cyberark-conjur-cli-docker-based
RFC: Windows identity and settings storage mechanism
Windows has never been our primary platform of focus. This has rarely been an issue, but increasingly we've been asked to support legacy systems and deployments with an established Windows presence.
The current default credential storage (in ~/.netrc or /etc/conjur.identity) is Unix-centric, and while in principle it should work on Windows with minimal changes, it's definitely out of place there. We should devise a more native scheme for storing Conjur credentials that could be used across different clients.
The same can be said of Conjur settings storage in ~/.conjurrc and /etc/conjur.conf.
Note that this work is motivated primarily by efforts to support Windows in the Conjur puppet module (cf. https://github.com/cyberark/conjur-puppet/issues/21 ), and the support won't come into the CLI initially. Still, I felt this is the best place for a focused discussion, since the CLI is where the netrc credential storage was first implemented before being subsequently adopted by other projects.
Proposed mechanism
Settings
The Windows registry is the usual method of storing settings on Windows. I suggest using the keys {HKEY_LOCAL_MACHINE,HKEY_CURRENT_USER}\Software\CyberArk\Conjur for storing settings system-wide and per-user respectively. The string entries under the key should correspond to the keys used in conjurrc.
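One way a client could resolve settings from the proposed keys, as an added PowerShell example that is not from this RFC or the conjur-cli project: it assumes per-user entries override machine-wide ones (mirroring ~/.conjurrc taking precedence over /etc/conjur.conf) and uses appliance_url and account as the conjurrc key names.

```powershell
# Added example: read/write Conjur settings under the proposed registry keys.
# Assumption: per-user (HKCU) values take precedence over system-wide (HKLM).
$ConjurKeyPaths = @(
    'HKCU:\Software\CyberArk\Conjur',   # per-user settings
    'HKLM:\Software\CyberArk\Conjur'    # system-wide settings (write needs elevation)
)

function Set-ConjurSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $path = if ($Scope -eq 'User') { $ConjurKeyPaths[0] } else { $ConjurKeyPaths[1] }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # One REG_SZ entry per conjurrc key (e.g. appliance_url, account)
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

function Get-ConjurSetting {
    param([Parameter(Mandatory)][string]$Name)
    # First hit wins: HKCU is searched before HKLM
    foreach ($path in $ConjurKeyPaths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-ConjurSettings {
    # Merge every string entry from both keys into one table; a name already
    # filled from HKCU is not overwritten by the HKLM value.
    $merged = @{}
    foreach ($path in $ConjurKeyPaths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not settings
            if (-not $merged.ContainsKey($prop.Name)) { $merged[$prop.Name] = $prop.Value }
        }
    }
    return $merged
}

# Constructed sample values, not real deployment data
Set-ConjurSetting -Name 'appliance_url' -Value 'https://conjur.example.invalid' -Scope User
Set-ConjurSetting -Name 'account' -Value 'example-account' -Scope User
Get-ConjurSetting -Name 'appliance_url'
Get-ConjurSettings
```

Writing under HKLM requires an elevated session; the read path works unprivileged, which is what an unprivileged client would rely on.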
Credentials
There seems to be no clearly recommended or documented API or method for credential storage on Windows. However, Microsoft's own Git Credential Manager for Windows seems to use the wincred API for a similar purpose. There is a newer Windows.Security.Credentials API, but it seems to be a higher-level abstraction over the former and seems to only be supported on Windows 10.
Since credentials are bound to a specific user, I suggest using the local SYSTEM account to carry machine credentials by default.