Add CSP script-src directive and remove inline event handlers (CO-2720)

.editorconfig

@@ -0,0 +1,23 @@
+; This file is for unifying the coding style for different editors and IDEs.
+; More information at https://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = false
+trim_trailing_whitespace = false
+
+[*.bat]
+end_of_line = crlf
+
+[*.yml]
+indent_size = 2
+
+[*.twig]
+insert_final_newline = false
+
+[Makefile]
+indent_style = tab

app/src/Controller/AppController.php

@@ -135,6 +135,9 @@ public function beforeRender(EventInterface $event) {
       $this->set('vv_menu_permissions',
                  $this->Authorization->menuPermissions($this->request->getSession()->read('Auth.User.username'), $mgid));
     }
+
+    // Generate a nonce for use in JavaScript tags with the Content-Security-Policy script-src directive
+    $this->set('vv_js_nonce', base64_encode(random_bytes(16)));
   }
 
   /**

app/templates/ApiUsers/fields.inc

@@ -26,18 +26,22 @@
  */
 
 $def = "";
-
 if(!empty($vv_cur_mg->table_name)) {
   // This prefix requirement is enforced in ApiUsersTable
   $def = $vv_cur_mg->table_name . ".";
 }
 
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('username', ['default' => $def]);
-  print $this->Field->control('password');
-  if(isset($vv_cur_mg)) {
-    // Don't require a system of record ID if we're not in a matchgrid context
-    print $this->Field->control('system_of_record_id', ['empty' => true], false);
-  }
+$fields = [
+  'username'  => [
+    'default' => $def
+  ],
+  'password'
+];
+
+if(isset($vv_cur_mg)) {
+  // Only include a system of record ID in a matchgrid context
+  $fields['system_of_record_id'] = [
+    'empty' => true, 
+    'required' => false
+  ];
 }

app/templates/AttributeGroups/fields.inc

@@ -24,8 +24,7 @@
  * @since         COmanage Match v1.0.0
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('name');
-}
+
+$fields = [
+  'name'
+];

app/templates/AttributeMappings/fields.inc

@@ -24,9 +24,14 @@
  * @since         COmanage Match v1.0.0
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('query');
-  print $this->Field->control('value');
-}
+
+$fields = [
+  'query',
+  'value'
+];
+
+// Subnavigation tabs
+$subnav = [
+  'name' => 'attribute_map',
+  'active' => 'mappings'
+];

app/templates/AttributeMaps/fields.inc

@@ -24,9 +24,16 @@
  * @since         COmanage Match v1.0.0
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('name');
-  print $this->Field->control('description', [], false);
-}
+
+$fields = [
+  'name',
+  'description' => [
+    'required' => false
+  ] 
+];
+
+// Subnavigation tabs
+$subnav = [
+  'name' => 'attribute_map',
+  'active' => 'properties'
+];

app/templates/Attributes/fields.inc

@@ -24,27 +24,45 @@
  * @since         COmanage Match v1.0.0
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
-
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('name');
-
-  print $this->Field->control('description', [], false);
-
-  print $this->Field->control('api_name');
-
-  print $this->Field->control('index_display', [], false);
-
-  print $this->Field->control('alphanumeric', [], false);
-  print $this->Field->control('case_sensitive', [], false);
-  print $this->Field->control('null_equivalents', [], false);
-
-  print $this->Field->control('search_distance', [], false);
-  print $this->Field->control('search_exact', [], false);
-  print $this->Field->control('search_substr_from', [], false);
-  print $this->Field->control('search_substr_for', [], false);
 
-  print $this->Field->control('attribute_map_id', ['empty' => true], false);
 
-  print $this->Field->control('attribute_group_id', ['empty' => true], false);
-}
+$fields = [
+  'name',
+  'description' => [
+    'required' => false
+  ],
+  'api_name',
+  'index_display' => [
+    'required' => false
+  ],
+  'alphanumeric' => [
+    'required' => false
+  ],
+  'case_sensitive' => [
+    'required' => false
+  ],
+  'null_equivalents' => [
+    'required' => false
+  ],
+  'search_distance' => [
+    'required' => false
+  ],
+  'search_exact' => [
+    'required' => false
+  ],
+  'search_substr_from' => [
+    'required' => false
+  ],
+  'search_substr_for' => [
+    'required' => false
+  ],
+  'attribute_map_id' => [
+    'empty' => true, 
+    'required' => false
+  ],
+  'attribute_group_id' => [
+    'empty' => true, 
+    'required' => false
+  ]
+];
+

app/templates/Endpoints/fields.inc

@@ -25,13 +25,13 @@
  * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
  */
 
-// This view does not support read-only
-if($action == 'add' || $action == 'edit') {
-  print $this->Field->control('description');
-
-  print $this->Field->control('url');
-
-  print $this->Field->control('username', [], false);
-
-  print $this->Field->control('password', [], false);
-}
+$fields = [
+  'description',
+  'url',
+  'username' => [
+    'required' => false
+  ],
+  'password' => [
+    'required' => false
+  ],
+];

app/templates/MatchgridHistoryRecords/fields.inc

@@ -28,31 +28,42 @@
 ?>
 <?php
 // Unlike most Match views, this one supports read only (but not edit)
+
+$fields = [];  
 
 if($action == 'add') {
+
+  // Define hidden fields
   $hidden = [
     'action'            => \App\Lib\Enum\MatchgridActionEnum::CommentAdded,
     'actor_identifier'  => $vv_user['username'],
     'remote_ip'         => $this->request->getEnv('REMOTE_ADDR')
   ];
 
-  print $this->Field->control('sor', ['readonly' => true, 'value' => $this->request->getQuery('sor')]);
-
-  print $this->Field->control('sorid', ['readonly' => true, 'value' => $this->request->getQuery('sorid')]);
-
-  print $this->Field->control('comment');
-} elseif($action == 'view') {
-  print $this->Field->control('comment');
+  // Define interactive fields
+  $fields = [
+    'sor' => [
+      'readonly' => true, 
+      'value' => $this->request->getQuery('sor')
+    ],
+    'sorid' => [
+      'readonly' => true, 
+      'value' => $this->request->getQuery('sorid')
+    ],
+    'comment'
+  ];
 
-  print $this->Field->control('action');
+} elseif($action == 'view') {
 
-  print $this->Field->control('sor');
-
-  print $this->Field->control('sorid');
-
-  print $this->Field->control('remote_ip');
-
-  print $this->Field->control('actor_identifier');
+  // Define fields for read-only display
+  $fields = [
+    'comment',
+    'action',
+    'sor',
+    'sorid',
+    'remote_ip',
+    'actor_identifier',
+    'created'
+  ];
 
-  print $this->Field->control('created');
 }