What this does

This adds the initial AuthzQuerier implementation as an experiment. It has negative latency impacts to the api at this point, but it is correct* (bugs not withstanding).

The goal of this PR is to push a working implementation.

Testing

Prior to this PR we usedAuthorizeAllEndpoints as our rbac assertions. This was weak (see#5204). There is a similar unit test inauthzquery that asserts all interface methods have been tested with the proper rbac checks:

So we can remove these testsin a future PR:

• coder/coderd/coderdtest/authorize.go

  Line 28 ine6d5c2f

  funcAGPLRoutes(a*AuthTester) (map[string]string,map[string]RouteCheck) {

• coder/coderd/coderdtest/authorize_test.go

  Line 10 ine6d5c2f

  funcTestAuthorizeAllEndpoints(t*testing.T) {

• coder/enterprise/coderd/coderdenttest/coderdenttest_test.go

  Line 24 ine6d5c2f

  funcTestAuthorizeAllEndpoints(t*testing.T) {

Fixes#5204

Future Work

In no particular order

• Implement authz call caching (optimization)
  • Then load testing
• Optimize certain routes (job cancel)
• Use joins to make more tables first class rbac objects (dependant on certain tooling changes)
• Refactor AuthzStore to not be 1:1 withdb.Store. Make a new interface for it.
• Fully implement scoped system roles

• coder/coderd/database/modelmethods.go

  Lines 104 to 106 in4e6b43f

  	// TODO: This feels incorrect as we are really returning a list of orgmembers.
  	// This return type should be refactored to return a list of orgmembers, not this
  	// special type.

Optimizations

• DoworkspaceData in this layer.