AuthPowerBI env vars v4 – keeping only workspace_id

Author: szabozoltan69

api/test_views.py

@@ -85,7 +85,8 @@ def test_authenticated_powerbi_values_when_configured(self):
                     return_value=(expected["embed_url"], expected["report_id"], expected["embed_token"], expected["expires_at"]),
                 ) as p_info,
             ):
-                resp = self.client.get(self.url)
+                # Pass report_id via query parameter per new behavior
+                resp = self.client.get(f"{self.url}?report_id={expected['report_id']}")
 
         self.assertEqual(resp.status_code, 200)
         data = resp.json()
@@ -95,7 +96,7 @@ def test_authenticated_powerbi_values_when_configured(self):
         self.assertEqual(data.get("user"), "carol")
         # helpers were called
         p_token.assert_called_once()
-        p_info.assert_called_once()
+        p_info.assert_called_once_with("access-token", "ws-abc", expected["report_id"])
 
 
 class SecureFileFieldTest(APITestCase):

api/views.py

@@ -22,7 +22,12 @@
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.views import View
 from django.views.generic.edit import FormView
-from drf_spectacular.utils import extend_schema, extend_schema_view
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiTypes,
+    extend_schema,
+    extend_schema_view,
+)
 from haystack.query import SQ, SearchQuerySet
 from rest_framework import authentication, permissions
 from rest_framework.authtoken.models import Token
@@ -1080,11 +1085,10 @@ def logout_user(request):
 def _pbi_token_via_managed_identity() -> str | None:
     """
     Acquire an AAD access token for Power BI using the AKS managed identity.
-    If POWERBI_AZURE_CLIENT_ID is provided, target that user-assigned MI.
-    (There is another AZURE_CLIENT_ID among env vars, that is why this distinctive name is used.)
+    If AZURE_CLIENT_ID is provided, target that user-assigned Managed Identity.
     """
     try:
-        client_id = getattr(settings, "POWERBI_AZURE_CLIENT_ID", None) or os.getenv("POWERBI_AZURE_CLIENT_ID")
+        client_id = getattr(settings, "AZURE_CLIENT_ID", None) or os.getenv("AZURE_CLIENT_ID")
         if client_id:
             cred = ManagedIdentityCredential(client_id=client_id)
         else:
@@ -1169,31 +1173,47 @@ class AuthPowerBI(APIView):
     authentication_classes = (authentication.TokenAuthentication,)  # later to SessionAuthentication
     permission_classes = (permissions.IsAuthenticated,)
 
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="report_id",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+                description=("Power BI report identifier. If omitted, the first report in the configured workspace is used."),
+            ),
+            OpenApiParameter(
+                name="debug",
+                type=OpenApiTypes.BOOL,
+                location=OpenApiParameter.QUERY,
+                required=False,
+                description=("Enable debug-lite logging of safe token claim metadata (tid, appid, oid, aud, exp)."),
+            ),
+        ]
+    )
     def get(self, request):
         # Try real Power BI via managed identity
-        # Accept config from settings or environment for parity with diagnostics command
+        # Workspace can come from settings or environment; report_id must come from query param
         workspace_id = getattr(settings, "POWERBI_WORKSPACE_ID", None) or os.getenv("POWERBI_WORKSPACE_ID")
-        # Support both POWERBI_REPORT_ID (preferred) and legacy REPORT_ID, plus env override
-        report_id_cfg = (
-            getattr(settings, "POWERBI_REPORT_ID", None) or getattr(settings, "REPORT_ID", None) or os.getenv("POWERBI_REPORT_ID")
-        )
+        # Receive report id from GET parameter only; do not use env/settings
+        report_id_param = request.query_params.get("report_id")
         access_token = _pbi_token_via_managed_identity()
 
         # Optional debug-lite: log selected token claims and config when requested
         debug_flag = str(request.query_params.get("debug", "")).lower() in {"1", "true", "yes", "on"}
         if debug_flag:
             logger.info(
-                "AuthPowerBI debug-lite enabled: workspace_id=%s report_id_cfg=%s has_token=%s",
+                "AuthPowerBI debug-lite enabled: workspace_id=%s report_id_param=%s has_token=%s",
                 workspace_id,
-                report_id_cfg,
+                report_id_param,
                 bool(access_token),
             )
             if access_token:
                 _log_token_claims_safe(access_token)
 
         if access_token and workspace_id:
             try:
-                embed_url, report_id, embed_token, expires_at = _pbi_get_embed_info(access_token, workspace_id, report_id_cfg)
+                embed_url, report_id, embed_token, expires_at = _pbi_get_embed_info(access_token, workspace_id, report_id_param)
                 return Response(
                     {
                         "detail": "ok",

deploy/helm/ifrcgo-helm/templates/config/secret.yaml

@@ -79,8 +79,6 @@ stringData:
   OIDC_RSA_PRIVATE_KEY_BASE64_ENCODED: "{{ .Values.env.OIDC_RSA_PRIVATE_KEY_BASE64_ENCODED }}"
   OIDC_RSA_PUBLIC_KEY_BASE64_ENCODED: "{{ .Values.env.OIDC_RSA_PUBLIC_KEY_BASE64_ENCODED }}"
   RELIEF_WEB_APP_NAME: "{{ .Values.env.RELIEF_WEB_APP_NAME}}"
-  POWERBI_AZURE_CLIENT_ID: "{{ .Values.env.POWERBI_AZURE_CLIENT_ID}}"
-  POWERBI_REPORT_ID: "{{ .Values.env.POWERBI_REPORT_ID}}"
   POWERBI_WORKSPACE_ID: "{{ .Values.env.POWERBI_WORKSPACE_ID}}"
 
   # Additional secrets

deploy/helm/ifrcgo-helm/values.yaml

@@ -66,8 +66,6 @@ env:
   OIDC_RSA_PRIVATE_KEY_BASE64_ENCODED:
   OIDC_RSA_PUBLIC_KEY_BASE64_ENCODED:
   RELIEF_WEB_APP_NAME: ''
-  POWERBI_AZURE_CLIENT_ID: ''
-  POWERBI_REPORT_ID: ''
   POWERBI_WORKSPACE_ID: ''
 
 # NOTE: Used to pass additional configs to api/worker containers

docker-compose.yml

@@ -52,9 +52,7 @@ x-server: &base_server_setup
     IFRC_TRANSLATION_HEADER_API_KEY: ${IFRC_TRANSLATION_HEADER_API_KEY:-}
     # ReliefWeb appname
     RELIEF_WEB_APP_NAME: ${RELIEF_WEB_APP_NAME:-}
-    # Azure CLIENT_ID (PrincipalId) + PowerBI IDs
-    POWERBI_AZURE_CLIENT_ID: ${POWERBI_AZURE_CLIENT_ID:-}
-    POWERBI_REPORT_ID: ${POWERBI_REPORT_ID:-}
+    # PowerBI
     POWERBI_WORKSPACE_ID: ${POWERBI_WORKSPACE_ID:-}
 
   extra_hosts:

main/settings.py

@@ -147,9 +147,7 @@
     AZURE_OPENAI_DEPLOYMENT_NAME=(str, None),
     # ReliefWeb appname
     RELIEF_WEB_APP_NAME=(str, None),
-    # Azure CLIENT_ID (PrincipalId) + PowerBI IDs
-    POWERBI_AZURE_CLIENT_ID=(str, None),
-    POWERBI_REPORT_ID=(str, None),
+    # PowerBI
     POWERBI_WORKSPACE_ID=(str, None),
 )
 
@@ -884,9 +882,7 @@ def decode_base64(env_key, fallback_env_key):
 # ReliefWeb (for databank cronjob)
 RELIEF_WEB_APP_NAME = env("RELIEF_WEB_APP_NAME")
 
-# Azure CLIENT_ID (PrincipalId for Power BI usage)
-POWERBI_AZURE_CLIENT_ID = env("POWERBI_AZURE_CLIENT_ID")
-POWERBI_REPORT_ID = env("POWERBI_REPORT_ID")
+# PowerBI
 POWERBI_WORKSPACE_ID = env("POWERBI_WORKSPACE_ID")
 
 # Manual checks