Merge branch 'develop' into feature/session_exp

.github/workflows/bandit.yml

@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+
+name: Bandit
+on:
+  push:
+    branches: [ "develop" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop" ]
+  schedule:
+    - cron: '43 6 * * *'
+
+jobs:
+  bandit:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Bandit Scan
+        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        with: # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          # File or directory to run bandit on
+          # path: # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          level: MEDIUM # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # confidence: # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths: # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips: # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path: # optional, default is DEFAULT
+

.github/workflows/codeql-analysis.yml

@@ -2,12 +2,12 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [master]
+    branches: [develop]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [master]
+    branches: [develop]
   schedule:
-    - cron: '0 14 * * 2'
+    - cron: '0 6 * * *'
 
 jobs:
   analyze:
@@ -19,7 +19,7 @@ jobs:
       matrix:
         # Override automatic language detection by changing the below list
         # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: ['python', 'javascript']
+        language: ['python']
         # Learn more...
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 

.gitignore

@@ -7,6 +7,8 @@ AppleDouble
 *.sqlite*
 *.sass-cache
 env_vars.sh
+.env
+.env.*
 staticfiles*
 !staticfiles.py
 mediafiles/*

CHANGELOG.md

@@ -4,88 +4,103 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.1.0] - 2024-10-10
+- Use of settings vars instead of looking up env vars again.
+- Added audit trail for changing validated name.
+- Fix for informal MicroCredential (#147).
+- BOk2vwtM : Used env vars insteaf of social app db table.
+- Improper Input Validation (pentest 2024).
+- Disable graphql introspection.
+- Searching for badge instances leads to 500 error.
+- Tonen kwaliteitskader in de catalogus.
+- Uitbreiden query awarded edubadges overview.
+- Bugfix superuser.
+- Save required extensions if not present.
+- Merge pull request #142 from edubadges/feature/directaward_audit.
+- Bump cryptography from 42.0.4 to 43.0.1.
+
 ## [7.0.0] - 2024-08-14
 - fix: Add a type:image to the image payload in our credential request.
-- WIP for migration studyload to time-investment for non MBO badges
-- Formal badges are regular badges
-- Update requirements.txt
-- WIP for Banner on login screen
-- fix: New SSI-agent offer response is not JSON but plain text
-- fix: Rename forgotton variable
-- fix: use OfferId, instead of subjectId for impierce ssi-agent
-- fix: Make payload for verification request compatible with ssi-agent
-- Changed endpoint in reference with agent.poc9.eduwallet.nl
-- For private badges we don't require studyload / ects
-- Use JS constants for microcredentials in migration
-- As-is first draft of migration of micro-credential
-- Merge branch 'master' into develop
-- TimeInvestmentExtension is optional for Extra Curricular
-- Expose country_code in institution graphql
-- Added InstitutionCountryExtension
-- Added country code for institutions
-- Force login after logout
-- Added new performant query for requested edubadges
-- Re-enabled BadgeExtensionValidator
-- Temporarily disable validator for extenstions
-- WIP on no-cache for versions/info
-- Added new performant query for requested edubadges
-- Refactored tags
-- Quick - but not final - fix for slow Requested Badges query
-- added more metadata to public bagde class
-- Increased participation
-- Store assessment_types in one column instead of many-to-many
-- Updated gitignore
-- Save grade achieved from requestedbadges
-- Added grades to sample DA
-- Grade required flow
-- Allow for updates of new required fields after assertions are awarded
-- Server side badge class validation
-- WIP for refactoring validation
-- Added extra info for public badge endpoint
-- WIP for extended server side error handling
-- Insights new badge class types
+- WIP for migration studyload to time-investment for non MBO badges.
+- Formal badges are regular badges.
+- Update requirements.txt.
+- WIP for Banner on login screen.
+- fix: New SSI-agent offer response is not JSON but plain text.
+- fix: Rename forgotton variable.
+- fix: use OfferId, instead of subjectId for impierce ssi-agent.
+- fix: Make payload for verification request compatible with ssi-agent.
+- Changed endpoint in reference with agent.poc9.eduwallet.nl.
+- For private badges we don't require studyload / ects.
+- Use JS constants for microcredentials in migration.
+- As-is first draft of migration of micro-credential.
+- Merge branch 'master' into develop.
+- TimeInvestmentExtension is optional for Extra Curricular.
+- Expose country_code in institution graphql.
+- Added InstitutionCountryExtension.
+- Added country code for institutions.
+- Force login after logout.
+- Added new performant query for requested edubadges.
+- Re-enabled BadgeExtensionValidator.
+- Temporarily disable validator for extenstions.
+- WIP on no-cache for versions/info.
+- Added new performant query for requested edubadges.
+- Refactored tags.
+- Quick - but not final - fix for slow Requested Badges query.
+- added more metadata to public bagde class.
+- Increased participation.
+- Store assessment_types in one column instead of many-to-many.
+- Updated gitignore.
+- Save grade achieved from requestedbadges.
+- Added grades to sample DA.
+- Grade required flow.
+- Allow for updates of new required fields after assertions are awarded.
+- Server side badge class validation.
+- WIP for refactoring validation.
+- Added extra info for public badge endpoint.
+- WIP for extended server side error handling.
+- Insights new badge class types.
 - criteria_url is no more....
-- Tag values in badge overview
-- Added migration for institutions is_micro_credentials_enabled
-- WIP for new badge class forms
-- Institution has badge class tags
-- Extra badge class fields
-- Feature toggle micro_credential
-- Expose badge_class_type
-- Added badge_class_type for new forms
-- Narrow search issuers
-- Management query for issuers
-- Bugfix for query awarded badges
-- Added EPPN to admin views
-- Bump django from 3.2.24 to 3.2.25
-- Bump pillow from 10.2.0 to 10.3.0
-- Bump sqlparse from 0.4.4 to 0.5.0
-- Bump urllib3 from 1.26.18 to 1.26.19
-- Bump djangorestframework from 3.14.0 to 3.15.2
+- Tag values in badge overview.
+- Added migration for institutions is_micro_credentials_enabled.
+- WIP for new badge class forms.
+- Institution has badge class tags.
+- Extra badge class fields.
+- Feature toggle micro_credential.
+- Expose badge_class_type.
+- Added badge_class_type for new forms.
+- Narrow search issuers.
+- Management query for issuers.
+- Bugfix for query awarded badges.
+- Added EPPN to admin views.
+- Bump django from 3.2.24 to 3.2.25.
+- Bump pillow from 10.2.0 to 10.3.0.
+- Bump sqlparse from 0.4.4 to 0.5.0.
+- Bump urllib3 from 1.26.18 to 1.26.19.
+- Bump djangorestframework from 3.14.0 to 3.15.2.
 
 ## [6.10.0] - 2024-02-23
-- Synced insights query with management query
-- Upgraded to pillow 10.2.0
-- Optimise management query
-- Admins are super-users
-- Assertions overview query
-- Added total direct award #
-- Bugfix for 0 claimrate
-- Query for awarded backpacks
-- Upgraded to latest mysqlclient
-- Bump cryptography from 41.0.4 to 42.0.0
-- Bump django from 3.2.20 to 3.2.24
-- Added issuer and image info to the credential endpoint
-- JSON response for QRcode
-- Bump pycryptodome from 3.18.0 to 3.19.1
-- Added OB3 endpoint
-- Added feature flag for ob3 integration
-- Fix for broken badge query in admin view
-- Bump cryptography from 41.0.4 to 41.0.6
-- Micro-credentials badges
-- Assertion query
-- Added raw query for counts user / assertions
-- Added queries for re-use
+- Synced insights query with management query.
+- Upgraded to pillow 10.2.0.
+- Optimise management query.
+- Admins are super-users.
+- Assertions overview query.
+- Added total direct award.
+- Bugfix for 0 claimrate.
+- Query for awarded backpacks.
+- Upgraded to latest mysqlclient.
+- Bump cryptography from 41.0.4 to 42.0.0.
+- Bump django from 3.2.20 to 3.2.24.
+- Added issuer and image info to the credential endpoint.
+- JSON response for QRcode.
+- Bump pycryptodome from 3.18.0 to 3.19.1.
+- Added OB3 endpoint.
+- Added feature flag for ob3 integration.
+- Fix for broken badge query in admin view.
+- Bump cryptography from 41.0.4 to 41.0.6.
+- Micro-credentials badges.
+- Assertion query.
+- Added raw query for counts user / assertions.
+- Added queries for re-use.
 
 ## [6.9.0] - 2023-10-23
 - Added micro-credentials count query.

Dockerfile

@@ -0,0 +1,27 @@
+# Use the official Python image from the Docker Hub
+FROM python:3.8
+
+# Install system dependencies for cairo and MySQL client
+RUN apt-get update && apt-get install -y \
+    libcairo2-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Make the locale en_US.UTF-8 available which is needed for mysql client
+RUN apt-get update && apt-get install -y locales \
+    && locale-gen en_US.UTF-8 && dpkg-reconfigure locales \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Copy the current directory contents into the container at /app
+COPY . /app
+
+# Install any needed packages specified in requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Make port 8000 available to the world outside this container
+EXPOSE 8000
+
+# Run the specified command within the container
+CMD ["sh", "/docker/entrypoint.sh"]

README.md

@@ -26,6 +26,49 @@ Read more on [edubadges.nl](https://www.surf.nl/en/edubadges-national-approach-t
 Badgr was developed by [Concentric Sky](https://concentricsky.com), starting in 2015 to serve as an open source reference implementation of the Open Badges Specification. It provides functionality to issue portable, verifiable Open Badges as well as to allow users to manage badges they have been awarded by any issuer that uses this open data standard. Since 2015, Badgr has grown to be used by hundreds of educational institutions and other people and organizations worldwide. See [Project Homepage](https://badgr.org) for more details about contributing to and integrating with Badgr.
 
 # Edubadges installation instructions
+
+Either choose local development, where everything is installed and running on the local machine. Or choose Docker
+
+## How to use Docker and docker compose.
+
+Prerequisites: 
+* Docker and Docker compose (current docker desktop ships them by default)
+
+### Prepare a dotenv file for running docker commands
+
+Make an .env.docker file with a few secrets. See docker-compose for the ENV vars that are referenced from
+the shell running docker compose commands. At time of writing these are:
+
+```
+BADGR_DB_PASSWORD=local-secret-only
+OIDC_RS_SECRET=
+EDU_ID_SECRET=
+SURF_CONEXT_SECRET=
+```
+
+The BADGR_DB_PASSWORD isn't critical as it's only used within the docker-compose cluster. The
+other secrets should be asked at a colleague as they are required to communicate with auth, profile
+and sso services.
+
+Load these in the shell where you run docker-compse. E.g by sourcing it, or with a tool like dotenv.
+
+### Run docker compose up
+
+This will build and run any docker images in the foreground. Ctrl-C to exit.
+Add the `-d` flag to run in the background.
+
+```
+docker compose up
+```
+
+This will:
+* Start Mysql
+* Start memcached
+* Build a container that can run and host the app.
+* Run that container and mount the local source code in the app.
+
+TODO: can we run the server so it reboots on detecting changes instead of having to reboot the image?
+
 ## How to get started on your local development environment.
 Prerequisites:
 

apps/badgeuser/models.py

@@ -618,6 +618,7 @@ def schac_homes(self):
 
     @property
     def direct_awards(self):
+        # TODO - add or query to use personal email address
         return DirectAward.objects.filter(eppn__in=self.eppns, status='Unaccepted')
 
     def match_provisionments(self):

apps/badgrlog/events/public.py

@@ -58,3 +58,7 @@ class IssuerImageRetrievedEvent(BaseBadgeAssertionEvent):
 
 class InstitutionImageRetrievedEvent(BaseBadgeAssertionEvent):
     pass
+
+
+class FacultyImageRetrievedEvent(BaseBadgeAssertionEvent):
+    pass