From 0b3994b7cd3766d3fb0dd08aeef88cc5cd0d8696 Mon Sep 17 00:00:00 2001
From: claravox
Date: Thu, 5 Oct 2023 15:32:30 +0200
Subject: [PATCH 1/4] YDA-4101: add ability to create external user with custom creator

---
 uuGroup.r | 59 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 52 insertions(+), 7 deletions(-)

diff --git a/uuGroup.r b/uuGroup.r
index 5ca5ed184..9b6da0790 100644
--- a/uuGroup.r
+++ b/uuGroup.r
@@ -460,6 +460,25 @@ uuGroupGetDescription(*groupName, *description) {
 }
 }
 
+# \brief Get a list of both manager and non-manager members of a group.
+#
+# This function ignores zone names, this is usually a bad idea.
+#
+# \deprecated Use uuGroupGetMembers(*groupName, *includeRo, *addTypePrefix, *members) instead
+#
+# \param[in] groupName
+# \param[out] members a list of user names
+#
+uuGroupGetMembers(*groupName, *members) {
+ uuGroupGetMembers(*groupName, false, false, *m);
+ *members = list();
+ foreach (*member in *m) {
+ # Throw away the zone name for backward compat.
+ uuChop(*member, *name, *_, "#", true);
+ *members = cons(*name, *members);
+ }
+}
+
 # \brief Get a list of a group's members.
 #
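Review bot: The deprecated two-argument `uuGroupGetMembers` overload added in this hunk is unrelated to the subject line (custom creator for external users) and looks like a rebase artefact; if it is intended, the commit message should say which caller still needs it. Because the loop chops everything after `#`, two users with the same name in different zones become indistinguishable in the returned list, so the header warning could be made actionable: `# Do not use the result for access decisions; use the four-argument form, which keeps the zone.`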
@@ -922,17 +941,28 @@ uuUserMetaRemove(*userName, *property, *status, *message) {
 }
 }
 
-# \brief Add a user to a group.
+# \brief Add a user to a group on behalf of another user.
 #
 # \param[in] groupName
-# \param[in] user the user to add to the group
-# \param[out] status zero on success, non-zero on failure
-# \param[out] message a user friendly error message, may contain the reason why an action was disallowed
+# \param[in] user the user to add to the group
+# \param[in] creatorUser the user who will add the new user
+# \param[in] creatorZone the zone of the user who will add the new user
+# \param[out] status zero on success, non-zero on failure
+# \param[out] message a user friendly error message, may contain the reason why an action was disallowed
 #
-uuGroupUserAdd(*groupName, *user, *status, *message) {
+uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message) {
 *status = '1';
 *message = "An internal error occurred.";
 
+ # Check that the creator user exists
+ *fullName = "*creatorUser#*creatorZone";
+
+ uuUserExists(*fullName, *exists);
+ # If creator does not exist, exit
+ if (!*exists) {
+ succeed; # Return here (fail would ruin the status and error message).
+ }
+
 uuGetUserAndZone(*user, *userName, *userZone);
 *fullName = "*userName#*userZone";
 
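Review bot: When the creator does not exist, the new guard in `uuGroupUserAdd` returns with the defaults set a few lines earlier, `*status = '1'` and `*message = "An internal error occurred."`, so a caller-supplied bad creator is reported as an internal error rather than as invalid input. Set a specific message before the early exit, e.g. `*message = "Creator user *fullName does not exist.";` immediately above `succeed;`. The existence check only proves the creator is a real account, not that the caller may act on its behalf; the next two patches in this series add that actor check, so nothing further is needed here. The rule body continues past the end of this hunk.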
@@ -956,13 +986,13 @@ uuGroupUserAdd(*groupName, *user, *status, *message) {
 if (*externalUser == "1") {
 *http_code = ""
 *message = ""
- rule_group_provision_external_user(*userName, $userNameClient, $rodsZoneClient, *http_code, *message);
+ rule_group_provision_external_user(*userName, *creatorUser, *creatorZone, *http_code, *message);
 if (*message != "") {
 writeLine("serverLog", "[EXTERNAL USER] *message");
 *status = *http_code;
 succeed; # Return here (fail would ruin the status and error message).
 }
- writeLine("serverLog", "[EXTERNAL USER] User *userName added by $userNameClient on $rodsZoneClient.");
+ writeLine("serverLog", "[EXTERNAL USER] User *userName added on the behalf of *creatorUser on *creatorZone.");
 }
 }
 
@@ -978,6 +1008,21 @@ uuGroupUserAdd(*groupName, *user, *status, *message) {
 }
 }
 
+# \brief Add a user to a group.
+#
+# \param[in] groupName
+# \param[in] user the user to add to the group
+# \param[out] status zero on success, non-zero on failure
+# \param[out] message a user friendly error message, may contain the reason why an action was disallowed
+#
+uuGroupUserAdd(*groupName, *user, *status, *message) {
+ *status = '1';
+ *message = "An internal error occurred.";
+
+ uuGroupUserAdd(*groupName, *user, $userNameClient, $rodsZoneClient, *status, *message)
+}
+
+
 # \brief Remove a user from a group.
 #
 # \param[in] groupName
From 85873130e920fa1f956069837a995609c36925d9 Mon Sep 17 00:00:00 2001
From: claravox
Date: Fri, 6 Oct 2023 14:51:31 +0200
Subject: [PATCH 2/4] Add additional logging and authentication check

---
 uuGroup.r | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/uuGroup.r b/uuGroup.r
index 9b6da0790..34c7480e4 100644
--- a/uuGroup.r
+++ b/uuGroup.r
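Review bot: The two assignments at the top of the four-argument `uuGroupUserAdd` wrapper in the second hunk (`@@ -978,6 +1008,21 @@`) are dead code: the six-argument rule it delegates to overwrites `*status` and `*message` as its first two statements (shown in the earlier hunk of this patch), so the wrapper body can be just the delegating call. A one-line comment would also tell readers why the overload exists, e.g. `# Backward-compatible form: the calling client ($userNameClient#$rodsZoneClient) acts as the creator.` The two blank lines inserted before `# \brief Remove a user from a group.` break the single-blank-line spacing the file otherwise uses between rules.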
@@ -954,10 +954,11 @@ uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message)
 *status = '1';
 *message = "An internal error occurred.";
 
+ *fullNameActor = "$userNameClient#$rodsZoneClient";
 # Check that the creator user exists
- *fullName = "*creatorUser#*creatorZone";
+ *fullNameCreator = "*creatorUser#*creatorZone";
 
- uuUserExists(*fullName, *exists);
+ uuUserExists(*fullNameCreator, *exists);
 # If creator does not exist, exit
 if (!*exists) {
 succeed; # Return here (fail would ruin the status and error message).
@@ -984,6 +985,9 @@ uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message)
 *externalUser = "";
 rule_group_check_external_user(*userName, *externalUser)
 if (*externalUser == "1") {
+ # Confirm that the actor is allowed to perform this action
+ uuGetUserType(*fullNameActor, *actorUserType);
+ if (*actorUserType == "rodsadmin") {
 *http_code = ""
 *message = ""
 rule_group_provision_external_user(*userName, *creatorUser, *creatorZone, *http_code, *message);
@@ -992,7 +996,13 @@ uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message)
 *status = *http_code;
 succeed; # Return here (fail would ruin the status and error message).
 }
- writeLine("serverLog", "[EXTERNAL USER] User *userName added on the behalf of *creatorUser on *creatorZone.");
+ writeLine("serverLog", "[EXTERNAL USER] User *userName added by $userNameClient on $rodsZoneClient on the behalf of *creatorUser on *creatorZone.");
+ }
+ else {
+ # Actor user is not allowed to do this action
+ writeLine("serverLog", "[EXTERNAL USER] Actor $userNameClient on $rodsZoneClient does not have sufficient permissions to create external user");
+ succeed; # Return here (fail would ruin the status and error message).
+ }
 }
 }
 
From c21c6cbe960117205a1cbdfc36469699bca9a252 Mon Sep 17 00:00:00 2001
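Review bot: In the third hunk (`@@ -992,7 +996,13 @@`) the new `else` branch logs the refusal but leaves `*status = '1'` and `*message = "An internal error occurred."` from the top of the rule, so an unauthorised caller is told there was an internal error instead of a permission problem; the same applies to the `@@ -1000,7 +1000,7 @@` hunk of the next patch, which only extends the log text. Set an explicit message before the early exit, e.g. `*message = "Insufficient permissions to add external user *userName.";` directly above `succeed;`. Logging both the acting client and the creator in the success line gives a useful audit trail; the refusal line would be more useful if it also carried `*creatorUser` and `*creatorZone`, so that the mismatch between actor and claimed creator can be traced from the log alone.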
From: claravox
Date: Mon, 9 Oct 2023 11:07:55 +0200
Subject: [PATCH 3/4] Fix creator check for creating new external user

---
 uuGroup.r | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/uuGroup.r b/uuGroup.r
index 34c7480e4..90538e865 100644
--- a/uuGroup.r
+++ b/uuGroup.r
@@ -985,9 +985,9 @@ uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message)
 *externalUser = "";
 rule_group_check_external_user(*userName, *externalUser)
 if (*externalUser == "1") {
- # Confirm that the actor is allowed to perform this action
+ # Confirm that the actor is allowed to perform this action (either admin or the actor is the same as the creator user)
 uuGetUserType(*fullNameActor, *actorUserType);
- if (*actorUserType == "rodsadmin") {
+ if (*actorUserType == "rodsadmin" || *fullNameCreator == *fullNameActor) {
 *http_code = ""
 *message = ""
 rule_group_provision_external_user(*userName, *creatorUser, *creatorZone, *http_code, *message);
@@ -1000,7 +1000,7 @@ uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message)
 }
 else {
 # Actor user is not allowed to do this action
- writeLine("serverLog", "[EXTERNAL USER] Actor $userNameClient on $rodsZoneClient does not have sufficient permissions to create external user");
+ writeLine("serverLog", "[EXTERNAL USER] Actor $userNameClient on $rodsZoneClient does not have sufficient permissions to create external user *userName");
 succeed; # Return here (fail would ruin the status and error message).
 }
 }
From b14bfe1e5db9438133faf2cbb55ddaa06c1359f7 Mon Sep 17 00:00:00 2001
From: claravox
Date: Mon, 9 Oct 2023 11:08:17 +0200
Subject: [PATCH 4/4] Output rodsLogs in Github Actions API test on failure

---
 .github/workflows/api-tests.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml
index eec78114a..cf1cdb9a2 100644
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
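Review bot: The widened check in the first hunk (`rodsadmin`, or an actor whose `user#zone` equals the creator's) is not reflected in the rule's header comment, which still describes `creatorUser` only as "the user who will add the new user". Suggest adding to that header, which lies above this hunk and outside it: `# Non-rodsadmin callers may only name themselves as creatorUser/creatorZone; any other creator is refused.` The comment on the condition is long enough that it would read better split over two `#` lines.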
@@ -80,6 +80,11 @@ jobs:
 cat ../copytovault.log
 cat ../publication.log
 
+ - name: Output rodsLogs
+ if: failure()
+ run: |
+ docker exec provider.yoda sh -c 'set -x ; cat /var/lib/irods/log/rodsLog*'
+
 # Uncomment section below when needed for debugging.
 #
 # - name: Setup tmate session for debugging
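Review bot: The new `Output rodsLogs` step dumps every `rodsLog*` file into the Actions log on any failure; iRODS server logs can carry user names, zone names and the `[EXTERNAL USER] *message` responses written by the rules changed earlier in this series, which is worth checking before relying on it in a repository whose CI logs are public. Bounding the output, e.g. `cat /var/lib/irods/log/rodsLog* | tail -n 500`, keeps the step useful without the full dump. `set -x` only echoes the single `cat` command here, so it adds nothing and can be dropped.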