feat: add keys to organization provision daemons (#14627)

enterprise/coderd/provisionerkeys_test.go

@@ -64,6 +64,20 @@ func TestProvisionerKeys(t *testing.T) {
 	err = outsideOrgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, "key")
 	require.ErrorContains(t, err, "Resource not found")
 
+	// org admin cannot create reserved provisioner keys
+	_, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+		Name: codersdk.ProvisionerKeyNameBuiltIn,
+	})
+	require.ErrorContains(t, err, "reserved")
+	_, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+		Name: codersdk.ProvisionerKeyNameUserAuth,
+	})
+	require.ErrorContains(t, err, "reserved")
+	_, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+		Name: codersdk.ProvisionerKeyNamePSK,
+	})
+	require.ErrorContains(t, err, "reserved")
+
 	// org admin can list provisioner keys and get an empty list
 	keys, err := orgAdmin.ListProvisionerKeys(ctx, owner.OrganizationID)
 	require.NoError(t, err, "org admin list provisioner keys")
@@ -111,4 +125,12 @@ func TestProvisionerKeys(t *testing.T) {
 	// org admin cannot delete a provisioner key that doesn't exist
 	err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, "key")
 	require.ErrorContains(t, err, "Resource not found")
+
+	// org admin cannot delete reserved provisioner keys
+	err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, codersdk.ProvisionerKeyNameBuiltIn)
+	require.ErrorContains(t, err, "reserved")
+	err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, codersdk.ProvisionerKeyNameUserAuth)
+	require.ErrorContains(t, err, "reserved")
+	err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, codersdk.ProvisionerKeyNamePSK)
+	require.ErrorContains(t, err, "reserved")
 }