chore: remove rbac psuedo resources, add custom verbs (#13276)

Removes our pseudo rbac resources like `WorkspaceApplicationConnect` in favor of additional verbs like `ssh`. This is to make more intuitive permissions for building custom roles.

The source of truth is now `policy.go`

coderd/coderdtest/authorize.go

@@ -416,23 +416,16 @@ func RandomRBACObject() rbac.Object {
 func randomRBACType() string {
 	all := []string{
 		rbac.ResourceWorkspace.Type,
-		rbac.ResourceWorkspaceExecution.Type,
-		rbac.ResourceWorkspaceApplicationConnect.Type,
 		rbac.ResourceAuditLog.Type,
 		rbac.ResourceTemplate.Type,
 		rbac.ResourceGroup.Type,
 		rbac.ResourceFile.Type,
 		rbac.ResourceProvisionerDaemon.Type,
 		rbac.ResourceOrganization.Type,
-		rbac.ResourceRoleAssignment.Type,
-		rbac.ResourceOrgRoleAssignment.Type,
-		rbac.ResourceAPIKey.Type,
 		rbac.ResourceUser.Type,
-		rbac.ResourceUserData.Type,
 		rbac.ResourceOrganizationMember.Type,
 		rbac.ResourceWildcard.Type,
 		rbac.ResourceLicense.Type,
-		rbac.ResourceDeploymentValues.Type,
 		rbac.ResourceReplicas.Type,
 		rbac.ResourceDebugInfo.Type,
 	}

coderd/coderdtest/coderdtest.go

@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 	}
 
 	if options.Authorizer == nil {
-		defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+		defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 		if _, ok := t.(*testing.T); ok {
 			options.Authorizer = &RecordingAuthorizer{
 				Wrapped: defAuth,