testmycode · Redande · Jul 10, 2025 · Jul 10, 2025 · Jul 10, 2025 · Jul 10, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -29,7 +29,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -65,7 +65,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -83,7 +83,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -101,7 +101,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with: 
+        with:
           submodules: false
       - name: Setup git submodules
         run: |
@@ -112,4 +112,4 @@ jobs:
       - name: Setup database & test env
         run: docker compose run web bin/rake db:create db:schema:load RAILS_ENV=test
       - name: Run spec_integration tests
-        run: docker compose run web bin/spec_integration
+        run: docker compose run web bin/spec_integration
diff --git a/app/controllers/api/v8/users_controller.rb b/app/controllers/api/v8/users_controller.rb
@@ -56,6 +56,28 @@ class UsersController < Api::V8::BaseController
         end
       end
 
+      swagger_path '/api/v8/users/{user_id}/set_password_managed_by_courses_mooc_fi' do
+        operation :post do
+          key :description, 'Sets the boolean password_managed_by_courses_mooc_fi for the user with the given id to true.'
+          key :operationId, 'setPasswordManagedByCoursesMoocFi'
+          key :produces, ['application/json']
+          key :tags, ['user']
+          parameter '$ref': '#/parameters/user_id'
+          response 403, '$ref': '#/responses/error'
+          response 404, '$ref': '#/responses/error'
+          response 200 do
+            key :description, "status 'ok' and sets the boolean password_managed_by_courses_mooc_fi to true"
+            schema do
+              key :title, :status
+              key :required, [:status]
+              property :status, type: :string, example: 'Password managed by courses.mooc.fi set to true and password deleted.'
+            end
+          end
+        end
+      end
+
+      skip_authorization_check only: %i[set_password_managed_by_courses_mooc_fi]
+
       def show
         unauthorize_guest! if current_user.guest?
         user = current_user
@@ -149,6 +171,26 @@ def update
         }, status: :bad_request
       end
 
+      def set_password_managed_by_courses_mooc_fi
+        only_admins!
+
+        User.transaction do
+          user = User.find_by!(id: params[:id])
+          user.password_managed_by_courses_mooc_fi = true
+          user.password_hash = nil
+          user.salt = nil
+          user.argon_hash = nil
+          user.courses_mooc_fi_user_id = params[:courses_mooc_fi_user_id]
+          raise ActiveRecord::Rollback if !user.errors.empty? || !user.save
+          return render json: {
+            status: 'Password managed by courses.mooc.fi set to true and password deleted.'
+          }
+        end
+        render json: {
+          errors: @user.errors
+        }, status: :bad_request
+      end
+
       private
         def set_email
           user_params = params[:user]
@@ -189,6 +231,10 @@ def set_password
         end
 
         def maybe_update_password
+          if @user.password_managed_by_courses_mooc_fi && @user.courses_mooc_fi_user_id.present?
+            return @user.update_password_via_courses_mooc_fi(@user.courses_mooc_fi_user_id, user_params[:old_password], user_params[:password])
+          end
+
           if params[:old_password].present? && params[:password].present?
             if [email protected]_password?(params[:old_password])
               @user.errors.add(:old_password, 'incorrect')

diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
@@ -86,6 +86,10 @@ def set_email
     end
 
     def maybe_update_password(user, user_params)
+      if user.password_managed_by_courses_mooc_fi && user.courses_mooc_fi_user_id.present?
+        return user.update_password_via_courses_mooc_fi(user.courses_mooc_fi_user_id, user_params[:old_password], user_params[:password])
+      end
+
       if user_params[:old_password].present? || user_params[:password].present?
         if !user.has_password?(user_params[:old_password])
           user.errors.add(:old_password, 'incorrect')

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -179,6 +179,10 @@ def set_password
     end
 
     def maybe_update_password(user, user_params)
+      if user.password_managed_by_courses_mooc_fi && user.courses_mooc_fi_user_id.present?
+        return user.update_password_via_courses_mooc_fi(user.courses_mooc_fi_user_id, user_params[:old_password], user_params[:password])
+      end
+
       if user_params[:old_password].present? || user_params[:password].present?
         if !user.has_password?(user_params[:old_password])
           user.errors.add(:old_password, 'incorrect')

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rest-client'
+
 class User < ApplicationRecord
   include Comparable
   include Gravtastic
@@ -146,9 +148,72 @@ def self.authenticate(login, submitted_password)
     user = find_by(login: login)
     user ||= find_by('lower(email) = ?', login.downcase)
     return nil if user.nil?
+    user if user.password_managed_by_courses_mooc_fi && user.courses_mooc_fi_user_id.present? && authenticate_via_courses_mooc_fi(user.courses_mooc_fi_user_id, submitted_password)
     user if user.has_password?(submitted_password)
   end
 
+  def authenticate_via_courses_mooc_fi(courses_mooc_fi_user_id, submitted_password)
+    auth_url = SiteSetting.value('courses_mooc_fi_auth_url')
+    response = RestClient.post(
+      auth_url,
+      {
+        user_id: courses_mooc_fi_user_id,
+        password: submitted_password }.to_json,
+      {
+        content_type: :json,
+        accept: :json,
+        Authorization: Rails.application.secrets.tmc_server_secret_for_communicating_to_secret_project,
+      }
+    )
+
+    data = JSON.parse(response.body)
+    unless data['authenticated'] == true
+      raise "Authentication via courses.mooc.fi failed for #{email}"
+    end
+
+    true
+  rescue RestClient::Unauthorized, RestClient::Forbidden
+    raise "Authentication rejected by courses.mooc.fi for #{email}"
+  rescue RestClient::ExceptionWithResponse => e
+    Rails.logger.error("Authentication via courses.mooc.fi error: #{e.response}")
+    raise "Authentication via courses.mooc.fi failed: #{e.message}"
+  rescue => e
+    Rails.logger.error("Unexpected error during authentication via courses.mooc.fi: #{e.message}")
+    raise "Unexpected error while authenticating via courses.mooc.fi: #{e.message}"
+  end
+
+  def update_password_via_courses_mooc_fi(courses_mooc_fi_user_id, old_password, new_password)
+    update_url = SiteSetting.value('courses_mooc_fi_update_password_url')
+
+    response = RestClient.put(
+      update_url,
+      {
+        user_id: courses_mooc_fi_user_id,
+        old_password: old_password,
+        new_password: new_password,
+      }.to_json,
+      {
+        content_type: :json,
+        accept: :json,
+        Authorization: Rails.application.secrets.tmc_server_secret_for_communicating_to_secret_project,
+      }
+    )
+
+    data = JSON.parse(response.body)
+
+    unless data['updated'] == true
+      raise "Updating password via courses.mooc.fi failed for user with courses.mooc.fi-user-id #{courses_mooc_fi_user_id}"
+    end
+
+    true
+  rescue RestClient::ExceptionWithResponse => e
+    Rails.logger.error("Updating password via courses.mooc.fi failed for user with courses.mooc.fi-user-id #{courses_mooc_fi_user_id}: #{e.response}")
+    false
+  rescue => e
+    Rails.logger.error("Unexpected error updating password via courses.mooc.fi for user with courses.mooc.fi-user-id #{courses_mooc_fi_user_id}: #{e.message}")
+    false
+  end
+
   def password_reset_key
     action_tokens.find { |t| t.action == 'reset_password' }
   end

diff --git a/config/routes.rb b/config/routes.rb
@@ -59,6 +59,7 @@
         resources :request_deletion, only: [:create], module: :users
         resources :assistantships, module: :users, only: :index
         resources :teacherships, module: :users, only: :index
+        post :set_password_managed_by_courses_mooc_fi, on: :member
       end
 
       resources :user_app_datum, only: [:index]

diff --git a/db/migrate/20250711214850_add_password_managed_by_courses_mooc_fi_to_users.rb b/db/migrate/20250711214850_add_password_managed_by_courses_mooc_fi_to_users.rb
@@ -0,0 +1,5 @@
+class AddPasswordManagedByCoursesMoocFiToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :password_managed_by_courses_mooc_fi, :boolean, default: false, null: false
+  end
+end
diff --git a/db/migrate/20250723122117_add_courses_mooc_fi_user_id_to_users.rb b/db/migrate/20250723122117_add_courses_mooc_fi_user_id_to_users.rb
@@ -0,0 +1,6 @@
+class AddCoursesMoocFiUserIdToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :courses_mooc_fi_user_id, :string
+    add_index :users, :courses_mooc_fi_user_id, unique: true
+  end
+end