coder
diff --git a/‎coderd/coderd.go
Lines changed: 6 additions & 4 deletions b/‎coderd/coderd.go
Lines changed: 6 additions & 4 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 3 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 8 additions & 0 deletions b/‎coderd/database/dump.sql
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.down.sql
Lines changed: 6 additions & 0 deletions b/‎coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.down.sql
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.up.sql
Lines changed: 10 additions & 0 deletions b/‎coderd/database/migrations/000326_add_api_key_scope_to_workspace_agents.up.sql
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 60 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 60 additions & 0 deletions
@@ -802,6 +802,11 @@ func New(options *Options) *API {
 		PostAuthAdditionalHeadersFunc: options.PostAuthAdditionalHeadersFunc,
 	})
 
+	workspaceAgentInfo := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
+		DB:       options.Database,
+		Optional: false,
+	})
+
 	// API rate limit middleware. The counter is local and not shared between
 	// replicas or instances of this middleware.
 	apiRateLimiter := httpmw.RateLimit(options.APIRateLimit, time.Minute)
@@ -1289,10 +1294,7 @@ func New(options *Options) *API {
 				httpmw.RequireAPIKeyOrWorkspaceProxyAuth(),
 			).Get("/connection", api.workspaceAgentConnectionGeneric)
 			r.Route("/me", func(r chi.Router) {
-				r.Use(httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
-					DB:       options.Database,
-					Optional: false,
-				}))
+				r.Use(workspaceAgentInfo)
 				r.Get("/rpc", api.workspaceAgentRPC)
 				r.Patch("/logs", api.patchWorkspaceAgentLogs)
 				r.Patch("/app-status", api.patchWorkspaceAgentAppStatus)
 
@@ -4018,8 +4018,9 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 		check.Args(database.InsertWorkspaceAgentParams{
-			ID:   uuid.New(),
-			Name: "dev",
+			ID:          uuid.New(),
+			Name:        "dev",
+			APIKeyScope: database.AgentKeyScopeEnumAll,
 		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
 
@@ -212,6 +212,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
 		MOTDFile:                 takeFirst(orig.TroubleshootingURL, ""),
 		DisplayApps:              append([]database.DisplayApp{}, orig.DisplayApps...),
 		DisplayOrder:             takeFirst(orig.DisplayOrder, 1),
+		APIKeyScope:              takeFirst(orig.APIKeyScope, database.AgentKeyScopeEnumAll),
 	})
 	require.NoError(t, err, "insert workspace agent")
 	return agt
 
@@ -9620,6 +9620,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser
 		LifecycleState:           database.WorkspaceAgentLifecycleStateCreated,
 		DisplayApps:              arg.DisplayApps,
 		DisplayOrder:             arg.DisplayOrder,
+		APIKeyScope:              arg.APIKeyScope,
 	}
 
 	q.workspaceAgents = append(q.workspaceAgents, agent)
 
@@ -0,0 +1,6 @@
+-- Remove the api_key_scope column from the workspace_agents table
+ALTER TABLE workspace_agents
+DROP COLUMN IF EXISTS api_key_scope;
+
+-- Drop the enum type for API key scope
+DROP TYPE IF EXISTS agent_key_scope_enum;
@@ -0,0 +1,10 @@
+-- Create the enum type for API key scope
+CREATE TYPE agent_key_scope_enum AS ENUM ('all', 'no_user_data');
+
+-- Add the api_key_scope column to the workspace_agents table
+-- It defaults to 'all' to maintain existing behavior for current agents.
+ALTER TABLE workspace_agents
+ADD COLUMN api_key_scope agent_key_scope_enum NOT NULL DEFAULT 'all';
+
+-- Add a comment explaining the purpose of the column
+COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''all'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
Original file line number	Diff line number	Diff line change
`@@ -9620,6 +9620,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser`
`9620`	`9620`	`LifecycleState: database.WorkspaceAgentLifecycleStateCreated,`
`9621`	`9621`	`DisplayApps: arg.DisplayApps,`
`9622`	`9622`	`DisplayOrder: arg.DisplayOrder,`
	`9623`	`+ APIKeyScope: arg.APIKeyScope,`
`9623`	`9624`	`}`
`9624`	`9625`
`9625`	`9626`	`q.workspaceAgents = append(q.workspaceAgents, agent)`