feat: add course authoring automatic migration mechanism

Author: BryanttV

openedx_authz/admin.py

@@ -4,7 +4,7 @@
 from django import forms
 from django.contrib import admin
 
-from openedx_authz.models import ExtendedCasbinRule
+from openedx_authz.models import AuthzCourseAuthoringMigrationRun, ExtendedCasbinRule
 
 
 class CasbinRuleForm(forms.ModelForm):
@@ -48,3 +48,12 @@ class CasbinRuleAdmin(admin.ModelAdmin):
     # TODO: In a future, possibly we should only show an inline for the rules that
     # have an extended rule, and show the subject and scope information in detail.
     inlines = [ExtendedCasbinRuleInline]
+
+
+@admin.register(AuthzCourseAuthoringMigrationRun)
+class AuthzCourseAuthoringMigrationRunAdmin(admin.ModelAdmin):
+    """Admin for AuthzCourseAuthoringMigrationRun to display additional metadata."""
+
+    list_display = ("id", "scope_type", "scope_key", "migration_type", "status", "created_at", "updated_at")
+    search_fields = ("scope_type", "scope_key", "migration_type", "status")
+    list_filter = ("scope_type", "migration_type", "status")

openedx_authz/engine/utils.py

@@ -7,19 +7,32 @@
 import logging
 
 from casbin_adapter.models import CasbinRule
-from django.db.models.signals import post_delete
+from django.conf import settings
+from django.db.models.signals import post_delete, pre_save
 from django.dispatch import receiver
 
 from openedx_authz.api.users import unassign_all_roles_from_user
 from openedx_authz.models.core import ExtendedCasbinRule
+from openedx_authz.models.migrations import MigrationType, ScopeType
+from openedx_authz.tasks import migrate_course_authoring_async
 
 try:
     from openedx.core.djangoapps.user_api.accounts.signals import USER_RETIRE_LMS_CRITICAL
 except ImportError:
     USER_RETIRE_LMS_CRITICAL = None
 
+try:
+    from openedx.core.djangoapps.waffle_utils.models import WaffleFlagCourseOverrideModel, WaffleFlagOrgOverrideModel
+except ImportError:
+    WaffleFlagCourseOverrideModel = None
+    WaffleFlagOrgOverrideModel = None
+
+
 logger = logging.getLogger(__name__)
 
+# Flag name to monitor for automatic migration
+AUTHZ_COURSE_AUTHORING_FLAG = "authz.enable_course_authoring"
+
 
 @receiver(post_delete, sender=ExtendedCasbinRule)
 def delete_casbin_rule_on_extended_rule_deletion(sender, instance, **kwargs):  # pylint: disable=unused-argument
@@ -82,3 +95,103 @@ def unassign_roles_on_user_retirement(sender, user, **kwargs):  # pylint: disabl
 # Only register the handler if the signal is available (i.e., running in Open edX)
 if USER_RETIRE_LMS_CRITICAL is not None:
     USER_RETIRE_LMS_CRITICAL.connect(unassign_roles_on_user_retirement)
+
+
+def trigger_course_authoring_migration(
+    instance: WaffleFlagCourseOverrideModel | WaffleFlagOrgOverrideModel,
+    scope_type: ScopeType,
+    scope_key: str,
+) -> None:
+    """Trigger an asynchronous migration run.
+
+    Args:
+        instance: The waffle flag instance that triggered the migration
+        scope_type (ScopeType): Type of scope being migrated: course or organization
+        scope_key (str): Course ID or organization name
+    """
+    if instance.waffle_flag != AUTHZ_COURSE_AUTHORING_FLAG:
+        return
+
+    last_flag_obj = None
+    if isinstance(instance, WaffleFlagCourseOverrideModel):
+        last_flag_obj = (
+            WaffleFlagCourseOverrideModel.objects.filter(course_id=instance.course_id).order_by("-id").first()
+        )
+    elif isinstance(instance, WaffleFlagOrgOverrideModel):
+        last_flag_obj = WaffleFlagOrgOverrideModel.objects.filter(org=instance.org).order_by("-id").first()
+
+    if last_flag_obj and last_flag_obj.enabled == instance.enabled:
+        logger.info("No change in waffle flag, skipping course migration")
+        return
+
+    if not instance.enabled:
+        migration_type = MigrationType.ROLLBACK
+    else:
+        migration_type = MigrationType.FORWARD
+
+    course_id_list = None
+    org_id = None
+
+    if scope_type == ScopeType.COURSE:
+        course_id_list = [scope_key]
+    elif scope_type == ScopeType.ORG:
+        org_id = scope_key
+
+    logger.info(f"Triggering {migration_type} migration for {scope_type}:{scope_key} due to waffle flag change")
+
+    migrate_course_authoring_async(
+        migration_type=migration_type,
+        scope_type=scope_type,
+        scope_key=scope_key,
+        course_id_list=course_id_list,
+        org_id=org_id,
+        delete_after=True,
+    )
+
+
+@receiver(pre_save, sender=WaffleFlagCourseOverrideModel)
+def handle_course_waffle_flag_change(sender, instance, **kwargs) -> None:  # pylint: disable=unused-argument
+    """Handle changes to course-level waffle flags.
+
+    When the authz.enable_course_authoring flag is changed for a course,
+    trigger the appropriate migration run. Only trigger if automatic migration
+    is enabled in the settings.
+
+    Args:
+        sender: The model class (WaffleFlagCourseOverrideModel)
+        instance: The flag override instance being saved
+        **kwargs: Additional keyword arguments from the signal
+    """
+    if not settings.ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION:
+        logger.info("Automatic migration is disabled, skipping course migration")
+        return
+
+    trigger_course_authoring_migration(
+        instance=instance,
+        scope_type=ScopeType.COURSE,
+        scope_key=str(instance.course_id),
+    )
+
+
+@receiver(pre_save, sender=WaffleFlagOrgOverrideModel)
+def handle_org_waffle_flag_change(sender, instance, **kwargs) -> None:  # pylint: disable=unused-argument
+    """Handle changes to organization-level waffle flags.
+
+    When the authz.enable_course_authoring flag is changed for an organization,
+    trigger the appropriate migration run. Only trigger if automatic migration
+    is enabled in the settings.
+
+    Args:
+        sender: The model class (WaffleFlagOrgOverrideModel)
+        instance: The flag override instance being saved
+        **kwargs: Additional keyword arguments from the signal
+    """
+    if not settings.ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION:
+        logger.info("Automatic migration is disabled, skipping organization migration")
+        return
+
+    trigger_course_authoring_migration(
+        instance=instance,
+        scope_type=ScopeType.ORG,
+        scope_key=str(instance.org),
+    )

openedx_authz/handlers.py

@@ -0,0 +1,82 @@
+# Generated by Django 5.2.12 on 2026-04-09 22:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("openedx_authz", "0007_coursescope"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthzCourseAuthoringMigrationRun",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                (
+                    "migration_type",
+                    models.CharField(
+                        choices=[("forward", "Legacy to AuthZ"), ("rollback", "AuthZ to Legacy")],
+                        help_text="Direction of migration: forward (legacy → authz) or rollback (authz → legacy)",
+                        max_length=20,
+                    ),
+                ),
+                (
+                    "scope_type",
+                    models.CharField(
+                        choices=[("course", "Course"), ("org", "Organization")],
+                        help_text="Type of scope being migrated: course or organization",
+                        max_length=20,
+                    ),
+                ),
+                (
+                    "scope_key",
+                    models.CharField(
+                        help_text="Identifier for the scope (e.g., course-v1:edX+DemoX+DemoCourse or org name)",
+                        max_length=255,
+                    ),
+                ),
+                (
+                    "status",
+                    models.CharField(
+                        choices=[
+                            ("pending", "Pending"),
+                            ("running", "Running"),
+                            ("completed", "Completed"),
+                            ("skipped", "Skipped"),
+                        ],
+                        default="pending",
+                        help_text="Current status of the migration run",
+                        max_length=20,
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True, help_text="When the migration run was created")),
+                (
+                    "updated_at",
+                    models.DateTimeField(auto_now=True, help_text="When the migration run was last updated"),
+                ),
+                (
+                    "completed_at",
+                    models.DateTimeField(blank=True, help_text="When the migration run was completed", null=True),
+                ),
+                (
+                    "metadata",
+                    models.JSONField(
+                        blank=True,
+                        default=dict,
+                        help_text="Additional metadata about the migration run (e.g., counts, warnings)",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Course Authoring Migration Run",
+                "verbose_name_plural": "Course Authoring Migration Runs",
+                "ordering": ["-created_at"],
+                "indexes": [
+                    models.Index(fields=["scope_type", "scope_key"], name="openedx_aut_scope_t_d43a35_idx"),
+                    models.Index(fields=["status"], name="openedx_aut_status_e34b60_idx"),
+                    models.Index(fields=["-created_at"], name="openedx_aut_created_ab3e0a_idx"),
+                ],
+            },
+        ),
+    ]

openedx_authz/migrations/0008_authzcourseauthoringmigrationrun.py

@@ -16,5 +16,6 @@
 """
 
 from openedx_authz.models.core import *
+from openedx_authz.models.migrations import *
 from openedx_authz.models.scopes import *
 from openedx_authz.models.subjects import *

openedx_authz/models/__init__.py

@@ -0,0 +1,130 @@
+"""Models for tracking migration runs between legacy and AuthZ systems.
+
+.. no_pii:
+"""
+
+from django.db import models
+from django.utils import timezone
+
+
+class MigrationType(models.TextChoices):
+    """Direction of migration."""
+
+    FORWARD = "forward", "Legacy to AuthZ"
+    ROLLBACK = "rollback", "AuthZ to Legacy"
+
+
+class Status(models.TextChoices):
+    """Status of the migration task."""
+
+    PENDING = "pending", "Pending"
+    RUNNING = "running", "Running"
+    COMPLETED = "completed", "Completed"
+    SKIPPED = "skipped", "Skipped"
+
+
+class ScopeType(models.TextChoices):
+    """Type of scope being migrated."""
+
+    COURSE = "course", "Course"
+    ORG = "org", "Organization"
+
+
+class AuthzCourseAuthoringMigrationRun(models.Model):
+    """Track the status of course authoring migration tasks.
+
+    This model is used to track async migrations between the legacy
+    CourseAccessRole system and the new AuthZ system.
+    """
+
+    migration_type = models.CharField(
+        max_length=20,
+        choices=MigrationType,
+        help_text="Direction of migration: forward (legacy → authz) or rollback (authz → legacy)",
+    )
+
+    scope_type = models.CharField(
+        max_length=20,
+        choices=ScopeType,
+        help_text="Type of scope being migrated: course or organization",
+    )
+
+    scope_key = models.CharField(
+        max_length=255,
+        help_text="Identifier for the scope (e.g., course-v1:edX+DemoX+DemoCourse or org name)",
+    )
+
+    status = models.CharField(
+        max_length=20,
+        choices=Status,
+        default=Status.PENDING,
+        help_text="Current status of the migration run",
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        help_text="When the migration run was created",
+    )
+
+    updated_at = models.DateTimeField(
+        auto_now=True,
+        help_text="When the migration run was last updated",
+    )
+
+    completed_at = models.DateTimeField(
+        null=True,
+        blank=True,
+        help_text="When the migration run was completed",
+    )
+
+    metadata = models.JSONField(
+        default=dict,
+        blank=True,
+        help_text="Additional metadata about the migration run (e.g., counts, warnings)",
+    )
+
+    class Meta:
+        verbose_name = "Course Authoring Migration Run"
+        verbose_name_plural = "Course Authoring Migration Runs"
+        ordering = ["-created_at"]
+        indexes = [
+            models.Index(fields=["scope_type", "scope_key"]),
+            models.Index(fields=["status"]),
+            models.Index(fields=["-created_at"]),
+        ]
+
+    @classmethod
+    def create_pending(cls, migration_type, scope_type, scope_key, metadata=None) -> "AuthzCourseAuthoringMigrationRun":
+        """Create a pending migration run."""
+        return cls.objects.create(
+            migration_type=migration_type,
+            scope_type=scope_type,
+            scope_key=scope_key,
+            metadata=metadata or {},
+        )
+
+    def mark_running(self) -> None:
+        """Mark the migration run as running."""
+        self.status = Status.RUNNING
+        self.save(update_fields=["status", "updated_at"])
+
+    def mark_skipped(self, *, reason=None) -> None:
+        """Mark the migration run as skipped."""
+        self.status = Status.SKIPPED
+        if reason:
+            self.metadata = {**(self.metadata or {}), "skip_reason": reason}
+            self.save(update_fields=["status", "updated_at", "metadata"])
+            return
+        self.save(update_fields=["status", "updated_at"])
+
+    def mark_completed(self, *, metadata_updates=None) -> None:
+        """Mark the migration run as completed."""
+        self.status = Status.COMPLETED
+        self.completed_at = timezone.now()
+        if metadata_updates:
+            self.metadata = {**(self.metadata or {}), **metadata_updates}
+        self.save(update_fields=["status", "completed_at", "updated_at", "metadata"])
+
+    def __str__(self) -> str:
+        """Return a string representation of the migration run."""
+        return f"[{self.id}] {self.migration_type} {self.scope_type}:{self.scope_key} {self.status}"

openedx_authz/models/migrations.py

@@ -54,3 +54,8 @@ def plugin_settings(settings):
     # This setting defines the logging level for the Casbin enforcer.
     if not hasattr(settings, "CASBIN_LOG_LEVEL"):
         settings.CASBIN_LOG_LEVEL = "WARNING"
+
+    # Set default ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION if not already set.
+    # This setting defines whether to enable automatic course migration.
+    if not hasattr(settings, "ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION"):
+        settings.ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION = False

openedx_authz/settings/common.py

@@ -78,3 +78,6 @@ def plugin_settings(settings):  # pylint: disable=unused-argument
 # Use stub model for testing instead of the real content_libraries app
 OPENEDX_AUTHZ_CONTENT_LIBRARY_MODEL = "stubs.ContentLibrary"
 OPENEDX_AUTHZ_COURSE_OVERVIEW_MODEL = "stubs.CourseOverview"
+
+# Migration settings
+ENABLE_AUTOMATIC_AUTHZ_COURSE_AUTHORING_MIGRATION = False