Groups API /saml_group_links returns 404 for POST when group name contains period character
Summary
When a group name includes the .
character, the endpoint POST /groups/:id/saml_group_links
to update SAML group links returns a 404
when using the URL-encoded group name. Using the group ID works as expected, and a GET
using the URL-encoded group name works as expected.
Steps to reproduce
- Optional. If you don't already have one, create a top-level group with a premium or ultimate subscription to enable SAML SSO features.
- Optional. If you haven't already, configure SAML SSO for the top-level group. I can also add you to my group that I've been testing this in.
- Create a sub-group of your top-level group that has a name with a
.
character in it.- For my test, this is
my_ultimate_group/private/group.period
.
- For my test, this is
-
List SAML group links for the sub-group using the URL-encoded path to ensure your encoding is correct.
- For reference,
/
becomes%2F
and.
becomes%2E
. - For my test, this is
curl --request GET 'https://gitlab.com/api/v4/groups/my_ultimate_group%2Fprivate%2Fgroup%2Eperiod/saml_group_links' --header 'PRIVATE-TOKEN: glpat-redacted'
. - You should get a response that lists all currently-configured group links. If none are configured in the group, it will return an empty set
[]
.
- For reference,
-
Add a SAML group link for the group using the URL-encoded path.
- The
saml_group_name
can be anything as long as the characters are allowed. - For my test, this is
curl --request POST 'https://gitlab.com/api/v4/groups/my_ultimate_group%2Fprivate%2Fgroup%2Eperiod/saml_group_links?saml_group_name=FAKE-GROUP&access_level=20' --header 'PRIVATE-TOKEN: glpat-redacted'
- The
- Observe the
{"error":"404 Not Found"}
message. - Optional. Replace the URL-encoded path with the group ID to validate that the API call would otherwise work.
- For my test, this is
curl --request POST 'https://gitlab.com/api/v4/groups/87662447/saml_group_links?saml_group_name=FAKE-GROUP&access_level=20' --header 'PRIVATE-TOKEN: glpat-redacted'
. - My result returned
{"name":"FAKE-GROUP","access_level":20,"member_role_id":null}
- For my test, this is
Configuration used
Architecture
GitLab.com
Current behavior
The call returns a 404 error
Expected behavior
URL-encoded group names that contain a .
character can be used for POST operations the same as if you had used the group ID.
Versions
GitLab.com
Platforms
GitLab.com
Relevant logs
Workarounds
Note: Workarounds are not solutions, but might help unblock work.
- This issue does not occur when you use the group's ID. Use the [details of a group](Details of a group endpoint to get the group's ID from its URL-encoded path, and then use the ID to execute the query.
- If you must use the group's path instead of the ID, change the group's path to replace the
.
character with another character like-
, or remove the character entirely.- Keep in mind that any users will need to update the path anywhere its in use. GitLab will apply a redirect, but be sure to review how redirects behave (in the above link) before renaming a group.
Edited by Keelan Lang