feat(policy): migrate approval groups setting for id docs

Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

lib/Helper/ValidateHelper.php

@@ -28,10 +28,12 @@
 use OCA\Libresign\Service\FileService;
 use OCA\Libresign\Service\IdentifyMethod\IIdentifyMethod;
 use OCA\Libresign\Service\IdentifyMethodService;
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicyValue;
 use OCA\Libresign\Service\Policy\RequestSignAuthorizationService;
 use OCA\Libresign\Service\SequentialSigningService;
 use OCA\Libresign\Service\SignerElementsService;
 use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\Exceptions\AppConfigTypeConflictException;
 use OCP\Files\IMimeTypeDetector;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
@@ -959,8 +961,8 @@ public function userCanApproveValidationDocuments(?IUser $user, bool $throw = tr
 			return false;
 		}
 
-		$authorized = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
-		if (!$authorized || !is_array($authorized) || empty($authorized)) {
+		$authorized = $this->getApprovalGroups();
+		if (empty($authorized)) {
 			$authorized = ['admin'];
 		}
 		$userGroups = $this->groupManager->getUserGroupIds($user);
@@ -973,6 +975,17 @@ public function userCanApproveValidationDocuments(?IUser $user, bool $throw = tr
 		return true;
 	}
 
+	/** @return list<string> */
+	private function getApprovalGroups(): array {
+		try {
+			$value = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+			return ApprovalGroupsPolicyValue::decode($value);
+		} catch (AppConfigTypeConflictException) {
+			$value = $this->appConfig->getValueString(Application::APP_ID, 'approval_group', '[]');
+			return ApprovalGroupsPolicyValue::decode($value);
+		}
+	}
+
 	private function validateDocMdpPdfRestrictions(array $data): void {
 		if (empty($data['uuid']) || empty($data['signers'])) {
 			return;

lib/Service/File/AccountSettingsProvider.php

@@ -12,7 +12,9 @@
 use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\SignEngine\Pkcs12Handler;
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicyValue;
 use OCP\Accounts\IAccountManager;
+use OCP\Exceptions\AppConfigTypeConflictException;
 use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
@@ -42,7 +44,7 @@ private function canRequestSign(?IUser $user = null): bool {
 		if (!$user) {
 			return false;
 		}
-		$authorized = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+		$authorized = $this->getApprovalGroups();
 		if (empty($authorized)) {
 			return false;
 		}
@@ -69,11 +71,22 @@ private function isApprover(?IUser $user = null): bool {
 		if (!$user) {
 			return false;
 		}
-		$approvalGroups = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+		$approvalGroups = $this->getApprovalGroups();
 		if (empty($approvalGroups)) {
 			return false;
 		}
 		$userGroups = $this->groupManager->getUserGroupIds($user);
 		return (bool)array_intersect($userGroups, $approvalGroups);
 	}
+
+	/** @return list<string> */
+	private function getApprovalGroups(): array {
+		try {
+			$value = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+			return ApprovalGroupsPolicyValue::decode($value);
+		} catch (AppConfigTypeConflictException) {
+			$value = $this->appConfig->getValueString(Application::APP_ID, 'approval_group', '[]');
+			return ApprovalGroupsPolicyValue::decode($value);
+		}
+	}
 }

lib/Service/File/SettingsLoader.php

@@ -18,8 +18,10 @@
 use OCA\Libresign\Service\IdDocsPolicyService;
 use OCA\Libresign\Service\IdentifyMethodService;
 use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicyValue;
 use OCA\Libresign\Service\Policy\Provider\IdentificationDocuments\IdentificationDocumentsPolicy;
 use OCA\Libresign\Service\Policy\Provider\IdentificationDocuments\IdentificationDocumentsPolicyValue;
+use OCP\Exceptions\AppConfigTypeConflictException;
 use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
@@ -91,7 +93,7 @@ public function getIdentificationDocumentsStatus(?IUser $user = null, ?SignReque
 			return self::IDENTIFICATION_DOCUMENTS_DISABLED;
 		}
 
-		$approvalGroups = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+		$approvalGroups = $this->getApprovalGroups();
 		if ($user && !empty($approvalGroups) && is_array($approvalGroups)) {
 			$userGroups = $this->groupManager->getUserGroupIds($user);
 			if (array_intersect($userGroups, $approvalGroups)) {
@@ -144,6 +146,17 @@ private function isIdentificationDocumentsEnabled(?IUser $user): bool {
 		return IdentificationDocumentsPolicyValue::normalize($resolved->getEffectiveValue(), false);
 	}
 
+	/** @return list<string> */
+	private function getApprovalGroups(): array {
+		try {
+			$value = $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']);
+			return ApprovalGroupsPolicyValue::decode($value);
+		} catch (AppConfigTypeConflictException) {
+			$value = $this->appConfig->getValueString(Application::APP_ID, 'approval_group', '[]');
+			return ApprovalGroupsPolicyValue::decode($value);
+		}
+	}
+
 	/**
 	 * Get user identification documents settings
 	 * These are user-specific settings, not file-specific

lib/Service/Policy/Provider/ApprovalGroups/ApprovalGroupsPolicy.php

@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\ApprovalGroups;
+
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinition;
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinitionProvider;
+use OCA\Libresign\Service\Policy\Model\PolicyContext;
+use OCA\Libresign\Service\Policy\Model\PolicySpec;
+
+final class ApprovalGroupsPolicy implements IPolicyDefinitionProvider {
+	public const KEY = 'approval_group';
+	public const SYSTEM_APP_CONFIG_KEY = self::KEY;
+
+	#[\Override]
+	public function keys(): array {
+		return [
+			self::KEY,
+		];
+	}
+
+	#[\Override]
+	public function get(string|\BackedEnum $policyKey): IPolicyDefinition {
+		return match ($this->normalizePolicyKey($policyKey)) {
+			self::KEY => new PolicySpec(
+				key: self::KEY,
+				defaultSystemValue: ApprovalGroupsPolicyValue::encode(ApprovalGroupsPolicyValue::DEFAULT_GROUPS),
+				allowedValues: static fn (PolicyContext $context): array => [],
+				normalizer: static fn (mixed $rawValue): mixed => ApprovalGroupsPolicyValue::encode($rawValue),
+				validator: static function (mixed $value): void {
+					if (!is_string($value)) {
+						throw new \InvalidArgumentException('Invalid value for ' . self::KEY);
+					}
+
+					$decoded = ApprovalGroupsPolicyValue::decode($value);
+					if ($decoded === []) {
+						throw new \InvalidArgumentException('At least one authorized group is required for ' . self::KEY);
+					}
+				},
+				appConfigKey: self::SYSTEM_APP_CONFIG_KEY,
+				supportsUserPreference: false,
+			),
+			default => throw new \InvalidArgumentException('Unknown policy key: ' . $this->normalizePolicyKey($policyKey)),
+		};
+	}
+
+	private function normalizePolicyKey(string|\BackedEnum $policyKey): string {
+		if ($policyKey instanceof \BackedEnum) {
+			return (string)$policyKey->value;
+		}
+
+		return $policyKey;
+	}
+}

lib/Service/Policy/Provider/ApprovalGroups/ApprovalGroupsPolicyValue.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\ApprovalGroups;
+
+final class ApprovalGroupsPolicyValue {
+	/** @var list<string> */
+	public const DEFAULT_GROUPS = ['admin'];
+
+	/** @return list<string> */
+	public static function decode(mixed $rawValue): array {
+		if (is_array($rawValue)) {
+			return self::normalizeGroupIds($rawValue);
+		}
+
+		if (!is_string($rawValue)) {
+			return [];
+		}
+
+		$trimmed = trim($rawValue);
+		if ($trimmed === '') {
+			return [];
+		}
+
+		$decoded = json_decode($trimmed, true);
+		if (is_array($decoded)) {
+			return self::normalizeGroupIds($decoded);
+		}
+
+		return self::normalizeGroupIds(array_map('trim', explode(',', $trimmed)));
+	}
+
+	public static function encode(mixed $rawValue): string {
+		return json_encode(self::decode($rawValue), JSON_THROW_ON_ERROR);
+	}
+
+	/**
+	 * @param array<mixed> $rawGroups
+	 * @return list<string>
+	 */
+	private static function normalizeGroupIds(array $rawGroups): array {
+		$normalized = [];
+		foreach ($rawGroups as $groupId) {
+			if (!is_string($groupId)) {
+				continue;
+			}
+
+			$trimmed = trim($groupId);
+			if ($trimmed === '') {
+				continue;
+			}
+
+			$normalized[] = $trimmed;
+		}
+
+		$unique = array_values(array_unique($normalized));
+		sort($unique);
+
+		return $unique;
+	}
+}

lib/Service/Policy/Provider/PolicyProviders.php

@@ -8,6 +8,7 @@
 
 namespace OCA\Libresign\Service\Policy\Provider;
 
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicy;
 use OCA\Libresign\Service\Policy\Provider\CollectMetadata\CollectMetadataPolicy;
 use OCA\Libresign\Service\Policy\Provider\DocMdp\DocMdpPolicy;
 use OCA\Libresign\Service\Policy\Provider\Footer\FooterPolicy;
@@ -19,6 +20,7 @@
 final class PolicyProviders {
 	/** @var array<string, class-string> */
 	public const BY_KEY = [
+		ApprovalGroupsPolicy::KEY => ApprovalGroupsPolicy::class,
 		CollectMetadataPolicy::KEY => CollectMetadataPolicy::class,
 		FooterPolicy::KEY => FooterPolicy::class,
 		DocMdpPolicy::KEY => DocMdpPolicy::class,

lib/Settings/Admin.php

@@ -18,6 +18,8 @@
 use OCA\Libresign\Service\IdDocsPolicyService;
 use OCA\Libresign\Service\IdentifyMethodService;
 use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicy;
+use OCA\Libresign\Service\Policy\Provider\ApprovalGroups\ApprovalGroupsPolicyValue;
 use OCA\Libresign\Service\SignatureBackgroundService;
 use OCA\Libresign\Service\SignatureTextService;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -96,7 +98,12 @@ public function getForm(): TemplateResponse {
 		$this->initialState->provideInitialState('signing_mode', $this->getSigningModeInitialState());
 		$this->initialState->provideInitialState('worker_type', $this->getWorkerTypeInitialState());
 		$this->initialState->provideInitialState('identification_documents', $this->idDocsPolicyService->isIdentificationDocumentsEnabled());
-		$this->initialState->provideInitialState('approval_group', $this->appConfig->getValueArray(Application::APP_ID, 'approval_group', ['admin']));
+		$this->initialState->provideInitialState(
+			'approval_group',
+			ApprovalGroupsPolicyValue::decode(
+				$this->policyService->resolve(ApprovalGroupsPolicy::KEY)->getEffectiveValue(),
+			),
+		);
 		$this->initialState->provideInitialState('envelope_enabled', $this->appConfig->getValueBool(Application::APP_ID, 'envelope_enabled', true));
 		$this->initialState->provideInitialState('parallel_workers', $this->appConfig->getValueString(Application::APP_ID, 'parallel_workers', '4'));
 		$this->initialState->provideInitialState('show_confetti_after_signing', $this->appConfig->getValueBool(Application::APP_ID, 'show_confetti_after_signing', true));

src/tests/views/Settings/IdentificationDocuments.spec.ts

@@ -6,12 +6,20 @@
 import { beforeAll, beforeEach, describe, expect, it, vi } from 'vitest'
 import { flushPromises, mount } from '@vue/test-utils'
 
-const loadStateMock = vi.fn()
 const axiosGetMock = vi.fn()
+const fetchEffectivePoliciesMock = vi.fn(async () => {})
+const getEffectiveValueMock = vi.fn((policyKey: string) => {
+	if (policyKey === 'identification_documents') {
+		return true
+	}
 
-vi.mock('@nextcloud/initial-state', () => ({
-	loadState: (...args: unknown[]) => loadStateMock(...args),
-}))
+	if (policyKey === 'approval_group') {
+		return []
+	}
+
+	return null
+})
+const saveSystemPolicyMock = vi.fn(async (_policyKey: string, value: string) => ({ effectiveValue: value }))
 
 vi.mock('@nextcloud/axios', () => ({
 	default: {
@@ -21,13 +29,13 @@ vi.mock('@nextcloud/axios', () => ({
 
 vi.mock('@nextcloud/l10n', () => globalThis.mockNextcloudL10n())
 
-const OCP = {
-	AppConfig: {
-		setValue: vi.fn(),
-	},
-}
-
-;(globalThis as typeof globalThis & { OCP: typeof OCP }).OCP = OCP
+vi.mock('../../../store/policies', () => ({
+	usePoliciesStore: () => ({
+		fetchEffectivePolicies: fetchEffectivePoliciesMock,
+		getEffectiveValue: getEffectiveValueMock,
+		saveSystemPolicy: saveSystemPolicyMock,
+	}),
+}))
 
 let IdentificationDocuments: unknown
 
@@ -37,28 +45,13 @@ beforeAll(async () => {
 
 describe('IdentificationDocuments', () => {
 	beforeEach(() => {
-		loadStateMock.mockReset()
 		axiosGetMock.mockReset()
-		OCP.AppConfig.setValue.mockClear()
+		fetchEffectivePoliciesMock.mockClear()
+		getEffectiveValueMock.mockClear()
+		saveSystemPolicyMock.mockClear()
 	})
 
 	it('saves groups on update:modelValue', async () => {
-		loadStateMock.mockImplementation((_app: string, key: string, fallback: unknown) => {
-			if (key === 'approval_group') {
-				return []
-			}
-			if (key === 'effective_policies') {
-				return {
-					policies: {
-						identification_documents: {
-							effectiveValue: true,
-						},
-					},
-				}
-			}
-			return fallback
-		})
-
 		axiosGetMock.mockImplementation((url: string) => {
 			if (url.includes('cloud/groups/details')) {
 				return Promise.resolve({
@@ -95,6 +88,6 @@ describe('IdentificationDocuments', () => {
 		ncSelect.vm.$emit('update:modelValue', [{ id: 'grpA', displayname: 'Group A' }])
 		await flushPromises()
 
-		expect(OCP.AppConfig.setValue).toHaveBeenCalledWith('libresign', 'approval_group', '["grpA"]')
+		expect(saveSystemPolicyMock).toHaveBeenCalledWith('approval_group', '["grpA"]', false)
 	})
 })