coder
diff --git a/‎coderd/coderd.go
+28-9 b/‎coderd/coderd.go
+28-9
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+3-2 b/‎coderd/database/dbauthz/dbauthz_test.go
+3-2
diff --git a/‎coderd/database/dbgen/dbgen.go
+1 b/‎coderd/database/dbgen/dbgen.go
+1
diff --git a/‎coderd/database/dbmem/dbmem.go
+1 b/‎coderd/database/dbmem/dbmem.go
+1
diff --git a/‎coderd/database/dump.sql
+8 b/‎coderd/database/dump.sql
+8
diff --git a/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql
+6 b/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.down.sql
+6
diff --git a/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql
+10 b/‎coderd/database/migrations/000320_add_api_key_scope_to_workspace_agents.up.sql
+10
diff --git a/‎coderd/database/models.go
+60 b/‎coderd/database/models.go
+60
@@ -800,6 +800,17 @@ func New(options *Options) *API {
 		PostAuthAdditionalHeadersFunc: options.PostAuthAdditionalHeadersFunc,
 	})
 
+	workspaceAgentInfo := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
+		DB:       options.Database,
+		Optional: false,
+	})
+	// Same as above but optional
+	workspaceAgentInfoOptional := httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
+		DB:       options.Database,
+		Optional: true,
+	})
+	workspaceAgentAPIKeyScopeCheck := httpmw.AgentAPIKeyScopeCheckMW()
+
 	// API rate limit middleware. The counter is local and not shared between
 	// replicas or instances of this middleware.
 	apiRateLimiter := httpmw.RateLimit(options.APIRateLimit, time.Minute)
@@ -1019,6 +1030,8 @@ func New(options *Options) *API {
 		r.Route("/external-auth", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
+				workspaceAgentInfoOptional,
+				workspaceAgentAPIKeyScopeCheck,
 			)
 			// Get without a specific external auth ID will return all external auths.
 			r.Get("/", api.listUserExternalAuths)
@@ -1254,8 +1267,14 @@ func New(options *Options) *API {
 							r.Get("/", api.workspaceByOwnerAndName)
 							r.Get("/builds/{buildnumber}", api.workspaceBuildByBuildNumber)
 						})
-						r.Get("/gitsshkey", api.gitSSHKey)
-						r.Put("/gitsshkey", api.regenerateGitSSHKey)
+						r.With(
+							workspaceAgentInfoOptional,
+							workspaceAgentAPIKeyScopeCheck,
+						).Get("/gitsshkey", api.gitSSHKey)
+						r.With(
+							workspaceAgentInfoOptional,
+							workspaceAgentAPIKeyScopeCheck,
+						).Put("/gitsshkey", api.regenerateGitSSHKey)
 						r.Route("/notifications", func(r chi.Router) {
 							r.Route("/preferences", func(r chi.Router) {
 								r.Get("/", api.userNotificationPreferences)
@@ -1284,17 +1303,17 @@ func New(options *Options) *API {
 				httpmw.RequireAPIKeyOrWorkspaceProxyAuth(),
 			).Get("/connection", api.workspaceAgentConnectionGeneric)
 			r.Route("/me", func(r chi.Router) {
-				r.Use(httpmw.ExtractWorkspaceAgentAndLatestBuild(httpmw.ExtractWorkspaceAgentAndLatestBuildConfig{
-					DB:       options.Database,
-					Optional: false,
-				}))
+				r.Use(workspaceAgentInfo)
 				r.Get("/rpc", api.workspaceAgentRPC)
 				r.Patch("/logs", api.patchWorkspaceAgentLogs)
 				r.Patch("/app-status", api.patchWorkspaceAgentAppStatus)
 				// Deprecated: Required to support legacy agents
-				r.Get("/gitauth", api.workspaceAgentsGitAuth)
-				r.Get("/external-auth", api.workspaceAgentsExternalAuth)
-				r.Get("/gitsshkey", api.agentGitSSHKey)
+				r.With(workspaceAgentAPIKeyScopeCheck).
+					Get("/gitauth", api.workspaceAgentsGitAuth)
+				r.With(workspaceAgentAPIKeyScopeCheck).
+					Get("/external-auth", api.workspaceAgentsExternalAuth)
+				r.With(workspaceAgentAPIKeyScopeCheck).
+					Get("/gitsshkey", api.agentGitSSHKey)
 				r.Post("/log-source", api.workspaceAgentPostLogSource)
 			})
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 
@@ -3986,8 +3986,9 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 		check.Args(database.InsertWorkspaceAgentParams{
-			ID:   uuid.New(),
-			Name: "dev",
+			ID:          uuid.New(),
+			Name:        "dev",
+			APIKeyScope: database.ApiKeyScopeEnumDefault,
 		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
 
@@ -210,6 +210,7 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
 		MOTDFile:                 takeFirst(orig.TroubleshootingURL, ""),
 		DisplayApps:              append([]database.DisplayApp{}, orig.DisplayApps...),
 		DisplayOrder:             takeFirst(orig.DisplayOrder, 1),
+		APIKeyScope:              takeFirst(orig.APIKeyScope, database.ApiKeyScopeEnumDefault),
 	})
 	require.NoError(t, err, "insert workspace agent")
 	return agt
 
@@ -9587,6 +9587,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser
 		LifecycleState:           database.WorkspaceAgentLifecycleStateCreated,
 		DisplayApps:              arg.DisplayApps,
 		DisplayOrder:             arg.DisplayOrder,
+		APIKeyScope:              arg.APIKeyScope,
 	}
 
 	q.workspaceAgents = append(q.workspaceAgents, agent)
 
@@ -0,0 +1,6 @@
+-- Remove the api_key_scope column from the workspace_agents table
+ALTER TABLE workspace_agents
+DROP COLUMN IF EXISTS api_key_scope;
+
+-- Drop the enum type for API key scope
+DROP TYPE IF EXISTS api_key_scope_enum;
@@ -0,0 +1,10 @@
+-- Create the enum type for API key scope
+CREATE TYPE api_key_scope_enum AS ENUM ('default', 'no_user_data');
+
+-- Add the api_key_scope column to the workspace_agents table
+-- It defaults to 'default' to maintain existing behavior for current agents.
+ALTER TABLE workspace_agents
+ADD COLUMN api_key_scope api_key_scope_enum NOT NULL DEFAULT 'default';
+
+-- Add a comment explaining the purpose of the column
+COMMENT ON COLUMN workspace_agents.api_key_scope IS 'Defines the scope of the API key associated with the agent. ''default'' allows access to everything, ''no_user_data'' restricts it to exclude user data.';
Original file line number	Diff line number	Diff line change
`@@ -9587,6 +9587,7 @@ func (q *FakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser`
`9587`	`9587`	`LifecycleState: database.WorkspaceAgentLifecycleStateCreated,`
`9588`	`9588`	`DisplayApps: arg.DisplayApps,`
`9589`	`9589`	`DisplayOrder: arg.DisplayOrder,`
	`9590`	`+ APIKeyScope: arg.APIKeyScope,`
`9590`	`9591`	`}`
`9591`	`9592`
`9592`	`9593`	`q.workspaceAgents = append(q.workspaceAgents, agent)`