Launchpad MP (501314) - r00ta/openfga-users-to-groups-endpoints

[r00tabot]

This is autogenerated by maas.r00ta.com. Enjoy!

Commit message: feat: add v2 and v3 API usergroup membership endpoints

Details:

• openfga built-in migrations are executed before the alembic migrations, because we added an alembic migration that creates a view on the openfga.tuple table.
• A new view maasserver_usergroup_members_view has been added. It reads data from the openfga.tuple table and joins it with the auth_user table, so to return the list of users and their groups.
• V2 endpoints to list, add and remove users to groups
• V3 endpoints to list, add and remove users to groups
• Avoid adding system users to groups.

[Copilot]

Pull request overview

Adds user↔group membership management backed by OpenFGA tuples, exposing the functionality via new V2 and V3 API endpoints and a DB view to list group members, while avoiding auto-assigning internal/system users to groups.

Changes:

• Add maasserver_usergroup_members_view (via Alembic + test DB seed) and a read-only repository/model to list group members.
• Add servicelayer membership operations (list/add/remove) plus OpenFGA tuple deletion helper.
• Add V2 + V3 API endpoints and tests for listing/adding/removing group members; skip system users in auto-group assignment.

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
src/tests/maasservicelayer/services/test_usergroups.py	Expands servicelayer tests for membership operations and new error case.
src/tests/maasservicelayer/services/test_openfga_tuples.py	Adds integration test for removing a user from a group tuple.
src/tests/maasservicelayer/db/repositories/test_usergroups_members.py	Adds repository/clause-factory tests for the new members view repository.
src/tests/maasapiserver/v3/api/public/handlers/test_usergroups.py	Adds V3 API handler tests for group membership endpoints.
src/tests/fixtures/factories/user.py	Changes default test-user creation fields (notably email).
src/maasservicelayer/services/usergroups.py	Adds membership methods and “already in group” validation to servicelayer.
src/maasservicelayer/services/openfga_tuples.py	Adds a helper to delete a specific user’s membership tuple for a group.
src/maasservicelayer/services/init.py	Wires UserGroupMembersRepository into the service collection.
src/maasservicelayer/models/usergroup_members.py	Introduces UserGroupMember model for members view rows.
src/maasservicelayer/db/tables.py	Adds SQLAlchemy table metadata for maasserver_usergroup_members_view.
src/maasservicelayer/db/repositories/usergroups_members.py	Adds read-only repository + clause factory for the members view.
src/maasservicelayer/db/alembic/versions/0020_create_maasserver_user_group_membership.py	Creates the maasserver_usergroup_members_view view.
src/maasserver/testing/initial.maas_test.sql	Updates test DB seed with the view + bumps Alembic version.
src/maasserver/testing/factory.py	Adds a factory helper to create usergroups via servicelayer.
src/maasserver/models/signals/users.py	Skips system users when auto-adding new users to default groups.
src/maasserver/models/signals/tests/test_users.py	Adds tests ensuring system users do not get OpenFGA group tuples.
src/maasserver/management/commands/dbupgrade.py	Runs OpenFGA built-in migrations before Alembic migrations.
src/maasserver/exceptions.py	Adds a 409 conflict exception for “user already in group” (V2 API).
src/maasserver/api/usergroups.py	Adds V2 membership endpoints (list/add/remove).
src/maasserver/api/tests/test_usergroups.py	Adds V2 API tests for membership endpoints.
src/maasopenfga/internal/migrations/00002_migrate_environments.go	Attempts to ignore internal users during OpenFGA environment migration.
src/maasapiserver/v3/api/public/models/responses/usergroup_members.py	Adds V3 response models for group members list.
src/maasapiserver/v3/api/public/models/requests/usergroup_members.py	Adds V3 request model for adding a member to a group.
src/maasapiserver/v3/api/public/handlers/usergroups.py	Adds V3 endpoints to list/add/remove group members.

Comments suppressed due to low confidence (1)

src/tests/fixtures/factories/user.py:31

• create_test_user() now sets a fixed default email (mail@example.com). In this codebase auth_user.email is unique, so creating multiple users without overriding email will violate the unique constraint and break many tests. Generate a unique default email (e.g. derived from username/random) or leave it unset unless provided.

    user = {
        "username": "myusername",
        "password": "pbkdf2_sha256$260000$f1nMJPH4Z5Wc8QxkTsZ1p6$ylZBpgGE3FNlP2zOU21cYiLtvxwtkglsPKUETtXhzDw=",  # hash('test')
        "is_superuser": False,
        "first_name": "first",
        "last_name": "last",
        "email": "mail@example.com",
        "is_staff": False,
        "is_active": True,
        "date_joined": date_joined,
    }
    user.update(extra_details)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.