Implement shadow user creation in /v3/roles endpoint

Author: svkrieger

app/controllers/v3/roles_controller.rb

@@ -114,7 +114,12 @@ def create_org_role(message)
     unauthorized! unless permission_queryer.can_write_to_active_org?(org.id)
     suspended! unless permission_queryer.is_org_active?(org.id)
 
-    user_guid = message.user_guid || lookup_user_guid_in_uaa(message.username, message.user_origin)
+    if message.username && message.user_origin && message.user_origin != 'uaa' && org_managers_can_create_users?
+      user = create_uaa_shadow_user(message.username, message.user_origin)
+      user_guid = user['id']
+    else
+      user_guid = message.user_guid || lookup_user_guid_in_uaa(message.username, message.user_origin)
+    end
 
     user = User.first(guid: user_guid) || create_cc_user(user_guid)
 
@@ -140,6 +145,12 @@ def create_cc_user(user_guid)
     UserCreate.new.create(message:)
   end
 
+  def create_uaa_shadow_user(username, origin)
+    message = UserCreateMessage.new(username:, origin:)
+    unprocessable!(message.errors.full_messages) unless message.valid?
+    User.create_uaa_shadow_user(message.username, message.origin)
+  end
+
   def readable_users
     current_user.readable_users(permission_queryer.can_read_globally?)
   end
@@ -203,4 +214,8 @@ def lookup_user_guid_in_uaa(username, given_origin, creating_space_role: false)
   def uaa_username_lookup_client
     CloudController::DependencyLocator.instance.uaa_username_lookup_client
   end
+
+  def org_managers_can_create_users?
+    VCAP::CloudController::Config.config.get(:allow_user_creation_by_org_manager) && FeatureFlag.raise_unless_enabled!(:set_roles_by_username)
+  end
 end