admin/security: Unescape characters in username path params

- `DELETE /v1/security/users/{user}`
- `PUT /v1/security/users/{user}`

(cherry picked from commit 93d575f)

src/v/redpanda/admin_server.cc

@@ -94,6 +94,7 @@
 #include <seastar/http/httpd.hh>
 #include <seastar/http/reply.hh>
 #include <seastar/http/request.hh>
+#include <seastar/http/url.hh>
 #include <seastar/util/log.hh>
 #include <seastar/util/variant_utils.hh>
 
@@ -1656,7 +1657,12 @@ admin_server::delete_user_handler(std::unique_ptr<ss::httpd::request> req) {
         throw co_await redirect_to_leader(*req, model::controller_ntp);
     }
 
-    auto user = security::credential_user(req->param["user"]);
+    ss::sstring user_v;
+    if (!ss::http::internal::url_decode(req->param["user"], user_v)) {
+        throw ss::httpd::bad_param_exception{fmt::format(
+          "Invalid parameter 'user' got {{{}}}", req->param["user"])};
+    }
+    auto user = security::credential_user(user_v);
 
     if (!_controller->get_credential_store().local().contains(user)) {
         vlog(logger.debug, "User '{}' already gone during deletion", user);
@@ -1683,7 +1689,12 @@ admin_server::update_user_handler(std::unique_ptr<ss::httpd::request> req) {
         throw co_await redirect_to_leader(*req, model::controller_ntp);
     }
 
-    auto user = security::credential_user(req->param["user"]);
+    ss::sstring user_v;
+    if (!ss::http::internal::url_decode(req->param["user"], user_v)) {
+        throw ss::httpd::bad_param_exception{fmt::format(
+          "Invalid parameter 'user' got {{{}}}", req->param["user"])};
+    }
+    auto user = security::credential_user(user_v);
 
     auto doc = parse_json_body(*req);