feat(groups): Allow group membership management

[javirln]

This patch introduces support for managing users within a group. Key changes include:

• New API endpoints:
  • AddMembers to add users to a group
  • RemoveMembers to remove users from a group
• Audit logging for membership changes
• Extended test coverage to include the new endpoints
• API-level refactor to use a generic IdentityReference for group-related requests
• New CLI commands for group and membership management (currently hidden):
  • group
  • group describe
  • group list
  • group delete
  • group member add
  • group member list
  • group member delete
• CLI commands handle pagination when needed and confirmation prompts for deletions

Permissions matrix:

• Admins and Owners have full access to group and membership operations
• Only Admins, Owners, and Group Maintainers can add or remove members
• Viewers and Org Members can list groups and their members

Pending:

• Support for updating a user’s role within a group.
• CLI support for updating groups

CLI Examples:

Creating a group

$ chainloop group create --name "Operations" --description "Focused group dedicated to day to day operations"
┌──────────────────────────────────────┬────────────┬──────────────────────────────────────────────────┬──────────────────────┬──────────────────────┐
│ ID                                   │ NAME       │ DESCRIPTION                                      │ CREATED AT           │ UPDATED AT           │
├──────────────────────────────────────┼────────────┼──────────────────────────────────────────────────┼──────────────────────┼──────────────────────┤
│ 69314171-9705-473f-988c-3a57365aa7cd │ Operations │ Focused group dedicated to day to day operations │ 2025-06-26T15:44:18Z │ 2025-06-26T15:44:18Z │
└──────────────────────────────────────┴────────────┴──────────────────────────────────────────────────┴──────────────────────┴──────────────────────┘
INF Group created successfully

Adding members to a group

$ chainloop group member add --name "Operations" --email "john@chainloop.local"
INF Member john@chainloop.local successfully added to group Operations

Listing members of a group

$ chainloop group member list --name Operations                                
┌──────────────────────────────────────────────┬────────────┬─────────────────────┐
│ EMAIL                                        │ ROLE       │ ADDED AT            │
├──────────────────────────────────────────────┼────────────┼─────────────────────┤
│ john@chainloop.local                         │ Member     │ 26 Jun 25 15:45 UTC │
│ Sarah De los Angeles <sarah@chainloop.local> │ Maintainer │ 26 Jun 25 15:44 UTC │
└──────────────────────────────────────────────┴────────────┴─────────────────────┘
INF Showing [1-2] out of 2

Removing members from a group

$ chainloop group member delete --name Operations --email "john@chainloop.local"
WRN You are about to remove the user "john@chainloop.local" from the group "Operations"

To confirm, please type "1QKW-7MAU"
1QKW-7MAU 
INF Member john@chainloop.local successfully removed from group Operations

Removing groups

$ chainloop group delete --name Operations
WRN Are you sure you want to delete the group 'Operations'?
To confirm, please type "RA72-4LQC"
RA72-4LQC
INF Group 'Operations' has been removed

[migmartri]

chore(groups)

maybe more like feature? :)

[migmartri]

Great description of the PR @javirln!

[migmartri]

@javirln let me know once you have fixed the conflicts

[jiparis]

If I'm not wrong, we agreed on not adding the OrgAdmin as maintainer. They can declare other maintainers, but they don't need to be maintainers as they are already admins (and maintainers are not mandatory)

[migmartri]

in GitHub, the creator of the group becomes a maintainer automatically, then they can leave though

[jiparis]

Yes, not a big deal at all. Let's keep it.

[migmartri]

is force used?

[javirln]

I think it is from a previous implementation, removing it.

[migmartri]

it might not need to be exposed

[migmartri]

this doesn't exist already?

[javirln]

I haven't seen it, we parse the time individually, see the example of workflow list

chainloop/app/cli/cmd/workflow_list.go

Line 128 in e461bc7

p.CreatedAt.Format(time.RFC822),

[migmartri]

in GitHub, the creator of the group becomes a maintainer automatically, then they can leave though

[jiparis]

The GroupUpdate operation is implemented in backend but not exposed in the CLI. We can do it later.

[jiparis]

I think here we should now use the enforcer.

[jiparis]

Here, userRole would be the Organization role, not the "maintainer" role. The idea would be to remove the above if isMaintainer check (or leave it as a double check), and look for the membership role of the user in the group. If found (it would be role:group:maintainer, we use it to enforce the permission. You can just use the current helpers:

       // Allow if user has admin or owner role
	if userRole == string(authz.RoleAdmin) || userRole == string(authz.RoleOwner) {
		return nil
	}
...
      return authorizeResource(ctx, policy, authz.ResourceTypeGroup, resolvedGroupID)

This way we rely entirely on roles to authorize the operation. It might look more complex, but it's way more flexible, since we can add later other roles, or remove some permissions from the current one, etc.

[jiparis]

Update: authorizeResource cannot be used since it only works if RBAC is enabled (Member role). You'll need to iterate through user resource memberships from the context.

[jiparis]

@javirln we are almost there. I found that the Role is not used at all, since it's still using the maintainer flag for everything.

[migmartri]

Thanks @javirln

[jiparis]

Thanks @javirln it works great!