# Azure App Registration Manager
A cross-platform Rust GUI application for managing Azure App Registrations and Key Vault secrets.
## Features
- **Interactive Azure Authentication**: Browser-based OAuth 2.0 login flow
- **App Registration Management**: View and manage your Azure App Registrations
- **Client Secret Creation**: Generate new client secrets with automatic expiration
- **Key Vault Integration**: Securely store secrets in Azure Key Vault
- **Cross-Platform**: Works on Windows, Linux, and macOS
- **Secure Token Storage**: Uses OS-level secure storage (Credential Manager/Keychain)
- **Zero Configuration**: No app registration or credential files needed
## Prerequisites
- Rust 1.70+ (install from [rustup.rs](https://rustup.rs))
- Azure subscription with appropriate permissions
## Quick Start
### Installation and Run
```bash
git clone <your-repo-url>
cd azure-app-manager
cargo run --release
```
That's it! No configuration needed. Click "Sign In with Azure" and authenticate.
### How It Works
This application uses Microsoft's **Azure CLI public client ID**, which is pre-approved for accessing Microsoft Graph and Azure Management APIs. You authenticate with your own Azure AD account and permissions. No app registration or configuration files needed.
## Usage
### Run the Application
```bash
cargo run --release
```
Or run the compiled binary:
```bash
./target/release/azure-app-manager
```
### Workflow
1. **Sign In**: Click "Sign In with Azure" and complete authentication in your browser
2. **Select App**: Browse your app registrations and select one
3. **Create Secret**: Click "Create Secret" and enter a description
4. **Save to Vault**: Select a Key Vault and enter a name for the secret
5. **Done**: The secret is securely stored in your Key Vault
## Architecture
### Technology Stack
- **GUI Framework**: egui/eframe (immediate-mode, cross-platform)
- **Azure SDKs**:
  - `graph-rs-sdk`: Microsoft Graph API integration
  - `azure_security_keyvault_secrets`: Key Vault operations
  - `azure_mgmt_keyvault`: Key Vault discovery
- **Async Runtime**: Tokio
- **Async-GUI Bridge**: poll-promise
- **Secure Storage**: keyring (OS-level credential storage)
### Project Structure
```
src/
├── main.rs                     # Application entry point
├── app.rs                      # Main app logic (eframe::App implementation)
├── error.rs                    # Error types
├── auth/                       # Authentication
│   ├── azure_auth.rs           # OAuth flow
│   └── token_cache.rs          # Secure token storage
├── azure/                      # Azure API clients
│   ├── graph_client.rs         # Microsoft Graph API
│   ├── keyvault_client.rs      # Key Vault operations
│   ├── vault_discovery.rs      # Key Vault listing
│   └── models.rs               # Data models
├── state/                      # Application state
│   ├── app_state.rs            # Central state management
│   └── async_operations.rs     # Async operation tracking
└── ui/                         # UI views
    ├── auth_view.rs            # Login screen
    ├── app_list_view.rs        # App registration list
    ├── secret_create_view.rs   # Secret creation form
    ├── keyvault_select_view.rs # Key Vault selection
    └── components.rs           # Reusable UI components
```
## Security Features
### Token Security
- Access tokens stored in OS-level secure storage:
  - **Windows**: Credential Manager
  - **macOS**: Keychain
  - **Linux**: Secret Service (gnome-keyring/kwallet)
- Automatic token refresh before expiration
- Secure memory clearing with `zeroize`
### Secret Handling
- Secrets wrapped in `SensitiveString` with automatic memory zeroing
- No disk persistence of secrets
- Custom Debug implementation prevents accidental logging
- Immediate prompt to save to Key Vault
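The two security properties above (a secret wrapper whose `Debug` output is redacted and whose memory is wiped on drop, plus refreshing a cached token before it expires) are small enough to show in full. The following is an added example written for this README, not the project's own `SensitiveString` or token cache code. It assumes nothing about the project's internals: the zeroing helper is a hand-rolled stand-in for the `zeroize` crate so the example has no dependencies, and the type and field names (`CachedToken`, `needs_refresh`, `expose`) are chosen here for illustration.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};
use std::time::{Duration, SystemTime};

/// Overwrite a buffer with zeros using volatile writes so the optimizer
/// cannot discard the stores as dead. Assumption: this is a dependency-free
/// stand-in for what the `zeroize` crate provides.
pub fn zero_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusive reference to one byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Secret material: redacted in Debug output, wiped when dropped.
pub struct SensitiveString {
    inner: String,
}

impl SensitiveString {
    pub fn new(value: impl Into<String>) -> Self {
        Self { inner: value.into() }
    }

    /// The only way to read the value. Keeping access behind one explicit
    /// method makes every use site easy to find in review.
    pub fn expose(&self) -> &str {
        &self.inner
    }
}

// Deliberately no `Display` impl: `format!("{}", secret)` does not compile,
// so the raw value cannot reach a log line by accident.
impl fmt::Debug for SensitiveString {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SensitiveString([REDACTED])")
    }
}

impl Drop for SensitiveString {
    fn drop(&mut self) {
        // SAFETY: zeros are valid UTF-8, and the String is cleared right
        // afterwards, so no invalid `str` is ever observable.
        unsafe { zero_bytes(self.inner.as_bytes_mut()) };
        self.inner.clear();
    }
}

/// A cached access token. Because the value is a SensitiveString, `{:?}`
/// on the whole struct is safe to log.
#[derive(Debug)]
pub struct CachedToken {
    pub scope: String,
    pub value: SensitiveString,
    pub expires_at: SystemTime,
}

impl CachedToken {
    /// True when the token is already expired or within `margin` of expiring,
    /// so a request sent just before expiry is not rejected with 401.
    pub fn needs_refresh(&self, now: SystemTime, margin: Duration) -> bool {
        match self.expires_at.duration_since(now) {
            Ok(remaining) => remaining <= margin,
            Err(_) => true, // expires_at is already in the past
        }
    }
}

fn main() {
    // Constructed sample values; nothing here is a real token or secret.
    let token = CachedToken {
        scope: "https://graph.microsoft.com/.default".to_string(),
        value: SensitiveString::new("constructed-sample-token-value"),
        expires_at: SystemTime::now() + Duration::from_secs(3600),
    };
    println!("{:?}", token); // value prints as SensitiveString([REDACTED])
    let soon = Duration::from_secs(300);
    println!("needs refresh: {}", token.needs_refresh(SystemTime::now(), soon));
}
```

The refresh margin is passed in rather than hard-coded so the caller can pick a window that covers its slowest request; passing `now` explicitly keeps the check deterministic and testable.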
## Platform-Specific Notes
### macOS
Due to limitations in the graph-rs-sdk, macOS uses **device code flow** instead of interactive browser flow:
1. A code will be displayed in the application
2. Open the provided URL in your browser
3. Enter the code and complete authentication
4. Return to the application
### Linux
Requires a secret service backend (gnome-keyring or kwallet) for secure token storage:
```bash
# Ubuntu/Debian
sudo apt install gnome-keyring
# Arch Linux
sudo pacman -S gnome-keyring
```
### Windows
No additional dependencies required. Uses Windows Credential Manager.
## Troubleshooting
### Authentication Fails
- Ensure you have appropriate permissions in your Azure AD tenant
- Check your internet connection
- Review logs with `LOG_LEVEL=debug cargo run`
- Some organizations may have conditional access policies that require MFA or compliant devices
### No Key Vaults Found
- Verify you have Key Vaults in your subscription
- Check that your user has appropriate RBAC permissions
- Ensure the Management API scope was granted
### Token Cache Errors
- On Linux: Install and start gnome-keyring or kwallet
- On macOS: Check Keychain Access permissions
- On Windows: Check Windows Credential Manager
## Development
### Run in Debug Mode
```bash
cargo run
```
### Run Tests
```bash
cargo test
```
### Enable Debug Logging
```bash
LOG_LEVEL=debug cargo run
```
## Building for Release
### Current Platform
```bash
cargo build --release
```
### Cross-Platform (requires setup)
```bash
# Windows
cargo build --release --target x86_64-pc-windows-msvc
# Linux
cargo build --release --target x86_64-unknown-linux-gnu
# macOS
cargo build --release --target x86_64-apple-darwin
```
## Contributing
Contributions are welcome. Please ensure:
- Code follows Rust best practices
- All tests pass
- Security considerations are maintained
- Documentation is updated
## License
MIT License - See LICENSE file for details
## Acknowledgments
- Microsoft Graph SDK team for graph-rs-sdk
- Azure SDK for Rust team
- egui framework creators
## Support
For issues and feature requests, please use the GitHub issue tracker.