feat: Add CCX concepts

No permissions are granted for CCX courses, this is just a placeholder
to keep these courses from erroring until we get to the LMS side

Author: Tycho Hob

openedx_authz/api/data.py

@@ -838,6 +838,30 @@ class OrgCourseOverviewGlobData(OrgGlobData):
 
     NAMESPACE: ClassVar[str] = "course-v1"
     ID_SEPARATOR: ClassVar[str] = "+"
+    
+    
+class CCXCourseOverviewData(CourseOverviewData):
+    """CCX course scope for authorization in the Open edX platform.
+
+    Inherits from CourseOverviewData as CCXs are coursees, just in a different namespace.
+
+    Attributes:
+        NAMESPACE: 'ccx-v1' for course scopes.
+        external_key: The course identifier (e.g., 'ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1').
+            Must be a valid CourseKey format.
+        namespaced_key: The course identifier with namespace (e.g., 'ccx-v1^ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1').
+        course_id: Property alias for external_key.
+
+    Examples:
+        >>> course = CourseOverviewData(external_key='ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1')
+        >>> course.namespaced_key
+        'ccx-v1^ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1'
+        >>> course.course_id
+        'ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1'
+
+    """
+
+    NAMESPACE: ClassVar[str] = "ccx-v1"
 
 
 class SubjectMeta(type):

openedx_authz/constants/roles.py

@@ -180,6 +180,13 @@
 
 COURSE_BETA_TESTER = RoleData(external_key="course_beta_tester", permissions=COURSE_BETA_TESTER_PERMISSIONS)
 
+# This is a known LMS-only permission, but doesn't actually grant anything yet.
+# 
+# It is intended to be handled in the Willow time frame.
+CCX_COACH_PERMISSIONS = []
+CCX_COACH = RoleData(external_key="ccx_coach", permissions=CCX_COACH_PERMISSIONS)
+
+
 # Map of legacy course role names to their equivalent new roles
 # This mapping must be unique in both directions, since it may be used as a reverse lookup (value → key).
 # If multiple keys share the same value, it will lead to collisions.
@@ -189,4 +196,5 @@
     "limited_staff": COURSE_LIMITED_STAFF.external_key,
     "data_researcher": COURSE_DATA_RESEARCHER.external_key,
     "beta_testers": COURSE_BETA_TESTER.external_key,
+    "ccx_coach": CCX_COACH.external_key,
 }

openedx_authz/engine/utils.py

@@ -169,6 +169,22 @@ def migrate_legacy_permissions(ContentLibraryPermission):
     return permissions_with_errors
 
 
+def _validate_migration_input(course_id_list, org_id):
+    """
+    Validate the common inputs for the migration functions.
+    """
+    if not course_id_list and not org_id:
+        raise ValueError(
+            "At least one of course_id_list or org_id must be provided to limit the scope of the migration."
+        )
+
+    if course_id_list and any([course_key for course_key in course_id_list if not course_key.startswith("course-v1:")]):
+        raise ValueError(
+            "Only full course keys (e.g., 'course-v1:org+course+run') are supported in the course_id_list."
+            " Other course types such as CCX are not supported."
+        )
+
+
 def migrate_legacy_course_roles_to_authz(course_access_role_model, course_id_list, org_id, delete_after_migration):
     """
     Migrate legacy course role data to the new Casbin-based authorization model.
@@ -194,10 +210,8 @@ def migrate_legacy_course_roles_to_authz(course_access_role_model, course_id_lis
     param org_id: Optional organization ID to filter the migration.
     param delete_after_migration: Whether to delete successfully migrated legacy permissions after migration.
     """
-    if not course_id_list and not org_id:
-        raise ValueError(
-            "At least one of course_id_list or org_id must be provided to limit the scope of the migration."
-        )
+    _validate_migration_input(course_id_list, org_id)
+
     course_access_role_filter = {
         "course_id__startswith": "course-v1:",
     }
@@ -280,10 +294,7 @@ def migrate_authz_to_legacy_course_roles(
     param delete_after_migration: Whether to unassign successfully migrated permissions
     from the new model after migration.
     """
-    if not course_id_list and not org_id:
-        raise ValueError(
-            "At least one of course_id_list or org_id must be provided to limit the scope of the rollback migration."
-        )
+    _validate_migration_input(course_id_list, org_id)
 
     # 1. Get all users with course-related permissions in the new model by filtering
     # UserSubjects that are linked to CourseScopes with a valid course overview.

openedx_authz/tests/api/test_data.py

@@ -8,6 +8,7 @@
 
 from openedx_authz.api.data import (
     ActionData,
+    CCXCourseOverviewData,
     ContentLibraryData,
     CourseOverviewData,
     OrgContentLibraryGlobData,
@@ -257,6 +258,8 @@ def test_scope_data_registration(self):
         self.assertIs(ScopeData.scope_registry["lib"], ContentLibraryData)
         self.assertIn("course-v1", ScopeData.scope_registry)
         self.assertIs(ScopeData.scope_registry["course-v1"], CourseOverviewData)
+        self.assertIn("ccx-v1", ScopeData.scope_registry)
+        self.assertIs(ScopeData.scope_registry["ccx-v1"], CCXCourseOverviewData)
 
         # Glob registries for organization-level scopes
         self.assertIn("lib", ScopeMeta.glob_registry)
@@ -265,6 +268,7 @@ def test_scope_data_registration(self):
         self.assertIs(ScopeMeta.glob_registry["course-v1"], OrgCourseOverviewGlobData)
 
     @data(
+        ("ccx-v1^ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1", CCXCourseOverviewData),
         ("course-v1^course-v1:WGU+CS002+2025_T1", CourseOverviewData),
         ("lib^lib:DemoX:CSPROB", ContentLibraryData),
         ("lib^lib:DemoX*", OrgContentLibraryGlobData),
@@ -285,6 +289,7 @@ def test_dynamic_instantiation_via_namespaced_key(self, namespaced_key, expected
         self.assertEqual(instance.namespaced_key, namespaced_key)
 
     @data(
+        ("ccx-v1^ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1", CCXCourseOverviewData),
         ("course-v1^course-v1:WGU+CS002+2025_T1", CourseOverviewData),
         ("lib^lib:DemoX:CSPROB", ContentLibraryData),
         ("lib^lib:DemoX:*", OrgContentLibraryGlobData),
@@ -297,6 +302,8 @@ def test_get_subclass_by_namespaced_key(self, namespaced_key, expected_class):
         """Test get_subclass_by_namespaced_key returns correct subclass.
 
         Expected Result:
+            - 'ccx-v1^...' returns CCXCourseOverviewData
+            - 'course-v1^...' returns CourseOverviewData
             - 'lib^...' returns ContentLibraryData
             - 'global^...' returns ScopeData
             - 'unknown^...' returns ScopeData (fallback)
@@ -306,6 +313,7 @@ def test_get_subclass_by_namespaced_key(self, namespaced_key, expected_class):
         self.assertIs(subclass, expected_class)
 
     @data(
+        ("ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1", CCXCourseOverviewData),
         ("course-v1:WGU+CS002+2025_T1", CourseOverviewData),
         ("lib:DemoX:CSPROB", ContentLibraryData),
         ("lib:DemoX:*", OrgContentLibraryGlobData),
@@ -326,6 +334,11 @@ def test_get_subclass_by_external_key(self, external_key, expected_class):
         self.assertIs(subclass, expected_class)
 
     @data(
+        ("ccx-v1:OpenedX+DemoX+DemoCourse+ccx@1", True, CCXCourseOverviewData),
+        ("ccx:OpenedX+DemoX+DemoCourse+ccx@1", False, CCXCourseOverviewData),
+        ("ccx-v2:OpenedX+DemoX+DemoCourse+ccx@1", False, CCXCourseOverviewData),
+        ("ccx-v1-OpenedX+DemoX+DemoCourse+ccx@1", False, CCXCourseOverviewData),
+        ("ccx-v1-OpenedX+DemoX+DemoCourse+ccx", False, CCXCourseOverviewData),
         ("course-v1:WGU+CS002+2025_T1", True, CourseOverviewData),
         ("course:WGU+CS002+2025_T1", False, CourseOverviewData),
         ("course-v2:WGU+CS002+2025_T1", False, CourseOverviewData),

openedx_authz/tests/test_migrations.py

@@ -196,6 +196,7 @@ def setUp(self):
             "org": self.org,
             "course_id": self.course_id,
         }
+        self.invalid_course = f"ccx-v1:{self.org}+{OBJECT_PREFIX}+2026_01+ccx@2"
         self.course_overview = CourseOverview.objects.create(
             id=self.course_id, org=self.org, display_name=f"{OBJECT_PREFIX} Course"
         )
@@ -883,6 +884,17 @@ def test_migrate_authz_to_legacy_course_roles_with_no_org_and_courses(self):
                 CourseAccessRole, UserSubject, course_id_list=None, org_id=None, delete_after_migration=True
             )
 
+    @patch("openedx_authz.api.data.CourseOverview", CourseOverview)
+    def test_migrate_authz_to_legacy_course_roles_with_invalid_courses(self):
+        with self.assertRaises(ValueError):
+            migrate_authz_to_legacy_course_roles(
+                CourseAccessRole,
+                UserSubject,
+                course_id_list=[self.invalid_course],
+                org_id=None,
+                delete_after_migration=True,
+            )
+
     @patch("openedx_authz.api.data.CourseOverview", CourseOverview)
     def test_migrate_legacy_course_roles_to_authz_with_no_org_and_courses(self):
         # Migrate from legacy CourseAccessRole to new Casbin-based model
@@ -891,6 +903,16 @@ def test_migrate_legacy_course_roles_to_authz_with_no_org_and_courses(self):
                 CourseAccessRole, course_id_list=None, org_id=None, delete_after_migration=True
             )
 
+    @patch("openedx_authz.api.data.CourseOverview", CourseOverview)
+    def test_migrate_legacy_course_roles_to_authz_with_invalid_courses(self):
+        with self.assertRaises(ValueError):
+            migrate_legacy_course_roles_to_authz(
+                CourseAccessRole,
+                course_id_list=[self.invalid_course],
+                org_id=None,
+                delete_after_migration=True,
+            )
+
     @patch("openedx_authz.management.commands.authz_migrate_course_authoring.CourseAccessRole", CourseAccessRole)
     @patch("openedx_authz.management.commands.authz_migrate_course_authoring.migrate_legacy_course_roles_to_authz")
     def test_authz_migrate_course_authoring_command(self, mock_migrate):

requirements/base.in

@@ -8,6 +8,7 @@ attrs                       # Classes without boilerplate
 pycasbin                    # Authorization library for implementing access control models
 casbin-django-orm-adapter   # Adapter for Django ORM for Casbin
 edx-opaque-keys             # Opaque keys for resource identification
+edx-ccx-keys                # CCX keys for Custom Course identification
 edx-api-doc-tools           # Tools for API documentation
 edx-django-utils            # Used for RequestCache
 edx-drf-extensions          # Extensions for Django Rest Framework used by Open edX

requirements/base.txt

@@ -64,6 +64,8 @@ drf-yasg==1.21.11
     # via edx-api-doc-tools
 edx-api-doc-tools==2.1.2
     # via -r requirements/base.in
+edx-ccx-keys==2.0.2
+    # via -r requirements/base.in
 edx-django-utils==8.0.1
     # via
     #   -r requirements/base.in
@@ -75,6 +77,7 @@ edx-drf-extensions==10.6.0
 edx-opaque-keys==3.0.0
     # via
     #   -r requirements/base.in
+    #   edx-ccx-keys
     #   edx-drf-extensions
     #   edx-organizations
 edx-organizations==7.3.0
@@ -115,6 +118,8 @@ semantic-version==2.10.0
     # via edx-drf-extensions
 simpleeval==1.0.3
     # via pycasbin
+six==1.17.0
+    # via edx-ccx-keys
 sqlparse==0.5.3
     # via django
 stevedore==5.5.0

requirements/dev.txt

@@ -15,7 +15,7 @@ astroid==4.0.3
     #   pylint-celery
 attrs==25.3.0
     # via -r requirements/quality.txt
-build==1.4.0
+build==1.4.2
     # via
     #   -r requirements/pip-tools.txt
     #   pip-tools
@@ -140,6 +140,8 @@ drf-yasg==1.21.11
     #   edx-api-doc-tools
 edx-api-doc-tools==2.1.2
     # via -r requirements/quality.txt
+edx-ccx-keys==2.0.2
+    # via -r requirements/quality.txt
 edx-django-utils==8.0.1
     # via
     #   -r requirements/quality.txt
@@ -155,6 +157,7 @@ edx-lint==5.6.0
 edx-opaque-keys==3.0.0
     # via
     #   -r requirements/quality.txt
+    #   edx-ccx-keys
     #   edx-drf-extensions
     #   edx-organizations
 edx-organizations==7.3.0
@@ -338,6 +341,7 @@ simpleeval==1.0.3
 six==1.17.0
     # via
     #   -r requirements/quality.txt
+    #   edx-ccx-keys
     #   edx-lint
 snowballstemmer==3.0.1
     # via

requirements/doc.txt

@@ -119,6 +119,8 @@ drf-yasg==1.21.11
     #   edx-api-doc-tools
 edx-api-doc-tools==2.1.2
     # via -r requirements/test.txt
+edx-ccx-keys==2.0.2
+    # via -r requirements/test.txt
 edx-django-utils==8.0.1
     # via
     #   -r requirements/test.txt
@@ -130,6 +132,7 @@ edx-drf-extensions==10.6.0
 edx-opaque-keys==3.0.0
     # via
     #   -r requirements/test.txt
+    #   edx-ccx-keys
     #   edx-drf-extensions
     #   edx-organizations
 edx-organizations==7.3.0
@@ -292,6 +295,10 @@ simpleeval==1.0.3
     # via
     #   -r requirements/test.txt
     #   pycasbin
+six==1.17.0
+    # via
+    #   -r requirements/test.txt
+    #   edx-ccx-keys
 snowballstemmer==3.0.1
     # via sphinx
 soupsieve==2.8

requirements/pip-tools.txt

@@ -4,7 +4,7 @@
 #
 #    pip-compile --output-file=requirements/pip-tools.txt requirements/pip-tools.in
 #
-build==1.4.0
+build==1.4.2
     # via pip-tools
 click==8.3.1
     # via pip-tools