fleet

Elgato_dark/fleet

Fork 0

mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00

Commit graph

Author	SHA1	Message	Date
Lucas Manuel Rodriguez	bbcc8c13eb	Add explicit checks for forbidden API only endpoints (future proofing) (#44664 ) Related issue: Resolves #42887. From Claude's audit: ``` [...] Concerns worth addressing A. Catalog drift is the real long-term risk. Today the yaml is curated. If a future engineer adds (say) POST /users/api_only, PATCH /users/api_only/:id, POST /users/roles/spec, POST /password_reset, or any session-issuing route, an allowlisted api_only user can clone themselves or broaden a peer's allowlist. Suggest a CI test that hard-fails if any of those route prefixes show up in api_endpoints.yml, plus a comment at the top of the yaml listing the categories that must never be added (user/role/invite/password/session/SSO). [...] ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Tests * Added validation tests for API endpoint configuration to ensure security compliance and proper detection of restricted endpoint combinations. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-05-04 13:47:57 -03:00
Juan Fernandez	1bc32467a7	Implement GET /api/v1/fleet/rest_api (#42883 ) Related issue: Resolves #42883 Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded `api_endpoints.yml` artifact.	2026-04-10 11:12:38 -04:00

Author

SHA1

Message

Date

Lucas Manuel Rodriguez

bbcc8c13eb

Add explicit checks for forbidden API only endpoints (future proofing) (#44664 )

**Related issue:** Resolves #42887.

From Claude's audit:
```
[...]
Concerns worth addressing

A. Catalog drift is the real long-term risk. Today the yaml is curated. 
If a future engineer adds (say) POST /users/api_only, PATCH /users/api_only/:id, POST /users/roles/spec,
POST /password_reset, or any session-issuing route, an allowlisted api_only user can clone themselves or
broaden a peer's allowlist.
Suggest a CI test that hard-fails if any of those route prefixes show up in api_endpoints.yml,
plus a comment at the top of the yaml listing the categories that must never be added (user/role/invite/password/session/SSO).
[...]
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added validation tests for API endpoint configuration to ensure
security compliance and proper detection of restricted endpoint
combinations.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

2026-05-04 13:47:57 -03:00

Juan Fernandez

1bc32467a7

Implement GET /api/v1/fleet/rest_api (#42883 )

**Related issue:** Resolves #42883 

Added a new premium GET /api/_version_/fleet/rest_api endpoint that
returns the contents of the embedded `api_endpoints.yml` artifact.

2026-04-10 11:12:38 -04:00

2 commits