YDA-4101: add ability to create external user with custom creator

.github/workflows/api-tests.yml

@@ -80,6 +80,11 @@ jobs:
         cat ../copytovault.log
         cat ../publication.log
 
+    - name: Output rodsLogs
+      if: failure()
+      run: |
+        docker exec provider.yoda sh -c 'set -x ; cat /var/lib/irods/log/rodsLog*'
+
 # Uncomment section below when needed for debugging.
 #
 #    - name: Setup tmate session for debugging

uuGroup.r

@@ -460,6 +460,25 @@ uuGroupGetDescription(*groupName, *description) {
 	}
 }
 
+# \brief Get a list of both manager and non-manager members of a group.
+#
+# This function ignores zone names, this is usually a bad idea.
+#
+# \deprecated Use uuGroupGetMembers(*groupName, *includeRo, *addTypePrefix, *members) instead
+#
+# \param[in]  groupName
+# \param[out] members a list of user names
+#
+uuGroupGetMembers(*groupName, *members) {
+	uuGroupGetMembers(*groupName, false, false, *m);
+	*members = list();
+	foreach (*member in *m) {
+		# Throw away the zone name for backward compat.
+		uuChop(*member, *name, *_, "#", true);
+		*members = cons(*name, *members);
+	}
+}
+
 
 # \brief Get a list of a group's members.
 #
@@ -922,17 +941,29 @@ uuUserMetaRemove(*userName, *property, *status, *message) {
 	}
 }
 
-# \brief Add a user to a group.
+# \brief Add a user to a group on behalf of another user.
 #
 # \param[in]  groupName
-# \param[in]  user      the user to add to the group
-# \param[out] status    zero on success, non-zero on failure
-# \param[out] message   a user friendly error message, may contain the reason why an action was disallowed
+# \param[in]  user          the user to add to the group
+# \param[in]  creatorUser   the user who will add the new user
+# \param[in]  creatorZone   the zone of the user who will add the new user
+# \param[out] status        zero on success, non-zero on failure
+# \param[out] message       a user friendly error message, may contain the reason why an action was disallowed
 #
-uuGroupUserAdd(*groupName, *user, *status, *message) {
+uuGroupUserAdd(*groupName, *user, *creatorUser, *creatorZone, *status, *message) {
 	*status  = '1';
 	*message = "An internal error occurred.";
 
+	*fullNameActor = "$userNameClient#$rodsZoneClient";
+	# Check that the creator user exists
+	*fullNameCreator = "*creatorUser#*creatorZone";
+
+	uuUserExists(*fullNameCreator, *exists);
+	# If creator does not exist, exit
+	if (!*exists) {
+    	succeed; # Return here (fail would ruin the status and error message).
+	}
+
 	uuGetUserAndZone(*user, *userName, *userZone);
 	*fullName = "*userName#*userZone";
 
@@ -954,15 +985,24 @@ uuGroupUserAdd(*groupName, *user, *status, *message) {
                 *externalUser = "";
                 rule_group_check_external_user(*userName, *externalUser)
                 if (*externalUser == "1") {
+					# Confirm that the actor is allowed to perform this action (either admin or the actor is the same as the creator user)
+					uuGetUserType(*fullNameActor, *actorUserType);
+					if (*actorUserType == "rodsadmin" || *fullNameCreator == *fullNameActor) {
                         *http_code = ""
                         *message = ""
-                        rule_group_provision_external_user(*userName, $userNameClient, $rodsZoneClient, *http_code, *message);
+                        rule_group_provision_external_user(*userName, *creatorUser, *creatorZone, *http_code, *message);
                         if (*message != "") {
                                 writeLine("serverLog", "[EXTERNAL USER] *message");
                                 *status = *http_code;
                                 succeed; # Return here (fail would ruin the status and error message).
                         }
-                        writeLine("serverLog", "[EXTERNAL USER] User *userName added by $userNameClient on $rodsZoneClient.");
+                        writeLine("serverLog", "[EXTERNAL USER] User *userName added by $userNameClient on $rodsZoneClient on the behalf of *creatorUser on *creatorZone.");
+					}
+					else {
+						# Actor user is not allowed to do this action
+						writeLine("serverLog", "[EXTERNAL USER] Actor $userNameClient on $rodsZoneClient does not have sufficient permissions to create external user *userName");
+						succeed; # Return here (fail would ruin the status and error message).
+					}
                 }
 	}
 
@@ -978,6 +1018,21 @@ uuGroupUserAdd(*groupName, *user, *status, *message) {
 	}
 }
 
+# \brief Add a user to a group.
+#
+# \param[in]  groupName
+# \param[in]  user      the user to add to the group
+# \param[out] status    zero on success, non-zero on failure
+# \param[out] message   a user friendly error message, may contain the reason why an action was disallowed
+#
+uuGroupUserAdd(*groupName, *user, *status, *message) {
+	*status  = '1';
+	*message = "An internal error occurred.";
+
+	uuGroupUserAdd(*groupName, *user, $userNameClient, $rodsZoneClient, *status, *message)
+}
+
+
 # \brief Remove a user from a group.
 #
 # \param[in]  groupName