fleet/server/api_endpoints/api_endpoints.go

package apiendpoints

import (
	_ "embed"
	"fmt"
	"net/http"

	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/ghodss/yaml"
	kithttp "github.com/go-kit/kit/transport/http"
	"github.com/gorilla/mux"
)

// FeatureRouteFunc registers the routes of a bounded-context / feature module
// onto a mux router. It mirrors endpointer.HandlerRoutesFunc.
type FeatureRouteFunc func(r *mux.Router, opts []kithttp.ServerOption)

//go:embed api_endpoints.yml
var apiEndpointsYAML []byte

var apiEndpoints []fleet.APIEndpoint

var apiEndpointsSet map[string]struct{}

// GetAPIEndpoints returns a copy of the embedded API endpoints slice.
func GetAPIEndpoints() []fleet.APIEndpoint {
	result := make([]fleet.APIEndpoint, len(apiEndpoints))
	copy(result, apiEndpoints)
	return result
}

// IsInCatalog reports whether the given endpoint fingerprint is in the catalog.
func IsInCatalog(fingerprint string) bool {
	_, ok := apiEndpointsSet[fingerprint]
	return ok
}

// Init validates that every endpoint in the embedded catalog is registered
// on the provided handler or one of the given feature routes. Feature routes
// are walked on a throwaway router so callers can validate routes that are
// declared elsewhere.
func Init(h http.Handler, featureRoutes ...FeatureRouteFunc) error {
	r, ok := h.(*mux.Router)
	if !ok {
		return fmt.Errorf("expected *mux.Router, got %T", h)
	}

	registered := make(map[string]struct{})
	collect := func(rt *mux.Router) {
		_ = rt.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
			tpl, err := route.GetPathTemplate()
			if err != nil {
				return nil
			}
			meths, err := route.GetMethods()
			if err != nil || len(meths) == 0 {
				return nil
			}
			for _, m := range meths {
				val := fleet.NewAPIEndpointFromTpl(m, tpl)
				registered[val.Fingerprint()] = struct{}{}
			}
			return nil
		})
	}

	collect(r)

	for _, fr := range featureRoutes {
		if fr == nil {
			continue
		}
		tmp := mux.NewRouter()
		fr(tmp, nil)
		collect(tmp)
	}

	loadedApiEndpoints, err := loadAPIEndpoints()
	if err != nil {
		return err
	}

	var missing []string
	for _, e := range loadedApiEndpoints {
		if _, ok := registered[e.Fingerprint()]; !ok {
			missing = append(missing, e.Method+" "+e.Path)
		}
	}

	if len(missing) > 0 {
		return fmt.Errorf("the following API endpoints are unknown: %v", missing)
	}

	apiEndpoints = loadedApiEndpoints

	set := make(map[string]struct{}, len(loadedApiEndpoints))
	for _, e := range loadedApiEndpoints {
		set[e.Fingerprint()] = struct{}{}
	}
	apiEndpointsSet = set

	return nil
}

func loadAPIEndpoints() ([]fleet.APIEndpoint, error) {
	endpoints := make([]fleet.APIEndpoint, 0)

	if err := yaml.Unmarshal(apiEndpointsYAML, &endpoints); err != nil {
		return nil, err
	}

	seen := make(map[string]struct{}, len(endpoints))
	for _, e := range endpoints {
		fp := e.Fingerprint()
		if _, ok := seen[fp]; ok {
			panic(fmt.Errorf("duplicate entry (%s, %s)", e.Method, e.Path))
		}
		seen[fp] = struct{}{}
	}
	return endpoints, nil
}
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`package apiendpoints`

			`import (`
			`_ "embed"`
			`"fmt"`
			`"net/http"`

			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/ghodss/yaml"`
Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`kithttp "github.com/go-kit/kit/transport/http"`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`"github.com/gorilla/mux"`
			`)`

Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`// FeatureRouteFunc registers the routes of a bounded-context / feature module`
			`// onto a mux router. It mirrors endpointer.HandlerRoutesFunc.`
			`type FeatureRouteFunc func(r *mux.Router, opts []kithttp.ServerOption)`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`//go:embed api_endpoints.yml`
			`var apiEndpointsYAML []byte`

			`var apiEndpoints []fleet.APIEndpoint`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`var apiEndpointsSet map[string]struct{}`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`// GetAPIEndpoints returns a copy of the embedded API endpoints slice.`
			`func GetAPIEndpoints() []fleet.APIEndpoint {`
			`result := make([]fleet.APIEndpoint, len(apiEndpoints))`
			`copy(result, apiEndpoints)`
			`return result`
			`}`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`// IsInCatalog reports whether the given endpoint fingerprint is in the catalog.`
			`func IsInCatalog(fingerprint string) bool {`
			`_, ok := apiEndpointsSet[fingerprint]`
			`return ok`
			`}`

Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`// Init validates that every endpoint in the embedded catalog is registered`
			`// on the provided handler or one of the given feature routes. Feature routes`
			`// are walked on a throwaway router so callers can validate routes that are`
			`// declared elsewhere.`
			`func Init(h http.Handler, featureRoutes ...FeatureRouteFunc) error {`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`r, ok := h.(*mux.Router)`
			`if !ok {`
			`return fmt.Errorf("expected *mux.Router, got %T", h)`
			`}`

			`registered := make(map[string]struct{})`
Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`collect := func(rt *mux.Router) {`
			`_ = rt.Walk(func(route mux.Route, _ mux.Router, _ []*mux.Route) error {`
			`tpl, err := route.GetPathTemplate()`
			`if err != nil {`
			`return nil`
			`}`
			`meths, err := route.GetMethods()`
			`if err != nil \|\| len(meths) == 0 {`
			`return nil`
			`}`
			`for _, m := range meths {`
			`val := fleet.NewAPIEndpointFromTpl(m, tpl)`
			`registered[val.Fingerprint()] = struct{}{}`
			`}`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`return nil`
Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`})`
			`}`

			`collect(r)`

			`for _, fr := range featureRoutes {`
			`if fr == nil {`
			`continue`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`}`
Fixed broken tests due validation logic not taking into account feature routes (#44112) Extends API endpoint catalog validation to also look at feature routes. 2026-04-24 13:49:26 +00:00			`tmp := mux.NewRouter()`
			`fr(tmp, nil)`
			`collect(tmp)`
			`}`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00
Allow the creation of API-only users (#43440) Related issues: - Resolves #42882 - Resolves #42880 - Resolves #42884 # Changes - Added POST /users/api_only endpoint for creating API-only users. - Added PATCH /users/api_only/{id} for updating existing API-only users. - Updated `fleetctl user create --api-only` removing email/password field requirements. 2026-04-16 15:11:39 +00:00			`loadedApiEndpoints, err := loadAPIEndpoints()`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`if err != nil {`
			`return err`
			`}`

			`var missing []string`
			`for _, e := range loadedApiEndpoints {`
			`if _, ok := registered[e.Fingerprint()]; !ok {`
			`missing = append(missing, e.Method+" "+e.Path)`
			`}`
			`}`

			`if len(missing) > 0 {`
			`return fmt.Errorf("the following API endpoints are unknown: %v", missing)`
			`}`

			`apiEndpoints = loadedApiEndpoints`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`set := make(map[string]struct{}, len(loadedApiEndpoints))`
			`for _, e := range loadedApiEndpoints {`
			`set[e.Fingerprint()] = struct{}{}`
			`}`
			`apiEndpointsSet = set`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`return nil`
			`}`

Allow the creation of API-only users (#43440) Related issues: - Resolves #42882 - Resolves #42880 - Resolves #42884 # Changes - Added POST /users/api_only endpoint for creating API-only users. - Added PATCH /users/api_only/{id} for updating existing API-only users. - Updated `fleetctl user create --api-only` removing email/password field requirements. 2026-04-16 15:11:39 +00:00			`func loadAPIEndpoints() ([]fleet.APIEndpoint, error) {`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`endpoints := make([]fleet.APIEndpoint, 0)`

			`if err := yaml.Unmarshal(apiEndpointsYAML, &endpoints); err != nil {`
			`return nil, err`
			`}`

			`seen := make(map[string]struct{}, len(endpoints))`
			`for _, e := range endpoints {`
			`fp := e.Fingerprint()`
			`if _, ok := seen[fp]; ok {`
			`panic(fmt.Errorf("duplicate entry (%s, %s)", e.Method, e.Path))`
			`}`
			`seen[fp] = struct{}{}`
			`}`
			`return endpoints, nil`
			`}`