Allow the creation of API-only users

- Added POST /users/api_only endpoint for creating API-only users.
- Added PATCH /users/api_only/{id} for updating existing API-only users.
- Updated `fleetctl user create --api-only` removing email/password field requirements.

Author: juan-fdz-hawa

changes/42882-42880-42884-allow-creation-of-api-only-users

@@ -0,0 +1,3 @@
+- Added POST /users/api_only endpoint for creating API-only users.
+- Added PATCH /users/api_only/{id} for updating existing API-only users.
+- Updated `fleetctl user create --api-only` removing email/password field requirements.

cmd/fleetctl/fleetctl/user.go

@@ -38,9 +38,8 @@ func createUserCommand() *cli.Command {
    If a password is required and not provided by flag, the command will prompt for password input through stdin.`,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
-				Name:     emailFlagName,
-				Usage:    "Email for new user (required)",
-				Required: true,
+				Name:  emailFlagName,
+				Usage: "Email for new user. Not required when using --api-only (required otherwise)",
 			},
 			&cli.StringFlag{
 				Name:     nameFlagName,
@@ -49,7 +48,7 @@ func createUserCommand() *cli.Command {
 			},
 			&cli.StringFlag{
 				Name:  passwordFlagName,
-				Usage: "Password for new user",
+				Usage: "Password for new user. This can be omitted if using --api-only (otherwise required)",
 			},
 			&cli.BoolFlag{
 				Name:  ssoFlagName,
@@ -125,6 +124,31 @@ func createUserCommand() *cli.Command {
 				}
 			}
 
+			// API-only (non-SSO) users are created via a dedicated endpoint that
+			// generates the email and password server-side.
+			if apiOnly {
+				sessionKey, err := client.CreateAPIOnlyUser(name, globalRole, teams)
+				if err != nil {
+					return fmt.Errorf("Failed to create user: %w", err)
+				}
+				if sessionKey != nil && *sessionKey != "" {
+					if appCfg, cfgErr := client.GetAppConfig(); cfgErr == nil &&
+						appCfg.License != nil && appCfg.License.IsPremium() {
+						fmt.Fprintln(c.App.Writer, "To further customize endpoints this API-only user has access to, head to the Fleet UI")
+					}
+					// Prevents blocking if we are executing a test
+					if terminal.IsTerminal(int(os.Stdin.Fd())) {
+						fmt.Fprint(c.App.Writer, "\nWhen you're ready to view the API token, press any key (will not be shown again): ")
+						if _, err := os.Stdin.Read(make([]byte, 1)); err != nil {
+							return fmt.Errorf("failed to read input: %w", err)
+						}
+						fmt.Fprintln(c.App.Writer)
+					}
+					fmt.Fprintf(c.App.Writer, "The API token for your new user is: %s\n", *sessionKey)
+				}
+				return nil
+			}
+
 			if sso && len(password) > 0 {
 				return errors.New("Password may not be provided for SSO users.")
 			}

cmd/fleetctl/fleetctl/users_test.go

@@ -58,15 +58,11 @@ func TestUserCreateForcePasswordReset(t *testing.T) {
 	ds.InviteByEmailFunc = func(ctx context.Context, email string) (*fleet.Invite, error) {
 		return nil, &notFoundError{}
 	}
+	// createdUsers tracks users created during tests so Login can find them by email.
+	createdUsers := map[string]*fleet.User{}
 	ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
-		if email == "bar@example.com" {
-			apiOnlyUser := &fleet.User{
-				ID:    1,
-				Email: email,
-			}
-			err := apiOnlyUser.SetPassword(pwd, 24, 10)
-			require.NoError(t, err)
-			return apiOnlyUser, nil
+		if u, ok := createdUsers[email]; ok {
+			return u, nil
 		}
 		return nil, &notFoundError{}
 	}
@@ -100,7 +96,7 @@ func TestUserCreateForcePasswordReset(t *testing.T) {
 		},
 		{
 			name:                            "api-only",
-			args:                            []string{"--email", "bar@example.com", "--password", pwd, "--name", "bar", "--api-only"},
+			args:                            []string{"--name", "bar", "--api-only"},
 			expectedAdminForcePasswordReset: false,
 			displaysToken:                   true,
 		},
@@ -120,6 +116,7 @@ func TestUserCreateForcePasswordReset(t *testing.T) {
 		ds.NewUserFuncInvoked = false
 		ds.NewUserFunc = func(ctx context.Context, user *fleet.User) (*fleet.User, error) {
 			assert.Equal(t, tc.expectedAdminForcePasswordReset, user.AdminForcedPasswordReset)
+			createdUsers[user.Email] = user
 			return user, nil
 		}
 

server/datastore/mysql/users.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
+	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
 	"github.com/fleetdm/fleet/v4/server/fleet"
 	common_mysql "github.com/fleetdm/fleet/v4/server/platform/mysql"
 	"github.com/jmoiron/sqlx"
@@ -36,6 +37,12 @@ func (ds *Datastore) NewUser(ctx context.Context, user *fleet.User) (*fleet.User
 		return nil, ctxerr.Wrap(ctx, err, "validate role")
 	}
 
+	var authorID *uint
+	if vc, ok := viewer.FromContext(ctx); ok {
+		id := vc.UserID()
+		authorID = &id
+	}
+
 	err := ds.withTx(ctx, func(tx sqlx.ExtContext) error {
 		sqlStatement := `
       INSERT INTO users (
@@ -82,6 +89,13 @@ func (ds *Datastore) NewUser(ctx context.Context, user *fleet.User) (*fleet.User
 		if err := saveTeamsForUserDB(ctx, tx, user); err != nil {
 			return err
 		}
+
+		if user.APIEndpoints != nil {
+			if err := replaceUserAPIEndpoints(ctx, tx, user.ID, authorID, user.APIEndpoints); err != nil {
+				return err
+			}
+		}
+
 		return nil
 	})
 	if err != nil {
@@ -111,6 +125,10 @@ func (ds *Datastore) findUser(ctx context.Context, searchCol string, searchVal i
 		return nil, ctxerr.Wrap(ctx, err, "load teams")
 	}
 
+	if err := ds.loadAPIEndpointsForUsers(ctx, []*fleet.User{user}); err != nil {
+		return nil, ctxerr.Wrap(ctx, err, "load api endpoints")
+	}
+
 	// When SSO is enabled, we can ignore forced password resets
 	// However, we want to leave the db untouched, to cover cases where SSO is toggled
 	if user.SSOEnabled {
@@ -174,6 +192,10 @@ func (ds *Datastore) ListUsers(ctx context.Context, opt fleet.UserListOptions) (
 		return nil, ctxerr.Wrap(ctx, err, "load teams")
 	}
 
+	if err := ds.loadAPIEndpointsForUsers(ctx, users); err != nil {
+		return nil, ctxerr.Wrap(ctx, err, "load api endpoints")
+	}
+
 	return users, nil
 }
 
@@ -230,15 +252,25 @@ func (ds *Datastore) deletedUserByID(ctx context.Context, id uint) (*fleet.User,
 }
 
 func (ds *Datastore) SaveUser(ctx context.Context, user *fleet.User) error {
+	var authorID *uint
+	if vc, ok := viewer.FromContext(ctx); ok {
+		id := vc.UserID()
+		authorID = &id
+	}
 	return ds.withTx(ctx, func(tx sqlx.ExtContext) error {
-		return saveUserDB(ctx, tx, user)
+		return saveUserDB(ctx, tx, user, authorID)
 	})
 }
 
 func (ds *Datastore) SaveUsers(ctx context.Context, users []*fleet.User) error {
+	var authorID *uint
+	if vc, ok := viewer.FromContext(ctx); ok {
+		id := vc.UserID()
+		authorID = &id
+	}
 	return ds.withTx(ctx, func(tx sqlx.ExtContext) error {
 		for _, user := range users {
-			err := saveUserDB(ctx, tx, user)
+			err := saveUserDB(ctx, tx, user, authorID)
 			if err != nil {
 				return err
 			}
@@ -247,7 +279,7 @@ func (ds *Datastore) SaveUsers(ctx context.Context, users []*fleet.User) error {
 	})
 }
 
-func saveUserDB(ctx context.Context, tx sqlx.ExtContext, user *fleet.User) error {
+func saveUserDB(ctx context.Context, tx sqlx.ExtContext, user *fleet.User, authorID *uint) error {
 	if err := fleet.ValidateRole(user.GlobalRole, user.Teams); err != nil {
 		return ctxerr.Wrap(ctx, err, "validate role")
 	}
@@ -301,6 +333,57 @@ func saveUserDB(ctx context.Context, tx sqlx.ExtContext, user *fleet.User) error
 		return err
 	}
 
+	if user.APIEndpoints != nil {
+		if err := replaceUserAPIEndpoints(ctx, tx, user.ID, authorID, user.APIEndpoints); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// loadAPIEndpointsForUsers loads api_endpoints for any API-only users in the slice.
+// Non-API-only users are left untouched.
+func (ds *Datastore) loadAPIEndpointsForUsers(ctx context.Context, users []*fleet.User) error {
+	var apiOnlyIDs []uint
+	for _, u := range users {
+		if u.APIOnly {
+			apiOnlyIDs = append(apiOnlyIDs, u.ID)
+		}
+	}
+	if len(apiOnlyIDs) == 0 {
+		return nil
+	}
+
+	query, args, err := sqlx.In(
+		`SELECT user_id, method, path FROM user_api_endpoints WHERE user_id IN (?) ORDER BY method, path`,
+		apiOnlyIDs,
+	)
+	if err != nil {
+		return ctxerr.Wrap(ctx, err, "build load api endpoints query")
+	}
+
+	var rows []struct {
+		UserID uint   `db:"user_id"`
+		Method string `db:"method"`
+		Path   string `db:"path"`
+	}
+	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &rows, query, args...); err != nil {
+		return ctxerr.Wrap(ctx, err, "load api endpoints for users")
+	}
+
+	byUserID := make(map[uint][]fleet.APIEndpointRef, len(apiOnlyIDs))
+	for _, row := range rows {
+		byUserID[row.UserID] = append(byUserID[row.UserID], fleet.APIEndpointRef{
+			Method: row.Method,
+			Path:   row.Path,
+		})
+	}
+	for _, u := range users {
+		if u.APIOnly {
+			u.APIEndpoints = byUserID[u.ID] // nil when no endpoints assigned
+		}
+	}
 	return nil
 }
 
@@ -442,6 +525,11 @@ func (ds *Datastore) DeleteUserIfNotLastAdmin(ctx context.Context, id uint) erro
 // It uses SELECT ... FOR UPDATE to prevent concurrent requests from bypassing
 // the check (TOCTOU race condition).
 func (ds *Datastore) SaveUserIfNotLastAdmin(ctx context.Context, user *fleet.User) error {
+	var authorID *uint
+	if vc, ok := viewer.FromContext(ctx); ok {
+		id := vc.UserID()
+		authorID = &id
+	}
 	return ds.withTx(ctx, func(tx sqlx.ExtContext) error {
 		// Lock the admin rows to prevent concurrent modifications.
 		var count int
@@ -453,7 +541,7 @@ func (ds *Datastore) SaveUserIfNotLastAdmin(ctx context.Context, user *fleet.Use
 			return fleet.ErrLastGlobalAdmin
 		}
 
-		return saveUserDB(ctx, tx, user)
+		return saveUserDB(ctx, tx, user, authorID)
 	})
 }
 
@@ -507,3 +595,45 @@ func (ds *Datastore) UserSettings(ctx context.Context, userID uint) (*fleet.User
 	}
 	return settings, nil
 }
+
+// replaceUserAPIEndpoints replaces all API endpoint permissions for the given user.
+// authorID is the user who made the change; pass nil when there is no viewer context
+// (e.g., system-level operations), in which case author_id is stored as NULL.
+func replaceUserAPIEndpoints(ctx context.Context, tx sqlx.ExtContext, userID uint, authorID *uint, endpoints []fleet.APIEndpointRef) error {
+	if _, err := tx.ExecContext(ctx, `DELETE FROM user_api_endpoints WHERE user_id = ?`, userID); err != nil {
+		return ctxerr.Wrap(ctx, err, "delete user api endpoints")
+	}
+	if len(endpoints) == 0 {
+		return nil
+	}
+	placeholders := strings.Repeat("(?, ?, ?, ?),", len(endpoints))
+	placeholders = placeholders[:len(placeholders)-1] // trim trailing comma
+	args := make([]any, 0, len(endpoints)*4)
+	for _, ep := range endpoints {
+		args = append(args, userID, ep.Path, ep.Method, authorID)
+	}
+	_, err := tx.ExecContext(ctx,
+		`INSERT INTO user_api_endpoints (user_id, path, method, author_id) VALUES `+placeholders,
+		args...,
+	)
+	return ctxerr.Wrap(ctx, err, "insert user api endpoints")
+}
+
+// ListUserAPIEndpoints returns all API endpoint permissions assigned to the given user.
+func (ds *Datastore) ListUserAPIEndpoints(ctx context.Context, userID uint) ([]fleet.APIEndpoint, error) {
+	var rows []struct {
+		Method string `db:"method"`
+		Path   string `db:"path"`
+	}
+	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &rows,
+		`SELECT method, path FROM user_api_endpoints WHERE user_id = ? ORDER BY method, path`,
+		userID,
+	); err != nil {
+		return nil, ctxerr.Wrap(ctx, err, "list user api endpoints")
+	}
+	endpoints := make([]fleet.APIEndpoint, 0, len(rows))
+	for _, row := range rows {
+		endpoints = append(endpoints, fleet.NewAPIEndpointFromTpl(row.Method, row.Path))
+	}
+	return endpoints, nil
+}

server/fleet/datastore.go

@@ -97,6 +97,9 @@ type Datastore interface {
 
 	UserSettings(ctx context.Context, userID uint) (*UserSettings, error)
 
+	// ListUserAPIEndpoints returns the API endpoint permissions assigned to the given user.
+	ListUserAPIEndpoints(ctx context.Context, userID uint) ([]APIEndpoint, error)
+
 	///////////////////////////////////////////////////////////////////////////////
 	// QueryStore
 

server/fleet/service.go

@@ -195,6 +195,10 @@ type Service interface {
 	// ModifyUser updates a user's parameters given a UserPayload.
 	ModifyUser(ctx context.Context, userID uint, p UserPayload) (user *User, err error)
 
+	// ModifyAPIOnlyUser patches the allowed properties of an existing API-only user.
+	// Only name, global_role, teams and api_endpoints may be changed.
+	ModifyAPIOnlyUser(ctx context.Context, userID uint, p UserPayload) (user *User, err error)
+
 	// DeleteUser permanently deletes the user identified by the provided ID.
 	DeleteUser(ctx context.Context, id uint) (*User, error)
 

server/fleet/users.go

@@ -24,6 +24,12 @@ type UserSummary struct {
 	APIOnly     bool   `db:"api_only"`
 }
 
+// APIEndpointRef represents an endpoint an API-only user has access to.
+type APIEndpointRef struct {
+	Method string `json:"method"`
+	Path   string `json:"path"`
+}
+
 // User is the model struct that represents a Fleet user.
 type User struct {
 	UpdateCreateTimestamps
@@ -50,6 +56,10 @@ type User struct {
 
 	Settings *UserSettings `json:"settings,omitempty"`
 	Deleted  bool          `json:"-" db:"deleted"`
+
+	// APIEndpoints if this user is an API-only user, this returns
+	// a list of all end-points the user has access to.
+	APIEndpoints []APIEndpointRef `json:"api_endpoints,omitempty"`
 }
 
 type UserSettings struct {
@@ -200,6 +210,10 @@ type UserPayload struct {
 	NewPassword              *string       `json:"new_password,omitempty"`
 	Settings                 *UserSettings `json:"settings,omitempty"`
 	InviteID                 *uint         `json:"-"`
+
+	// If this is an API-only user, then this can be used to specify which
+	// API endpoints the user has access to
+	APIEndpoints *[]APIEndpointRef `json:"api_endpoints,omitempty"`
 }
 
 func (p *UserPayload) VerifyInviteCreate() error {
@@ -352,6 +366,9 @@ func (p UserPayload) User(keySize, cost int) (*User, error) {
 	if p.InviteID != nil {
 		user.InviteID = p.InviteID
 	}
+	if p.APIEndpoints != nil {
+		user.APIEndpoints = *p.APIEndpoints
+	}
 
 	return user, nil
 }