil.Context(t, testutil.WaitShort), prebuildsSubj)
		mDB := dbmock.NewMockStore(gomock.NewController(t))
		log := slogtest.Make(t, nil)
		mDB.EXPECT().Wrappers().Times(1).Return([]string{})
		dbz := dbauthz.New(mDB, nil, log, nil)
		faker := gofakeit.New(0)
		_, err := dbz.InsertAPIKey(ctx, testutil.Fake(t, faker, database.InsertAPIKeyParams{}))
		require.True(t, dbauthz.IsNotAuthorizedError(err))
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -157,7 +157,7 @@ func Template(t testing.TB, db database.Store, seed database.Template) database.
		return template
		}

		func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database.APIKey, token string) {
		func APIKey(t testing.TB, db database.Store, seed database.APIKey, munge ...func(*database.InsertAPIKeyParams)) (key database.APIKey, token string) {
		id, _ := cryptorand.String(10)
		secret, _ := cryptorand.String(22)
		hashed := sha256.Sum256([]byte(secret))
Expand All		@@ -173,7 +173,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database
		}
		}

		key, err := db.InsertAPIKey(genCtx, database.InsertAPIKeyParams{
		params := database.InsertAPIKeyParams{
		ID: takeFirst(seed.ID, id),
		// 0 defaults to 86400 at the db layer
		LifetimeSeconds: takeFirst(seed.LifetimeSeconds, 0),
Expand All		@@ -187,7 +187,11 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database
		LoginType: takeFirst(seed.LoginType, database.LoginTypePassword),
		Scope: takeFirst(seed.Scope, database.APIKeyScopeAll),
		TokenName: takeFirst(seed.TokenName),
		})
		}
		for _, fn := range munge {
		fn(&params)
		}
		key, err := db.InsertAPIKey(genCtx, params)
		require.NoError(t, err, "insert api key")
		return key, fmt.Sprintf("%s-%s", key.ID, secret)
		}
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -68,6 +68,9 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, clk quartz.
		if err := tx.DeleteOldNotificationMessages(ctx); err != nil {
		return xerrors.Errorf("failed to delete old notification messages: %w", err)
		}
		if err := tx.ExpirePrebuildsAPIKeys(ctx, dbtime.Time(start)); err != nil {
		return xerrors.Errorf("failed to expire prebuilds user api keys: %w", err)
		}

		deleteOldAuditLogConnectionEventsBefore := start.Add(-maxAuditLogConnectionEventAge)
		if err := tx.DeleteOldAuditLogConnectionEvents(ctx, database.DeleteOldAuditLogConnectionEventsParams{
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -27,6 +27,7 @@ import (
		"github.com/coder/coder/v2/coderd/database/dbrollup"
		"github.com/coder/coder/v2/coderd/database/dbtestutil"
		"github.com/coder/coder/v2/coderd/database/dbtime"
		"github.com/coder/coder/v2/coderd/provisionerdserver"
		"github.com/coder/coder/v2/codersdk"
		"github.com/coder/coder/v2/provisionerd/proto"
		"github.com/coder/coder/v2/provisionersdk"
Expand DownExpand Up		@@ -638,3 +639,68 @@ func TestDeleteOldAuditLogConnectionEventsLimit(t *testing.T) {

		require.Len(t, logs, 0)
		}

		func TestExpireOldAPIKeys(t *testing.T) {
		t.Parallel()

		// Given: a number of workspaces and API keys owned by a regular user and the prebuilds system user.
		var (
		ctx = testutil.Context(t, testutil.WaitShort)
		now = dbtime.Now()
		db, _ = dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
		org = dbgen.Organization(t, db, database.Organization{})
		user = dbgen.User(t, db, database.User{})
		tpl = dbgen.Template(t, db, database.Template{OrganizationID: org.ID, CreatedBy: user.ID})
		userWs = dbgen.Workspace(t, db, database.WorkspaceTable{
		OwnerID: user.ID,
		TemplateID: tpl.ID,
		})
		prebuildsWs = dbgen.Workspace(t, db, database.WorkspaceTable{
		OwnerID: database.PrebuildsSystemUserID,
		TemplateID: tpl.ID,
		})
		createAPIKey = func(userID uuid.UUID, name string) database.APIKey {
		k, _ := dbgen.APIKey(t, db, database.APIKey{UserID: userID, TokenName: name, ExpiresAt: now.Add(time.Hour)}, func(iap *database.InsertAPIKeyParams) {
		iap.TokenName = name
		})
		return k
		}
		assertKeyActive = func(kid string) {
		k, err := db.GetAPIKeyByID(ctx, kid)
		require.NoError(t, err)
		assert.True(t, k.ExpiresAt.After(now))
		}
		assertKeyExpired = func(kid string) {
		k, err := db.GetAPIKeyByID(ctx, kid)
		require.NoError(t, err)
		assert.True(t, k.ExpiresAt.Equal(now))
		}
		unnamedUserAPIKey = createAPIKey(user.ID, "")
		unnamedPrebuildsAPIKey = createAPIKey(database.PrebuildsSystemUserID, "")
		namedUserAPIKey = createAPIKey(user.ID, "my-token")
		namedPrebuildsAPIKey = createAPIKey(database.PrebuildsSystemUserID, "also-my-token")
		userWorkspaceAPIKey1 = createAPIKey(user.ID, provisionerdserver.WorkspaceSessionTokenName(user.ID, userWs.ID))
		userWorkspaceAPIKey2 = createAPIKey(user.ID, provisionerdserver.WorkspaceSessionTokenName(user.ID, prebuildsWs.ID))
		prebuildsWorkspaceAPIKey1 = createAPIKey(database.PrebuildsSystemUserID, provisionerdserver.WorkspaceSessionTokenName(database.PrebuildsSystemUserID, prebuildsWs.ID))
		prebuildsWorkspaceAPIKey2 = createAPIKey(database.PrebuildsSystemUserID, provisionerdserver.WorkspaceSessionTokenName(database.PrebuildsSystemUserID, userWs.ID))
		)

		// When: we call ExpirePrebuildsAPIKeys
		err := db.ExpirePrebuildsAPIKeys(ctx, now)
		// Then: no errors is reported.
		require.NoError(t, err)

		// We do not touch user API keys.
		assertKeyActive(unnamedUserAPIKey.ID)
		assertKeyActive(namedUserAPIKey.ID)
		assertKeyActive(userWorkspaceAPIKey1.ID)
		assertKeyActive(userWorkspaceAPIKey2.ID)
		// Unnamed prebuilds API keys get expired.
		assertKeyExpired(unnamedPrebuildsAPIKey.ID)
		// API keys for workspaces still owned by prebuilds user remain active until claimed.
		assertKeyActive(prebuildsWorkspaceAPIKey1.ID)
		// API keys for workspaces no longer owned by prebuilds user get expired.
		assertKeyExpired(prebuildsWorkspaceAPIKey2.ID)
		// Out of an abundance of caution, we do not expire explicitly named prebuilds API keys.
		assertKeyActive(namedPrebuildsAPIKey.ID)
		}