Skip to main content

kanade_shared/
secrets.rs

1//! Registry-backed secret store for production credentials.
2//!
3//! Windows services run as LocalSystem and inherit Machine-scope env
4//! vars, but those vars are readable by any logged-in user. Storing
5//! the credential under HKLM with a hardened ACL (SYSTEM +
6//! Administrators only) keeps it out of low-privilege reach.
7//!
8//! Layout in use across kanade:
9//!
10//! ```text
11//! HKLM\SOFTWARE\kanade\
12//!   agent\
13//!     NatsToken      — shared NATS bearer token (agent + backend + CLI)
14//!   backend\
15//!     StaticToken    — KANADE_AUTH_STATIC_TOKEN counterpart
16//!     JwtSecret      — KANADE_JWT_SECRET counterpart
17//! ```
18//!
19//! `deploy-agent.ps1` / `deploy-backend.ps1` provision these keys and
20//! apply the ACL. Non-Windows builds get an empty stub so the
21//! workspace still cross-compiles for the CLI's Linux / macOS release
22//! artifacts.
23
24/// Read a `REG_SZ` value from `HKLM\<subkey>` and return it when
25/// non-empty. Returns `None` for missing keys, missing values, empty
26/// strings, or non-Windows targets.
27#[cfg(windows)]
28pub fn read_hklm_value(subkey: &str, value: &str) -> Option<String> {
29    use winreg::RegKey;
30    use winreg::enums::HKEY_LOCAL_MACHINE;
31
32    let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
33    let key = hklm.open_subkey(subkey).ok()?;
34    let s: String = key.get_value(value).ok()?;
35    if s.is_empty() { None } else { Some(s) }
36}
37
38#[cfg(not(windows))]
39pub fn read_hklm_value(_subkey: &str, _value: &str) -> Option<String> {
40    None
41}