AAI-421: add admin endpoints for approve and revoke access to platforms and groups

[amandazhuyilan]

Description

AAI-421: add admin endpoints for approve and revocation (with reasons) for groups and platforms.

Changes

• New approval admin endpoint added for groups
• Revoke endpoint now accepts the body, propagates the reason, and guards missing services
• Admin and model tests updated to cover the new reason behaviour

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have added unit / integration tests that prove my fix is effective or that my feature works
• I have run all tests locally and they pass
• I have updated the documentation (if applicable)

How to Test Manually (if necessary)

<Describe how reviewers can manually, if necessary, test the changes>

[Copilot]

Pull Request Overview

This PR adds administrative endpoints for approving and revoking user access to platforms and groups, with support for storing revocation reasons up to 1024 characters.

Key changes:

• New admin endpoints for approve/revoke operations on platforms, groups, and generic services
• Database schema updates to store revocation reasons in membership and history tables
• Request validation model that enforces trimming and character limits for revocation reasons

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
routers/admin.py	Adds new admin endpoints and helper functions for approve/revoke operations
db/models.py	Updates membership models to include revocation_reason field and history tracking
db/types.py	Adds revocation_reason field to membership data models
tests/test_admin.py	Test coverage for new approve/revoke functionality
tests/db/test_models.py	Tests for revocation reason storage in models and history
migrations/	Database migration files for adding revocation_reason columns
README.md	Minor documentation improvements for migration generation

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[marius-mather]

A few changes needed here:

• Unless I've missed something, platform and group approvals are separate and done by different people. So we don't need combined endpoints that do both.
• We need to confirm that the admin has permission to act on the specific platform/group by checking their roles in their access token against the admin roles defined in the DB
• Not sure why we ended up with multiple migration files - is it possible to delete the new ones, and see if generating them again creates a single migration (might help to merge main into this branch first)

[amandazhuyilan]

Ready for review again @marius-mather 👍 - a list of changes:

• Added a check for the admin roles before approving or revoking members to the groups / platforms
• Separated the approvals and revokes for platforms and groups, previously grouped them as services and resources
• Merged empty migration files
• Update tests accordingly

[marius-mather]

Needs some slight tweaking in terms of how we look up groups and platforms - we should do this from the DB wherever possible, PLATFORM_MAPPING/GROUP_MAPPING are workarounds that should only be needed in specific cases.

I've fixed up the migrations so that the previous platform-related ones aren't deleted - they might have already been applied on the deployment so we don't want to remove them.

Otherwise looks good to go.

[amandazhuyilan]

One last review please @marius-mather 🙏

[marius-mather]

@amandazhuyilan force-pushing undid the fix I did for migrations - please don't force push or it can break things like that. I will fix migrations again now, after that this is looking good to merge.

[marius-mather]

Looking good now, thanks!