AuthPowerBI – v0.2

szabozoltan69 · szabozoltan69 · commit 8854578733f8 · 2025-10-21T14:01:30.000+02:00
diff --git a/api/test_views.py b/api/test_views.py
@@ -1,7 +1,10 @@
+import re
 import uuid
+from unittest.mock import patch
 
 from django.contrib.auth.models import User
 from django.core.files.uploadedfile import SimpleUploadedFile
+from django.test import override_settings
 from django.urls import reverse
 
 import api.models as models
@@ -37,6 +40,59 @@ def test_authenticated_returns_ok(self):
         self.assertEqual(data.get("detail"), "ok")
         self.assertEqual(data.get("user"), user.username)
 
+    def test_authenticated_returns_mock_values_shape(self):
+        user = User.objects.create_user(username="bob", password="pass1234")
+        self.assertEqual("bob", user.username)
+        self.client.login(username="bob", password="pass1234")
+
+        # Force mock path regardless of settings by returning no MI token
+        with patch("api.views._pbi_token_via_managed_identity", return_value=None):
+            resp = self.client.get(self.url)
+        self.assertEqual(resp.status_code, 200)
+        data = resp.json()
+
+        # embed_token: 16 hex chars
+        self.assertIsInstance(data.get("embed_token"), str)
+        self.assertTrue(re.fullmatch(r"[0-9a-f]{16}", data["embed_token"]))
+        # embed_url: 10-char random string
+        self.assertIsInstance(data.get("embed_url"), str)
+        self.assertEqual(len(data["embed_url"]), 10)
+        # report_id: positive int
+        self.assertIsInstance(data.get("report_id"), int)
+        self.assertGreater(data["report_id"], 0)
+
+    def test_authenticated_powerbi_values_when_configured(self):
+        user = User.objects.create_user(username="carol", password="pass1234")
+        self.assertEqual("carol", user.username)
+        self.client.login(username="carol", password="pass1234")
+
+        expected = {
+            "embed_url": "https://app.powerbi.com/reportEmbed?reportId=rep-123",
+            "report_id": "rep-123",
+            "embed_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",  # dummy string
+            "expires_at": "2099-01-01T00:00:00Z",
+        }
+
+        with override_settings(POWERBI_WORKSPACE_ID="ws-abc"):
+            with (
+                patch("api.views._pbi_token_via_managed_identity", return_value="access-token") as p_token,
+                patch(
+                    "api.views._pbi_get_embed_info",
+                    return_value=(expected["embed_url"], expected["report_id"], expected["embed_token"], expected["expires_at"]),
+                ) as p_info,
+            ):
+                resp = self.client.get(self.url)
+
+        self.assertEqual(resp.status_code, 200)
+        data = resp.json()
+        self.assertEqual(data.get("embed_url"), expected["embed_url"])
+        self.assertEqual(data.get("report_id"), expected["report_id"])
+        self.assertEqual(data.get("embed_token"), expected["embed_token"])
+        self.assertEqual(data.get("user"), "carol")
+        # helpers were called
+        p_token.assert_called_once()
+        p_info.assert_called_once()
+
 
 class SecureFileFieldTest(APITestCase):
     def is_valid_uuid(self, uuid_to_test):
diff --git a/api/views.py b/api/views.py
@@ -1,8 +1,11 @@
 import json
+import os
 import secrets
 from datetime import datetime, timedelta
 from urllib.parse import urlparse
 
+import requests
+from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
 from django.conf import settings
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
@@ -1068,32 +1071,110 @@ def logout_user(request):
     return redirect(reverse(settings.LOGIN_URL))
 
 
+# Power BI embedding via managed identity
+PBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
+PBI_BASE = "https://api.powerbi.com/v1.0/ifrc"  # myorg?
+
+
+def _pbi_token_via_managed_identity() -> str | None:
+    """
+    Acquire an AAD access token for Power BI using the AKS managed identity.
+    If AZURE_CLIENT_ID is provided, target that user-assigned MI.
+    """
+    try:
+        client_id = getattr(settings, "AZURE_CLIENT_ID", None) or os.getenv("AZURE_CLIENT_ID")
+        client_id = "8876ce49-0952-4fc5-b648-b1695bd03ebd"  # Staging, Prod: "f1d59a17-c79e-4f18-b444-5eb95730868f"
+        if client_id:
+            cred = ManagedIdentityCredential(client_id=client_id)
+        else:
+            # Will use workload identity / MSI / Azure CLI (in dev) automatically
+            cred = DefaultAzureCredential(exclude_interactive_browser_credential=True)
+        return cred.get_token(PBI_SCOPE).token
+    except Exception as exc:
+        logger.exception("Power BI MI token acquisition failed: %s", exc)
+        return None
+
+
+def _pbi_get_embed_info(access_token: str, workspace_id: str, report_id: str | None = None, timeout: int = 10):
+    """
+    Get report embedUrl and generate an embed token (embed-for-your-organization).
+    Requires the service principal (managed identity) to be a member of the workspace.
+    """
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    # Resolve report metadata
+    if report_id:
+        r = requests.get(f"{PBI_BASE}/groups/{workspace_id}/reports/{report_id}", headers=headers, timeout=timeout)
+        r.raise_for_status()
+        rep = r.json()
+    else:
+        r = requests.get(f"{PBI_BASE}/groups/{workspace_id}/reports", headers=headers, timeout=timeout)
+        r.raise_for_status()
+        items = r.json().get("value", [])
+        if not items:
+            raise RuntimeError("No reports found in workspace.")
+        rep = items[0]
+        report_id = rep["id"]
+
+    embed_url = rep["embedUrl"]
+
+    # Generate embed token (view access)
+    payload = {"accessLevel": "View"}
+    t = requests.post(
+        f"{PBI_BASE}/groups/{workspace_id}/reports/{report_id}/GenerateToken",
+        headers={**headers, "Content-Type": "application/json"},
+        json=payload,
+        timeout=timeout,
+    )
+    t.raise_for_status()
+    token_json = t.json()
+    embed_token = token_json["token"]
+    expires = token_json.get("expiration")
+
+    return embed_url, report_id, embed_token, expires
+
+
 class AuthPowerBI(APIView):
     authentication_classes = (authentication.SessionAuthentication,)
     permission_classes = (permissions.IsAuthenticated,)
 
     def get(self, request):
-        # Temporary mock values until Power BI REST integration is added
+        # Try real Power BI via managed identity
+        workspace_id = getattr(
+            settings, "POWERBI_WORKSPACE_ID", "ac23af44-f635-40e4-9091-5e6ba88bdaf3"
+        )  # Should be no default, FIXME
+        report_id_cfg = getattr(settings, "POWERBI_REPORT_ID", None)  # ? 029be7d5-36c6-496e-a613-8fcf051f4ed6
+        access_token = _pbi_token_via_managed_identity()
+
+        if access_token and workspace_id:
+            try:
+                embed_url, report_id, embed_token, expires_at = _pbi_get_embed_info(access_token, workspace_id, report_id_cfg)
+                return Response(
+                    {
+                        "detail": "ok",
+                        "embed_url": embed_url,
+                        "report_id": report_id,
+                        "embed_token": embed_token,
+                        "expires_at": expires_at,
+                        "user": request.user.username,
+                    }
+                )
+            except Exception as e:
+                logger.exception("Power BI REST call failed, falling back to mock: %s", e)
+
+        # Fallback mock if not configured or failed
         embed_token = secrets.token_hex(8)  # 16-char hex
+        embed_url = get_random_string(10)
+        report_id = secrets.randbelow(2_147_483_647) + 1
         expires_at = (timezone.now() + timedelta(hours=1)).isoformat()
-        group_id = get_random_string(36)  # UUID-like random slug – workspace id
-        group_id = "ac23af44-f635-40e4-9091-5e6ba88bdaf3"  # fixed for testing
-        report_id = get_random_string(36)  # UUID-like random slug
-        report_id = "029be7d5-36c6-496e-a613-8fcf051f4ed6"  # fixed for testing
-        report_section = get_random_string(16)  # default section
-        report_section = "067c44735dc44119482e"  # fixed for testing
-        # embed_url = f"https://app.powerbi.com/reportEmbed?reportId={report_id}&groupId={group_id}"
-        embed_url = f"https://app.powerbi.com/groups/{group_id}/reports/{report_id}/{report_section}"
 
         return Response(
             {
                 "detail": "ok",
-                "embed_token": embed_token,
                 "embed_url": embed_url,
-                "expires_at": expires_at,
-                "group_id": group_id,
                 "report_id": report_id,
-                "report_section": report_section,
+                "embed_token": embed_token,
+                "expires_at": expires_at,
                 "user": request.user.username,
             }
         )
