jfrog-client-go icon indicating copy to clipboard operation
jfrog-client-go copied to clipboard
verified publisher icon jfrog

Cannot create user with "#" in a username

Open dlorych opened this issue 2 months ago • 3 comments

Describe the bug

Calling func (us *UserService) CreateUser(params UserParams) error with UserParams having username set to a value with "#" (e.g. test#1) end with an 409 response: The userName that was provided in the request path does not match the userName in the provided user configuration object.

Interestingly, the CreateUser REST API (according to REST API docs should be a HTTP POST /access/api/v2/users call. There's no username in the request path.

Looks that 2 functions CreateUser and UpdateUser are using wrong HTTP request methods. CreateUser should call POST ~and UpdateUser should call PUT~ (the Update User is not specified in REST API docs) - currently it is the other way.

Anyway, calling func (us *UserService) UpdateUser(params UserParams) error with UserParams having username set to a value with "#" (e.g. test#1) is returning the same 409 response :/.

Note: there's no issue to create a user with # in the username through UI.

Current behavior

Calling func (us *UserService) CreateUser(params UserParams) error with UserParams having username set to a value with "#" (e.g. test#1) end with an 409 response: The userName that was provided in the request path does not match the userName in the provided user configuration object.

Reproduction steps

Call func (us *UserService) CreateUser(params UserParams) error with UserParams having username set to a value with "#" (e.g. test#1)

Expected behavior

Calling func (us *UserService) CreateUser(params UserParams) error with UserParams having username set to a value with "#" (e.g. test#1) ends with 201: Successful (as documented in REST API docs).

JFrog Client-Go version

v1.55

JFrog CLI version (if applicable)

No response

Operating system type and version

macOS 26.0.1 (25A362)

JFrog Artifactory version

7.117.5

JFrog Xray version

3.125.2

dlorych avatar Oct 27 '25 15:10 dlorych

does it work with api calls ?

RemiBou avatar Oct 27 '25 15:10 RemiBou

I just checked, it works with API calls (although I was not able to reproduce the HTTP 409 response). The issue is that the CLI does not URL-encode the username which appears in the URL. BTW, the API being used by the CLI is the legacy API POST /artifactory/api/security/users/....

The fix should be around https://github.com/jfrog/jfrog-client-go/blob/c0168f77093c250270149ecf9a5baec2f5e0c8da/artifactory/services/users.go#L144

cyrilc-pro avatar Oct 27 '25 15:10 cyrilc-pro

GetUser and DeleteUser functions are also affected:

https://github.com/jfrog/jfrog-client-go/blob/c0168f77093c250270149ecf9a5baec2f5e0c8da/artifactory/services/users.go#L59

https://github.com/jfrog/jfrog-client-go/blob/c0168f77093c250270149ecf9a5baec2f5e0c8da/artifactory/services/users.go#L150

cyrilc-pro avatar Oct 27 '25 15:10 cyrilc-pro

@dlorych: Have you seen comments on your go-ntlmssp PR? Can you answer and update it?

After my contact to Security Microsoft Team, a lot of changes have been done recently. Only your PR has not been merged...

Thanks in advance.

Neustradamus avatar Nov 12 '25 18:11 Neustradamus