From 25f93767c0b1f5efcc89261efadfc33c37378666 Mon Sep 17 00:00:00 2001 From: migbh <116078922+migbh@users.noreply.github.com> Date: Fri, 17 Feb 2023 16:08:22 +0100 Subject: [PATCH 1/2] let user authenticate via service principal --- includes/class-power-bi-endpoints.php | 38 ++++++++++++ includes/class-power-bi-oauth.php | 76 +++++++++++++++++++++++- includes/class-power-bi-settings.php | 16 +++++ includes/functions-power-bi-settings.php | 55 ++++++++++++++++- 4 files changed, 180 insertions(+), 5 deletions(-) diff --git a/includes/class-power-bi-endpoints.php b/includes/class-power-bi-endpoints.php index 9d19803..c5dc149 100644 --- a/includes/class-power-bi-endpoints.php +++ b/includes/class-power-bi-endpoints.php @@ -40,6 +40,35 @@ private function setup_actions() { //construct private function __construct(){} + /** + * Get Embedded Token for report. + * + * @since 1.1.5 + * @access public + * @return mixed + */ + public function get_embedded_token($workspace_id, $report_id, $ms_token, $dataset_id) { + $username = (!empty(get_option('power_bi_settings')['powerbi_rls_effecitve_identity'])) ? get_option('power_bi_settings')['powerbi_rls_effecitve_identity'] : false; + $params = ['identities' => [['username' => $username, 'datasets' => [$dataset_id]],], "accessLevel" => "View", "datasetId" => $dataset_id]; + + $url = "https://api.powerbi.com/v1.0/myorg/groups/$workspace_id/reports/$report_id/GenerateToken"; + + $postdata = json_encode($params); + + $ch = curl_init($url); + curl_setopt($ch, CURLOPT_POST, 1); + curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_HTTPHEADER, + array( + "Content-Type: application/json", + "Authorization: Bearer $ms_token",)); + $result = curl_exec($ch); + curl_close($ch); + + return json_decode((string) $result); + } + /** * Get Report Data to make api call. * 
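Review bot: get_embedded_token() returns `json_decode((string) $result)` without checking that `curl_exec()` succeeded or that the API answered with a success status, so a transport error or an error body reaches the caller as `null` or as an object with no `token` property. The request also always carries an `identities` entry, with `username` set to `false` when `powerbi_rls_effecitve_identity` is empty, which presumably makes GenerateToken fail for datasets that have no RLS roles. `$workspace_id` and `$report_id` are interpolated into the URL path unencoded, and the handle has no timeout. I would send the identity only when a username is configured, pass the ids through `rawurlencode()`, set a finite timeout and return `false` on any failure, as sketched below.

```php
public function get_embedded_token($workspace_id, $report_id, $ms_token, $dataset_id) {
    $settings = get_option('power_bi_settings');
    $params = ['accessLevel' => 'View', 'datasetId' => $dataset_id];
    // Attach an effective identity only when an RLS username is configured.
    if (!empty($settings['powerbi_rls_effecitve_identity'])) {
        $params['identities'] = [[
            'username' => $settings['powerbi_rls_effecitve_identity'],
            'datasets' => [$dataset_id],
        ]];
    }

    $url = 'https://api.powerbi.com/v1.0/myorg/groups/' . rawurlencode($workspace_id)
        . '/reports/' . rawurlencode($report_id) . '/GenerateToken';

    // … unchanged: json_encode, curl_init and the existing curl_setopt calls …
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    $result = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Treat transport errors and non-2xx answers as failure instead of decoding them.
    if ($result === false || $status < 200 || $status >= 300) {
        return false;
    }

    return json_decode($result);
}
```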
@@ -50,6 +79,8 @@ private function __construct(){} public function get_report_data($data){ if(!isset($data['post_id'])) return false; $power_bi_credentials = get_option('power_bi_credentials'); + $settings = get_option( 'power_bi_settings' ); + $response = []; if(!isset( $power_bi_credentials['access_token'])) return false; $response['access_token'] = $power_bi_credentials['access_token']; @@ -109,6 +140,13 @@ public function get_report_data($data){ $response['tile_id'] = esc_attr(get_post_meta( $post_id, '_power_bi_tile_id', true )); $response['embed_url'] = $response['api_url'] . "embed?dashboardId=" . $response['dashboard_id'] . "&tileId=" . $response['tile_id'] . "&groupId=" . $response['group_id']; } + + if ( $settings['auth_type'] == 'service_principal' ) { + $result = $this->get_embedded_token($response['group_id'], $response['report_id'], $power_bi_credentials['access_token'], $response['dataset_id']); + $response['access_token'] = $result->token; + $response['embed_token'] = $result->token; + $response['token_type'] = 'Embed'; + } nocache_headers(); return new WP_REST_Response(!(empty($response)) ? $response : false); } diff --git a/includes/class-power-bi-oauth.php b/includes/class-power-bi-oauth.php index c52ebc0..6d4e8c0 100644 --- a/includes/class-power-bi-oauth.php +++ b/includes/class-power-bi-oauth.php @@ -41,8 +41,7 @@ private function setup_actions() { public function add_token() { $power_bi_credentials = get_option('power_bi_credentials'); - - if( isset( $power_bi_credentials['access_token'] ) || isset( $power_bi_credentials['error'] ) ) { + if( is_array($power_bi_credentials) && isset( $power_bi_credentials['access_token'] ) || isset( $power_bi_credentials['error'] ) ) { $token_credentials = $this->get_token(); update_option('power_bi_credentials', $token_credentials); 
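Review bot: The service-principal branch added at the end of get_report_data() reads `$result->token` without checking what get_embedded_token() returned, so a failed GenerateToken call puts `null` into `access_token` and `embed_token` and the client receives an unusable response instead of an error. `$settings['auth_type']` is read unguarded and compared with `==`; on a site that has not yet saved the new field the key is presumably absent. Suggested: `if ( isset( $settings['auth_type'] ) && $settings['auth_type'] === 'service_principal' ) {` and, right after the call, `if ( empty( $result->token ) ) { return new WP_Error( 'power_bi_embed_token', 'Could not generate embed token', array( 'status' => 502 ) ); }`. Whatever the failure path, `access_token` must still be replaced or removed before the response is built, so the service principal's Azure AD token is never what this REST endpoint hands to the browser. The branch also runs after the dashboard/tile code visible above it, where `report_id` and `dataset_id` may not be set; get_report_data() starts and ends outside this hunk.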
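Review bot: In add_token() the new `is_array()` test guards only the first `isset()`, because `&&` binds tighter than `||`, while the line reads as if it covered both. If both checks are meant to be guarded, parenthesise it: `if ( is_array( $power_bi_credentials ) && ( isset( $power_bi_credentials['access_token'] ) || isset( $power_bi_credentials['error'] ) ) ) {`. The rest of add_token() lies outside the hunk.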
@@ -77,7 +76,65 @@ public function add_management_azure_token() { } } - public function get_token() { + public function get_token_by_service_principal() { + + $token_transient = get_transient( 't_token' ); + + if(! empty( $token_transient )) { + return $token_transient; + } + + $user_credentials = get_option( 'power_bi_settings' ); + + $client_id = $user_credentials['power_bi_client_id']; + $client_secret = $user_credentials['power_bi_client_secret']; + $tenant_id = $user_credentials['power_bi_azure_tenant_id']; + + + $curl = curl_init(); + if(!$curl) { + die("Embedded PowerBi could not initialize a cURL handle. Please have your hosting provider install curl"); + } + + curl_setopt_array($curl, array( + CURLOPT_URL => 'https://login.microsoftonline.com/' . $tenant_id . '/oauth2/token', + CURLOPT_RETURNTRANSFER => true, + CURLOPT_ENCODING => '', + CURLOPT_MAXREDIRS => 10, + CURLOPT_TIMEOUT => 0, + CURLOPT_FOLLOWLOCATION => true, + CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, + CURLOPT_CUSTOMREQUEST => 'POST', + 'grant_type=client_credentials&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&client_id=' . $client_id . '&client_secret=' . $client_secret . '', + CURLOPT_POSTFIELDS => 'grant_type=client_credentials&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&client_id=b54b6bd0-3ccd-4d99-8dcd-a71d92ed4bb3%0A&client_secret=yYB8Q~YTb4AtabGEyQLjrpDmIrT6WHIAXVIwIaU~', + CURLOPT_HTTPHEADER => array( + 'Content-Type: application/x-www-form-urlencoded', + ), + )); + + $response = curl_exec($curl); + + $err = curl_error($curl); + + curl_close($curl); + + if ($err) { + $err = json_decode($err, true); + return $err; + } + + $token = json_decode($response, true); + + if ( isset($token['error']) ) { + return $token; + } + + set_transient( 't_token', $token, HOUR_IN_SECONDS ); + return $token; + + } + + public function get_token_by_master_user() { $token_transient = get_transient( 't_token' ); 
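Review bot: The `CURLOPT_POSTFIELDS` line in get_token_by_service_principal() carries a literal client id and client secret instead of the `$client_id` and `$client_secret` values read from `power_bi_settings`, so every site would authenticate as that one app registration and the secret is now in the repository history. Patch 2/2 removes the literal, but the secret should be treated as exposed and rotated, and the series squashed before merge so the value never reaches the main branch. The keyless string element just above it gets array index 0, which is not a cURL option constant. Separately, `CURLOPT_FOLLOWLOCATION => true` on a request whose body holds the client secret lets a redirect response steer that request to another URL, and `CURLOPT_TIMEOUT => 0` disables the timeout; I would use `CURLOPT_FOLLOWLOCATION => false` and a finite value such as `CURLOPT_TIMEOUT => 15`. `curl_error()` returns a plain message, so `json_decode($err, true)` yields `null` and the error is lost; returning `array( 'error' => $err )` would keep it visible to add_token().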
@@ -135,6 +192,19 @@ public function get_token() { return $token; } + + public function get_token() + { + $settings = get_option( 'power_bi_settings' ); + + if ( $settings['auth_type'] == 'master_user' ) { + $token = (array)$this->get_token_by_master_user(); + } + else if ( $settings['auth_type'] == 'service_principal' ) { + $token = (array)$this->get_token_by_service_principal(); + } + return $token; + } // Provided new get token request for https://management.azure.com/ function get_token_management_azure() { diff --git a/includes/class-power-bi-settings.php b/includes/class-power-bi-settings.php index 92bff04..1d5d313 100644 --- a/includes/class-power-bi-settings.php +++ b/includes/class-power-bi-settings.php @@ -75,6 +75,14 @@ public function settings_init( ) { 'power_bi' ); + add_settings_field( + 'powerbi_auth_type', + __( 'Auth type', 'power-bi' ), + 'powerbi_auth_type_render', + 'power_bi', + 'power_bi_section' + ); + add_settings_field( 'power_bi_username', __( 'User Name', 'power-bi' ), @@ -107,6 +115,14 @@ public function settings_init( ) { 'power_bi_section' ); + add_settings_field( + 'powerbi_rls_effecitve_identity', + __( 'Username for Effective Identity (RLS)', 'power-bi' ), + 'powerbi_rls_effecitve_identity_render', + 'power_bi', + 'power_bi_section' + ); + add_settings_field( 'power_bi_oauth_success', __( 'Oauth Status', 'power-bi' ), diff --git a/includes/functions-power-bi-settings.php b/includes/functions-power-bi-settings.php index cb931fd..5364f27 100644 --- a/includes/functions-power-bi-settings.php +++ b/includes/functions-power-bi-settings.php @@ -28,7 +28,7 @@ function powerbi_mobile_breakpoint_render() { function power_bi_username_render() { $options = get_power_bi_plugin_settings(); ?> - '> + '> - '> + '> + '> + + + + + + Date: Thu, 2 Mar 2023 18:17:33 +0100 Subject: [PATCH 2/2] rm test details --- includes/class-power-bi-oauth.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
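Review bot: get_token() leaves `$token` undefined when `auth_type` is neither `master_user` nor `service_principal`, which presumably includes a site upgraded from a version without that setting, and add_token() then writes that `null` to `power_bi_credentials` via `update_option`. Defaulting to the existing flow avoids that: `$auth_type = isset( $settings['auth_type'] ) ? $settings['auth_type'] : 'master_user';`, with the master-user call as the plain `else` branch and `===` for the comparison. Both token functions also cache under the same `t_token` transient, so after the auth type is switched the other flow's token keeps being served until the transient expires. A separate transient key per flow, or a `delete_transient( 't_token' )` when the setting is saved, would close that gap.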
diff --git a/includes/class-power-bi-oauth.php b/includes/class-power-bi-oauth.php
index 6d4e8c0..333d6da 100644
--- a/includes/class-power-bi-oauth.php
+++ b/includes/class-power-bi-oauth.php
@@ -104,9 +104,7 @@ public function get_token_by_service_principal() {
 CURLOPT_TIMEOUT => 0,
 CURLOPT_FOLLOWLOCATION => true,
 CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
- CURLOPT_CUSTOMREQUEST => 'POST',
- 'grant_type=client_credentials&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&client_id=' . $client_id . '&client_secret=' . $client_secret . '',
- CURLOPT_POSTFIELDS => 'grant_type=client_credentials&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&client_id=b54b6bd0-3ccd-4d99-8dcd-a71d92ed4bb3%0A&client_secret=yYB8Q~YTb4AtabGEyQLjrpDmIrT6WHIAXVIwIaU~',
+ CURLOPT_POSTFIELDS => 'grant_type=client_credentials&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi&client_id=' . $client_id . '&client_secret=' . $client_secret . '',
 CURLOPT_HTTPHEADER => array(
 'Content-Type: application/x-www-form-urlencoded',
 ),
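Review bot: The rebuilt `CURLOPT_POSTFIELDS` string concatenates `$client_id` and `$client_secret` without URL-encoding, so a secret containing `&`, `+`, `=` or `%` is altered or splits the form body, and the token request then fails or sends something other than the stored secret. The removed literal has `%0A` after the client id, which suggests pasted values can carry a trailing newline, so trimming is worthwhile as well. I would build the body with `http_build_query()` and an explicit `&` separator, as below. get_token_by_service_principal() starts and ends outside this hunk.

```php
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
// Encode every field so reserved characters in the secret survive intact.
CURLOPT_POSTFIELDS => http_build_query(array(
    'grant_type' => 'client_credentials',
    'resource' => 'https://analysis.windows.net/powerbi/api',
    'client_id' => trim($client_id),
    'client_secret' => trim($client_secret),
), '', '&'),
// … unchanged: CURLOPT_HTTPHEADER …
```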