fleet/server/api_endpoints/api_endpoints.go

package apiendpoints

import (
	_ "embed"
	"fmt"
	"net/http"

	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/ghodss/yaml"
	"github.com/gorilla/mux"
)

//go:embed api_endpoints.yml
var apiEndpointsYAML []byte

var apiEndpoints []fleet.APIEndpoint

var apiEndpointsSet map[string]struct{}

// GetAPIEndpoints returns a copy of the embedded API endpoints slice.
func GetAPIEndpoints() []fleet.APIEndpoint {
	result := make([]fleet.APIEndpoint, len(apiEndpoints))
	copy(result, apiEndpoints)
	return result
}

// IsInCatalog reports whether the given endpoint fingerprint is in the catalog.
func IsInCatalog(fingerprint string) bool {
	_, ok := apiEndpointsSet[fingerprint]
	return ok
}

func Init(h http.Handler) error {
	r, ok := h.(*mux.Router)
	if !ok {
		return fmt.Errorf("expected *mux.Router, got %T", h)
	}

	registered := make(map[string]struct{})
	_ = r.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
		tpl, err := route.GetPathTemplate()
		if err != nil {
			return nil
		}
		meths, err := route.GetMethods()
		if err != nil || len(meths) == 0 {
			return nil
		}
		for _, m := range meths {
			val := fleet.NewAPIEndpointFromTpl(m, tpl)
			registered[val.Fingerprint()] = struct{}{}
		}
		return nil
	})

	loadedApiEndpoints, err := loadAPIEndpoints()
	if err != nil {
		return err
	}

	var missing []string
	for _, e := range loadedApiEndpoints {
		if _, ok := registered[e.Fingerprint()]; !ok {
			missing = append(missing, e.Method+" "+e.Path)
		}
	}

	if len(missing) > 0 {
		return fmt.Errorf("the following API endpoints are unknown: %v", missing)
	}

	apiEndpoints = loadedApiEndpoints

	set := make(map[string]struct{}, len(loadedApiEndpoints))
	for _, e := range loadedApiEndpoints {
		set[e.Fingerprint()] = struct{}{}
	}
	apiEndpointsSet = set

	return nil
}

func loadAPIEndpoints() ([]fleet.APIEndpoint, error) {
	endpoints := make([]fleet.APIEndpoint, 0)

	if err := yaml.Unmarshal(apiEndpointsYAML, &endpoints); err != nil {
		return nil, err
	}

	seen := make(map[string]struct{}, len(endpoints))
	for _, e := range endpoints {
		fp := e.Fingerprint()
		if _, ok := seen[fp]; ok {
			panic(fmt.Errorf("duplicate entry (%s, %s)", e.Method, e.Path))
		}
		seen[fp] = struct{}{}
	}
	return endpoints, nil
}
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`package apiendpoints`

			`import (`
			`_ "embed"`
			`"fmt"`
			`"net/http"`

			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/ghodss/yaml"`
			`"github.com/gorilla/mux"`
			`)`

			`//go:embed api_endpoints.yml`
			`var apiEndpointsYAML []byte`

			`var apiEndpoints []fleet.APIEndpoint`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`var apiEndpointsSet map[string]struct{}`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`// GetAPIEndpoints returns a copy of the embedded API endpoints slice.`
			`func GetAPIEndpoints() []fleet.APIEndpoint {`
			`result := make([]fleet.APIEndpoint, len(apiEndpoints))`
			`copy(result, apiEndpoints)`
			`return result`
			`}`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`// IsInCatalog reports whether the given endpoint fingerprint is in the catalog.`
			`func IsInCatalog(fingerprint string) bool {`
			`_, ok := apiEndpointsSet[fingerprint]`
			`return ok`
			`}`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`func Init(h http.Handler) error {`
			`r, ok := h.(*mux.Router)`
			`if !ok {`
			`return fmt.Errorf("expected *mux.Router, got %T", h)`
			`}`

			`registered := make(map[string]struct{})`
			`_ = r.Walk(func(route mux.Route, _ mux.Router, _ []*mux.Route) error {`
			`tpl, err := route.GetPathTemplate()`
			`if err != nil {`
			`return nil`
			`}`
			`meths, err := route.GetMethods()`
			`if err != nil \|\| len(meths) == 0 {`
			`return nil`
			`}`
			`for _, m := range meths {`
			`val := fleet.NewAPIEndpointFromTpl(m, tpl)`
			`registered[val.Fingerprint()] = struct{}{}`
			`}`
			`return nil`
			`})`

Allow the creation of API-only users (#43440) Related issues: - Resolves #42882 - Resolves #42880 - Resolves #42884 # Changes - Added POST /users/api_only endpoint for creating API-only users. - Added PATCH /users/api_only/{id} for updating existing API-only users. - Updated `fleetctl user create --api-only` removing email/password field requirements. 2026-04-16 15:11:39 +00:00			`loadedApiEndpoints, err := loadAPIEndpoints()`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`if err != nil {`
			`return err`
			`}`

			`var missing []string`
			`for _, e := range loadedApiEndpoints {`
			`if _, ok := registered[e.Fingerprint()]; !ok {`
			`missing = append(missing, e.Method+" "+e.Path)`
			`}`
			`}`

			`if len(missing) > 0 {`
			`return fmt.Errorf("the following API endpoints are unknown: %v", missing)`
			`}`

			`apiEndpoints = loadedApiEndpoints`

Added middleware for api-only users auth (#43772) Fixes #42885 Added new middleware (APIOnlyEndpointCheck) that enforces 403 for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions. 2026-04-21 11:11:33 +00:00			`set := make(map[string]struct{}, len(loadedApiEndpoints))`
			`for _, e := range loadedApiEndpoints {`
			`set[e.Fingerprint()] = struct{}{}`
			`}`
			`apiEndpointsSet = set`

Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`return nil`
			`}`

Allow the creation of API-only users (#43440) Related issues: - Resolves #42882 - Resolves #42880 - Resolves #42884 # Changes - Added POST /users/api_only endpoint for creating API-only users. - Added PATCH /users/api_only/{id} for updating existing API-only users. - Updated `fleetctl user create --api-only` removing email/password field requirements. 2026-04-16 15:11:39 +00:00			`func loadAPIEndpoints() ([]fleet.APIEndpoint, error) {`
Implement GET /api/v1/fleet/rest_api (#42883) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact. 2026-04-10 15:12:38 +00:00			`endpoints := make([]fleet.APIEndpoint, 0)`

			`if err := yaml.Unmarshal(apiEndpointsYAML, &endpoints); err != nil {`
			`return nil, err`
			`}`

			`seen := make(map[string]struct{}, len(endpoints))`
			`for _, e := range endpoints {`
			`fp := e.Fingerprint()`
			`if _, ok := seen[fp]; ok {`
			`panic(fmt.Errorf("duplicate entry (%s, %s)", e.Method, e.Path))`
			`}`
			`seen[fp] = struct{}{}`
			`}`
			`return endpoints, nil`
			`}`