feat(frontend): add identify-methods and tsa policy UI definitions

Author: vitormattos

src/views/Settings/PolicyWorkbench/settings/identify-methods/IdentifyMethodsRuleEditor.vue

@@ -0,0 +1,178 @@
+<!--
+  - SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<template>
+	<div class="identify-methods-editor">
+		<div v-if="entries.length === 0" class="identify-methods-editor__empty">
+			{{ t('libresign', 'No identification methods available.') }}
+		</div>
+
+		<div v-for="(identifyMethod, index) in entries"
+			:key="identifyMethod.name"
+			class="identify-methods-editor__method">
+			<hr v-if="index !== 0">
+
+			<NcCheckboxRadioSwitch type="switch"
+				:model-value="identifyMethod.enabled"
+				@update:modelValue="onMethodToggle(index, $event)">
+				{{ identifyMethod.friendly_name ?? identifyMethod.name }}
+			</NcCheckboxRadioSwitch>
+
+			<div v-if="identifyMethod.enabled" class="identify-methods-editor__method-details">
+				<fieldset v-if="identifyMethod.name === 'email'" class="identify-methods-editor__sub-section">
+					<NcCheckboxRadioSwitch :model-value="Boolean(identifyMethod.can_create_account)"
+						@update:modelValue="onCanCreateAccountToggle(index, $event)">
+						{{ t('libresign', 'Request to create account when the user does not have an account') }}
+					</NcCheckboxRadioSwitch>
+				</fieldset>
+
+				<fieldset class="identify-methods-editor__sub-section">
+					<legend>{{ t('libresign', 'Signature methods') }}</legend>
+					<NcCheckboxRadioSwitch v-for="(signatureMethod, signatureMethodName) in identifyMethod.signatureMethods"
+						:key="signatureMethodName"
+						type="radio"
+						:name="identifyMethod.name"
+						:value="signatureMethodName"
+						:model-value="identifyMethod.signatureMethodEnabled"
+						@update:modelValue="onSignatureMethodChange(index, String($event))">
+						{{ signatureMethod.label ?? signatureMethodName }}
+					</NcCheckboxRadioSwitch>
+				</fieldset>
+			</div>
+		</div>
+	</div>
+</template>
+
+<script setup lang="ts">
+import { computed } from 'vue'
+
+import { t } from '@nextcloud/l10n'
+import NcCheckboxRadioSwitch from '@nextcloud/vue/components/NcCheckboxRadioSwitch'
+
+import type { EffectivePolicyValue } from '../../../../../types/index'
+import {
+	normalizeIdentifyMethodsPolicy,
+	serializeIdentifyMethodsPolicy,
+	type IdentifyMethodPolicyEntry,
+} from './model'
+
+defineOptions({
+	name: 'IdentifyMethodsRuleEditor',
+})
+
+const props = defineProps<{
+	modelValue: EffectivePolicyValue
+}>()
+
+const emit = defineEmits<{
+	'update:modelValue': [value: IdentifyMethodPolicyEntry[]]
+}>()
+
+const entries = computed(() => {
+	const normalized = normalizeIdentifyMethodsPolicy(props.modelValue)
+	return ensureSignatureMethodSelection(normalized)
+})
+
+function onMethodToggle(index: number, enabled: boolean): void {
+	const nextEntries = [...entries.value]
+	nextEntries[index] = {
+		...nextEntries[index],
+		enabled,
+	}
+	emit('update:modelValue', serializeIdentifyMethodsPolicy(ensureSignatureMethodSelection(nextEntries).filter((entry) => entry.enabled)))
+}
+
+function onCanCreateAccountToggle(index: number, canCreateAccount: boolean): void {
+	const nextEntries = [...entries.value]
+	nextEntries[index] = {
+		...nextEntries[index],
+		can_create_account: canCreateAccount,
+	}
+	emit('update:modelValue', serializeIdentifyMethodsPolicy(ensureSignatureMethodSelection(nextEntries).filter((entry) => entry.enabled)))
+}
+
+function onSignatureMethodChange(index: number, signatureMethodName: string): void {
+	const nextEntries = [...entries.value]
+	nextEntries[index] = {
+		...nextEntries[index],
+		signatureMethodEnabled: signatureMethodName,
+	}
+	emit('update:modelValue', serializeIdentifyMethodsPolicy(ensureSignatureMethodSelection(nextEntries).filter((entry) => entry.enabled)))
+}
+
+function ensureSignatureMethodSelection(entries: IdentifyMethodPolicyEntry[]): IdentifyMethodPolicyEntry[] {
+	return entries.map((entry) => {
+		const signatureMethodNames = Object.keys(entry.signatureMethods)
+		if (signatureMethodNames.length === 0) {
+			return {
+				...entry,
+				signatureMethodEnabled: undefined,
+			}
+		}
+
+		let selectedSignatureMethod = entry.signatureMethodEnabled
+		if (!selectedSignatureMethod || !signatureMethodNames.includes(selectedSignatureMethod)) {
+			selectedSignatureMethod = signatureMethodNames.find((signatureMethodName) => entry.signatureMethods[signatureMethodName]?.enabled)
+				?? signatureMethodNames[0]
+		}
+
+		const signatureMethods = Object.fromEntries(
+			signatureMethodNames.map((signatureMethodName) => [
+				signatureMethodName,
+				{
+					...entry.signatureMethods[signatureMethodName],
+					enabled: signatureMethodName === selectedSignatureMethod,
+				},
+			]),
+		)
+
+		return {
+			...entry,
+			signatureMethods,
+			signatureMethodEnabled: selectedSignatureMethod,
+		}
+	})
+}
+</script>
+
+<style scoped lang="scss">
+.identify-methods-editor {
+	display: flex;
+	flex-direction: column;
+	gap: 0.5rem;
+}
+
+.identify-methods-editor__empty {
+	color: var(--color-text-maxcontrast);
+	font-size: 0.9rem;
+}
+
+.identify-methods-editor__method {
+	display: flex;
+	flex-direction: column;
+	gap: 0.5rem;
+}
+
+.identify-methods-editor__method-details {
+	display: flex;
+	flex-direction: column;
+	gap: 0.5rem;
+}
+
+.identify-methods-editor__sub-section {
+	display: flex;
+	flex-direction: column;
+	gap: 0.25rem;
+	border: 0;
+	margin: 0 0 0 1.5rem;
+	padding: 0;
+}
+
+.identify-methods-editor__sub-section legend {
+	padding: 0;
+	margin-bottom: 0.25rem;
+	font-weight: 600;
+}
+</style>

src/views/Settings/PolicyWorkbench/settings/identify-methods/model.ts

@@ -0,0 +1,130 @@
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import type { EffectivePolicyValue } from '../../../../../types/index'
+
+export type IdentifyMethodSignatureMethod = {
+	enabled?: boolean
+	label?: string
+}
+
+export type IdentifyMethodPolicyEntry = {
+	name: string
+	friendly_name?: string
+	enabled: boolean
+	can_create_account?: boolean
+	mandatory?: boolean
+	signatureMethods: Record<string, IdentifyMethodSignatureMethod>
+	signatureMethodEnabled?: string
+}
+
+export function normalizeIdentifyMethodsPolicy(value: EffectivePolicyValue): IdentifyMethodPolicyEntry[] {
+	if (typeof value === 'string') {
+		const decoded = safeJsonParse(value)
+		if (Array.isArray(decoded)) {
+			value = decoded as unknown as EffectivePolicyValue
+		}
+	}
+
+	if (!Array.isArray(value)) {
+		return []
+	}
+
+	const normalized: IdentifyMethodPolicyEntry[] = []
+
+	for (const rawEntry of value) {
+		if (!rawEntry || typeof rawEntry !== 'object') {
+			continue
+		}
+
+		const candidate = rawEntry as Record<string, unknown>
+		const name = typeof candidate.name === 'string' ? candidate.name.trim() : ''
+		if (!name) {
+			continue
+		}
+
+		const signatureMethods = normalizeSignatureMethods(candidate.signatureMethods)
+
+		normalized.push({
+			name,
+			friendly_name: typeof candidate.friendly_name === 'string' ? candidate.friendly_name : undefined,
+			enabled: Boolean(candidate.enabled),
+			can_create_account: candidate.can_create_account === undefined ? undefined : Boolean(candidate.can_create_account),
+			mandatory: candidate.mandatory === undefined ? undefined : Boolean(candidate.mandatory),
+			signatureMethods,
+			signatureMethodEnabled: typeof candidate.signatureMethodEnabled === 'string'
+				? candidate.signatureMethodEnabled
+				: undefined,
+		})
+	}
+
+	return normalized
+}
+
+export function serializeIdentifyMethodsPolicy(entries: IdentifyMethodPolicyEntry[]): IdentifyMethodPolicyEntry[] {
+	return entries.map((entry) => {
+		const signatureMethods: Record<string, IdentifyMethodSignatureMethod> = {}
+
+		for (const [signatureMethodName, signatureMethod] of Object.entries(entry.signatureMethods)) {
+			signatureMethods[signatureMethodName] = {
+				enabled: Boolean(signatureMethod.enabled),
+			}
+		}
+
+		const normalizedEntry: IdentifyMethodPolicyEntry = {
+			name: entry.name,
+			enabled: Boolean(entry.enabled),
+			signatureMethods,
+		}
+
+		if (typeof entry.friendly_name === 'string') {
+			normalizedEntry.friendly_name = entry.friendly_name
+		}
+
+		if (entry.can_create_account !== undefined) {
+			normalizedEntry.can_create_account = Boolean(entry.can_create_account)
+		}
+
+		if (entry.mandatory !== undefined) {
+			normalizedEntry.mandatory = Boolean(entry.mandatory)
+		}
+
+		if (entry.signatureMethodEnabled) {
+			normalizedEntry.signatureMethodEnabled = entry.signatureMethodEnabled
+		}
+
+		return normalizedEntry
+	})
+}
+
+function normalizeSignatureMethods(value: unknown): Record<string, IdentifyMethodSignatureMethod> {
+	if (!value || typeof value !== 'object' || Array.isArray(value)) {
+		return {}
+	}
+
+	const signatureMethods: Record<string, IdentifyMethodSignatureMethod> = {}
+
+	for (const [signatureMethodName, rawConfig] of Object.entries(value as Record<string, unknown>)) {
+		if (!rawConfig || typeof rawConfig !== 'object') {
+			continue
+		}
+
+		const candidate = rawConfig as Record<string, unknown>
+		signatureMethods[signatureMethodName] = {
+			enabled: Boolean(candidate.enabled),
+			label: typeof candidate.label === 'string' ? candidate.label : undefined,
+		}
+	}
+
+	return signatureMethods
+}
+
+function safeJsonParse(value: string): unknown {
+	try {
+		return JSON.parse(value)
+	} catch {
+		return null
+	}
+}

src/views/Settings/PolicyWorkbench/settings/identify-methods/realDefinition.ts

@@ -0,0 +1,52 @@
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { t } from '@nextcloud/l10n'
+
+import type { EffectivePolicyValue } from '../../../../../types/index'
+import type { RealPolicySettingDefinition } from '../realTypes'
+import IdentifyMethodsRuleEditor from './IdentifyMethodsRuleEditor.vue'
+import { normalizeIdentifyMethodsPolicy, serializeIdentifyMethodsPolicy } from './model'
+
+export const identifyMethodsRealDefinition: RealPolicySettingDefinition = {
+	key: 'identify_methods',
+	title: t('libresign', 'Identification factors'),
+	description: t('libresign', 'Ways to identify a person who will sign a document.'),
+	supportedScopes: ['system', 'group', 'user'],
+	editor: IdentifyMethodsRuleEditor,
+	resolutionMode: 'precedence',
+	createEmptyValue: () => [] as unknown as EffectivePolicyValue,
+	normalizeDraftValue: (value: EffectivePolicyValue) => serializeIdentifyMethodsPolicy(normalizeIdentifyMethodsPolicy(value)) as unknown as EffectivePolicyValue,
+	hasSelectableDraftValue: () => true,
+	normalizeAllowChildOverride: (_scope, allowChildOverride: boolean) => allowChildOverride,
+	getFallbackSystemDefault: (policyValue: EffectivePolicyValue | null | undefined, sourceScope?: string | null) => {
+		if (sourceScope === 'system' && policyValue !== null && policyValue !== undefined) {
+			return policyValue
+		}
+
+		return [] as unknown as EffectivePolicyValue
+	},
+	summarizeValue: (value: EffectivePolicyValue) => {
+		const normalized = normalizeIdentifyMethodsPolicy(value)
+		if (normalized.length === 0) {
+			return t('libresign', 'Default runtime behavior')
+		}
+
+		const enabled = normalized.filter((entry) => entry.enabled)
+		if (enabled.length === 0) {
+			return t('libresign', 'No enabled identification factor')
+		}
+
+		if (enabled.length <= 2) {
+			return enabled.map((entry) => entry.friendly_name ?? entry.name).join(', ')
+		}
+
+		return t('libresign', '{count} enabled factors', { count: String(enabled.length) })
+	},
+	formatAllowOverride: (allowChildOverride: boolean) =>
+		allowChildOverride
+			? t('libresign', 'Groups and users can set their own rule')
+			: t('libresign', 'Groups and users must follow this value'),
+}