prevent creation and modification of system users

coderd/database/dump.sql

@@ -445,6 +445,17 @@ BEGIN
 END;
 $$;
 
+CREATE FUNCTION prevent_system_user_changes() RETURNS trigger
+    LANGUAGE plpgsql
+    AS $$
+BEGIN
+	IF OLD.is_system = true THEN
+		RAISE EXCEPTION 'Cannot modify or delete system users';
+	END IF;
+	RETURN OLD;
+END;
+$$;
+
 CREATE FUNCTION protect_deleting_organizations() RETURNS trigger
     LANGUAGE plpgsql
     AS $$
@@ -2617,6 +2628,10 @@ CREATE OR REPLACE VIEW workspace_prebuilds AS
 
 CREATE TRIGGER inhibit_enqueue_if_disabled BEFORE INSERT ON notification_messages FOR EACH ROW EXECUTE FUNCTION inhibit_enqueue_if_disabled();
 
+CREATE TRIGGER prevent_system_user_deletions BEFORE DELETE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
+
+CREATE TRIGGER prevent_system_user_updates BEFORE UPDATE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
+
 CREATE TRIGGER protect_deleting_organizations BEFORE UPDATE ON organizations FOR EACH ROW WHEN (((new.deleted = true) AND (old.deleted = false))) EXECUTE FUNCTION protect_deleting_organizations();
 
 CREATE TRIGGER remove_organization_member_custom_role BEFORE DELETE ON custom_roles FOR EACH ROW EXECUTE FUNCTION remove_organization_member_role();

coderd/database/migrations/000302_prebuilds.down.sql

@@ -3,6 +3,11 @@ DROP VIEW IF EXISTS workspace_prebuild_builds;
 DROP VIEW IF EXISTS workspace_prebuilds;
 DROP VIEW IF EXISTS workspace_latest_build;
 
+-- Undo the restriction on deleting system users
+DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;
+DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;
+DROP FUNCTION IF EXISTS prevent_system_user_changes();
+
 -- Revert user operations
 -- c42fdf75-3097-471c-8c33-fb52454d81c0 is the identifier for the system user responsible for prebuilds.
 DELETE FROM user_status_changes WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';

coderd/database/migrations/000302_prebuilds.up.sql

@@ -3,6 +3,32 @@ INSERT INTO users (id, email, username, name, created_at, updated_at, status, rb
 VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),
 		'active', '{}', 'none', true);
 
+-- Create function to check system user modifications
+CREATE OR REPLACE FUNCTION prevent_system_user_changes()
+	RETURNS TRIGGER AS
+$$
+BEGIN
+	IF OLD.is_system = true THEN
+		RAISE EXCEPTION 'Cannot modify or delete system users';
+	END IF;
+	RETURN OLD;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create trigger to prevent updates to system users
+CREATE TRIGGER prevent_system_user_updates
+	BEFORE UPDATE ON users
+	FOR EACH ROW
+	WHEN (OLD.is_system = true)
+	EXECUTE FUNCTION prevent_system_user_changes();
+
+-- Create trigger to prevent deletion of system users
+CREATE TRIGGER prevent_system_user_deletions
+	BEFORE DELETE ON users
+	FOR EACH ROW
+	WHEN (OLD.is_system = true)
+	EXECUTE FUNCTION prevent_system_user_changes();
+
 -- TODO: do we *want* to use the default org here? how do we handle multi-org?
 WITH default_org AS (SELECT id
 					 FROM organizations

enterprise/coderd/groups_test.go

@@ -823,6 +823,7 @@ func TestGroup(t *testing.T) {
 
 	t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
 		// TODO (sasswart): this test seems to have drifted from its original intention. evaluate and remove/fix
+		// "everyone group returns empty", but it returns 5 members?
 		t.Parallel()
 
 		// TODO: we should not be returning the prebuilds user in Group, and this is not returned in dbmem.