feat: hide signature_flow pref from users not in authorized groups

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Service/Policy/Provider/Signature/SignatureFlowPolicy.php

@@ -11,12 +11,20 @@
 use OCA\Libresign\Enum\SignatureFlow;
 use OCA\Libresign\Service\Policy\Contract\IPolicyDefinition;
 use OCA\Libresign\Service\Policy\Contract\IPolicyDefinitionProvider;
+use OCA\Libresign\Service\Policy\Model\PolicyContext;
 use OCA\Libresign\Service\Policy\Model\PolicySpec;
+use OCA\Libresign\Service\Policy\Provider\RequestSignGroups\RequestSignGroupsPolicyValue;
+use OCP\AppFramework\Services\IAppConfig;
 
 final class SignatureFlowPolicy implements IPolicyDefinitionProvider {
 	public const KEY = 'signature_flow';
 	public const SYSTEM_APP_CONFIG_KEY = 'policy.signature_flow.system';
 
+	public function __construct(
+		private IAppConfig $appConfig,
+	) {
+	}
+
 	#[\Override]
 	public function keys(): array {
 		return [
@@ -44,6 +52,7 @@ public function get(string|\BackedEnum $policyKey): IPolicyDefinition {
 				},
 				appConfigKey: self::SYSTEM_APP_CONFIG_KEY,
 				resolutionMode: PolicySpec::RESOLUTION_MODE_VALUE_CHOICE,
+				eligibilityChecker: fn (PolicyContext $context): bool => $this->isUserInAuthorizedGroup($context),
 			),
 			default => throw new \InvalidArgumentException('Unknown policy key: ' . $this->normalizePolicyKey($policyKey)),
 		};
@@ -56,4 +65,25 @@ private function normalizePolicyKey(string|\BackedEnum $policyKey): string {
 
 		return $policyKey;
 	}
+
+	private function isUserInAuthorizedGroup(PolicyContext $context): bool {
+		$authorizedGroupsJson = $this->appConfig->getAppValueString(
+			'policy.groups_request_sign',
+			RequestSignGroupsPolicyValue::encode(RequestSignGroupsPolicyValue::DEFAULT_GROUPS),
+		);
+		$authorizedGroups = RequestSignGroupsPolicyValue::decode($authorizedGroupsJson);
+
+		$userGroups = $context->getGroups();
+		if ($userGroups === []) {
+			return false;
+		}
+
+		foreach ($userGroups as $userGroup) {
+			if (in_array($userGroup, $authorizedGroups, true)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
 }

tests/php/Unit/Service/Policy/Provider/Signature/SignatureFlowPolicyTest.php

@@ -9,12 +9,19 @@
 namespace OCA\Libresign\Tests\Unit\Service\Policy\Provider\Signature;
 
 use OCA\Libresign\Service\Policy\Model\PolicyContext;
+use OCA\Libresign\Service\Policy\Provider\RequestSignGroups\RequestSignGroupsPolicyValue;
 use OCA\Libresign\Service\Policy\Provider\Signature\SignatureFlowPolicy;
+use OCP\AppFramework\Services\IAppConfig;
 use PHPUnit\Framework\TestCase;
 
 final class SignatureFlowPolicyTest extends TestCase {
 	public function testProviderBuildsSignatureFlowDefinition(): void {
-		$provider = new SignatureFlowPolicy();
+		$appConfig = $this->createMock(IAppConfig::class);
+		$appConfig->method('getAppValueString')->willReturn(
+			RequestSignGroupsPolicyValue::encode(RequestSignGroupsPolicyValue::DEFAULT_GROUPS)
+		);
+
+		$provider = new SignatureFlowPolicy($appConfig);
 		$this->assertSame([SignatureFlowPolicy::KEY], $provider->keys());
 		$definition = $provider->get(SignatureFlowPolicy::KEY);