chore: break down dbauthz.System into smaller roles (#6218)

- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
  GetTemplateAverageBuildTime from querier.go to system.go
  and remove their auth checks
- dbauthz: remove AsSystem(), add individual roles for
  autostart, provisionerd, add restricted system role for 
  everything else
Cian Johnston
2023-02-15 16:14:37 +00:00
committed by GitHub
parent 84da6056b2
commit f0f39b4892
25 changed files with 180 additions and 141 deletions


@ -57,8 +57,8 @@ type Server struct {
// AcquireJob queries the database to lock a job.
func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.AcquiredJob, error) {
//nolint:gocritic //TODO: make a provisionerd role
ctx = dbauthz.AsSystem(ctx)
//nolint:gocritic // Provisionerd has specific authz rules.
ctx = dbauthz.AsProvisionerd(ctx)
// This prevents loads of provisioner daemons from consistently
// querying the database when no jobs are available.
//
@ -273,8 +273,8 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
}
func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuotaRequest) (*proto.CommitQuotaResponse, error) {
//nolint:gocritic //TODO: make a provisionerd role
ctx = dbauthz.AsSystem(ctx)
//nolint:gocritic // Provisionerd has specific authz rules.
ctx = dbauthz.AsProvisionerd(ctx)
jobID, err := uuid.Parse(request.JobId)
if err != nil {
return nil, xerrors.Errorf("parse job id: %w", err)
@ -304,8 +304,8 @@ func (server *Server) CommitQuota(ctx context.Context, request *proto.CommitQuot
}
func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobRequest) (*proto.UpdateJobResponse, error) {
//nolint:gocritic //TODO: make a provisionerd role
ctx = dbauthz.AsSystem(ctx)
//nolint:gocritic // Provisionerd has specific authz rules.
ctx = dbauthz.AsProvisionerd(ctx)
parsedID, err := uuid.Parse(request.JobId)
if err != nil {
return nil, xerrors.Errorf("parse job id: %w", err)
@ -352,8 +352,8 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
slog.F("stage", log.Stage),
slog.F("output", log.Output))
}
//nolint:gocritic //TODO: make a provisionerd role
logs, err := server.Database.InsertProvisionerJobLogs(dbauthz.AsSystem(context.Background()), insertParams)
//nolint:gocritic // Provisionerd has specific authz rules.
logs, err := server.Database.InsertProvisionerJobLogs(dbauthz.AsProvisionerd(context.Background()), insertParams)
if err != nil {
server.Logger.Error(ctx, "failed to insert job logs", slog.F("job_id", parsedID), slog.Error(err))
return nil, xerrors.Errorf("insert job logs: %w", err)
@ -478,8 +478,8 @@ func (server *Server) UpdateJob(ctx context.Context, request *proto.UpdateJobReq
}
func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*proto.Empty, error) {
//nolint:gocritic // TODO: make a provisionerd role
ctx = dbauthz.AsSystem(ctx)
//nolint:gocritic // Provisionerd has specific authz rules.
ctx = dbauthz.AsProvisionerd(ctx)
jobID, err := uuid.Parse(failJob.JobId)
if err != nil {
return nil, xerrors.Errorf("parse job id: %w", err)
@ -606,8 +606,8 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
// CompleteJob is triggered by a provision daemon to mark a provisioner job as completed.
func (server *Server) CompleteJob(ctx context.Context, completed *proto.CompletedJob) (*proto.Empty, error) {
//nolint:gocritic // TODO: make a provisionerd role
ctx = dbauthz.AsSystem(ctx)
//nolint:gocritic // Provisionerd has specific authz rules.
ctx = dbauthz.AsProvisionerd(ctx)
jobID, err := uuid.Parse(completed.JobId)
if err != nil {
return nil, xerrors.Errorf("parse job id: %w", err)
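Review bot: In the UpdateJob hunk that calls `InsertProvisionerJobLogs`, the new line still builds its actor from `context.Background()` even though `ctx` was already rewrapped with `dbauthz.AsProvisionerd(ctx)` at the top of the same function, so this one query runs under the provisionerd role but detached from the request's cancellation and deadline. If the detachment is not intended, pass the request context instead: `logs, err := server.Database.InsertProvisionerJobLogs(ctx, insertParams)`. If it is deliberate (presumably so log rows are still written when the caller disconnects), the nolint comment should say so, because "Provisionerd has specific authz rules." explains the role but not the background context. UpdateJob's body starts and ends outside this hunk. The same one-line justification is repeated in AcquireJob, CommitQuota, FailJob and CompleteJob without naming where the provisionerd role's permissions are defined, which a reader auditing these elevations would need.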