feat(policy): migrate identification_documents to canonical policy stack

Author: vitormattos

lib/Service/File/SettingsLoader.php

@@ -14,17 +14,14 @@
 use OCA\Libresign\Db\IdDocsMapper;
 use OCA\Libresign\Db\SignRequest;
 use OCA\Libresign\Enum\FileStatus;
-use OCA\Libresign\ResponseDefinitions;
 use OCA\Libresign\Service\IdDocsPolicyService;
 use OCA\Libresign\Service\IdentifyMethodService;
+use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\IdentificationDocuments\IdentificationDocumentsPolicy;
 use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
-use stdClass;
 
-/**
- * @psalm-import-type LibresignSettings from ResponseDefinitions
- */
 class SettingsLoader {
 	public const IDENTIFICATION_DOCUMENTS_DISABLED = 0;
 	public const IDENTIFICATION_DOCUMENTS_NEED_SEND = 1;
@@ -34,6 +31,7 @@ class SettingsLoader {
 	public function __construct(
 		private AccountSettingsProvider $accountSettingsProvider,
 		private IdDocsPolicyService $idDocsPolicyService,
+		private PolicyService $policyService,
 		private IAppConfig $appConfig,
 		private IGroupManager $groupManager,
 		private IdDocsMapper $idDocsMapper,
@@ -42,7 +40,7 @@ public function __construct(
 	}
 
 	public function loadSettings(
-		stdClass $fileData,
+		\stdClass $fileData,
 		FileResponseOptions $options,
 	): void {
 		if (!$options->isShowSettings()) {
@@ -69,7 +67,7 @@ public function loadSettings(
 		}
 	}
 
-	private function loadApproverSignatureMethods(stdClass $fileData): void {
+	private function loadApproverSignatureMethods(\stdClass $fileData): void {
 		try {
 			$idDocs = $this->idDocsMapper->getByFileId($fileData->id);
 			$signRequestId = $idDocs->getSignRequestId();
@@ -84,7 +82,7 @@ private function loadApproverSignatureMethods(stdClass $fileData): void {
 	}
 
 	public function getIdentificationDocumentsStatus(?IUser $user = null, ?SignRequest $signRequest = null): int {
-		if (!$this->appConfig->getValueBool(Application::APP_ID, 'identification_documents', false)) {
+		if (!$this->isIdentificationDocumentsEnabled($user)) {
 			return self::IDENTIFICATION_DOCUMENTS_DISABLED;
 		}
 
@@ -131,12 +129,33 @@ private function calculateStatusFromFiles(?array $files): int {
 		return self::IDENTIFICATION_DOCUMENTS_APPROVED;
 	}
 
+	private function isIdentificationDocumentsEnabled(?IUser $user): bool {
+		$resolved = $user
+			? $this->policyService->resolveForUser(IdentificationDocumentsPolicy::KEY, $user)
+			: $this->policyService->resolve(IdentificationDocumentsPolicy::KEY);
+
+		$value = $resolved->getEffectiveValue();
+		if (is_bool($value)) {
+			return $value;
+		}
+
+		if (is_int($value)) {
+			return $value !== 0;
+		}
+
+		if (is_string($value)) {
+			return in_array(strtolower(trim($value)), ['1', 'true', 'yes', 'on'], true);
+		}
+
+		return (bool)$value;
+	}
+
 	/**
 	 * Get user identification documents settings
 	 * These are user-specific settings, not file-specific
-	 * Always returns complete LibresignSettings with defaults
+	 * Always returns complete settings payload with defaults.
 	 *
-	 * @psalm-return LibresignSettings
+	 * @return array<string, mixed>
 	 */
 	public function getUserIdentificationSettings(?IUser $user, ?SignRequest $signRequest = null): array {
 		$status = $this->getIdentificationDocumentsStatus($user, $signRequest);

lib/Service/IdDocsPolicyService.php

@@ -8,24 +8,24 @@
 
 namespace OCA\Libresign\Service;
 
-use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Db\IdDocsMapper;
 use OCA\Libresign\Enum\FileStatus;
 use OCA\Libresign\Helper\ValidateHelper;
+use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\IdentificationDocuments\IdentificationDocumentsPolicy;
 use OCP\AppFramework\Db\DoesNotExistException;
-use OCP\IAppConfig;
 use OCP\IUser;
 
 class IdDocsPolicyService {
 	public function __construct(
-		private IAppConfig $appConfig,
+		private PolicyService $policyService,
 		private ValidateHelper $validateHelper,
 		private IdDocsMapper $idDocsMapper,
 	) {
 	}
 
 	public function canApproverSignIdDoc(IUser $user, int $fileId, int $status): bool {
-		if (!$this->appConfig->getValueBool(Application::APP_ID, 'identification_documents', false)) {
+		if (!$this->isIdentificationDocumentsEnabled($user)) {
 			return false;
 		}
 		if (!$this->validateHelper->userCanApproveValidationDocuments($user, false)) {
@@ -42,4 +42,22 @@ public function canApproverSignIdDoc(IUser $user, int $fileId, int $status): boo
 			return false;
 		}
 	}
+
+	private function isIdentificationDocumentsEnabled(IUser $user): bool {
+		$value = $this->policyService->resolveForUser(IdentificationDocumentsPolicy::KEY, $user)->getEffectiveValue();
+
+		if (is_bool($value)) {
+			return $value;
+		}
+
+		if (is_int($value)) {
+			return $value !== 0;
+		}
+
+		if (is_string($value)) {
+			return in_array(strtolower(trim($value)), ['1', 'true', 'yes', 'on'], true);
+		}
+
+		return (bool)$value;
+	}
 }

lib/Service/Policy/Provider/IdentificationDocuments/IdentificationDocumentsPolicy.php

@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\IdentificationDocuments;
+
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinition;
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinitionProvider;
+use OCA\Libresign\Service\Policy\Model\PolicySpec;
+
+final class IdentificationDocumentsPolicy implements IPolicyDefinitionProvider {
+	public const KEY = 'identification_documents';
+	public const SYSTEM_APP_CONFIG_KEY = 'identification_documents';
+
+	#[\Override]
+	public function keys(): array {
+		return [
+			self::KEY,
+		];
+	}
+
+	#[\Override]
+	public function get(string|\BackedEnum $policyKey): IPolicyDefinition {
+		return match ($this->normalizePolicyKey($policyKey)) {
+			self::KEY => new PolicySpec(
+				key: self::KEY,
+				defaultSystemValue: false,
+				allowedValues: [
+					false,
+					true,
+				],
+				normalizer: static function (mixed $rawValue): mixed {
+					if (is_bool($rawValue)) {
+						return $rawValue;
+					}
+
+					if (is_int($rawValue)) {
+						return $rawValue !== 0;
+					}
+
+					if (is_string($rawValue)) {
+						$value = strtolower(trim($rawValue));
+						if (in_array($value, ['1', 'true', 'yes', 'on'], true)) {
+							return true;
+						}
+
+						if (in_array($value, ['0', 'false', 'no', 'off', ''], true)) {
+							return false;
+						}
+					}
+
+					return (bool)$rawValue;
+				},
+				appConfigKey: self::SYSTEM_APP_CONFIG_KEY,
+			),
+			default => throw new \InvalidArgumentException('Unknown policy key: ' . $this->normalizePolicyKey($policyKey)),
+		};
+	}
+
+	private function normalizePolicyKey(string|\BackedEnum $policyKey): string {
+		if ($policyKey instanceof \BackedEnum) {
+			return (string)$policyKey->value;
+		}
+
+		return $policyKey;
+	}
+}

lib/Service/Policy/Provider/PolicyProviders.php

@@ -10,6 +10,7 @@
 
 use OCA\Libresign\Service\Policy\Provider\DocMdp\DocMdpPolicy;
 use OCA\Libresign\Service\Policy\Provider\Footer\FooterPolicy;
+use OCA\Libresign\Service\Policy\Provider\IdentificationDocuments\IdentificationDocumentsPolicy;
 use OCA\Libresign\Service\Policy\Provider\RequestSignGroups\RequestSignGroupsPolicy;
 use OCA\Libresign\Service\Policy\Provider\Signature\SignatureFlowPolicy;
 
@@ -20,5 +21,6 @@ final class PolicyProviders {
 		DocMdpPolicy::KEY => DocMdpPolicy::class,
 		RequestSignGroupsPolicy::KEY => RequestSignGroupsPolicy::class,
 		SignatureFlowPolicy::KEY => SignatureFlowPolicy::class,
+		IdentificationDocumentsPolicy::KEY => IdentificationDocumentsPolicy::class,
 	];
 }

src/tests/views/Settings/IdentificationDocuments.spec.ts

@@ -44,12 +44,18 @@ describe('IdentificationDocuments', () => {
 
 	it('saves groups on update:modelValue', async () => {
 		loadStateMock.mockImplementation((_app: string, key: string, fallback: unknown) => {
-			if (key === 'identification_documents') {
-				return true
-			}
 			if (key === 'approval_group') {
 				return []
 			}
+			if (key === 'effective_policies') {
+				return {
+					policies: {
+						identification_documents: {
+							effectiveValue: true,
+						},
+					},
+				}
+			}
 			return fallback
 		})
 
@@ -74,7 +80,6 @@ describe('IdentificationDocuments', () => {
 			global: {
 				stubs: {
 					NcSettingsSection: { template: '<div><slot /></div>' },
-					NcCheckboxRadioSwitch: { template: '<div><slot /></div>' },
 					NcSelect: {
 						name: 'NcSelect',
 						props: ['modelValue'],

src/views/Settings/IdentificationDocuments.vue

@@ -5,29 +5,29 @@
 <template>
 	<NcSettingsSection
 		:name="t('libresign', 'Identification documents')"
-		:description="t('libresign', 'The flow of identification documents will make it mandatory for anyone who must sign a file, to send their identification documents, this, in order for them to be approved by some member of the approval group. The user can only create the certificate after these are approved.')">
-		<NcCheckboxRadioSwitch type="switch"
-			v-model="identificationDocumentsFlowEnabled"
-			@update:modelValue="saveIdentificationDocumentsStatus">
-			{{ t('libresign', 'Enable identification documents flow') }}
-		</NcCheckboxRadioSwitch>
-		<p v-if="identificationDocumentsFlowEnabled">
-			{{ t('libresign', 'Select authorized groups that can request to sign documents. Admin group is the default group and doesn\'t need to be defined.') }}
-			<br>
-			<NcSelect :key="idApprovalGroupsKey"
-				v-model="approvalGroups"
-				label="displayname"
-				:no-wrap="false"
-				:aria-label-combobox="description"
-				:close-on-select="false"
-				:disabled="loadingGroups"
-				:loading="loadingGroups"
-				:multiple="true"
-				:options="groups"
-				:searchable="true"
-				:show-no-options="false"
-				@search-change="searchGroup"
-				@update:modelValue="saveApprovalGroups" />
+		:description="t('libresign', 'Configure which groups can approve submitted identification documents. Admin group members can always approve.')">
+		<p>
+			{{ t('libresign', 'The Identification documents flow itself is managed in Policies.') }}
+		</p>
+		<p>
+			{{ t('libresign', 'Approval groups are used only when the effective policy enables this flow.') }}
+		</p>
+		<NcSelect :key="idApprovalGroupsKey"
+			v-model="approvalGroups"
+			label="displayname"
+			:no-wrap="false"
+			:aria-label-combobox="description"
+			:close-on-select="false"
+			:disabled="loadingGroups || !identificationDocumentsFlowEnabled"
+			:loading="loadingGroups"
+			:multiple="true"
+			:options="groups"
+			:searchable="true"
+			:show-no-options="false"
+			@search-change="searchGroup"
+			@update:modelValue="saveApprovalGroups" />
+		<p v-if="!identificationDocumentsFlowEnabled" class="identification-documents-content__hint">
+			{{ t('libresign', 'This list is disabled because the effective policy currently disables identification documents flow.') }}
 		</p>
 	</NcSettingsSection>
 </template>
@@ -38,7 +38,6 @@ import { generateOcsUrl } from '@nextcloud/router'
 import { t } from '@nextcloud/l10n'
 import { computed, onMounted, ref } from 'vue'
 
-import NcCheckboxRadioSwitch from '@nextcloud/vue/components/NcCheckboxRadioSwitch'
 import NcSelect from '@nextcloud/vue/components/NcSelect'
 import NcSettingsSection from '@nextcloud/vue/components/NcSettingsSection'
 
@@ -54,8 +53,26 @@ type Group = {
 }
 
 const approvalGroupState = loadState('libresign', 'approval_group', ['admin'])
-const identificationDocumentsState = loadState<unknown>('libresign', 'identification_documents', false)
-const identificationDocumentsFlowEnabled = ref(identificationDocumentsState === true || identificationDocumentsState === '1')
+const effectivePoliciesState = loadState<{ policies?: Record<string, { effectiveValue?: unknown }> }>('libresign', 'effective_policies', { policies: {} })
+
+function resolveEnabledValue(value: unknown): boolean {
+	if (typeof value === 'boolean') {
+		return value
+	}
+
+	if (typeof value === 'number') {
+		return value !== 0
+	}
+
+	if (typeof value === 'string') {
+		return ['1', 'true', 'yes', 'on'].includes(value.trim().toLowerCase())
+	}
+
+	return false
+}
+
+const effectivePolicies = effectivePoliciesState?.policies ?? {}
+const identificationDocumentsFlowEnabled = ref(resolveEnabledValue(effectivePolicies.identification_documents?.effectiveValue))
 const approvalGroupIds = ref<string[]>(Array.isArray(approvalGroupState) ? approvalGroupState : ['admin'])
 const approvalGroups = ref<Array<Group | string>>([])
 const groups = ref<Group[]>([])
@@ -68,10 +85,6 @@ function syncApprovalGroupsFromState() {
 	approvalGroups.value = groups.value.filter((group) => approvalGroupIds.value.indexOf(group.id) !== -1)
 }
 
-function saveIdentificationDocumentsStatus() {
-	OCP.AppConfig.setValue('libresign', 'identification_documents', identificationDocumentsFlowEnabled.value ? '1' : '0')
-}
-
 function saveApprovalGroups() {
 	const listOfInputGroupsSelected = JSON.stringify(approvalGroups.value.map((group) => {
 		if (typeof group === 'object') {
@@ -106,7 +119,7 @@ onMounted(async () => {
 })
 </script>
 <style scoped>
-.identification-documents-content{
+.identification-documents-content {
 	display: flex;
 	flex-direction: column;
 }