MindWorkAI/AI-Studio
MindWorkAI/AI-Studio
1
0
Fork 0
mirror of https://github.com/MindWorkAI/AI-Studio.git synced 2026-03-29 15:51:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improved enterprise config by considering policy files & read values from multiple keys

Browse Source
This commit is contained in:
Thorsten Sommer 2026-03-22 17:31:31 +01:00
parent 90d65bb7d6
commit 1190326f34
Signed by untrusted user who does not match committer: tsommer
GPG Key ID: 371BBA77A02C0108
2 changed files with 736 additions and 299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
documentation/Enterprise IT.md
View File

@ -15,123 +15,116 @@ AI Studio checks about every 16 minutes to see if the configuration ID, the serv
## Configure the devices
So that MindWork AI Studio knows where to load which configuration, this information must be provided as metadata on employees' devices. Currently, the following options are available:
- **Registry** (only available for Microsoft Windows): On Windows devices, AI Studio first tries to read the information from the registry. The registry information can be managed and distributed centrally as a so-called Group Policy Object (GPO).
- **Windows Registry / GPO**: On Windows, AI Studio first tries to read the enterprise configuration metadata from the registry. This is the preferred option for centrally managed Windows devices.
- **Environment variables**: On all operating systems (on Windows as a fallback after the registry), AI Studio tries to read the configuration metadata from environment variables.
- **Policy files**: AI Studio can read simple YAML policy files from a system-wide directory. On Linux and macOS, this is the preferred option. On Windows, it is used as a fallback after the registry.
- **Environment variables**: Environment variables are still supported on all operating systems, but they are now only used as the last fallback.
### Source order and fallback behavior
AI Studio does **not** merge the registry, policy files, and environment variables. Instead, it checks them in order and uses the **first source that contains at least one valid enterprise configuration**:
- **Windows:** Registry -> Policy files -> Environment variables
- **Linux:** Policy files -> Environment variables
- **macOS:** Policy files -> Environment variables
The encryption secret follows the same rule. It is only used from the same source that provided the active enterprise configurations.
### Multiple configurations (recommended)
AI Studio supports loading multiple enterprise configurations simultaneously. This enables hierarchical configuration schemes, e.g., organization-wide settings combined with department-specific settings. The following keys and variables are used:
AI Studio supports loading multiple enterprise configurations simultaneously. This enables hierarchical configuration schemes, such as organization-wide settings combined with institute- or department-specific settings.
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `configs` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIGS`: A combined format containing one or more configuration entries. Each entry consists of a configuration ID and a server URL separated by `@`. Multiple entries are separated by `;`. The format is: `id1@url1;id2@url2;id3@url3`. The configuration ID must be a valid [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier#Globally_unique_identifier).
The preferred format is a fixed set of indexed pairs:
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_encryption_secret` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`: A base64-encoded 32-byte encryption key for decrypting API keys in configuration plugins. This is optional and only needed if you want to include encrypted API keys in your configuration. All configurations share the same encryption secret.
- Registry values `config_id0` to `config_id9` together with `config_server_url0` to `config_server_url9`
- Environment variables `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID0` to `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID9` together with `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL0` to `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL9`
- Policy files `config0.yaml` to `config9.yaml`
**Example:** To configure two enterprise configurations (one for the organization and one for a department):
Each configuration ID must be a valid [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier#Globally_unique_identifier). Up to ten configurations are supported per device.
```
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIGS=9072b77d-ca81-40da-be6a-861da525ef7b@https://intranet.my-company.com:30100/ai-studio/configuration;a1b2c3d4-e5f6-7890-abcd-ef1234567890@https://intranet.my-company.com:30100/ai-studio/department-config
If multiple configurations define the same setting, the first definition wins. For indexed pairs and policy files, the order is slot `0`, then `1`, and so on up to `9`.
### Windows registry example
The Windows registry path is:
`HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`
Example values:
- `config_id0` = `9072b77d-ca81-40da-be6a-861da525ef7b`
- `config_server_url0` = `https://intranet.example.org/ai-studio/configuration`
- `config_id1` = `a1b2c3d4-e5f6-7890-abcd-ef1234567890`
- `config_server_url1` = `https://intranet.example.org/ai-studio/department-config`
- `config_encryption_secret` = `BASE64...`
This approach works well with GPOs because each slot can be managed independently without rewriting a shared combined string.
### Policy files
#### Windows policy directory
`%ProgramData%\MindWorkAI\AI-Studio\`
#### Linux policy directories
AI Studio checks each directory listed in `$XDG_CONFIG_DIRS` and looks for a `mindwork-ai-studio` subdirectory in each one. If `$XDG_CONFIG_DIRS` is empty or not set, AI Studio falls back to:
`/etc/xdg/mindwork-ai-studio/`
The directories from `$XDG_CONFIG_DIRS` are processed in order.
#### macOS policy directory
`/Library/Application Support/MindWork/AI Studio/`
#### Policy file names and content
Configuration files:
- `config0.yaml`
- `config1.yaml`
- ...
- `config9.yaml`
Each configuration file contains one configuration ID and one server URL:
```yaml
id: "9072b77d-ca81-40da-be6a-861da525ef7b"
server_url: "https://intranet.example.org/ai-studio/configuration"
```
**Priority:** When multiple configurations define the same setting (e.g., a provider with the same ID), the first definition wins. The order of entries in the variable determines priority. Place the organization-wide configuration first, followed by department-specific configurations if the organization should have higher priority.
Optional encryption secret file:
### Windows GPO / PowerShell example for `configs`
- `config_encryption_secret.yaml`
If you distribute multiple GPOs, each GPO should read and write the same registry value (`configs`) and only update its own `id@url` entry. Other entries must stay untouched.
The following PowerShell example provides helper functions for appending and removing entries safely:
```powershell
$RegistryPath = "HKCU:\Software\github\MindWork AI Studio\Enterprise IT"
$ConfigsValueName = "configs"
function Get-ConfigEntries {
param([string]$RawValue)
if ([string]::IsNullOrWhiteSpace($RawValue)) { return @() }
$entries = @()
foreach ($part in $RawValue.Split(';')) {
$trimmed = $part.Trim()
if ([string]::IsNullOrWhiteSpace($trimmed)) { continue }
$pair = $trimmed.Split('@', 2)
if ($pair.Count -ne 2) { continue }
$id = $pair[0].Trim().ToLowerInvariant()
$url = $pair[1].Trim()
if ([string]::IsNullOrWhiteSpace($id) -or [string]::IsNullOrWhiteSpace($url)) { continue }
$entries += [PSCustomObject]@{
Id = $id
Url = $url
}
}
return $entries
}
function ConvertTo-ConfigValue {
param([array]$Entries)
return ($Entries | ForEach-Object { "$($_.Id)@$($_.Url)" }) -join ';'
}
function Add-EnterpriseConfigEntry {
param(
[Parameter(Mandatory=$true)][Guid]$ConfigId,
[Parameter(Mandatory=$true)][string]$ServerUrl
)
if (-not (Test-Path $RegistryPath)) {
New-Item -Path $RegistryPath -Force | Out-Null
}
$raw = (Get-ItemProperty -Path $RegistryPath -Name $ConfigsValueName -ErrorAction SilentlyContinue).$ConfigsValueName
$entries = Get-ConfigEntries -RawValue $raw
$normalizedId = $ConfigId.ToString().ToLowerInvariant()
$normalizedUrl = $ServerUrl.Trim()
# Replace only this one ID, keep all other entries unchanged.
$entries = @($entries | Where-Object { $_.Id -ne $normalizedId })
$entries += [PSCustomObject]@{
Id = $normalizedId
Url = $normalizedUrl
}
Set-ItemProperty -Path $RegistryPath -Name $ConfigsValueName -Type String -Value (ConvertTo-ConfigValue -Entries $entries)
}
function Remove-EnterpriseConfigEntry {
param(
[Parameter(Mandatory=$true)][Guid]$ConfigId
)
if (-not (Test-Path $RegistryPath)) { return }
$raw = (Get-ItemProperty -Path $RegistryPath -Name $ConfigsValueName -ErrorAction SilentlyContinue).$ConfigsValueName
$entries = Get-ConfigEntries -RawValue $raw
$normalizedId = $ConfigId.ToString().ToLowerInvariant()
# Remove only this one ID, keep all other entries unchanged.
$updated = @($entries | Where-Object { $_.Id -ne $normalizedId })
Set-ItemProperty -Path $RegistryPath -Name $ConfigsValueName -Type String -Value (ConvertTo-ConfigValue -Entries $updated)
}
# Example usage:
# Add-EnterpriseConfigEntry -ConfigId "9072b77d-ca81-40da-be6a-861da525ef7b" -ServerUrl "https://intranet.example.org:30100/ai-studio/configuration"
# Remove-EnterpriseConfigEntry -ConfigId "9072b77d-ca81-40da-be6a-861da525ef7b"
```yaml
config_encryption_secret: "BASE64..."
```
### Single configuration (legacy)
### Environment variable example
The following single-configuration keys and variables are still supported for backwards compatibility. AI Studio always reads both the multi-config and legacy variables and merges all found configurations into one list. If a configuration ID appears in both, the entry from the multi-config format takes priority (first occurrence wins). This means you can migrate to the new format incrementally without losing existing configurations:
If you need the fallback environment-variable format, configure the values like this:
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_id` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID`: This must be a valid [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier#Globally_unique_identifier). It uniquely identifies the configuration. You can use an ID per department, institute, or even per person.
```bash
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID0=9072b77d-ca81-40da-be6a-861da525ef7b
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL0=https://intranet.example.org/ai-studio/configuration
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID1=a1b2c3d4-e5f6-7890-abcd-ef1234567890
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL1=https://intranet.example.org/ai-studio/department-config
MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET=BASE64...
```
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_server_url` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL`: An HTTP or HTTPS address using an IP address or DNS name. This is the web server from which AI Studio attempts to load the specified configuration as a ZIP file.
### Legacy formats (still supported)
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_encryption_secret` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`: A base64-encoded 32-byte encryption key for decrypting API keys in configuration plugins. This is optional and only needed if you want to include encrypted API keys in your configuration.
The following older formats are still supported for backwards compatibility:
- Registry value `configs` or environment variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIGS`: Combined format `id1@url1;id2@url2;...`
- Registry value `config_id` or environment variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID`
- Registry value `config_server_url` or environment variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL`
- Registry value `config_encryption_secret` or environment variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`
Within a single source, AI Studio reads the new indexed pairs first, then the combined legacy format, and finally the legacy single-configuration format. This makes it possible to migrate gradually without breaking older setups.
### How configurations are downloaded
@ -183,7 +176,7 @@ intranet.my-company.com:30100 {
## Important: Plugin ID must match the enterprise configuration ID
The `ID` field inside your configuration plugin (the Lua file) **must** be identical to the enterprise configuration ID used in the registry or environment variable. AI Studio uses this ID to match downloaded configurations to their plugins. If the IDs do not match, AI Studio will log a warning and the configuration may not be displayed correctly on the Information page.
The `ID` field inside your configuration plugin (the Lua file) **must** be identical to the enterprise configuration ID configured on the client device, whether it comes from the registry, a policy file, or an environment variable. AI Studio uses this ID to match downloaded configurations to their plugins. If the IDs do not match, AI Studio will log a warning and the configuration may not be displayed correctly on the Information page.
For example, if your enterprise configuration ID is `9072b77d-ca81-40da-be6a-861da525ef7b`, then your plugin must declare:
@ -233,9 +226,10 @@ You can include encrypted API keys in your configuration plugins for cloud provi
In AI Studio, enable the "Show administration settings" toggle in the app settings. Then click the "Generate encryption secret and copy to clipboard" button in the "Enterprise Administration" section. This generates a cryptographically secure 256-bit key and copies it to your clipboard as a base64 string.
2. **Deploy the encryption secret:**
Distribute the secret to all client machines via Group Policy (Windows Registry) or environment variables:
- Registry: `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\config_encryption_secret`
- Environment: `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`
Distribute the secret to all client machines using the same source you use for the enterprise configurations:
- Windows Registry / GPO: `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\config_encryption_secret`
- Policy file: `config_encryption_secret.yaml`
- Environment fallback: `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`
You must also deploy the same secret on the machine where you will export the encrypted API keys (step 3).

815
runtime/src/environment.rs
View File

@ -1,14 +1,24 @@
use std::env;
use std::sync::OnceLock;
use crate::api_token::APIToken;
use log::{debug, info, warn};
use rocket::get;
use rocket::serde::json::Json;
use serde::Serialize;
use std::collections::{HashMap, HashSet};
use std::env;
use std::fs;
use std::path::{Path, PathBuf};
use std::sync::OnceLock;
use sys_locale::get_locale;
use crate::api_token::APIToken;
const DEFAULT_LANGUAGE: &str = "en-US";
const ENTERPRISE_CONFIG_SLOT_COUNT: usize = 10;
#[cfg(target_os = "windows")]
const ENTERPRISE_REGISTRY_KEY_PATH: &str = r"Software\github\MindWork AI Studio\Enterprise IT";
const ENTERPRISE_POLICY_SECRET_FILE_NAME: &str = "config_encryption_secret.yaml";
/// The data directory where the application stores its data.
pub static DATA_DIRECTORY: OnceLock<String> = OnceLock::new();
@ -140,27 +150,6 @@ fn detect_user_language() -> (String, LanguageDetectionSource) {
)
}
#[cfg(test)]
mod tests {
use super::normalize_locale_tag;
#[test]
fn normalize_locale_tag_supports_common_linux_formats() {
assert_eq!(normalize_locale_tag("de_DE.UTF-8"), Some(String::from("de-DE")));
assert_eq!(normalize_locale_tag("de_DE@euro"), Some(String::from("de-DE")));
assert_eq!(normalize_locale_tag("de"), Some(String::from("de")));
assert_eq!(normalize_locale_tag("en-US"), Some(String::from("en-US")));
}
#[test]
fn normalize_locale_tag_rejects_non_language_locales() {
assert_eq!(normalize_locale_tag("C"), None);
assert_eq!(normalize_locale_tag("C.UTF-8"), None);
assert_eq!(normalize_locale_tag("POSIX"), None);
assert_eq!(normalize_locale_tag(""), None);
}
}
#[get("/system/language")]
pub fn read_user_language(_token: APIToken) -> String {
USER_LANGUAGE
@ -191,191 +180,645 @@ pub fn read_user_language(_token: APIToken) -> String {
.clone()
}
#[get("/system/enterprise/config/id")]
pub fn read_enterprise_env_config_id(_token: APIToken) -> String {
//
// When we are on a Windows machine, we try to read the enterprise config from
// the Windows registry. In case we can't find the registry key, or we are on a
// macOS or Linux machine, we try to read the enterprise config from the
// environment variables.
//
// The registry key is:
// HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT
//
// In this registry key, we expect the following values:
// - config_id
//
// The environment variable is:
// MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID
//
debug!("Trying to read the enterprise environment for some config ID.");
get_enterprise_configuration(
"config_id",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID",
)
}
#[get("/system/enterprise/config/server")]
pub fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
//
// When we are on a Windows machine, we try to read the enterprise config from
// the Windows registry. In case we can't find the registry key, or we are on a
// macOS or Linux machine, we try to read the enterprise config from the
// environment variables.
//
// The registry key is:
// HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT
//
// In this registry key, we expect the following values:
// - config_server_url
//
// The environment variable is:
// MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL
//
debug!("Trying to read the enterprise environment for the config server URL.");
get_enterprise_configuration(
"config_server_url",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL",
)
}
#[get("/system/enterprise/config/encryption_secret")]
pub fn read_enterprise_env_config_encryption_secret(_token: APIToken) -> String {
//
// When we are on a Windows machine, we try to read the enterprise config from
// the Windows registry. In case we can't find the registry key, or we are on a
// macOS or Linux machine, we try to read the enterprise config from the
// environment variables.
//
// The registry key is:
// HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT
//
// In this registry key, we expect the following values:
// - config_encryption_secret
//
// The environment variable is:
// MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET
//
debug!("Trying to read the enterprise environment for the config encryption secret.");
get_enterprise_configuration(
"config_encryption_secret",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET",
)
}
/// Represents a single enterprise configuration entry with an ID and server URL.
#[derive(Serialize)]
#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
pub struct EnterpriseConfig {
pub id: String,
pub server_url: String,
}
/// Returns all enterprise configurations. Collects configurations from both the
/// new multi-config format (`id1@url1;id2@url2`) and the legacy single-config
/// environment variables, merging them into one list. Duplicates (by ID) are
/// skipped — the first occurrence wins.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
struct EnterpriseSourceData {
source_name: String,
configs: Vec<EnterpriseConfig>,
encryption_secret: String,
}
#[get("/system/enterprise/config/id")]
pub fn read_enterprise_env_config_id(_token: APIToken) -> String {
debug!("Trying to read the effective enterprise configuration ID.");
resolve_effective_enterprise_source()
.configs
.into_iter()
.next()
.map(|config| config.id)
.unwrap_or_default()
}
#[get("/system/enterprise/config/server")]
pub fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
debug!("Trying to read the effective enterprise configuration server URL.");
resolve_effective_enterprise_source()
.configs
.into_iter()
.next()
.map(|config| config.server_url)
.unwrap_or_default()
}
#[get("/system/enterprise/config/encryption_secret")]
pub fn read_enterprise_env_config_encryption_secret(_token: APIToken) -> String {
debug!("Trying to read the effective enterprise configuration encryption secret.");
resolve_effective_enterprise_source().encryption_secret
}
/// Returns all enterprise configurations from the effective source.
#[get("/system/enterprise/configs")]
pub fn read_enterprise_configs(_token: APIToken) -> Json<Vec<EnterpriseConfig>> {
info!("Trying to read the enterprise environment for all configurations.");
info!("Trying to read the effective enterprise configurations.");
Json(resolve_effective_enterprise_source().configs)
}
let mut configs: Vec<EnterpriseConfig> = Vec::new();
let mut seen_ids: std::collections::HashSet<String> = std::collections::HashSet::new();
fn resolve_effective_enterprise_source() -> EnterpriseSourceData {
select_effective_enterprise_source(gather_enterprise_sources())
}
// Read the new combined format:
let combined = get_enterprise_configuration(
fn select_effective_enterprise_source(sources: Vec<EnterpriseSourceData>) -> EnterpriseSourceData {
for source in sources {
if !source.configs.is_empty() {
info!("Using enterprise configuration source '{}'.", source.source_name);
return source;
}
info!("Enterprise configuration source '{}' did not provide any valid configurations.", source.source_name);
}
info!("No enterprise configuration source provided any valid configurations.");
EnterpriseSourceData::default()
}
fn gather_enterprise_sources() -> Vec<EnterpriseSourceData> {
cfg_if::cfg_if! {
if #[cfg(target_os = "windows")] {
vec![
load_registry_enterprise_source(),
load_policy_file_enterprise_source(),
load_environment_enterprise_source(),
]
} else if #[cfg(any(target_os = "linux", target_os = "macos"))] {
vec![
load_policy_file_enterprise_source(),
load_environment_enterprise_source(),
]
} else {
vec![load_environment_enterprise_source()]
}
}
}
#[cfg(target_os = "windows")]
fn load_registry_enterprise_source() -> EnterpriseSourceData {
use windows_registry::*;
info!(r"Trying to read enterprise configuration metadata from 'HKEY_CURRENT_USER\{}'.", ENTERPRISE_REGISTRY_KEY_PATH);
let mut values = HashMap::new();
let key = match CURRENT_USER.open(ENTERPRISE_REGISTRY_KEY_PATH) {
Ok(key) => key,
Err(_) => {
info!(r"Could not read 'HKEY_CURRENT_USER\{}'.", ENTERPRISE_REGISTRY_KEY_PATH);
return EnterpriseSourceData {
source_name: String::from("Windows registry"),
..EnterpriseSourceData::default()
};
}
};
for index in 0..ENTERPRISE_CONFIG_SLOT_COUNT {
insert_registry_value(&mut values, &key, &format!("config_id{index}"));
insert_registry_value(&mut values, &key, &format!("config_server_url{index}"));
}
for key_name in [
"configs",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIGS",
);
"config_id",
"config_server_url",
"config_encryption_secret",
] {
insert_registry_value(&mut values, &key, key_name);
}
if !combined.is_empty() {
// Parse the new format: id1@url1;id2@url2;...
for entry in combined.split(';') {
let entry = entry.trim();
if entry.is_empty() {
parse_enterprise_source_values("Windows registry", &values)
}
#[cfg(target_os = "windows")]
fn insert_registry_value(
values: &mut HashMap<String, String>,
key: &windows_registry::Key,
key_name: &str,
) {
if let Ok(value) = key.get_string(key_name) {
values.insert(String::from(key_name), value);
}
}
fn load_policy_file_enterprise_source() -> EnterpriseSourceData {
let directories = enterprise_policy_directories();
info!("Trying to read enterprise configuration metadata from policy files in {} director{}.", directories.len(), if directories.len() == 1 { "y" } else { "ies" });
let values = load_policy_values_from_directories(&directories);
parse_enterprise_source_values("policy files", &values)
}
fn load_environment_enterprise_source() -> EnterpriseSourceData {
info!("Trying to read enterprise configuration metadata from environment variables.");
let mut values = HashMap::new();
for index in 0..ENTERPRISE_CONFIG_SLOT_COUNT {
insert_env_value(&mut values, &format!("MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID{index}"), &format!("config_id{index}"));
insert_env_value(&mut values, &format!("MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL{index}"), &format!("config_server_url{index}"));
}
insert_env_value(&mut values, "MINDWORK_AI_STUDIO_ENTERPRISE_CONFIGS", "configs");
insert_env_value(&mut values, "MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID", "config_id");
insert_env_value(&mut values, "MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL", "config_server_url");
insert_env_value(&mut values, "MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET", "config_encryption_secret");
parse_enterprise_source_values("environment variables", &values)
}
fn insert_env_value(values: &mut HashMap<String, String>, env_name: &str, key_name: &str) {
if let Ok(value) = env::var(env_name) {
values.insert(String::from(key_name), value);
}
}
#[cfg(target_os = "windows")]
fn enterprise_policy_directories() -> Vec<PathBuf> {
let base = env::var_os("ProgramData")
.map(PathBuf::from)
.unwrap_or_else(|| PathBuf::from(r"C:\ProgramData"));
vec![base.join("MindWorkAI").join("AI-Studio")]
}
#[cfg(target_os = "linux")]
fn enterprise_policy_directories() -> Vec<PathBuf> {
let xdg_config_dirs = env::var("XDG_CONFIG_DIRS").ok();
linux_policy_directories_from_xdg(xdg_config_dirs.as_deref())
}
#[cfg(target_os = "macos")]
fn enterprise_policy_directories() -> Vec<PathBuf> {
vec![PathBuf::from(
"/Library/Application Support/MindWork/AI Studio",
)]
}
#[cfg(not(any(target_os = "windows", target_os = "linux", target_os = "macos")))]
fn enterprise_policy_directories() -> Vec<PathBuf> {
Vec::new()
}
#[cfg(any(target_os = "linux", test))]
fn linux_policy_directories_from_xdg(xdg_config_dirs: Option<&str>) -> Vec<PathBuf> {
let mut directories = Vec::new();
if let Some(raw_directories) = xdg_config_dirs {
for path in raw_directories.split(':') {
if let Some(path) = normalize_enterprise_value(path) {
directories.push(PathBuf::from(path).join("mindwork-ai-studio"));
}
}
}
if directories.is_empty() {
directories.push(PathBuf::from("/etc/xdg/mindwork-ai-studio"));
}
directories
}
fn load_policy_values_from_directories(directories: &[PathBuf]) -> HashMap<String, String> {
let mut values = HashMap::new();
for directory in directories {
info!("Checking enterprise policy directory '{}'.", directory.display());
for index in 0..ENTERPRISE_CONFIG_SLOT_COUNT {
let path = directory.join(format!("config{index}.yaml"));
if let Some(config_values) = read_policy_yaml_mapping(&path) {
if let Some(id) = config_values.get("id") {
insert_first_non_empty_value(&mut values, &format!("config_id{index}"), id);
}
if let Some(server_url) = config_values.get("server_url") {
insert_first_non_empty_value(&mut values, &format!("config_server_url{index}"), server_url);
}
}
}
let secret_path = directory.join(ENTERPRISE_POLICY_SECRET_FILE_NAME);
if let Some(secret_values) = read_policy_yaml_mapping(&secret_path) {
if let Some(secret) = secret_values.get("config_encryption_secret") {
insert_first_non_empty_value(&mut values, "config_encryption_secret", secret);
}
}
}
values
}
fn read_policy_yaml_mapping(path: &Path) -> Option<HashMap<String, String>> {
if !path.exists() {
return None;
}
let content = match fs::read_to_string(path) {
Ok(content) => content,
Err(error) => {
warn!("Could not read enterprise policy file '{}': {}", path.display(), error);
return None;
}
};
match parse_policy_yaml_mapping(path, &content) {
Some(values) => Some(values),
None => {
warn!("Could not parse enterprise policy file '{}'.", path.display());
None
}
}
}
fn parse_policy_yaml_mapping(path: &Path, content: &str) -> Option<HashMap<String, String>> {
let mut values = HashMap::new();
for (line_number, line) in content.lines().enumerate() {
let trimmed = line.trim();
if trimmed.is_empty() || trimmed.starts_with('#') {
continue;
}
// Split at the first '@' (GUIDs never contain '@'):
if let Some((id, url)) = entry.split_once('@') {
let id = id.trim().to_lowercase();
let url = url.trim().to_string();
if !id.is_empty() && !url.is_empty() && seen_ids.insert(id.clone()) {
configs.push(EnterpriseConfig { id, server_url: url });
let (key, raw_value) = match trimmed.split_once(':') {
Some(parts) => parts,
None => {
warn!("Invalid enterprise policy file '{}': line {} does not contain ':'.", path.display(), line_number + 1);
return None;
}
}
}
}
// Also read the legacy single-config variables:
let config_id = get_enterprise_configuration(
"config_id",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ID",
);
let config_server_url = get_enterprise_configuration(
"config_server_url",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL",
);
if !config_id.is_empty() && !config_server_url.is_empty() {
let id = config_id.trim().to_lowercase();
if seen_ids.insert(id.clone()) {
configs.push(EnterpriseConfig { id, server_url: config_server_url });
}
}
Json(configs)
}
fn get_enterprise_configuration(_reg_value: &str, env_name: &str) -> String {
cfg_if::cfg_if! {
if #[cfg(target_os = "windows")] {
info!(r"Detected a Windows machine, trying to read the registry key 'HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\{}' or the environment variable '{}'.", _reg_value, env_name);
use windows_registry::*;
let key_path = r"Software\github\MindWork AI Studio\Enterprise IT";
let key = match CURRENT_USER.open(key_path) {
Ok(key) => key,
Err(_) => {
info!(r"Could not read the registry key 'HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\{}'. Falling back to the environment variable '{}'.", _reg_value, env_name);
return match env::var(env_name) {
Ok(val) => {
info!("Falling back to the environment variable '{}' was successful.", env_name);
val
},
Err(_) => {
info!("Falling back to the environment variable '{}' was not successful. It seems that there is no enterprise environment available.", env_name);
"".to_string()
},
}
},
};
match key.get_string(_reg_value) {
Ok(val) => val,
Err(_) => {
info!(r"We could read the registry key 'HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT', but the value '{}' could not be read. Falling back to the environment variable '{}'.", _reg_value, env_name);
match env::var(env_name) {
Ok(val) => {
info!("Falling back to the environment variable '{}' was successful.", env_name);
val
},
Err(_) => {
info!("Falling back to the environment variable '{}' was not successful. It seems that there is no enterprise environment available.", env_name);
"".to_string()
let key = key.trim();
if key.is_empty() {
warn!("Invalid enterprise policy file '{}': line {} contains an empty key.", path.display(), line_number + 1);
return None;
}
let value = match parse_policy_yaml_value(raw_value) {
Some(value) => value,
None => {
warn!("Invalid enterprise policy file '{}': line {} contains an unsupported YAML value.", path.display(), line_number + 1);
return None;
}
},
};
values.insert(String::from(key), value);
}
} else {
// In the case of macOS or Linux, we just read the environment variable:
info!(r"Detected a Unix machine, trying to read the environment variable '{}'.", env_name);
match env::var(env_name) {
Ok(val) => val,
Err(_) => {
info!("The environment variable '{}' was not found. It seems that there is no enterprise environment available.", env_name);
"".to_string()
Some(values)
}
fn parse_policy_yaml_value(raw_value: &str) -> Option<String> {
let trimmed = raw_value.trim();
if trimmed.is_empty() {
return Some(String::new());
}
if trimmed.starts_with('"') || trimmed.ends_with('"') {
if trimmed.len() >= 2 && trimmed.starts_with('"') && trimmed.ends_with('"') {
return Some(trimmed[1..trimmed.len() - 1].to_string());
}
return None;
}
if trimmed.starts_with('\'') || trimmed.ends_with('\'') {
if trimmed.len() >= 2 && trimmed.starts_with('\'') && trimmed.ends_with('\'') {
return Some(trimmed[1..trimmed.len() - 1].to_string());
}
return None;
}
Some(String::from(trimmed))
}
fn insert_first_non_empty_value(values: &mut HashMap<String, String>, key: &str, raw_value: &str) {
if let Some(value) = normalize_enterprise_value(raw_value) {
values.entry(String::from(key)).or_insert(value);
}
}
fn parse_enterprise_source_values(
source_name: &str,
values: &HashMap<String, String>,
) -> EnterpriseSourceData {
let mut configs = Vec::new();
let mut seen_ids = HashSet::new();
for index in 0..ENTERPRISE_CONFIG_SLOT_COUNT {
let id_key = format!("config_id{index}");
let server_url_key = format!("config_server_url{index}");
add_enterprise_config_pair(
source_name,
&format!("indexed slot {index}"),
values.get(&id_key).map(String::as_str),
values.get(&server_url_key).map(String::as_str),
&mut configs,
&mut seen_ids,
);
}
if let Some(combined) = values
.get("configs")
.and_then(|value| normalize_enterprise_value(value))
{
add_combined_enterprise_configs(source_name, &combined, &mut configs, &mut seen_ids);
}
add_enterprise_config_pair(
source_name,
"legacy single configuration",
values.get("config_id").map(String::as_str),
values.get("config_server_url").map(String::as_str),
&mut configs,
&mut seen_ids,
);
let encryption_secret = values
.get("config_encryption_secret")
.and_then(|value| normalize_enterprise_value(value))
.unwrap_or_default();
EnterpriseSourceData {
source_name: String::from(source_name),
configs,
encryption_secret,
}
}
fn add_enterprise_config_pair(
source_name: &str,
context: &str,
raw_id: Option<&str>,
raw_server_url: Option<&str>,
configs: &mut Vec<EnterpriseConfig>,
seen_ids: &mut HashSet<String>,
) {
let id = raw_id.and_then(normalize_enterprise_config_id);
let server_url = raw_server_url.and_then(normalize_enterprise_value);
match (id, server_url) {
(Some(id), Some(server_url)) => {
if seen_ids.insert(id.clone()) {
configs.push(EnterpriseConfig { id, server_url });
} else {
info!("Ignoring duplicate enterprise configuration '{}' from {} in '{}'.", id, source_name, context);
}
}
(Some(_), None) | (None, Some(_)) => {
warn!("Ignoring incomplete enterprise configuration from {} in '{}'.", source_name, context);
}
(None, None) => {}
}
}
fn add_combined_enterprise_configs(
source_name: &str,
combined: &str,
configs: &mut Vec<EnterpriseConfig>,
seen_ids: &mut HashSet<String>,
) {
for (index, entry) in combined.split(';').enumerate() {
let trimmed = entry.trim();
if trimmed.is_empty() {
continue;
}
let Some((raw_id, raw_server_url)) = trimmed.split_once('@') else {
warn!("Ignoring malformed enterprise configuration entry '{}' from {} in combined legacy format.", trimmed, source_name);
continue;
};
add_enterprise_config_pair(
source_name,
&format!("combined legacy entry {}", index + 1),
Some(raw_id),
Some(raw_server_url),
configs,
seen_ids,
);
}
}
fn normalize_enterprise_value(value: &str) -> Option<String> {
let trimmed = value.trim();
if trimmed.is_empty() {
None
} else {
Some(String::from(trimmed))
}
}
fn normalize_enterprise_config_id(value: &str) -> Option<String> {
normalize_enterprise_value(value).map(|value| value.to_lowercase())
}
#[cfg(test)]
mod tests {
use super::{
linux_policy_directories_from_xdg, load_policy_values_from_directories,
normalize_locale_tag, parse_enterprise_source_values, select_effective_enterprise_source,
EnterpriseConfig, EnterpriseSourceData,
};
use std::collections::HashMap;
use std::fs;
use std::path::PathBuf;
use tempfile::tempdir;
const TEST_ID_A: &str = "9072B77D-CA81-40DA-BE6A-861DA525EF7B";
const TEST_ID_B: &str = "a1b2c3d4-e5f6-7890-abcd-ef1234567890";
const TEST_ID_C: &str = "11111111-2222-3333-4444-555555555555";
#[test]
fn normalize_locale_tag_supports_common_linux_formats() {
assert_eq!(
normalize_locale_tag("de_DE.UTF-8"),
Some(String::from("de-DE"))
);
assert_eq!(
normalize_locale_tag("de_DE@euro"),
Some(String::from("de-DE"))
);
assert_eq!(normalize_locale_tag("de"), Some(String::from("de")));
assert_eq!(normalize_locale_tag("en-US"), Some(String::from("en-US")));
}
#[test]
fn normalize_locale_tag_rejects_non_language_locales() {
assert_eq!(normalize_locale_tag("C"), None);
assert_eq!(normalize_locale_tag("C.UTF-8"), None);
assert_eq!(normalize_locale_tag("POSIX"), None);
assert_eq!(normalize_locale_tag(""), None);
}
#[test]
fn parse_enterprise_source_values_prefers_indexed_then_combined_then_legacy() {
let mut values = HashMap::new();
values.insert(String::from("config_id0"), String::from(TEST_ID_A));
values.insert(
String::from("config_server_url0"),
String::from(" https://indexed.example.org "),
);
values.insert(
String::from("configs"),
format!(
"{TEST_ID_A}@https://duplicate.example.org;{TEST_ID_B}@https://combined.example.org"
),
);
values.insert(String::from("config_id"), String::from(TEST_ID_C));
values.insert(
String::from("config_server_url"),
String::from("https://legacy.example.org"),
);
values.insert(
String::from("config_encryption_secret"),
String::from(" secret "),
);
let source = parse_enterprise_source_values("test", &values);
assert_eq!(
source.configs,
vec![
EnterpriseConfig {
id: String::from("9072b77d-ca81-40da-be6a-861da525ef7b"),
server_url: String::from("https://indexed.example.org"),
},
EnterpriseConfig {
id: String::from(TEST_ID_B),
server_url: String::from("https://combined.example.org"),
},
EnterpriseConfig {
id: String::from(TEST_ID_C),
server_url: String::from("https://legacy.example.org"),
},
]
);
assert_eq!(source.encryption_secret, "secret");
}
#[test]
fn select_effective_enterprise_source_uses_first_source_with_configs_only() {
let selected = select_effective_enterprise_source(vec![
EnterpriseSourceData {
source_name: String::from("registry"),
configs: vec![EnterpriseConfig {
id: TEST_ID_A.to_lowercase(),
server_url: String::from("https://registry.example.org"),
}],
encryption_secret: String::new(),
},
EnterpriseSourceData {
source_name: String::from("environment"),
configs: vec![EnterpriseConfig {
id: String::from(TEST_ID_B),
server_url: String::from("https://env.example.org"),
}],
encryption_secret: String::from("ENV-SECRET"),
},
]);
assert_eq!(selected.source_name, "registry");
assert_eq!(selected.encryption_secret, "");
assert_eq!(selected.configs.len(), 1);
}
#[test]
fn linux_policy_directories_from_xdg_preserves_order_and_falls_back() {
assert_eq!(
linux_policy_directories_from_xdg(Some(" /opt/company:/etc/xdg ")),
vec![
PathBuf::from("/opt/company/mindwork-ai-studio"),
PathBuf::from("/etc/xdg/mindwork-ai-studio"),
]
);
assert_eq!(
linux_policy_directories_from_xdg(Some(" : ")),
vec![PathBuf::from("/etc/xdg/mindwork-ai-studio")]
);
assert_eq!(
linux_policy_directories_from_xdg(None),
vec![PathBuf::from("/etc/xdg/mindwork-ai-studio")]
);
}
#[test]
fn load_policy_values_from_directories_uses_first_directory_wins() {
let directory_a = tempdir().unwrap();
let directory_b = tempdir().unwrap();
fs::write(
directory_a.path().join("config0.yaml"),
"id: \"9072b77d-ca81-40da-be6a-861da525ef7b\"\nserver_url: \"https://org.example.org\"",
)
.unwrap();
fs::write(
directory_a.path().join("config_encryption_secret.yaml"),
"config_encryption_secret: \"SECRET-A\"",
)
.unwrap();
fs::write(
directory_b.path().join("config0.yaml"),
"id: \"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"\nserver_url: \"https://ignored.example.org\"",
)
.unwrap();
fs::write(
directory_b.path().join("config1.yaml"),
"id: \"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb\"\nserver_url: \"https://dept.example.org\"",
)
.unwrap();
fs::write(
directory_b.path().join("config_encryption_secret.yaml"),
"config_encryption_secret: \"SECRET-B\"",
)
.unwrap();
let values = load_policy_values_from_directories(&[
directory_a.path().to_path_buf(),
directory_b.path().to_path_buf(),
]);
assert_eq!(
values.get("config_id0").map(String::as_str),
Some("9072b77d-ca81-40da-be6a-861da525ef7b")
);
assert_eq!(
values.get("config_server_url0").map(String::as_str),
Some("https://org.example.org")
);
assert_eq!(
values.get("config_id1").map(String::as_str),
Some("bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")
);
assert_eq!(
values.get("config_encryption_secret").map(String::as_str),
Some("SECRET-A")
);
}
#[test]
fn load_policy_values_from_directories_ignores_invalid_and_incomplete_files() {
let directory = tempdir().unwrap();
fs::write(directory.path().join("config0.yaml"), "id [broken").unwrap();
fs::write(
directory.path().join("config1.yaml"),
"id: \"9072b77d-ca81-40da-be6a-861da525ef7b\"",
)
.unwrap();
let values = load_policy_values_from_directories(&[directory.path().to_path_buf()]);
let source = parse_enterprise_source_values("policy files", &values);
assert!(source.configs.is_empty());
}
}