chore: add prebuilds system user (#16916)

Pre-requisite for https://github.com/coder/coder/pull/16891

Closes https://github.com/coder/internal/issues/515

This PR introduces a new concept of a "system" user.

Our data model requires that all workspaces have an owner (a `users`
relation), and prebuilds is a feature that will spin up workspaces to be
claimed later by actual users - and thus needs to own the workspaces in
the interim.

Naturally, introducing a change like this touches a few aspects around
the codebase and we've taken the approach _default hidden_ here; in
other words, queries for users will by default _exclude_ all system
users, but there is a flag to ensure they can be displayed. This keeps
the changeset relatively small.

This user has minimal permissions (it's equivalent to a `member` since
it has no roles). It will be associated with the default org in the
initial migration, and thereafter we'll need to somehow ensure its
membership aligns with templates (which are org-scoped) for which it'll
need to provision prebuilds; that's a solution we'll have in a
subsequent PR.

---------

Signed-off-by: Danny Kopping <dannykopping@gmail.com>
Co-authored-by: Sas Swart <sas.swart.cdk@gmail.com>

coderd/database/querier_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/migrations"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/prebuilds"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/provisionersdk"
@@ -1364,6 +1365,113 @@ func TestUserLastSeenFilter(t *testing.T) {
 	})
 }
 
+func TestGetUsers_IncludeSystem(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name           string
+		includeSystem  bool
+		wantSystemUser bool
+	}{
+		{
+			name:           "include system users",
+			includeSystem:  true,
+			wantSystemUser: true,
+		},
+		{
+			name:           "exclude system users",
+			includeSystem:  false,
+			wantSystemUser: false,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+
+			// Given: a system user
+			// postgres: introduced by migration coderd/database/migrations/00030*_system_user.up.sql
+			// dbmem: created in dbmem/dbmem.go
+			db, _ := dbtestutil.NewDB(t)
+			other := dbgen.User(t, db, database.User{})
+			users, err := db.GetUsers(ctx, database.GetUsersParams{
+				IncludeSystem: tt.includeSystem,
+			})
+			require.NoError(t, err)
+
+			// Should always find the regular user
+			foundRegularUser := false
+			foundSystemUser := false
+
+			for _, u := range users {
+				if u.IsSystem {
+					foundSystemUser = true
+					require.Equal(t, prebuilds.SystemUserID, u.ID)
+				} else {
+					foundRegularUser = true
+					require.Equalf(t, other.ID.String(), u.ID.String(), "found unexpected regular user")
+				}
+			}
+
+			require.True(t, foundRegularUser, "regular user should always be found")
+			require.Equal(t, tt.wantSystemUser, foundSystemUser, "system user presence should match includeSystem setting")
+			require.Equal(t, tt.wantSystemUser, len(users) == 2, "should have 2 users when including system user, 1 otherwise")
+		})
+	}
+}
+
+func TestUpdateSystemUser(t *testing.T) {
+	t.Parallel()
+
+	// TODO (sasswart): We've disabled the protection that prevents updates to system users
+	// while we reassess the mechanism to do so. Rather than skip the test, we've just inverted
+	// the assertions to ensure that the behavior is as desired.
+	// Once we've re-enabeld the system user protection, we'll revert the assertions.
+
+	ctx := testutil.Context(t, testutil.WaitLong)
+
+	// Given: a system user introduced by migration coderd/database/migrations/00030*_system_user.up.sql
+	db, _ := dbtestutil.NewDB(t)
+	users, err := db.GetUsers(ctx, database.GetUsersParams{
+		IncludeSystem: true,
+	})
+	require.NoError(t, err)
+	var systemUser database.GetUsersRow
+	for _, u := range users {
+		if u.IsSystem {
+			systemUser = u
+		}
+	}
+	require.NotNil(t, systemUser)
+
+	// When: attempting to update a system user's name.
+	_, err = db.UpdateUserProfile(ctx, database.UpdateUserProfileParams{
+		ID:   systemUser.ID,
+		Name: "not prebuilds",
+	})
+	// Then: the attempt is rejected by a postgres trigger.
+	// require.ErrorContains(t, err, "Cannot modify or delete system users")
+	require.NoError(t, err)
+
+	// When: attempting to delete a system user.
+	err = db.UpdateUserDeletedByID(ctx, systemUser.ID)
+	// Then: the attempt is rejected by a postgres trigger.
+	// require.ErrorContains(t, err, "Cannot modify or delete system users")
+	require.NoError(t, err)
+
+	// When: attempting to update a user's roles.
+	_, err = db.UpdateUserRoles(ctx, database.UpdateUserRolesParams{
+		ID:           systemUser.ID,
+		GrantedRoles: []string{rbac.RoleAuditor().String()},
+	})
+	// Then: the attempt is rejected by a postgres trigger.
+	// require.ErrorContains(t, err, "Cannot modify or delete system users")
+	require.NoError(t, err)
+}
+
 func TestUserChangeLoginType(t *testing.T) {
 	t.Parallel()
 	if testing.Short() {
@@ -1505,7 +1613,10 @@ func TestWorkspaceQuotas(t *testing.T) {
 		})
 
 		// Fetch the 'Everyone' group members
-		everyoneMembers, err := db.GetGroupMembersByGroupID(ctx, org.ID)
+		everyoneMembers, err := db.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{
+			GroupID:       everyoneGroup.ID,
+			IncludeSystem: false,
+		})
 		require.NoError(t, err)
 
 		require.ElementsMatch(t, db2sdk.List(everyoneMembers, groupMemberIDs),