refactor(dbauthz): add authz for system-level functions (#6513)

- Introduces rbac.ResourceSystem
- Grants system.* to system and provisionerd rbac subjects
- Updates dbauthz system queries where applicable
- coderd: Avoid index out of bounds in api.workspaceBuilds
- dbauthz: move GetUsersByIDs out of system, modify RBAC check to ResourceUser
- workspaceapps: Add test case for when owner of app is not found

coderd/workspaceapps/auth_test.go

@@ -540,6 +540,26 @@ func Test_ResolveRequest(t *testing.T) {
 		require.Nil(t, ticket)
 	})
 
+	t.Run("UserNotFound", func(t *testing.T) {
+		t.Parallel()
+		req := workspaceapps.Request{
+			AccessMethod:      workspaceapps.AccessMethodPath,
+			BasePath:          "/app",
+			UsernameOrID:      "thisuserdoesnotexist",
+			WorkspaceNameOrID: workspace.Name,
+			AgentNameOrID:     agentName,
+			AppSlugOrPort:     appNameOwner,
+		}
+
+		rw := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/app", nil)
+		r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+
+		ticket, ok := api.WorkspaceAppsProvider.ResolveRequest(rw, r, req)
+		require.False(t, ok)
+		require.Nil(t, ticket)
+	})
+
 	t.Run("RedirectSubdomainAuth", func(t *testing.T) {
 		t.Parallel()