perf(coderd/dbauthz): bypass authorization cascade for system-restricted contexts

Callum Styan · Callum Styan · commit abddcbe6cfa2 · 2025-12-15T22:19:39.000Z
GetWorkspaceResourceWithJobByID now checks if the context is
system-restricted and, if so, directly calls the raw database query
without going through the authorization cascade.

This completely eliminates the GetWorkspaceBuildByJobID call for
system-restricted contexts (like handleAuthInstanceID) by skipping
the GetProvisionerJobByID authorization chain.

Before: GetWorkspaceResourceWithJobByID → GetWorkspaceResourceByID →
        GetProvisionerJobByID → GetWorkspaceBuildByJobID (1 call)

After: GetWorkspaceResourceWithJobByID → direct db query (0 calls)

The function returns an error if called without system-restricted
context to ensure it's only used in appropriate scenarios.
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -3925,24 +3925,19 @@ func (q *querier) GetWorkspaceResourceByID(ctx context.Context, id uuid.UUID) (d
 }
 
 // GetWorkspaceResourceWithJobByID is an optimized version that fetches both
-// the resource and job information in a single query. This reduces the number
-// of database calls compared to GetWorkspaceResourceByID + GetProvisionerJobByID.
-// The authorization check cascades through the job to the workspace build.
+// the resource and job information in a single query. This is specifically
+// designed for system-restricted contexts (like agent authentication) where
+// we can bypass the authorization cascade that would normally call
+// GetWorkspaceBuildByJobID.
 func (q *querier) GetWorkspaceResourceWithJobByID(ctx context.Context, id uuid.UUID) (database.GetWorkspaceResourceWithJobByIDRow, error) {
-	// First, get just the resource to extract the job_id for authorization.
-	resource, err := q.db.GetWorkspaceResourceByID(ctx, id)
-	if err != nil {
-		return database.GetWorkspaceResourceWithJobByIDRow{}, err
-	}
-
-	// Authorize the provisioner job before fetching sensitive data (this will
-	// cascade to GetWorkspaceBuildByJobID).
-	_, err = q.GetProvisionerJobByID(ctx, resource.JobID)
-	if err != nil {
-		return database.GetWorkspaceResourceWithJobByIDRow{}, err
+	// Check if this is a system-restricted context.
+	actor, ok := ActorFromContext(ctx)
+	if !ok || actor.Type != rbac.SubjectTypeSystemRestricted {
+		return database.GetWorkspaceResourceWithJobByIDRow{}, xerrors.New("GetWorkspaceResourceWithJobByID requires system-restricted context")
 	}
 
-	// Now fetch the full data including job details.
+	// With system-restricted context, we can safely bypass the authorization
+	// cascade and call the database directly.
 	return q.db.GetWorkspaceResourceWithJobByID(ctx, id)
 }
 
