kanade-shared 0.11.0

Shared wire types, NATS subject helpers, KV constants, YAML manifest schema, and teravars-backed config loader for the kanade endpoint-management system
//! Registry-backed secret store for production credentials.
//!
//! Windows services run as LocalSystem and inherit Machine-scope env
//! vars, but those vars are readable by any logged-in user. Storing
//! the credential under HKLM with a hardened ACL (SYSTEM +
//! Administrators only) keeps it out of low-privilege reach.
//!
//! Layout in use across kanade:
//!
//! ```text
//! HKLM\SOFTWARE\kanade\
//!   agent\
//!     NatsToken      — shared NATS bearer token (agent + backend + CLI)
//!   backend\
//!     StaticToken    — KANADE_AUTH_STATIC_TOKEN counterpart
//!     JwtSecret      — KANADE_JWT_SECRET counterpart
//! ```
//!
//! `deploy-agent.ps1` / `deploy-backend.ps1` provision these keys and
//! apply the ACL. Non-Windows builds get an empty stub so the
//! workspace still cross-compiles for the CLI's Linux / macOS release
//! artifacts.

/// Fetch a string value stored under `HKLM\<subkey>`, yielding it only
/// when it is non-empty.
///
/// `subkey` is the path below `HKEY_LOCAL_MACHINE` (for example
/// `SOFTWARE\kanade\agent`) and `value` is the value name inside that
/// key (for example `NatsToken`).
///
/// # Returns
///
/// `Some(secret)` when the key opens, the value converts to a `String`,
/// and the string is not empty. Every failure is collapsed to `None`:
/// the underlying `io::Error` is discarded, so a missing key, a missing
/// value, a value that cannot be converted, and an access-denied error
/// all look the same to the caller. The non-Windows build of this
/// function always returns `None`.
///
/// # Security notes
///
/// * This function only reads. It does not inspect the key's ACL, so
///   confidentiality and integrity of the value depend entirely on the
///   key having been provisioned with a restrictive ACL beforehand.
/// * Because errors are swallowed, a misconfigured ACL that denies the
///   service account is indistinguishable from "no secret configured".
///   Callers that fall back to another credential source on `None`
///   should treat that fallback as a deliberate decision.
/// * The returned `String` holds the credential in ordinary heap
///   memory; keep it out of logs and `Debug` output.
/// * NOTE(review): the key is opened without an explicit registry-view
///   flag, so a 32-bit build on 64-bit Windows would presumably be
///   redirected to `WOW6432Node` under `SOFTWARE` — confirm the build
///   targets match where the deploy scripts write.
/// * NOTE(review): winreg's `String` conversion appears to accept more
///   than `REG_SZ` (e.g. `REG_EXPAND_SZ`); verify if strict typing of
///   the stored value matters.
#[cfg(windows)]
pub fn read_hklm_value(subkey: &str, value: &str) -> Option<String> {
    use winreg::enums::HKEY_LOCAL_MACHINE;
    use winreg::RegKey;

    RegKey::predef(HKEY_LOCAL_MACHINE)
        .open_subkey(subkey)
        // Any I/O error from opening the key or reading the value ends
        // up as `None` below; the error detail is intentionally dropped.
        .and_then(|opened| opened.get_value::<String, _>(value))
        .ok()
        // An empty string is treated the same as "not configured".
        .filter(|secret| !secret.is_empty())
}

/// Non-Windows stand-in for the registry reader.
///
/// There is no `HKEY_LOCAL_MACHINE` hive on these targets, so both
/// arguments are ignored and the result is always `None`. Callers on
/// Linux / macOS therefore never obtain a credential from this function
/// and must source it some other way.
#[cfg(not(windows))]
pub fn read_hklm_value(_subkey: &str, _value: &str) -> Option<String> {
    // Nothing to look up on this platform.
    None
}