feat: add backend for jfrog xray support (#11829)

coderd/database/dbauthz/dbauthz.go

@@ -1111,6 +1111,13 @@ func (q *querier) GetHungProvisionerJobs(ctx context.Context, hungSince time.Tim
 	return q.db.GetHungProvisionerJobs(ctx, hungSince)
 }
 
+func (q *querier) GetJFrogXrayScanByWorkspaceAndAgentID(ctx context.Context, arg database.GetJFrogXrayScanByWorkspaceAndAgentIDParams) (database.JfrogXrayScan, error) {
+	if _, err := fetch(q.log, q.auth, q.db.GetWorkspaceByID)(ctx, arg.WorkspaceID); err != nil {
+		return database.JfrogXrayScan{}, err
+	}
+	return q.db.GetJFrogXrayScanByWorkspaceAndAgentID(ctx, arg)
+}
+
 func (q *querier) GetLastUpdateCheck(ctx context.Context) (string, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
 		return "", err
@@ -3153,6 +3160,27 @@ func (q *querier) UpsertHealthSettings(ctx context.Context, value string) error
 	return q.db.UpsertHealthSettings(ctx, value)
 }
 
+func (q *querier) UpsertJFrogXrayScanByWorkspaceAndAgentID(ctx context.Context, arg database.UpsertJFrogXrayScanByWorkspaceAndAgentIDParams) error {
+	// TODO: Having to do all this extra querying makes me a sad panda.
+	workspace, err := q.db.GetWorkspaceByID(ctx, arg.WorkspaceID)
+	if err != nil {
+		return xerrors.Errorf("get workspace by id: %w", err)
+	}
+
+	template, err := q.db.GetTemplateByID(ctx, workspace.TemplateID)
+	if err != nil {
+		return xerrors.Errorf("get template by id: %w", err)
+	}
+
+	// Only template admins should be able to write JFrog Xray scans to a workspace.
+	// We don't want this to be a workspace-level permission because then users
+	// could overwrite their own results.
+	if err := q.authorizeContext(ctx, rbac.ActionCreate, template); err != nil {
+		return err
+	}
+	return q.db.UpsertJFrogXrayScanByWorkspaceAndAgentID(ctx, arg)
+}
+
 func (q *querier) UpsertLastUpdateCheck(ctx context.Context, value string) error {
 	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceSystem); err != nil {
 		return err