# Azure App Registration Manager

A cross-platform Rust GUI application for managing Azure App Registrations and Key Vault secrets.

## Features

- **Interactive Azure Authentication**: Browser-based OAuth 2.0 login flow
- **App Registration Management**: View and manage your Azure App Registrations
- **Client Secret Creation**: Generate new client secrets with automatic expiration
- **Key Vault Integration**: Securely store secrets in Azure Key Vault
- **Cross-Platform**: Works on Windows, Linux, and macOS
- **Secure Token Storage**: Uses OS-level secure storage (Credential Manager/Keychain)
- **Zero Configuration**: No app registration or credential files needed

## Prerequisites

- Rust 1.70+ (install from [rustup.rs](https://rustup.rs))
- Azure subscription with appropriate permissions

## Quick Start

### Installation and Run

```bash
git clone
cd azure-app-manager
cargo run --release
```

That's it! No configuration needed. Click "Sign In with Azure" and authenticate.

### How It Works

This application uses Microsoft's **Azure CLI public client ID**, which is pre-approved for accessing Microsoft Graph and Azure Management APIs. You authenticate with your own Azure AD account, so every call runs with your own permissions. No app registration or configuration files are needed.

## Usage

### Run the Application

```bash
cargo run --release
```

Or run the compiled binary:

```bash
./target/release/azure-app-manager
```

### Workflow

1. **Sign In**: Click "Sign In with Azure" and complete authentication in your browser
2. **Select App**: Browse your app registrations and select one
3. **Create Secret**: Click "Create Secret" and enter a description
4. **Save to Vault**: Select a Key Vault and enter a name for the secret
5. **Done**: The secret is securely stored in your Key Vault

## Architecture

### Technology Stack

- **GUI Framework**: egui/eframe (immediate-mode, cross-platform)
- **Azure SDKs**:
  - `graph-rs-sdk`: Microsoft Graph API integration
  - `azure_security_keyvault_secrets`: Key Vault operations
  - `azure_mgmt_keyvault`: Key Vault discovery
- **Async Runtime**: Tokio
- **Async-GUI Bridge**: poll-promise
- **Secure Storage**: keyring (OS-level credential storage)

### Project Structure

```
src/
├── main.rs                    # Application entry point
├── app.rs                     # Main app logic (eframe::App implementation)
├── error.rs                   # Error types
├── auth/                      # Authentication
│   ├── azure_auth.rs          # OAuth flow
│   └── token_cache.rs         # Secure token storage
├── azure/                     # Azure API clients
│   ├── graph_client.rs        # Microsoft Graph API
│   ├── keyvault_client.rs     # Key Vault operations
│   ├── vault_discovery.rs     # Key Vault listing
│   └── models.rs              # Data models
├── state/                     # Application state
│   ├── app_state.rs           # Central state management
│   └── async_operations.rs    # Async operation tracking
└── ui/                        # UI views
    ├── auth_view.rs           # Login screen
    ├── app_list_view.rs       # App registration list
    ├── secret_create_view.rs  # Secret creation form
    ├── keyvault_select_view.rs # Key Vault selection
    └── components.rs          # Reusable UI components
```

## Security Features

### Token Security

- Access tokens are stored in OS-level secure storage:
  - **Windows**: Credential Manager
  - **macOS**: Keychain
  - **Linux**: Secret Service (gnome-keyring/kwallet)
- Automatic token refresh before expiration
- Secure memory clearing with `zeroize`

### Secret Handling

- Secrets are wrapped in `SensitiveString` with automatic memory zeroing
- No disk persistence of secrets
- A custom `Debug` implementation prevents accidental logging of secret values
- Immediate prompt to save to Key Vault

## Platform-Specific Notes

### macOS

Due to limitations in graph-rs-sdk, macOS uses **device code flow** instead of the interactive browser flow:

1. A code will be displayed in the application
2. Open the provided URL in your browser
3. Enter the code and complete authentication
4. Return to the application

### Linux

Requires a Secret Service backend (gnome-keyring or kwallet) for secure token storage:

```bash
# Ubuntu/Debian
sudo apt install gnome-keyring

# Arch Linux
sudo pacman -S gnome-keyring
```

### Windows

No additional dependencies required. Uses Windows Credential Manager.

## Troubleshooting

### Authentication Fails

- Ensure you have appropriate permissions in your Azure AD tenant
- Check your internet connection
- Review logs with `LOG_LEVEL=debug cargo run`
- Some organizations have conditional access policies that require MFA or compliant devices

### No Key Vaults Found

- Verify you have Key Vaults in your subscription
- Check that your user has appropriate RBAC permissions
- Ensure the Management API scope was granted

### Token Cache Errors

- On Linux: Install and start gnome-keyring or kwallet
- On macOS: Check Keychain Access permissions
- On Windows: Check Windows Credential Manager

## Development

### Run in Debug Mode

```bash
cargo run
```

### Run Tests

```bash
cargo test
```

### Enable Debug Logging

```bash
LOG_LEVEL=debug cargo run
```

## Building for Release

### Current Platform

```bash
cargo build --release
```

### Cross-Platform (requires the target toolchains to be installed)

```bash
# Windows
cargo build --release --target x86_64-pc-windows-msvc

# Linux
cargo build --release --target x86_64-unknown-linux-gnu

# macOS
cargo build --release --target x86_64-apple-darwin
```

## Contributing

Contributions are welcome. Please ensure:

- Code follows Rust best practices
- All tests pass
- Security considerations are maintained
- Documentation is updated

## License

MIT License - See LICENSE file for details

## Acknowledgments

- Microsoft Graph SDK team for graph-rs-sdk
- Azure SDK for Rust team
- egui framework creators

## Support

For issues and feature requests, please use the GitHub issue tracker.
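The Secret Handling and Token Security sections above describe a `SensitiveString` wrapper with a redacting `Debug` impl and memory zeroing. The following is an added illustration of that pattern, not the project's own code: it assumes a hypothetical `CreatedSecret` result type, and it replaces the project's `zeroize` dependency with a hand-rolled volatile wipe so the block compiles with no external crates.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};
/// Constructed illustration, not the project's type. The project uses the
/// `zeroize` crate; this block hand-rolls the wipe with volatile writes.
pub struct SensitiveString {
    inner: String,
}

impl SensitiveString {
    pub fn new(secret: impl Into<String>) -> Self {
        Self { inner: secret.into() }
    }
    /// The only way to read the value, so call sites are easy to audit.
    pub fn expose(&self) -> &str {
        &self.inner
    }
    /// Overwrite every byte; volatile stores plus a compiler fence keep the
    /// optimizer from eliding writes to a value that is about to die.
    pub fn wipe(&mut self) {
        // SAFETY: 0x00 bytes keep the String valid UTF-8, and `&mut self`
        // guarantees no outstanding borrow of the contents.
        let bytes = unsafe { self.inner.as_bytes_mut() };
        for b in bytes.iter_mut() {
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Redacted Debug: `{:?}` on this type, or on any struct that derives
/// Debug and contains it, never puts the secret into a log line.
impl fmt::Debug for SensitiveString {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SensitiveString([REDACTED])")
    }
}

impl Drop for SensitiveString {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// Hypothetical result of the "Create Secret" step, as a debug log might see it.
#[derive(Debug)]
pub struct CreatedSecret {
    pub display_name: String,
    pub value: SensitiveString,
}
```

Formatting a `CreatedSecret` with `{:?}` yields the description but only `SensitiveString([REDACTED])` for the value, and the buffer is zeroed when the wrapper goes out of scope.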