feat: add edx certificate webhook

[Anas12091101]

What are the relevant tickets?

https://github.com/mitodl/hq/issues/10777

Description (What does it do?)

This PR adds a webhook API endpoint (POST /api/certificate_webhook/) that receives certificate creation events from an Open edX plugin. When edX creates a certificate, the plugin (WIP, see: mitodl/open-edx-plugins#684) sends the user's email and course run ID; this endpoint fetches the grade from edX, syncs it locally, and creates the corresponding certificate in MITx Online.

Screenshots (if appropriate):

• Desktop screenshots
• Mobile width screenshots

How can this be tested?

1. Set up OAuth2 credentials

Create an OAuth2 access token in Django admin (/admin/oauth2_provider/accesstoken/) or use an existing access token.

2. Prerequisites

Ensure the user has a verified enrollment in the course run, and the course run exists in edX with a passing grade for the user.

3. Test certificate creation (201)

curl -s -w "\nHTTP_STATUS: %{http_code}\n" -X POST \
  http://localhost:9080/api/process_certificate_webhook/ \
  -H "Authorization: Bearer <your_access_token>" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "<user_email>", "course_id": "<course_run_courseware_id>"}'

Expected response:

{"certificate_status": "created"}
HTTP_STATUS: 200

4. Test idempotency — duplicate call (200)

Run the same curl command again. Expected response:

{"certificate_status": "exists"}
HTTP_STATUS: 200

5. Test unauthenticated request (401)

curl -s -w "\nHTTP_STATUS: %{http_code}\n" -X POST \
  http://localhost:9080/api/process_certificate_webhook/ \
  -H "Content-Type: application/json" \
  -d '{"user_id": "test@example.com", "course_id": "course-v1:MITx+1+2024"}'

Expected: HTTP_STATUS: 401

6. Test missing fields (400)

curl -s -w "\nHTTP_STATUS: %{http_code}\n" -X POST \
  http://localhost:9080/api/process_certificate_webhook/ \
  -H "Authorization: Bearer <your_access_token>" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "test@example.com"}'

Expected: HTTP_STATUS: 400 with error about missing course_id.

Additional Context

[github-actions]

OpenAPI Changes

Show/hide ## Changes for v0.yaml:

## Changes for v0.yaml:
No changes detected

## Changes for v1.yaml:
No changes detected

## Changes for v2.yaml:
No changes detected

Unexpected changes? Ensure your branch is up-to-date with main (consider rebasing).

[sentry]

Bug: The call to get_edx_grades_with_users in the webhook path is not wrapped in an exception handler, which can lead to unhandled exceptions from the external grades API.
_{Severity: HIGH}

Suggested Fix

Wrap the get_edx_grades_with_users(run, user=user) call in the webhook path with the exception_logging_generator, similar to how it is handled in the periodic task path. This will ensure exceptions from the external API are caught and logged, preventing 500 errors.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: openedx/views_test.py#L57-L66

Potential issue: In the webhook path for certificate generation, the call to
`get_edx_grades_with_users` is not wrapped in an exception handler. This function makes
an external API call to the edX grades service. If this external call fails due to
network issues, an invalid `user.edx_username`, or other API errors, the exception will
propagate unhandled. This will cause the webhook endpoint to return a 500 server error
instead of gracefully handling the failure.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[arslanashraf7]

Should be admin level permissions. IsAdminUser

[arslanashraf7]

Don't need this condition if the passed user is None. So, in both cases, we should be able to do get_edx_grades_with_users(run, user=user) where when user=None, it would automatically run for every user.

[arslanashraf7]

nit: this rename isn't needed really.

[arslanashraf7]

Aren't they always going to be available together? I checked process_course_run_grade_certificate and it would only return a certificate object when it creates one.

[arslanashraf7]

The idea of the webhook is to trigger the processing of the certificate. I don't think we specifically need to return the created/deleted status from the actual certificate creation. So, if a valid request is received, it would return 200 that the request if being processed.
Additionally, Open edX is not going to look for the actual status and do something about it unless it is 40x or 50x.

[arslanashraf7]

No need for this certificate_status = None and the related complexity, The view should just call this method and assume the certificate processing started.

[arslanashraf7]

Suggested change

	"api/certificate_webhook/",
	"api/process_certificate_webhook/",

[arslanashraf7]

Suggested change

	class CertificateWebhookView(APIView):
	class ProcessCertificateWebhookView(APIView):

[arslanashraf7]

At this point, the view can check for an existing certificate before calling generate_course_run_certificates for idempotency.

[arslanashraf7]

Now that I think more about this, it would be kind of an anti-pattern. e.g., if someone is passing a course_run explicitly, we should still let them do the desired thing. So, if a run or a user is passed, the function should work on that independently. The webhook check is just to bypass the conditions below. In fact, I think the name of this boolean should be bypass_validation or force, which will allow running the cert generation without the dates and eligibility check.

In the end, I think we should handle every parameter separately:

1. If a course run is passed, we process only that course run
2. If a user is passed, we process only that user
3. If bypass_validation or force is passed, we bypass the dates, eligibility, etc. checks
   This way the method would be more flexible.

[arslanashraf7]

Also let's call it email:

Suggested change

	user_email = request.data.get("user_id")
	user_email = request.data.get("email")

[arslanashraf7]

@Anas12091101 This still needs to be applied.

[arslanashraf7]

Suggested change

	- If course_run is provided, only that course run is processed (skipping eligibility filtering).
	- If course_run is provided, only that course run is processed (skipping course runs eligibility filtering).

[arslanashraf7]

No need for this check. If there is just one course run in the loop, it will automatically stop at this point after continue.

[arslanashraf7]

Let's make the URL pattern similar to "api/openedx_webhook/enrollment/" above, to keep it standard with other webhook(s).

[arslanashraf7]

Let's add more log statements in different code paths. Currently there is no log in the application that tells what happened to the request.

[arslanashraf7]

This log should be at the start of the view, indicating that the webhook request has been received. In this place, we can log something like "Validation completed, the webook will be processed. etc"

[arslanashraf7]

nit: let's use decorator based functional view here as well just like we did in enrollment webhook.