2026-01-29 09:57:44 +01:00
parent afa053f006
commit 64d707bd8b
61 changed files with 3811 additions and 3543 deletions
+168 -206
@@ -1,263 +1,225 @@
# Azure Key Vault Secret Manager
# Azure App Registration Manager
> A modern, user-friendly GUI application for managing Azure App Registration secrets and Key Vault integration.
A cross-platform Rust GUI application for managing Azure App Registrations and Key Vault secrets.
![Python](https://img.shields.io/badge/python-3.8+-blue.svg)
![License](https://img.shields.io/badge/license-MIT-green.svg)
![Platform](https://img.shields.io/badge/platform-Windows%20%7C%20Linux%20%7C%20macOS-lightgrey.svg)
## Features
## ✨ Features
- **Interactive Azure Authentication**: Browser-based OAuth 2.0 login flow
- **App Registration Management**: View and manage your Azure App Registrations
- **Client Secret Creation**: Generate new client secrets with automatic expiration
- **Key Vault Integration**: Securely store secrets in Azure Key Vault
- **Cross-Platform**: Works on Windows, Linux, and macOS
- **Secure Token Storage**: Uses OS-level secure storage (Credential Manager/Keychain)
- **Zero Configuration**: No app registration or credential files needed
- 🔐 **Single Sign-On**: Interactive browser authentication - login once for both Microsoft Graph and Azure
- 🎯 **Auto-Detection**: Automatically detects your Azure tenant ID from logged-in account
- 📋 **Subscription Selection**: Choose your subscription from a dropdown (no more config files!)
- 🔍 **Smart Dropdowns**: Searchable, scrollable lists with keyboard navigation (Arrow keys, Page Up/Down, Home/End)
- 💡 **Tooltips**: Hover over items to see full names if truncated
- 🔑 **Secret Management**: Generate 50-year secrets with custom descriptions
- 🗑️ **Cleanup**: Optionally remove old secrets when creating new ones
- 💾 **Key Vault Integration**: Automatic storage with metadata tags
- 📋 **Copy to Clipboard**: One-click secret copying
- 🎨 **Modern UI**: Clean interface built with CustomTkinter (supports dark/light themes)
-**Smooth Performance**: Optimized scrolling and no nested scroll lag
## Prerequisites
## 📸 Screenshots
- Rust 1.70+ (install from [rustup.rs](https://rustup.rs))
- Azure subscription with appropriate permissions
<!-- Add your screenshots here -->
```
[App Selection] [Secret Generation] [Result View]
```
## Quick Start
## 🔧 Prerequisites
- **Python 3.8+** (Python 3.11 recommended)
- **Azure Permissions**:
- Application.ReadWrite.All (Microsoft Graph API)
- Directory.Read.All (Microsoft Graph API)
- Key Vault Secrets Officer role on target Key Vaults
- Reader role on subscription/resource groups
**Note**: No need to create an App Registration! The app uses the Azure CLI public client ID for authentication.
## 🎨 Customization
### Adding a Custom Icon
To replace the default Python icon with your own:
1. Create an icon file (`.ico` for Windows or `.png` for cross-platform)
2. Place it in one of these locations:
- `python-app/icon.ico` or `python-app/icon.png`
- `python-app/assets/icon.ico` or `python-app/assets/icon.png`
3. The application will automatically detect and use it on next launch
**Recommended icon size**: 256x256 pixels
## 📦 Installation
### 1. Clone the Repository
### Installation and Run
```bash
git clone https://github.com/yourusername/azure-keyvault-manager.git
cd azure-keyvault-manager/python-app
git clone <your-repo-url>
cd azure-app-manager
cargo run --release
```
### 2. Create Virtual Environment
That's it! No configuration needed. Click "Sign In with Azure" and authenticate.
**Windows:**
```bash
python -m venv venv
venv\Scripts\activate
```
### How It Works
**Linux/macOS:**
```bash
python3 -m venv venv
source venv/bin/activate
```
This application uses Microsoft's **Azure CLI public client ID**, which is pre-approved for accessing Microsoft Graph and Azure Management APIs. You authenticate with your own Azure AD account and permissions. No app registration or configuration files needed.
### 3. Install Dependencies
## Usage
### Run the Application
```bash
pip install -r requirements.txt
cargo run --release
```
### 4. Run the Application
Or run the compiled binary:
```bash
python main.py
./target/release/azure-app-manager
```
**That's it!** No configuration files to edit - the app auto-detects everything.
### Workflow
## 🚀 Usage
1. **Sign In**: Click "Sign In with Azure" and complete authentication in your browser
2. **Select App**: Browse your app registrations and select one
3. **Create Secret**: Click "Create Secret" and enter a description
4. **Save to Vault**: Select a Key Vault and enter a name for the secret
5. **Done**: The secret is securely stored in your Key Vault
### Quick Start Guide
## Architecture
1. **Connect to Azure**
- Click **"Connect to Azure"**
- Browser opens automatically
- Sign in with your Azure account (admin credentials)
- ✅ Authentication completes (single login!)
### Technology Stack
2. **Select Subscription**
- Choose your Azure subscription from the dropdown
- Apps and Key Vaults load automatically
- **GUI Framework**: egui/eframe (immediate-mode, cross-platform)
- **Azure SDKs**:
- `graph-rs-sdk`: Microsoft Graph API integration
- `azure_security_keyvault_secrets`: Key Vault operations
- `azure_mgmt_keyvault`: Key Vault discovery
- **Async Runtime**: Tokio
- **Async-GUI Bridge**: poll-promise
- **Secure Storage**: keyring (OS-level credential storage)
3. **Select App Registration**
- Click the App Registration dropdown
- Scroll through the list or use keyboard navigation:
- `↑` `↓` Arrow keys to navigate
- `Page Up` `Page Down` to jump
- `Home` `End` for first/last
- `Enter` to select
- `Esc` to close
- Hover for tooltips on long names
4. **Generate Secret**
- Enter a description (e.g., "Production API Key 2025")
- Select a Key Vault
- *(Optional)* Check "Remove old secrets"
- Click **"Generate Secret"**
5. **Copy & Save**
- Secret is displayed once
- Click **"Copy to Clipboard"**
- Secret is automatically stored in Key Vault with metadata
- Click **"Generate Another Secret"** to continue
### Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `↓` `↑` | Navigate dropdown items |
| `Page Down` `Page Up` | Jump 5 items |
| `Home` `End` | First/Last item |
| `Enter` | Select item |
| `Escape` | Close dropdown |
| `Mouse Wheel` | Scroll in dropdown |
## 📁 Project Structure
### Project Structure
```
python-app/
├── main.py # Application entry point
├── config.py # App settings (no secrets!)
├── requirements.txt # Python dependencies
├── auth/
│ ├── graph_authenticator.py # Microsoft Graph authentication
│ └── azure_authenticator.py # Azure Resource Manager authentication
├── services/
│ ├── app_registration_service.py # App registration operations
│ ├── secret_service.py # Secret generation/management
── keyvault_service.py # Key Vault operations
├── ui/
│ ├── components/
│ ├── unified_dropdown.py # Custom dropdown component
│ └── tooltip.py # Tooltip utility
│ ├── main_window.py # Main application window
├── login_frame.py # Authentication UI
├── subscription_selection_frame.py
├── app_selection_frame.py # App selection UI
├── secret_generation_frame.py # Secret generation form
└── result_frame.py # Result display
└── utils/
├── sanitizer.py # Name sanitization
└── logger.py # Logging setup
src/
├── main.rs # Application entry point
├── app.rs # Main app logic (eframe::App implementation)
├── error.rs # Error types
├── auth/ # Authentication
│ ├── azure_auth.rs # OAuth flow
│ └── token_cache.rs # Secure token storage
├── azure/ # Azure API clients
│ ├── graph_client.rs # Microsoft Graph API
│ ├── keyvault_client.rs # Key Vault operations
── vault_discovery.rs # Key Vault listing
│ └── models.rs # Data models
├── state/ # Application state
│ ├── app_state.rs # Central state management
│ └── async_operations.rs # Async operation tracking
└── ui/ # UI views
├── auth_view.rs # Login screen
├── app_list_view.rs # App registration list
├── secret_create_view.rs # Secret creation form
├── keyvault_select_view.rs # Key Vault selection
└── components.rs # Reusable UI components
```
## 🐛 Troubleshooting
## Security Features
### Authentication Issues
### Token Security
**Problem**: "Authentication failed"
- **Solution**: Ensure you have the required permissions in Azure AD
- Clear cached credentials: Delete `.azure` folder in your home directory
- Verify your account has access to the Azure subscription
- Access tokens stored in OS-level secure storage:
- **Windows**: Credential Manager
- **macOS**: Keychain
- **Linux**: Secret Service (gnome-keyring/kwallet)
- Automatic token refresh before expiration
- Secure memory clearing with `zeroize`
**Problem**: Double login prompts
- **Solution**: This has been fixed in the latest version - you should only login once
### Secret Handling
### Permission Errors
- Secrets wrapped in `SensitiveString` with automatic memory zeroing
- No disk persistence of secrets
- Custom Debug implementation prevents accidental logging
- Immediate prompt to save to Key Vault
**Problem**: "Failed to list applications"
- **Solution**: Request `Application.ReadWrite.All` and `Directory.Read.All` permissions from your Azure AD admin
## Platform-Specific Notes
**Problem**: "Failed to store secret in Key Vault"
- **Solution**: Ensure you have **Key Vault Secrets Officer** role on the target vault
- Check Key Vault network settings allow your IP address
### macOS
### UI Issues
Due to limitations in the graph-rs-sdk, macOS uses **device code flow** instead of interactive browser flow:
**Problem**: Dropdown list won't scroll
- **Solution**: Updated in latest version - mouse wheel now scrolls the dropdown properly
1. A code will be displayed in the application
2. Open the provided URL in your browser
3. Enter the code and complete authentication
4. Return to the application
**Problem**: Can't see all applications
- **Solution**: Use keyboard navigation (arrow keys) or mouse wheel to scroll through large lists
### Linux
### General Issues
**Problem**: No subscriptions found
- **Solution**: Verify your account has at least Reader access to one Azure subscription
**Problem**: No Key Vaults appear
- **Solution**: Create a Key Vault in your subscription or request access to existing ones
## 📝 Logs
Application logs are stored in: `logs/app_YYYYMMDD.log`
Log levels:
- **INFO**: Normal operations
- **ERROR**: Failed operations with stack traces
## 🔒 Security Best Practices
- ✅ Secrets are **only displayed once** in the UI
- ✅ Secrets are **never logged** to files
- ✅ Authentication uses Azure Identity library (secure token caching)
- ✅ Uses Azure CLI public client ID (no app registration needed)
- ⚠️ **Always copy secrets immediately** - they cannot be retrieved later
- ⚠️ Store secrets in a secure password manager after generation
## 🏗️ Building Executable (Optional)
Create a standalone executable:
Requires a secret service backend (gnome-keyring or kwallet) for secure token storage:
```bash
pip install pyinstaller
pyinstaller --onefile --windowed --name AzureKeyVaultManager main.py
# Ubuntu/Debian
sudo apt install gnome-keyring
# Arch Linux
sudo pacman -S gnome-keyring
```
Output: `dist/AzureKeyVaultManager.exe` (Windows) or `dist/AzureKeyVaultManager` (Linux/macOS)
### Windows
**Note**: Executable size will be ~50-100MB due to bundled dependencies.
No additional dependencies required. Uses Windows Credential Manager.
## 🤝 Contributing
## Troubleshooting
Contributions are welcome! Please feel free to submit a Pull Request.
### Authentication Fails
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
- Ensure you have appropriate permissions in your Azure AD tenant
- Check your internet connection
- Review logs with `LOG_LEVEL=debug cargo run`
- Some organizations may have conditional access policies that require MFA or compliant devices
## 📄 License
### No Key Vaults Found
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
- Verify you have Key Vaults in your subscription
- Check that your user has appropriate RBAC permissions
- Ensure the Management API scope was granted
## 🙏 Acknowledgments
### Token Cache Errors
- Built with [CustomTkinter](https://github.com/TomSchimansky/CustomTkinter) by Tom Schimansky
- Uses [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python)
- Uses [Microsoft Graph SDK for Python](https://github.com/microsoftgraph/msgraph-sdk-python)
- On Linux: Install and start gnome-keyring or kwallet
- On macOS: Check Keychain Access permissions
- On Windows: Check Windows Credential Manager
## 📮 Support
## Development
For issues, questions, or suggestions:
- 🐛 [Open an issue](https://github.com/yourusername/azure-keyvault-manager/issues)
- 💬 [Start a discussion](https://github.com/yourusername/azure-keyvault-manager/discussions)
### Run in Debug Mode
---
```bash
cargo run
```
**Made with ❤️ for Azure administrators**
### Run Tests
```bash
cargo test
```
### Enable Debug Logging
```bash
LOG_LEVEL=debug cargo run
```
## Building for Release
### Current Platform
```bash
cargo build --release
```
### Cross-Platform (requires setup)
```bash
# Windows
cargo build --release --target x86_64-pc-windows-msvc
# Linux
cargo build --release --target x86_64-unknown-linux-gnu
# macOS
cargo build --release --target x86_64-apple-darwin
```
## Contributing
Contributions are welcome. Please ensure:
- Code follows Rust best practices
- All tests pass
- Security considerations are maintained
- Documentation is updated
## License
MIT License - See LICENSE file for details
## Acknowledgments
- Microsoft Graph SDK team for graph-rs-sdk
- Azure SDK for Rust team
- egui framework creators
## Support
For issues and feature requests, please use the GitHub issue tracker.
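Review bot: The rewritten Prerequisites section reduces the required Azure access to the single line `- Azure subscription with appropriate permissions`, while the new Troubleshooting entries still tell the reader to "check that your user has appropriate RBAC permissions" and to "ensure the Management API scope was granted" without ever naming them; restore the removed permission list (Application.ReadWrite.All and Directory.Read.All on Microsoft Graph, Key Vault Secrets Officer on the target vaults, Reader on the subscription) under the new heading so the least-privilege set an admin must consent to stays documented. Two smaller gaps in the same hunk: the new "Secret Handling" bullets no longer say that the generated secret is displayed once and cannot be retrieved afterwards, which the dropped `⚠️ **Always copy secrets immediately** - they cannot be retrieved later` line covered, and the advice `Review logs with \`LOG_LEVEL=debug cargo run\`` should state where log output goes and that debug logging excludes tokens and secret values, matching the "Custom Debug implementation prevents accidental logging" claim earlier in the file.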