Merge branch 'main' into add-validator-page

Author: rshewitt

app/__init__.py

@@ -6,6 +6,7 @@
 from flask_bootstrap import Bootstrap
 from flask_htmx import HTMX
 from flask_migrate import Migrate
+from flask_talisman import Talisman
 
 from app.filters import else_na, usa_icon, utc_isoformat
 from database.models import db
@@ -70,6 +71,62 @@ def remove_auth(spec):
             # from the load manager but log them
             logger.warning("Load manager startup failed with exception: %s", repr(e))
 
+    # Content-Security-Policy headers
+    # single quotes need to appear in some of the strings
+    csp = {
+        "default-src": "'self'",
+        "script-src": " ".join(
+            [
+                "'self'",
+                "'unsafe-hashes'",
+                "https://code.jquery.com",  # Jquery (needed for bootstrap)
+                "https://stackpath.bootstrapcdn.com",  # bootstrap
+                "https://www.googletagmanager.com",
+            ]
+        ),
+        "font-src": " ".join(
+            [
+                "'self'",  # USWDS fonts
+                "https://cdnjs.cloudflare.com",  # font awesome
+            ]
+        ),
+        "img-src": " ".join(
+            [
+                "'self'",
+                "data:",
+                "https://s3-us-gov-west-1.amazonaws.com",  # GSA Starmark
+                "https://raw.githubusercontent.com",  # github logos repo
+            ]
+        ),
+        "connect-src": " ".join(
+            [
+                "'self'",
+            ]
+        ),
+        "frame-src": "https://www.googletagmanager.com",
+        "style-src-attr": " ".join(
+            [
+                "'self'",
+            ]
+        ),
+        "style-src-elem": " ".join(
+            [
+                "'self'",
+                "'unsafe-hashes'",  # local styles.css
+                "https://stackpath.bootstrapcdn.com",  # bootstrap
+                "https://cdnjs.cloudflare.com",  # font-awesome
+                "'sha256-faU7yAF8NxuMTNEwVmBz+VcYeIoBQ2EMHW3WaVxCvnk='",  # htmx.min.js
+            ]
+        ),
+    }
+    Talisman(
+        app,
+        content_security_policy=csp,
+        content_security_policy_nonce_in=["script-src", "style-src-elem"],
+        # our https connections are terminated outside this app
+        force_https=False,
+    )
+
     return app
 
 

app/forms.py

@@ -44,10 +44,13 @@ def strip_filter(data):
 
 def comma_separated_filter(data):
     """Turn the list or the repr of a list into just comma-separated values."""
-    # "[" isn't likely to be an alias so if we see it, it's probably the repr
-    # of a list
     if isinstance(data, list):
         return ", ".join(data)
+    # we need to string-process data, if we get anything else, pass it along
+    if not isinstance(data, str):
+        return data
+    # "[" isn't likely to be an alias so if we see it, it's probably the repr
+    # of a list
     if data.startswith("["):
         try:
             data_list = ast.literal_eval(data)

app/routes.py

@@ -924,7 +924,7 @@ def download_harvest_errors_by_job(job_id, error_type):
                 csv_writer.writerow(header)
 
                 # Write job errors
-                errors = db.get_harvest_job_errors_by_job(job_id)
+                errors = db._to_dict(db.get_harvest_job_errors_by_job(job_id))
                 for error_dict in errors:
                     row = [
                         str(error_dict.get("harvest_job_id", "")),

app/static/_scss/_uswds-theme-custom-styles.scss

@@ -39,6 +39,10 @@ ul.menu {
   }
 }
 
+.word-break-all {
+  word-break: break-all;
+}
+
 .view-buttons {
   button {
     margin-right: .5rem;

app/static/js/filter.js

@@ -0,0 +1,21 @@
+
+function filter(e) {
+    search = e.value.toLowerCase();
+    document.querySelectorAll('.site-component-card').forEach(function (row) {
+        text = row.getAttribute("data-meta").toLowerCase();
+        if (text.match(search)) {
+            row.classList.remove("display-none");
+        } else {
+            row.classList.add("display-none");
+        }
+    });
+    componentCount = document.querySelectorAll('.site-component-card:not(.display-none)').length;
+    var word = (componentCount === 1) ? "source" : "sources";
+    document.getElementById("component-count").innerHTML = `<strong>${componentCount}</strong> ${word} found`
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+  // add onkeyup event handlers
+  const filterInput = document.getElementById("icon-filter");
+  if (filterInput) filterInput.addEventListener("keyup", function (e) {filter(this)});
+});

app/static/js/glossary-panel.js

@@ -0,0 +1,259 @@
+'use strict';
+
+var List = require('list.js');
+var objectAssign = require('object-assign');
+var Accordion = require('aria-accordion').Accordion;
+
+var KEYCODE_ENTER = 13;
+var KEYCODE_ESC = 27;
+
+// https://davidwalsh.name/element-matches-selector
+function selectorMatches(el, selector) {
+  var p = Element.prototype;
+  var f = p.matches || p.webkitMatchesSelector || p.mozMatchesSelector || p.msMatchesSelector || function(s) {
+    return [].indexOf.call(document.querySelectorAll(s), this) !== -1;
+  };
+  return f.call(el, selector);
+}
+
+
+// get nearest parent element matching selector
+function closest(el, selector) {
+  while (el) {
+    if (selectorMatches(el, selector)) {
+      break;
+    }
+    el = el.parentElement;
+  }
+  return el;
+}
+
+function forEach(values, callback) {
+  return [].forEach.call(values, callback);
+}
+
+var itemTemplate = function(values) {
+  var id = 'glossary-term-' + values.termId;
+  return '<li class="' + values.glossaryItemClass + '">' +
+      '<button class="data-glossary-term ' + values.termClass + '" aria-controls="' + id + '">' +
+        values.term +
+      '</button>' +
+      '<div id="' + id + '" class="' + values.definitionClass + '">' + values.definition + '</div>' +
+    '</li>'
+}
+
+var defaultSelectors = {
+  glossaryID: '#glossary',
+  toggle: '.js-glossary-toggle',
+  close: '.js-glossary-close',
+  listClass: '.js-glossary-list',
+  searchClass: '.js-glossary-search'
+};
+
+var defaultClasses = {
+  definitionClass: 'glossary__definition',
+  glossaryItemClass: 'glossary__item',
+  highlightedTerm: 'term--highlight',
+  termClass: 'glossary__term'
+};
+
+function removeTabindex(elm) {
+  var elms = getTabIndex(elm);
+  forEach(elms, function(elm) {
+    elm.setAttribute('tabIndex', '-1');
+  });
+}
+
+function restoreTabindex(elm) {
+  var elms = getTabIndex(elm);
+  forEach(elms, function(elm) {
+    elm.setAttribute('tabIndex', '0');
+  });
+}
+
+function getTabIndex(elm) {
+  return elm.querySelectorAll('a, button, input, [tabindex]');
+}
+
+/**
+ * Glossary widget
+ * @constructor
+ * @param {Array} terms - Term objects with "glossary-term" and "glossary-definition" keys
+ * @param {Object} selectors - CSS selectors for glossary components
+ * @param {Object} classes - CSS classes to be applied for styling
+ */
+function Glossary(terms, selectors, classes) {
+  this.terms = terms;
+  this.selectors = objectAssign({}, defaultSelectors, selectors);
+  this.classes = objectAssign({}, defaultClasses, classes);
+
+  this.body = document.querySelector(this.selectors.glossaryID);
+  this.toggleBtn = document.querySelector(this.selectors.toggle);
+  this.closeBtn = document.querySelector(this.selectors.close);
+  this.search = this.body.querySelector(this.selectors.searchClass);
+  this.listElm = this.body.querySelector(this.selectors.listClass);
+  this.selectedTerm = this.toggleBtn;
+
+  // Initialize state
+  this.isOpen = false;
+
+  // Update DOM
+  this.populate();
+  this.initList();
+  this.linkTerms();
+
+  // Remove tabindices
+  removeTabindex(this.body);
+
+  // Initialize accordions
+  this.accordion = new Accordion(this.listElm, null, {contentPrefix: 'glossary'});
+
+  // Bind listeners
+  this.listeners = [];
+  this.addEventListener(this.toggleBtn, 'click', this.toggle.bind(this));
+  this.addEventListener(this.closeBtn, 'click', this.hide.bind(this));
+  this.addEventListener(this.search, 'input', this.handleInput.bind(this));
+  this.addEventListener(document.body, 'keyup', this.handleKeyup.bind(this));
+  this.addEventListener(document,'click', this.closeOpenGlossary.bind(this));
+}
+
+Glossary.prototype.populate = function() {
+  this.terms.forEach(function(term, i) {
+    var opts = {
+      term: term.term,
+      definition: term.definition,
+      definitionClass: this.classes.definitionClass,
+      glossaryItemClass: this.classes.glossaryItemClass,
+      termClass: this.classes.termClass,
+      termId: i
+    };
+    this.listElm.insertAdjacentHTML('beforeend', itemTemplate(opts));
+  }, this);
+};
+
+/** Initialize list.js list of terms */
+Glossary.prototype.initList = function() {
+  var glossaryId = this.selectors.glossaryID.slice(1);
+  var listClass = this.selectors.listClass.slice(1);
+  var searchClass = this.selectors.searchClass.slice(1);
+  var options = {
+    valueNames: ['data-glossary-term'],
+    listClass: listClass,
+    searchClass: searchClass,
+  };
+  this.list = new List(glossaryId, options);
+  this.list.sort('data-glossary-term', {order: 'asc'});
+};
+
+/** Add links to terms in body */
+Glossary.prototype.linkTerms = function() {
+  var terms = document.querySelectorAll('[data-term]');
+  forEach(terms, function(term) {
+    term.setAttribute('title', 'Click to define');
+    term.setAttribute('tabIndex', 0);
+    term.setAttribute('data-term', (term.getAttribute('data-term') || '').toLowerCase());
+  });
+  document.body.addEventListener('click', this.handleTermTouch.bind(this));
+  document.body.addEventListener('keyup', this.handleTermTouch.bind(this));
+};
+
+Glossary.prototype.handleTermTouch = function(e) {
+  if (e.which === KEYCODE_ENTER || e.type === 'click') {
+    if (selectorMatches(e.target, '[data-term]')) {
+      e.stopPropagation();
+      this.show(e);
+      this.selectedTerm = e.target;
+      this.findTerm(e.target.getAttribute('data-term'));
+    }
+    else {
+      this.selectedTerm = this.toggleBtn;
+    }
+  }
+};
+
+/** Highlight a term */
+Glossary.prototype.findTerm = function(term) {
+  this.search.value = term;
+  var highlightClass = this.classes.highlightedTerm;
+
+  // Highlight the term and remove other highlights
+  forEach(this.body.querySelectorAll('.' + highlightClass), function(term) {
+    term.classList.remove(highlightClass);
+  });
+  forEach(this.body.querySelectorAll('span[data-term="' + term + '"]'), function(term) {
+    term.classList.add(highlightClass);
+  });
+  this.list.filter(function(item) {
+    return item._values['data-glossary-term'].toLowerCase() === term;
+  });
+
+  this.list.search();
+  var button = this.list.visibleItems[0].elm.querySelector('button');
+  this.accordion.expand(button);
+};
+
+Glossary.prototype.toggle = function() {
+  var method = this.isOpen ? this.hide : this.show;
+  method.apply(this);
+};
+
+Glossary.prototype.show = function() {
+  this.body.setAttribute('aria-hidden', 'false');
+  this.toggleBtn.setAttribute('aria-expanded', 'true');
+  this.search.focus();
+  this.isOpen = true;
+  restoreTabindex(this.body);
+};
+
+Glossary.prototype.hide = function() {
+  this.body.setAttribute('aria-hidden', 'true');
+  this.toggleBtn.setAttribute('aria-expanded', 'false');
+  this.selectedTerm.focus();
+  this.isOpen = false;
+  removeTabindex(this.body);
+};
+
+/** Remove existing filters on input */
+Glossary.prototype.handleInput = function() {
+  if (this.list.filtered) {
+    this.list.filter();
+  }
+};
+
+/** Close glossary on escape keypress */
+Glossary.prototype.handleKeyup = function(e) {
+  if (e.keyCode == KEYCODE_ESC) {
+    if (this.isOpen) {
+      this.hide();
+    }
+  }
+};
+
+// Close glossary when clicking outside of glossary
+Glossary.prototype.closeOpenGlossary = function(e) {
+  if ( e.target !== this.toggleBtn && this.isOpen) {
+    if (!(closest(e.target, this.selectors.glossaryID))) {
+        this.hide();
+    }
+  }
+};
+
+Glossary.prototype.addEventListener = function(elm, event, callback) {
+  if (elm) {
+    elm.addEventListener(event, callback);
+    this.listeners.push({
+      elm: elm,
+      event: event,
+      callback: callback
+    });
+  }
+};
+
+Glossary.prototype.destroy = function() {
+  this.accordion.destroy();
+  this.listeners.forEach(function(listener) {
+    listener.elm.removeEventListener(listener.event, listener.callback);
+  });
+};
+
+module.exports = Glossary;

app/static/js/glossary.js

@@ -1,4 +1,4 @@
-var Glossary = require("glossary-panel");
+var Glossary = require("./glossary-panel.js");
 var terms = require("../data/glossary.json");
 
 var body = document.querySelectorAll(