404: Decrypt student password (#451)

## Status

- Related to
RaspberryPiFoundation/editor-standalone#404

## What's changed?

Passwords from editor-standalone will be encrypted for security, this
decrypts them in editor-api

## Steps to perform after deploying to production

- Needs encryption key in terraform

Author: danhalson

.circleci/config.yml

@@ -1,7 +1,7 @@
 jobs:
   rubocop:
     docker:
-      - image: 'cimg/ruby:3.2'
+      - image: "cimg/ruby:3.2"
     steps:
       - checkout
       - ruby/install-deps
@@ -11,18 +11,18 @@ jobs:
 
   test:
     docker:
-      - image: 'cimg/ruby:3.2-browsers'
-      - image: 'circleci/postgres:12.0-alpine-ram'
+      - image: "cimg/ruby:3.2-browsers"
+      - image: "circleci/postgres:12.0-alpine-ram"
         environment:
           POSTGRES_DB: choco_cake_test
           POSTGRES_PASSWORD: password
           POSTGRES_USER: choco
-      - image: 'circleci/redis:6.2-alpine'
+      - image: "circleci/redis:6.2-alpine"
 
     environment:
-      BUNDLE_JOBS: '3'
-      BUNDLE_RETRY: '3'
-      PAGER: ''
+      BUNDLE_JOBS: "3"
+      BUNDLE_RETRY: "3"
+      PAGER: ""
       POSTGRES_DB: choco_cake_test
       POSTGRES_PASSWORD: password
       POSTGRES_USER: choco
@@ -31,19 +31,20 @@ jobs:
       ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: primary-key
       ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: deterministic-key
       ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: derivation-salt
+      EDITOR_ENCRYPTION_KEY: a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0
     steps:
       - checkout
       - browser-tools/install-firefox
       - ruby/install-deps:
           key: gems-v2-
       - run:
-          command: 'dockerize -wait tcp://localhost:5432 -timeout 1m'
+          command: "dockerize -wait tcp://localhost:5432 -timeout 1m"
           name: Wait for DB
       - run:
-          command: 'sudo apt-get update && sudo apt-get install --yes --no-install-recommends postgresql-client jq curl imagemagick'
+          command: "sudo apt-get update && sudo apt-get install --yes --no-install-recommends postgresql-client jq curl imagemagick"
           name: Install postgres client, jq, curl, imagemagick
       - run:
-          command: 'bin/rails db:setup --trace'
+          command: "bin/rails db:setup --trace"
           name: Database setup
       - ruby/rspec-test
       - store_artifacts:

.env.example

@@ -45,3 +45,5 @@ PROFILE_API_KEY=test # This has to match the value set in Profile (https://githu
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=primary-key
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=deterministic-key
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=derivation-salt
+
+EDITOR_ENCRYPTION_KEY=a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0

Gemfile

@@ -33,7 +33,6 @@ gem 'postmark-rails'
 gem 'puma', '~> 6'
 gem 'rack-cors'
 gem 'rails', '~> 7.1'
-gem 'roo'
 gem 'scout_apm'
 gem 'sentry-rails'
 

Gemfile.lock

@@ -372,9 +372,6 @@ GEM
       rack (>= 1.4)
     rexml (3.3.0)
       strscan
-    roo (2.10.1)
-      nokogiri (~> 1)
-      rubyzip (>= 1.3.0, < 3.0.0)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
@@ -551,7 +548,6 @@ DEPENDENCIES
   puma (~> 6)
   rack-cors
   rails (~> 7.1)
-  roo
   rspec
   rspec-rails
   rspec_junit_formatter

README.md

@@ -71,13 +71,13 @@ If needed manually the following task will create all projects:
 
 `docker compose run --rm api rails projects:create_all`
 
-For classroom management the following scenarios modelled by the tasks:
+For CEfE the following scenarios are modelled by the tasks:
 
 `docker compose run --rm api rails for_education:seed_an_unverified_school` - seeds an unverified school to test the onboarding flow
 `docker compose run --rm api rails for_education:seed_a_verified_school` - seeds only a verified school
 `docker compose run --rm api rails for_education:seed_a_school_with_lessons_and_students` - seeds a school with a class, two lessons, a project in each, and two students
 
-To clear classroom management data the following cmd will remove the school associated with the `[email protected]` user, and associated school data:
+To clear CEfE data the following cmd will remove the school associated with the `[email protected]` user, and associated school data:
 
 `rails for_education:destroy_seed_data`
 

app/jobs/create_students_job.rb

@@ -28,7 +28,10 @@ def self.attempt_perform_later(school_id:, students:, token:, user_id:)
   end
 
   def perform(school_id:, students:, token:)
-    students = Array(students)
+    students = Array(students).map do |student|
+      student[:password] = DecryptionHelpers.decrypt_password(student[:password])
+      student
+    end
 
     responses = ProfileApiClient.create_school_students(token:, students:, school_id:)
     return if responses[:created].blank?

config/application.rb

@@ -30,6 +30,9 @@ class Application < Rails::Application
 
     config.autoload_paths << "#{root}/lib/concepts"
     Rails.autoloaders.main.collapse('lib/concepts/*/operations')
+
+    config.autoload_paths << "#{root}/lib/helpers"
+
     config.autoload_lib(ignore: %w[assets tasks])
 
     # Configuration for the application, engines, and railties goes here.

lib/concepts/school_student/create.rb

@@ -18,7 +18,8 @@ def call(school:, school_student_params:, token:)
       def create_student(school, school_student_params, token)
         school_id = school.id
         username = school_student_params.fetch(:username)
-        password = school_student_params.fetch(:password)
+        encrypted_password = school_student_params.fetch(:password)
+        password = DecryptionHelpers.decrypt_password(encrypted_password)
         name = school_student_params.fetch(:name)
 
         validate(school:, username:, password:, name:)

lib/concepts/school_student/create_batch.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'roo'
-
 module SchoolStudent
   class CreateBatch
     class << self

lib/concepts/school_student/update.rb

@@ -17,7 +17,8 @@ def call(school:, student_id:, school_student_params:, token:)
 
       def update_student(school, student_id, school_student_params, token)
         username = school_student_params.fetch(:username, nil)
-        password = school_student_params.fetch(:password, nil)
+        encrypted_password = school_student_params.fetch(:password, nil)
+        password = DecryptionHelpers.decrypt_password(encrypted_password)
         name = school_student_params.fetch(:name, nil)
 
         validate(username:, password:, name:)

lib/helpers/decryption_helpers.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+
+class DecryptionHelpers
+  def self.decrypt_password(encrypted_password)
+    hex_key = ENV.fetch('EDITOR_ENCRYPTION_KEY')
+    key = [hex_key].pack('H*') # Convert the hex key to binary
+
+    begin
+      cipher = OpenSSL::Cipher.new('aes-256-cbc')
+      cipher.decrypt
+      cipher.key = key
+
+      encrypted_data = Base64.decode64(encrypted_password)
+      iv = encrypted_data[0, 16]
+      encrypted_password = encrypted_data[16..]
+
+      cipher.iv = iv
+      cipher.update(encrypted_password) + cipher.final
+    rescue StandardError => e
+      raise "Decryption failed: #{e.message}"
+    end
+  end
+end

lib/tasks/classroom_management.rake lib/tasks/for_education.rake

@@ -10,7 +10,7 @@
   let(:school_student_params) do
     {
       username: 'student-to-create',
-      password: 'at-least-8-characters',
+      password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
       name: 'School Student'
     }
   end
@@ -29,7 +29,7 @@
 
     # TODO: Replace with WebMock assertion once the profile API has been built.
     expect(ProfileApiClient).to have_received(:create_school_student)
-      .with(token:, username: 'student-to-create', password: 'at-least-8-characters', name: 'School Student', school_id: school.id)
+      .with(token:, username: 'student-to-create', password: 'Student2024', name: 'School Student', school_id: school.id)
   end
 
   it 'creates a role associating the student with the school' do
@@ -46,7 +46,7 @@
     let(:school_student_params) do
       {
         username: '',
-        password: 'at-least-8-characters',
+        password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
         name: 'School Student'
       }
     end

spec/concepts/school_student/create_spec.rb

@@ -10,7 +10,7 @@
   let(:school_student_params) do
     {
       username: 'new-username',
-      password: 'new-password',
+      password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
       name: 'New Name'
     }
   end
@@ -29,14 +29,14 @@
 
     # TODO: Replace with WebMock assertion once the profile API has been built.
     expect(ProfileApiClient).to have_received(:update_school_student)
-      .with(token:, username: 'new-username', password: 'new-password', name: 'New Name', school_id: school.id, student_id:)
+      .with(token:, username: 'new-username', password: 'Student2024', name: 'New Name', school_id: school.id, student_id:)
   end
 
   context 'when updating fails' do
     let(:school_student_params) do
       {
         username: ' ',
-        password: 'new-password',
+        password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
         name: 'New Name'
       }
     end

spec/concepts/school_student/update_spec.rb

@@ -24,12 +24,12 @@
       school_students: [
         {
           username: 'student-to-create',
-          password: 'at-least-8-characters',
+          password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
           name: 'School Student'
         },
         {
           username: 'second-student-to-create',
-          password: 'at-least-8-characters',
+          password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
           name: 'School Student 2'
         }
       ]

spec/features/school_student/creating_a_batch_of_school_students_spec.rb

@@ -17,7 +17,7 @@
     {
       school_student: {
         username: 'student123',
-        password: 'at-least-8-characters',
+        password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
         name: 'School Student'
       }
     }

spec/features/school_student/creating_a_school_student_spec.rb

@@ -18,7 +18,7 @@
     {
       school_student: {
         username: 'new-username',
-        password: 'new-password',
+        password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
         name: 'New Name'
       }
     }

spec/features/school_student/updating_a_school_student_spec.rb

@@ -12,7 +12,7 @@
   let(:students) do
     [{
       username: 'student-to-create',
-      password: 'at-least-8-characters',
+      password: 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=',
       name: 'School Student'
     }]
   end
@@ -33,7 +33,7 @@
     described_class.perform_now(school_id: school.id, students:, token:)
 
     expect(ProfileApiClient).to have_received(:create_school_students)
-      .with(token:, students: [{ username: 'student-to-create', password: 'at-least-8-characters', name: 'School Student' }], school_id: school.id)
+      .with(token:, students: [{ username: 'student-to-create', password: 'Student2024', name: 'School Student' }], school_id: school.id)
   end
 
   it 'creates a new student role' do

spec/jobs/create_students_job_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'openssl'
+require 'base64'
+
+RSpec.describe DecryptionHelpers do
+  let(:key) { 'a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0' } # 256-bit key in hex
+  let(:password) { 'Student2024' }
+  let(:encrypted_password) { 'SaoXlDBAyiAFoMH3VsddhdA7JWnM8P8by1wOjBUWH2g=' } # An encrypted password
+
+  before do
+    allow(ENV).to receive(:fetch).with('EDITOR_ENCRYPTION_KEY').and_return(key)
+  end
+
+  it 'decrypts the password successfully' do
+    expect(described_class.decrypt_password(encrypted_password)).to eq(password)
+  end
+
+  it 'raises an error with an incorrect key' do
+    allow(ENV).to receive(:fetch).with('EDITOR_ENCRYPTION_KEY').and_return('b' * 64)
+    expect { described_class.decrypt_password(encrypted_password) }.to raise_error(RuntimeError, /Decryption failed/)
+  end
+
+  it 'raises an error with invalid encrypted data' do
+    invalid_encrypted_password = Base64.encode64('invalid_data')
+    expect { described_class.decrypt_password(invalid_encrypted_password) }.to raise_error(RuntimeError, /Decryption failed/)
+  end
+end