feat: policy signature flow

composer.json

@@ -2,6 +2,7 @@
 	"require-dev": {
 		"bamarni/composer-bin-plugin": "^1.8",
 		"nextcloud/ocp": "dev-master",
+		"psr/http-client": "^1.0",
 		"roave/security-advisories": "dev-latest"
 	},
 	"config": {

eslint.config.mjs

@@ -3,11 +3,23 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+import js from '@eslint/js'
+import { FlatCompat } from '@eslint/eslintrc'
 import nextcloudConfig from '@nextcloud/eslint-config'
-import globals from 'globals'
+import { dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const compat = new FlatCompat({
+	baseDirectory: dirname(fileURLToPath(import.meta.url)),
+	recommendedConfig: js.configs.recommended,
+	allConfig: js.configs.all,
+})
+
+const compatConfigs = (Array.isArray(nextcloudConfig) ? nextcloudConfig : [nextcloudConfig])
+	.flatMap((config) => compat.config(config))
 
 export default [
-	...(Array.isArray(nextcloudConfig) ? nextcloudConfig : [nextcloudConfig]),
+	...compatConfigs,
 
 	{
 		name: 'libresign/ignores',

lib/AppInfo/Application.php

@@ -60,7 +60,6 @@ public function register(IRegistrationContext $context): void {
 		$context->registerNotifierService(Notifier::class);
 
 		$context->registerSearchProvider(FileSearchProvider::class);
-
 		$context->registerEventListener(LoadSidebar::class, TemplateLoader::class);
 		$context->registerEventListener(BeforeNodeDeletedEvent::class, BeforeNodeDeletedListener::class);
 		$context->registerEventListener(CacheEntryRemovedEvent::class, BeforeNodeDeletedListener::class);

lib/Capabilities.php

@@ -8,13 +8,13 @@
 
 namespace OCA\Libresign;
 
-use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Service\Envelope\EnvelopeService;
+use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\Confetti\ConfettiPolicy;
 use OCA\Libresign\Service\SignatureTextService;
 use OCA\Libresign\Service\SignerElementsService;
 use OCP\App\IAppManager;
 use OCP\Capabilities\IPublicCapability;
-use OCP\IAppConfig;
 
 /**
  * @psalm-import-type LibresignCapabilities from ResponseDefinitions
@@ -29,7 +29,7 @@ public function __construct(
 		protected SignatureTextService $signatureTextService,
 		protected IAppManager $appManager,
 		protected EnvelopeService $envelopeService,
-		protected IAppConfig $appConfig,
+		protected PolicyService $policyService,
 	) {
 	}
 
@@ -43,7 +43,7 @@ public function getCapabilities(): array {
 		$capabilities = [
 			'features' => self::FEATURES,
 			'config' => [
-				'show-confetti' => $this->appConfig->getValueBool(Application::APP_ID, 'show_confetti_after_signing', true),
+				'show-confetti' => $this->policyService->resolve(ConfettiPolicy::KEY)->getEffectiveValueAsBool(true),
 				'sign-elements' => [
 					'is-available' => $this->signerElementsService->isSignElementsAvailable(),
 					'can-create-signature' => $this->signerElementsService->canCreateSignature(),

lib/Command/Developer/Reset.php

@@ -96,6 +96,12 @@ protected function configure(): void {
 				mode: InputOption::VALUE_NONE,
 				description: 'Reset config'
 			)
+			->addOption(
+				name: 'policy',
+				shortcut: null,
+				mode: InputOption::VALUE_NONE,
+				description: 'Reset policy data'
+			)
 		;
 	}
 
@@ -140,6 +146,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 				$this->resetConfig();
 				$ok = true;
 			}
+			if ($input->getOption('policy') || $all) {
+				$this->resetPolicy();
+				$ok = true;
+			}
 		} catch (\Exception $e) {
 			$this->logger->error($e->getMessage());
 			throw $e;
@@ -254,4 +264,17 @@ private function resetConfig(): void {
 		} catch (\Throwable) {
 		}
 	}
+
+	private function resetPolicy(): void {
+		try {
+			$delete = $this->db->getQueryBuilder();
+			$delete->delete('libresign_permission_set_binding')
+				->executeStatement();
+
+			$delete = $this->db->getQueryBuilder();
+			$delete->delete('libresign_permission_set')
+				->executeStatement();
+		} catch (\Throwable) {
+		}
+	}
 }

lib/Controller/AdminController.php

@@ -16,20 +16,23 @@
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
 use OCA\Libresign\Handler\CertificateEngine\IEngineHandler;
-use OCA\Libresign\Helper\ConfigureCheckHelper;
 use OCA\Libresign\Service\Certificate\ValidateService;
 use OCA\Libresign\Service\CertificatePolicyService;
 use OCA\Libresign\Service\DocMdp\ConfigService as DocMdpConfigService;
 use OCA\Libresign\Service\FooterService;
 use OCA\Libresign\Service\IdentifyMethodService;
 use OCA\Libresign\Service\Install\ConfigureCheckService;
 use OCA\Libresign\Service\Install\InstallService;
+use OCA\Libresign\Service\Policy\PolicyService;
+use OCA\Libresign\Service\Policy\Provider\Tsa\TsaPolicy;
+use OCA\Libresign\Service\Policy\Provider\Tsa\TsaPolicyValue;
 use OCA\Libresign\Service\ReminderService;
 use OCA\Libresign\Service\SignatureBackgroundService;
 use OCA\Libresign\Service\SignatureTextService;
 use OCA\Libresign\Settings\Admin;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\DataDownloadResponse;
@@ -83,6 +86,7 @@ public function __construct(
 		private ReminderService $reminderService,
 		private FooterService $footerService,
 		private DocMdpConfigService $docMdpConfigService,
+		private PolicyService $policyService,
 		private IdentifyMethodService $identifyMethodService,
 		private FileMapper $fileMapper,
 	) {
@@ -233,14 +237,8 @@ private function generateCertificate(
 	#[ApiRoute(verb: 'GET', url: '/api/{apiVersion}/admin/certificate', requirements: ['apiVersion' => '(v1)'])]
 	public function loadCertificate(): DataResponse {
 		$engine = $this->certificateEngineFactory->getEngine();
-		/** @var LibresignEngineHandler */
+		/** @var LibresignCertificateDataGenerated */
 		$certificate = $engine->toArray();
-		$configureResult = $engine->configureCheck();
-		$success = array_filter(
-			$configureResult,
-			fn (ConfigureCheckHelper $config) => $config->getStatus() === 'success'
-		);
-		$certificate['generated'] = count($success) === count($configureResult);
 
 		return new DataResponse($certificate);
 	}
@@ -764,10 +762,9 @@ public function setTsaConfig(
 			], Http::STATUS_BAD_REQUEST);
 		}
 
-		$this->appConfig->setValueString(Application::APP_ID, 'tsa_url', $trimmedUrl);
-
+		$trimmedOid = '';
 		if (empty($tsa_policy_oid)) {
-			$this->appConfig->deleteKey(Application::APP_ID, 'tsa_policy_oid');
+			$trimmedOid = '';
 		} else {
 			$trimmedOid = trim($tsa_policy_oid);
 			if (!preg_match('/^[0-9]+(\.[0-9]+)*$/', $trimmedOid)) {
@@ -776,11 +773,10 @@ public function setTsaConfig(
 					'message' => 'Invalid OID format'
 				], Http::STATUS_BAD_REQUEST);
 			}
-			$this->appConfig->setValueString(Application::APP_ID, 'tsa_policy_oid', $trimmedOid);
 		}
 
 		$authType = $tsa_auth_type ?? 'none';
-		$this->appConfig->setValueString(Application::APP_ID, 'tsa_auth_type', $authType);
+		$username = '';
 
 		if ($authType === 'basic') {
 			$hasUsername = !empty($tsa_username);
@@ -803,18 +799,29 @@ public function setTsaConfig(
 				], Http::STATUS_BAD_REQUEST);
 			}
 
-			$this->appConfig->setValueString(Application::APP_ID, 'tsa_username', trim($tsa_username));
+			$username = trim($tsa_username);
 			$this->appConfig->setValueString(
 				Application::APP_ID,
 				key: 'tsa_password',
 				value: $tsa_password,
 				sensitive: true,
 			);
 		} else {
-			$this->appConfig->deleteKey(Application::APP_ID, 'tsa_username');
+			$username = '';
 			$this->appConfig->deleteKey(Application::APP_ID, 'tsa_password');
 		}
 
+		$this->policyService->saveSystem(
+			TsaPolicy::KEY,
+			[
+				'url' => $trimmedUrl,
+				'policy_oid' => $trimmedOid,
+				'auth_type' => $authType,
+				'username' => $username,
+			],
+			false,
+		);
+
 		return new DataResponse(['status' => 'success']);
 	}
 
@@ -830,11 +837,7 @@ public function setTsaConfig(
 	#[NoCSRFRequired]
 	#[ApiRoute(verb: 'DELETE', url: '/api/{apiVersion}/admin/tsa', requirements: ['apiVersion' => '(v1)'])]
 	public function deleteTsaConfig(): DataResponse {
-		$fields = ['tsa_url', 'tsa_policy_oid', 'tsa_auth_type', 'tsa_username', 'tsa_password'];
-
-		foreach ($fields as $field) {
-			$this->appConfig->deleteKey(Application::APP_ID, $field);
-		}
+		$this->policyService->saveSystem(TsaPolicy::KEY, TsaPolicyValue::defaults(), false);
 
 		return new DataResponse(['status' => 'success']);
 	}
@@ -850,11 +853,14 @@ public function deleteTsaConfig(): DataResponse {
 	 */
 	#[ApiRoute(verb: 'GET', url: '/api/{apiVersion}/admin/footer-template', requirements: ['apiVersion' => '(v1)'])]
 	public function getFooterTemplate(): DataResponse {
+		$previewSettings = $this->footerService->getPreviewSettings();
+
 		return new DataResponse([
 			'template' => $this->footerService->getTemplate(),
 			'isDefault' => $this->footerService->isDefaultTemplate(),
-			'preview_width' => $this->appConfig->getValueInt(Application::APP_ID, 'footer_preview_width', 595),
-			'preview_height' => $this->appConfig->getValueInt(Application::APP_ID, 'footer_preview_height', 100),
+			'preview_width' => $previewSettings['preview_width'],
+			'preview_height' => $previewSettings['preview_height'],
+			'preview_zoom' => $previewSettings['preview_zoom'],
 		]);
 	}
 
@@ -874,7 +880,7 @@ public function getFooterTemplate(): DataResponse {
 	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/footer-template', requirements: ['apiVersion' => '(v1)'])]
 	public function saveFooterTemplate(string $template = '', int $width = 595, int $height = 50) {
 		try {
-			$this->footerService->saveTemplate($template);
+			$this->footerService->saveTemplate($template, $width, $height);
 			$pdf = $this->footerService->renderPreviewPdf('', $width, $height);
 
 			return new DataDownloadResponse($pdf, 'footer-preview.pdf', 'application/pdf');
@@ -894,15 +900,18 @@ public function saveFooterTemplate(string $template = '', int $width = 595, int
 	 * @param string $template Template to preview
 	 * @param int $width Width of preview in points (default: 595 - A4 width)
 	 * @param int $height Height of preview in points (default: 50)
+	 * @param ?bool $writeQrcodeOnFooter Whether to force QR code rendering in footer preview (null uses policy)
 	 * @return DataDownloadResponse<Http::STATUS_OK, 'application/pdf', array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>
 	 *
 	 * 200: OK
 	 * 400: Bad request
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/footer-template/preview-pdf', requirements: ['apiVersion' => '(v1)'])]
-	public function footerTemplatePreviewPdf(string $template = '', int $width = 595, int $height = 50) {
+	public function footerTemplatePreviewPdf(string $template = '', int $width = 595, int $height = 50, ?bool $writeQrcodeOnFooter = null) {
 		try {
-			$pdf = $this->footerService->renderPreviewPdf($template ?: null, $width, $height);
+			$pdf = $this->footerService->renderPreviewPdf($template ?: null, $width, $height, $writeQrcodeOnFooter);
 			return new DataDownloadResponse($pdf, 'footer-preview.pdf', 'application/pdf');
 		} catch (\Exception $e) {
 			return new DataResponse([
@@ -960,57 +969,6 @@ private function saveOrDeleteConfig(string $key, ?string $value, string $default
 		}
 	}
 
-	/**
-	 * Set signature flow configuration
-	 *
-	 * @param bool $enabled Whether to force a signature flow for all documents
-	 * @param string|null $mode Signature flow mode: 'parallel' or 'ordered_numeric' (only used when enabled is true)
-	 * @return DataResponse<Http::STATUS_OK, LibresignMessageResponse, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, LibresignErrorResponse, array{}>
-	 *
-	 * 200: Configuration saved successfully
-	 * 400: Invalid signature flow mode provided
-	 * 500: Internal server error
-	 */
-	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/signature-flow/config', requirements: ['apiVersion' => '(v1)'])]
-	public function setSignatureFlowConfig(bool $enabled, ?string $mode = null): DataResponse {
-		try {
-			if (!$enabled) {
-				$this->appConfig->deleteKey(Application::APP_ID, 'signature_flow');
-				return new DataResponse([
-					'message' => $this->l10n->t('Settings saved'),
-				]);
-			}
-
-			if ($mode === null) {
-				return new DataResponse([
-					'error' => $this->l10n->t('Mode is required when signature flow is enabled.'),
-				], Http::STATUS_BAD_REQUEST);
-			}
-
-			try {
-				$signatureFlow = \OCA\Libresign\Enum\SignatureFlow::from($mode);
-			} catch (\ValueError) {
-				return new DataResponse([
-					'error' => $this->l10n->t('Invalid signature flow mode. Use "parallel" or "ordered_numeric".'),
-				], Http::STATUS_BAD_REQUEST);
-			}
-
-			$this->appConfig->setValueString(
-				Application::APP_ID,
-				'signature_flow',
-				$signatureFlow->value
-			);
-
-			return new DataResponse([
-				'message' => $this->l10n->t('Settings saved'),
-			]);
-		} catch (\Exception $e) {
-			return new DataResponse([
-				'error' => $e->getMessage(),
-			], Http::STATUS_INTERNAL_SERVER_ERROR);
-		}
-	}
-
 	/**
 	 * Configure DocMDP signature restrictions
 	 *

lib/Controller/FileController.php

@@ -183,7 +183,7 @@ public function validateBinary(): DataResponse {
 				->toArray();
 			$statusCode = Http::STATUS_OK;
 		} catch (InvalidArgumentException $e) {
-			$message = $this->l10n->t($e->getMessage());
+			$message = $e->getMessage();
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]
@@ -255,15 +255,15 @@ private function validate(
 				->toArray();
 			$statusCode = Http::STATUS_OK;
 		} catch (LibresignException $e) {
-			$message = $this->l10n->t($e->getMessage());
+			$message = $e->getMessage();
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]
 			];
 			$statusCode = Http::STATUS_NOT_FOUND;
 		} catch (\Throwable $th) {
-			$message = $this->l10n->t($th->getMessage());
-			$this->logger->error($message);
+			$this->logger->error($th->getMessage(), ['exception' => $th]);
+			$message = $this->l10n->t('Internal error. Contact admin.');
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]