Merge branch 'release/1.17.1'

* refactor(api): refactor TLS support

* feat(api): migrate endpoint data

* refactor(api): remove unused code and rename functions

* refactor(app): remove console.log statement

.codeclimate.yml

@@ -12,7 +12,8 @@ engines:
     enabled: true
     config:
       languages:
-      - javascript
+        javascript:
+          mass_threshold: 80
   eslint:
     enabled: true
     config:

.codefresh/codefresh_branch.yml

@@ -13,14 +13,28 @@ steps:
     image: portainer/angular-builder:latest
     working_directory: ${{build_backend}}
     commands:
-      - npm install -g bower grunt grunt-cli && npm install
-      - bower install --allow-root
-      - grunt build-webapp
+      - yarn
+      - yarn grunt build-webapp
       - mv api/cmd/portainer/portainer dist/
 
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
   build_image:
     type: build
-    working_directory: ${{build_frontend}}
+    working_directory: ${{download_docker_binary}}
     dockerfile: ./build/linux/Dockerfile
     image_name: portainer/portainer
     tag: ${{CF_BRANCH}}
@@ -30,7 +44,3 @@ steps:
     candidate: '${{build_image}}'
     tag: '${{CF_BRANCH}}'
     registry: dockerhub
-    when:
-      branch:
-        only:
-          - develop

.codefresh/codefresh_pullrequest.yml

@@ -0,0 +1,46 @@
+version: '1.0'
+steps:
+
+  build_backend:
+    image: portainer/golang-builder:ci
+    working_directory: ${{main_clone}}
+    commands:
+      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
+      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+      - /build.sh api/cmd/portainer
+
+  build_frontend:
+    image: portainer/angular-builder:latest
+    working_directory: ${{build_backend}}
+    commands:
+      - yarn
+      - yarn grunt build-webapp
+      - mv api/cmd/portainer/portainer dist/
+
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
+  build_image:
+    type: build
+    working_directory: ${{download_docker_binary}}
+    dockerfile: ./build/linux/Dockerfile
+    image_name: portainer/portainer
+    tag: ${{CF_BRANCH}}
+
+  push_image:
+    type: push
+    candidate: '${{build_image}}'
+    tag: 'pr${{CF_PULL_REQUEST_NUMBER}}'
+    registry: dockerhub

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,47 @@
+---
+name: Bug report
+about: Create a bug report
+
+---
+
+<!--
+
+Thanks for reporting a bug for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Bug description**
+
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+Briefly describe what you were expecting.
+
+**Steps to reproduce the issue:**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Technical details:**
+
+* Portainer version:
+* Docker version (managed by Portainer):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Browser:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/Custom.md

@@ -0,0 +1,15 @@
+---
+name: Question
+about: Ask us a question about Portainer usage or deployment
+
+---
+
+<!--
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Question**:
+How can I deploy Portainer on... ?

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest a feature/enhancement that should be added in Portainer
+
+---
+
+<!--
+
+Thanks for opening a feature request for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at anthony.lapenna@portainer.io. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -30,9 +30,6 @@ You can have a use Github filters to list these issues:
 * intermediate labeled issues: https://github.com/portainer/portainer/labels/exp%2Fintermediate
 * advanced labeled issues: https://github.com/portainer/portainer/labels/exp%2Fadvanced
 
-### Linting
-
-Please check your code using `grunt lint` before submitting your pull requests.
 
 ### Commit Message Format
 

README.md

@@ -1,29 +1,39 @@
 
 <p align="center">
-  <img title="portainer" src='http://portainer.io/images/logo_alt.png' />
+  <img title="portainer" src='https://portainer.io/images/logo_alt.png' />
 </p>
 
 [![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
 [![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer "Image size")
-[![Documentation Status](https://readthedocs.org/projects/portainer/badge/?version=stable)](http://portainer.readthedocs.io/en/latest/?badge=stable)
+[![Documentation Status](https://readthedocs.org/projects/portainer/badge/?version=stable)](http://portainer.readthedocs.io/en/stable/?badge=stable)
 [![Codefresh build status]( https://g.codefresh.io/api/badges/build?repoOwner=portainer&repoName=portainer&branch=develop&pipelineName=portainer-ci&accountName=deviantony&type=cf-1)]( https://g.codefresh.io/repositories/portainer/portainer/builds?filter=trigger:build;branch:develop;service:5922a08a3a1aab000116fcc6~portainer-ci)
+[![Code Climate](https://codeclimate.com/github/portainer/portainer/badges/gpa.svg)](https://codeclimate.com/github/portainer/portainer)
+[![Slack](https://portainer.io/slack/badge.svg)](https://portainer.io/slack/)
 [![Gitter](https://badges.gitter.im/portainer/Lobby.svg)](https://gitter.im/portainer/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YHXZJQNJQ36H6)
 
-**_Portainer_** is a lightweight management UI which allows you to **easily** manage your Docker host or Swarm cluster.
+**_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
 
-**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (Docker for Linux and Docker for Windows are supported).
+**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container).
 
-**_Portainer_** allows you to manage your Docker containers, images, volumes, networks and more ! It is compatible with the *standalone Docker* engine and with *Docker Swarm*.
+**_Portainer_** allows you to manage your Docker containers, images, volumes, networks and more ! It is compatible with the *standalone Docker* engine and with *Docker Swarm mode*.
 
 ## Demo
 
-<img src="http://portainer.io/images/screenshots/portainer.gif" width="77%"/>
+<img src="https://portainer.io/images/screenshots/portainer.gif" width="77%"/>
 
 You can try out the public demo instance: http://demo.portainer.io/ (login with the username **admin** and the password **tryportainer**).
 
 Please note that the public demo cluster is **reset every 15min**.
 
+Alternatively, you can deploy a copy of the demo stack inside a [play-with-docker (PWD)](https://labs.play-with-docker.com) playground:
+
+- Browse [PWD/?stack=portainer-demo/play-with-docker/docker-stack.yml](http://play-with-docker.com/?stack=https://raw.githubusercontent.com/portainer/portainer-demo/master/play-with-docker/docker-stack.yml)
+- Sign in with your [Docker ID](https://docs.docker.com/docker-id)
+- Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.
+
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are same, including default credentials.
+
 ## Getting started
 
 * [Deploy Portainer](https://portainer.readthedocs.io/en/latest/deployment.html)
@@ -33,8 +43,8 @@ Please note that the public demo cluster is **reset every 15min**.
 
 * Issues: https://github.com/portainer/portainer/issues
 * FAQ: https://portainer.readthedocs.io/en/latest/faq.html
+* Slack (chat): https://portainer.io/slack/
 * Gitter (chat): https://gitter.im/portainer/Lobby
-* Slack: http://portainer.io/slack/
 
 ## Reporting bugs and contributing
 

api/archive/tar.go

@@ -0,0 +1,36 @@
+package archive
+
+import (
+	"archive/tar"
+	"bytes"
+)
+
+// TarFileInBuffer will create a tar archive containing a single file named via fileName and using the content
+// specified in fileContent. Returns the archive as a byte array.
+func TarFileInBuffer(fileContent []byte, fileName string) ([]byte, error) {
+	var buffer bytes.Buffer
+	tarWriter := tar.NewWriter(&buffer)
+
+	header := &tar.Header{
+		Name: fileName,
+		Mode: 0600,
+		Size: int64(len(fileContent)),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = tarWriter.Write(fileContent)
+	if err != nil {
+		return nil, err
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	return buffer.Bytes(), nil
+}

api/bolt/datastore.go

@@ -20,8 +20,13 @@ type Store struct {
 	TeamService            *TeamService
 	TeamMembershipService  *TeamMembershipService
 	EndpointService        *EndpointService
+	EndpointGroupService   *EndpointGroupService
 	ResourceControlService *ResourceControlService
 	VersionService         *VersionService
+	SettingsService        *SettingsService
+	RegistryService        *RegistryService
+	DockerHubService       *DockerHubService
+	StackService           *StackService
 
 	db                    *bolt.DB
 	checkForDataMigration bool
@@ -34,7 +39,12 @@ const (
 	teamBucketName            = "teams"
 	teamMembershipBucketName  = "team_membership"
 	endpointBucketName        = "endpoints"
+	endpointGroupBucketName   = "endpoint_groups"
 	resourceControlBucketName = "resource_control"
+	settingsBucketName        = "settings"
+	registryBucketName        = "registries"
+	dockerhubBucketName       = "dockerhub"
+	stackBucketName           = "stacks"
 )
 
 // NewStore initializes a new Store and the associated services
@@ -45,15 +55,25 @@ func NewStore(storePath string) (*Store, error) {
 		TeamService:            &TeamService{},
 		TeamMembershipService:  &TeamMembershipService{},
 		EndpointService:        &EndpointService{},
+		EndpointGroupService:   &EndpointGroupService{},
 		ResourceControlService: &ResourceControlService{},
 		VersionService:         &VersionService{},
+		SettingsService:        &SettingsService{},
+		RegistryService:        &RegistryService{},
+		DockerHubService:       &DockerHubService{},
+		StackService:           &StackService{},
 	}
 	store.UserService.store = store
 	store.TeamService.store = store
 	store.TeamMembershipService.store = store
 	store.EndpointService.store = store
+	store.EndpointGroupService.store = store
 	store.ResourceControlService.store = store
 	store.VersionService.store = store
+	store.SettingsService.store = store
+	store.RegistryService.store = store
+	store.DockerHubService.store = store
+	store.StackService.store = store
 
 	_, err := os.Stat(storePath + "/" + databaseFileName)
 	if err != nil && os.IsNotExist(err) {
@@ -70,40 +90,52 @@ func NewStore(storePath string) (*Store, error) {
 // Open opens and initializes the BoltDB database.
 func (store *Store) Open() error {
 	path := store.Path + "/" + databaseFileName
+
 	db, err := bolt.Open(path, 0600, &bolt.Options{Timeout: 1 * time.Second})
 	if err != nil {
 		return err
 	}
 	store.db = db
+
+	bucketsToCreate := []string{versionBucketName, userBucketName, teamBucketName, endpointBucketName,
+		endpointGroupBucketName, resourceControlBucketName, teamMembershipBucketName, settingsBucketName,
+		registryBucketName, dockerhubBucketName, stackBucketName}
+
 	return db.Update(func(tx *bolt.Tx) error {
-		_, err := tx.CreateBucketIfNotExists([]byte(versionBucketName))
-		if err != nil {
-			return err
-		}
-		_, err = tx.CreateBucketIfNotExists([]byte(userBucketName))
-		if err != nil {
-			return err
-		}
-		_, err = tx.CreateBucketIfNotExists([]byte(teamBucketName))
-		if err != nil {
-			return err
-		}
-		_, err = tx.CreateBucketIfNotExists([]byte(endpointBucketName))
-		if err != nil {
-			return err
-		}
-		_, err = tx.CreateBucketIfNotExists([]byte(resourceControlBucketName))
-		if err != nil {
-			return err
-		}
-		_, err = tx.CreateBucketIfNotExists([]byte(teamMembershipBucketName))
-		if err != nil {
-			return err
+
+		for _, bucket := range bucketsToCreate {
+			_, err := tx.CreateBucketIfNotExists([]byte(bucket))
+			if err != nil {
+				return err
+			}
 		}
+
 		return nil
 	})
 }
 
+// Init creates the default data set.
+func (store *Store) Init() error {
+	groups, err := store.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	if len(groups) == 0 {
+		unassignedGroup := &portainer.EndpointGroup{
+			Name:            "Unassigned",
+			Description:     "Unassigned endpoints",
+			Labels:          []portainer.Pair{},
+			AuthorizedUsers: []portainer.UserID{},
+			AuthorizedTeams: []portainer.TeamID{},
+		}
+
+		return store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
+	}
+
+	return nil
+}
+
 // Close closes the BoltDB database.
 func (store *Store) Close() error {
 	if store.db != nil {

api/bolt/dockerhub_service.go

@@ -0,0 +1,61 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// DockerHubService represents a service for managing registries.
+type DockerHubService struct {
+	store *Store
+}
+
+const (
+	dbDockerHubKey = "DOCKERHUB"
+)
+
+// DockerHub returns the DockerHub object.
+func (service *DockerHubService) DockerHub() (*portainer.DockerHub, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(dockerhubBucketName))
+		value := bucket.Get([]byte(dbDockerHubKey))
+		if value == nil {
+			return portainer.ErrDockerHubNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var dockerhub portainer.DockerHub
+	err = internal.UnmarshalDockerHub(data, &dockerhub)
+	if err != nil {
+		return nil, err
+	}
+	return &dockerhub, nil
+}
+
+// StoreDockerHub persists a DockerHub object.
+func (service *DockerHubService) StoreDockerHub(dockerhub *portainer.DockerHub) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(dockerhubBucketName))
+
+		data, err := internal.MarshalDockerHub(dockerhub)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put([]byte(dbDockerHubKey), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/bolt/endpoint_group_service.go

@@ -0,0 +1,114 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// EndpointGroupService represents a service for managing endpoint groups.
+type EndpointGroupService struct {
+	store *Store
+}
+
+// EndpointGroup returns an endpoint group by ID.
+func (service *EndpointGroupService) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.EndpointGroup, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		value := bucket.Get(internal.Itob(int(ID)))
+		if value == nil {
+			return portainer.ErrEndpointGroupNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var endpointGroup portainer.EndpointGroup
+	err = internal.UnmarshalEndpointGroup(data, &endpointGroup)
+	if err != nil {
+		return nil, err
+	}
+	return &endpointGroup, nil
+}
+
+// EndpointGroups return an array containing all the endpoint groups.
+func (service *EndpointGroupService) EndpointGroups() ([]portainer.EndpointGroup, error) {
+	var endpointGroups = make([]portainer.EndpointGroup, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var endpointGroup portainer.EndpointGroup
+			err := internal.UnmarshalEndpointGroup(v, &endpointGroup)
+			if err != nil {
+				return err
+			}
+			endpointGroups = append(endpointGroups, endpointGroup)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return endpointGroups, nil
+}
+
+// CreateEndpointGroup assign an ID to a new endpoint group and saves it.
+func (service *EndpointGroupService) CreateEndpointGroup(endpointGroup *portainer.EndpointGroup) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+
+		id, _ := bucket.NextSequence()
+		endpointGroup.ID = portainer.EndpointGroupID(id)
+
+		data, err := internal.MarshalEndpointGroup(endpointGroup)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(internal.Itob(int(endpointGroup.ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UpdateEndpointGroup updates an endpoint group.
+func (service *EndpointGroupService) UpdateEndpointGroup(ID portainer.EndpointGroupID, endpointGroup *portainer.EndpointGroup) error {
+	data, err := internal.MarshalEndpointGroup(endpointGroup)
+	if err != nil {
+		return err
+	}
+
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		err = bucket.Put(internal.Itob(int(ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteEndpointGroup deletes an endpoint group.
+func (service *EndpointGroupService) DeleteEndpointGroup(ID portainer.EndpointGroupID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		err := bucket.Delete(internal.Itob(int(ID)))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/bolt/endpoint_service.go

@@ -7,7 +7,7 @@ import (
 	"github.com/boltdb/bolt"
 )
 
-// EndpointService represents a service for managing users.
+// EndpointService represents a service for managing endpoints.
 type EndpointService struct {
 	store *Store
 }

api/bolt/internal/internal.go

@@ -47,6 +47,36 @@ func UnmarshalEndpoint(data []byte, endpoint *portainer.Endpoint) error {
 	return json.Unmarshal(data, endpoint)
 }
 
+// MarshalEndpointGroup encodes an endpoint group to binary format.
+func MarshalEndpointGroup(group *portainer.EndpointGroup) ([]byte, error) {
+	return json.Marshal(group)
+}
+
+// UnmarshalEndpointGroup decodes an endpoint group from a binary data.
+func UnmarshalEndpointGroup(data []byte, group *portainer.EndpointGroup) error {
+	return json.Unmarshal(data, group)
+}
+
+// MarshalStack encodes a stack to binary format.
+func MarshalStack(stack *portainer.Stack) ([]byte, error) {
+	return json.Marshal(stack)
+}
+
+// UnmarshalStack decodes a stack from a binary data.
+func UnmarshalStack(data []byte, stack *portainer.Stack) error {
+	return json.Unmarshal(data, stack)
+}
+
+// MarshalRegistry encodes a registry to binary format.
+func MarshalRegistry(registry *portainer.Registry) ([]byte, error) {
+	return json.Marshal(registry)
+}
+
+// UnmarshalRegistry decodes a registry from a binary data.
+func UnmarshalRegistry(data []byte, registry *portainer.Registry) error {
+	return json.Unmarshal(data, registry)
+}
+
 // MarshalResourceControl encodes a resource control object to binary format.
 func MarshalResourceControl(rc *portainer.ResourceControl) ([]byte, error) {
 	return json.Marshal(rc)
@@ -57,6 +87,26 @@ func UnmarshalResourceControl(data []byte, rc *portainer.ResourceControl) error
 	return json.Unmarshal(data, rc)
 }
 
+// MarshalSettings encodes a settings object to binary format.
+func MarshalSettings(settings *portainer.Settings) ([]byte, error) {
+	return json.Marshal(settings)
+}
+
+// UnmarshalSettings decodes a settings object from a binary data.
+func UnmarshalSettings(data []byte, settings *portainer.Settings) error {
+	return json.Unmarshal(data, settings)
+}
+
+// MarshalDockerHub encodes a Dockerhub object to binary format.
+func MarshalDockerHub(settings *portainer.DockerHub) ([]byte, error) {
+	return json.Marshal(settings)
+}
+
+// UnmarshalDockerHub decodes a Dockerhub object from a binary data.
+func UnmarshalDockerHub(data []byte, settings *portainer.DockerHub) error {
+	return json.Unmarshal(data, settings)
+}
+
 // Itob returns an 8-byte big endian representation of v.
 // This function is typically used for encoding integer IDs to byte slices
 // so that they can be used as BoltDB keys.

api/bolt/migrate_dbversion10.go

@@ -0,0 +1,28 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion11() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		if endpoint.Type == portainer.AgentOnDockerEnvironment {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = true
+		} else {
+			if endpoint.TLSConfig.TLSSkipVerify && !endpoint.TLSConfig.TLS {
+				endpoint.TLSConfig.TLSSkipVerify = false
+			}
+		}
+
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion2.go

@@ -0,0 +1,25 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateSettingsToDBVersion3() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AuthenticationMethod = portainer.AuthenticationInternal
+	legacySettings.LDAPSettings = portainer.LDAPSettings{
+		TLSConfig: portainer.TLSConfiguration{},
+		SearchSettings: []portainer.LDAPSearchSettings{
+			portainer.LDAPSearchSettings{},
+		},
+	}
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion3.go

@@ -0,0 +1,27 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToDBVersion4() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.TLSConfig = portainer.TLSConfiguration{}
+		if endpoint.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = endpoint.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = endpoint.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = endpoint.TLSKeyPath
+		}
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion4.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion5() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowBindMountsForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion5.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion6() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowPrivilegedModeForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion6.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion7() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.DisplayDonationHeader = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion7.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion8() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Extensions = []portainer.EndpointExtension{}
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion8.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion9() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.GroupID = portainer.EndpointGroupID(1)
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion9.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion10() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Type = portainer.DockerEnvironment
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator.go

@@ -7,6 +7,7 @@ type Migrator struct {
 	UserService            *UserService
 	EndpointService        *EndpointService
 	ResourceControlService *ResourceControlService
+	SettingsService        *SettingsService
 	VersionService         *VersionService
 	CurrentDBVersion       int
 	store                  *Store
@@ -18,6 +19,7 @@ func NewMigrator(store *Store, version int) *Migrator {
 		UserService:            store.UserService,
 		EndpointService:        store.EndpointService,
 		ResourceControlService: store.ResourceControlService,
+		SettingsService:        store.SettingsService,
 		VersionService:         store.VersionService,
 		CurrentDBVersion:       version,
 		store:                  store,
@@ -28,7 +30,7 @@ func NewMigrator(store *Store, version int) *Migrator {
 func (m *Migrator) Migrate() error {
 
 	// Portainer < 1.12
-	if m.CurrentDBVersion == 0 {
+	if m.CurrentDBVersion < 1 {
 		err := m.updateAdminUserToDBVersion1()
 		if err != nil {
 			return err
@@ -36,7 +38,7 @@ func (m *Migrator) Migrate() error {
 	}
 
 	// Portainer 1.12.x
-	if m.CurrentDBVersion == 1 {
+	if m.CurrentDBVersion < 2 {
 		err := m.updateResourceControlsToDBVersion2()
 		if err != nil {
 			return err
@@ -47,6 +49,77 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// Portainer 1.13.x
+	if m.CurrentDBVersion < 3 {
+		err := m.updateSettingsToDBVersion3()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.14.0
+	if m.CurrentDBVersion < 4 {
+		err := m.updateEndpointsToDBVersion4()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1235
+	if m.CurrentDBVersion < 5 {
+		err := m.updateSettingsToVersion5()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1236
+	if m.CurrentDBVersion < 6 {
+		err := m.updateSettingsToVersion6()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1449
+	if m.CurrentDBVersion < 7 {
+		err := m.updateSettingsToVersion7()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.CurrentDBVersion < 8 {
+		err := m.updateEndpointsToVersion8()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https: //github.com/portainer/portainer/issues/1396
+	if m.CurrentDBVersion < 9 {
+		err := m.updateEndpointsToVersion9()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/461
+	if m.CurrentDBVersion < 10 {
+		err := m.updateEndpointsToVersion10()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1906
+	if m.CurrentDBVersion < 11 {
+		err := m.updateEndpointsToVersion11()
+		if err != nil {
+			return err
+		}
+	}
+
 	err := m.VersionService.StoreDBVersion(portainer.DBVersion)
 	if err != nil {
 		return err

api/bolt/registry_service.go

@@ -0,0 +1,114 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// RegistryService represents a service for managing registries.
+type RegistryService struct {
+	store *Store
+}
+
+// Registry returns an registry by ID.
+func (service *RegistryService) Registry(ID portainer.RegistryID) (*portainer.Registry, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(registryBucketName))
+		value := bucket.Get(internal.Itob(int(ID)))
+		if value == nil {
+			return portainer.ErrRegistryNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var registry portainer.Registry
+	err = internal.UnmarshalRegistry(data, &registry)
+	if err != nil {
+		return nil, err
+	}
+	return &registry, nil
+}
+
+// Registries returns an array containing all the registries.
+func (service *RegistryService) Registries() ([]portainer.Registry, error) {
+	var registries = make([]portainer.Registry, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(registryBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var registry portainer.Registry
+			err := internal.UnmarshalRegistry(v, &registry)
+			if err != nil {
+				return err
+			}
+			registries = append(registries, registry)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return registries, nil
+}
+
+// CreateRegistry creates a new registry.
+func (service *RegistryService) CreateRegistry(registry *portainer.Registry) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(registryBucketName))
+
+		id, _ := bucket.NextSequence()
+		registry.ID = portainer.RegistryID(id)
+
+		data, err := internal.MarshalRegistry(registry)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(internal.Itob(int(registry.ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UpdateRegistry updates an registry.
+func (service *RegistryService) UpdateRegistry(ID portainer.RegistryID, registry *portainer.Registry) error {
+	data, err := internal.MarshalRegistry(registry)
+	if err != nil {
+		return err
+	}
+
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(registryBucketName))
+		err = bucket.Put(internal.Itob(int(ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteRegistry deletes an registry.
+func (service *RegistryService) DeleteRegistry(ID portainer.RegistryID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(registryBucketName))
+		err := bucket.Delete(internal.Itob(int(ID)))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/bolt/settings_service.go

@@ -0,0 +1,61 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// SettingsService represents a service to manage application settings.
+type SettingsService struct {
+	store *Store
+}
+
+const (
+	dbSettingsKey = "SETTINGS"
+)
+
+// Settings retrieve the settings object.
+func (service *SettingsService) Settings() (*portainer.Settings, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(settingsBucketName))
+		value := bucket.Get([]byte(dbSettingsKey))
+		if value == nil {
+			return portainer.ErrSettingsNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var settings portainer.Settings
+	err = internal.UnmarshalSettings(data, &settings)
+	if err != nil {
+		return nil, err
+	}
+	return &settings, nil
+}
+
+// StoreSettings persists a Settings object.
+func (service *SettingsService) StoreSettings(settings *portainer.Settings) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(settingsBucketName))
+
+		data, err := internal.MarshalSettings(settings)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put([]byte(dbSettingsKey), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/bolt/stack_service.go

@@ -0,0 +1,138 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// StackService represents a service for managing stacks.
+type StackService struct {
+	store *Store
+}
+
+// Stack returns a stack object by ID.
+func (service *StackService) Stack(ID portainer.StackID) (*portainer.Stack, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		value := bucket.Get([]byte(ID))
+		if value == nil {
+			return portainer.ErrStackNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var stack portainer.Stack
+	err = internal.UnmarshalStack(data, &stack)
+	if err != nil {
+		return nil, err
+	}
+	return &stack, nil
+}
+
+// Stacks returns an array containing all the stacks.
+func (service *StackService) Stacks() ([]portainer.Stack, error) {
+	var stacks = make([]portainer.Stack, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.Stack
+			err := internal.UnmarshalStack(v, &stack)
+			if err != nil {
+				return err
+			}
+			stacks = append(stacks, stack)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return stacks, nil
+}
+
+// StacksBySwarmID return an array containing all the stacks related to the specified Swarm ID.
+func (service *StackService) StacksBySwarmID(id string) ([]portainer.Stack, error) {
+	var stacks = make([]portainer.Stack, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.Stack
+			err := internal.UnmarshalStack(v, &stack)
+			if err != nil {
+				return err
+			}
+			if stack.SwarmID == id {
+				stacks = append(stacks, stack)
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return stacks, nil
+}
+
+// CreateStack creates a new stack.
+func (service *StackService) CreateStack(stack *portainer.Stack) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		data, err := internal.MarshalStack(stack)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put([]byte(stack.ID), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UpdateStack updates an stack.
+func (service *StackService) UpdateStack(ID portainer.StackID, stack *portainer.Stack) error {
+	data, err := internal.MarshalStack(stack)
+	if err != nil {
+		return err
+	}
+
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		err = bucket.Put([]byte(ID), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteStack deletes an stack.
+func (service *StackService) DeleteStack(ID portainer.StackID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		err := bucket.Delete([]byte(ID))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/cli/cli.go

@@ -6,6 +6,7 @@ import (
 	"github.com/portainer/portainer"
 
 	"os"
+	"path/filepath"
 	"strings"
 
 	"gopkg.in/alecthomas/kingpin.v2"
@@ -15,12 +16,13 @@ import (
 type Service struct{}
 
 const (
-	errInvalidEndpointProtocol    = portainer.Error("Invalid endpoint protocol: Portainer only supports unix:// or tcp://")
-	errSocketNotFound             = portainer.Error("Unable to locate Unix socket")
-	errEndpointsFileNotFound      = portainer.Error("Unable to locate external endpoints file")
-	errInvalidSyncInterval        = portainer.Error("Invalid synchronization interval")
-	errEndpointExcludeExternal    = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
-	errNoAuthExcludeAdminPassword = portainer.Error("Cannot use --no-auth with --admin-password")
+	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix:// or tcp://")
+	errSocketNotFound                = portainer.Error("Unable to locate Unix socket")
+	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
+	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
+	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
+	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
+	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )
 
 // ParseFlags parse the CLI flags and return a portainer.Flags struct
@@ -28,39 +30,50 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	kingpin.Version(version)
 
 	flags := &portainer.CLIFlags{
-		Endpoint:          kingpin.Flag("host", "Dockerd endpoint").Short('H').String(),
-		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
-		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
-		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
-		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
 		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
 		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
-		Templates:         kingpin.Flag("templates", "URL to the templates (apps) definitions").Default(defaultTemplatesURL).Short('t').String(),
+		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
+		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
 		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
-		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAuth).Bool(),
-		TLSVerify:         kingpin.Flag("tlsverify", "TLS support").Default(defaultTLSVerify).Bool(),
+		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
+		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
+		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
 		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
 		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
 		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
 		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
 		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
 		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
 		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
+		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
+		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
+		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
+		Templates:         kingpin.Flag("templates", "URL to the templates (apps) definitions").Short('t').String(),
 	}
 
 	kingpin.Parse()
+
+	if !filepath.IsAbs(*flags.Assets) {
+		ex, err := os.Executable()
+		if err != nil {
+			panic(err)
+		}
+		*flags.Assets = filepath.Join(filepath.Dir(ex), *flags.Assets)
+	}
+
 	return flags, nil
 }
 
 // ValidateFlags validates the values of the flags.
 func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 
-	if *flags.Endpoint != "" && *flags.ExternalEndpoints != "" {
+	if *flags.EndpointURL != "" && *flags.ExternalEndpoints != "" {
 		return errEndpointExcludeExternal
 	}
 
-	err := validateEndpoint(*flags.Endpoint)
+	err := validateEndpointURL(*flags.EndpointURL)
 	if err != nil {
 		return err
 	}
@@ -75,21 +88,25 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 		return err
 	}
 
-	if *flags.NoAuth && (*flags.AdminPassword != "") {
+	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
 		return errNoAuthExcludeAdminPassword
 	}
 
+	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
+		return errAdminPassExcludeAdminPassFile
+	}
+
 	return nil
 }
 
-func validateEndpoint(endpoint string) error {
-	if endpoint != "" {
-		if !strings.HasPrefix(endpoint, "unix://") && !strings.HasPrefix(endpoint, "tcp://") {
+func validateEndpointURL(endpointURL string) error {
+	if endpointURL != "" {
+		if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") {
 			return errInvalidEndpointProtocol
 		}
 
-		if strings.HasPrefix(endpoint, "unix://") {
-			socketPath := strings.TrimPrefix(endpoint, "unix://")
+		if strings.HasPrefix(endpointURL, "unix://") {
+			socketPath := strings.TrimPrefix(endpointURL, "unix://")
 			if _, err := os.Stat(socketPath); err != nil {
 				if os.IsNotExist(err) {
 					return errSocketNotFound

api/cli/defaults.go

@@ -5,11 +5,11 @@ package cli
 const (
 	defaultBindAddress     = ":9000"
 	defaultDataDirectory   = "/data"
-	defaultAssetsDirectory = "."
-	defaultTemplatesURL    = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
+	defaultAssetsDirectory = "./"
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
-	defaultTLSVerify       = "false"
+	defaultTLS             = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "/certs/ca.pem"
 	defaultTLSCertPath     = "/certs/cert.pem"
 	defaultTLSKeyPath      = "/certs/key.pem"

api/cli/defaults_windows.go

@@ -3,11 +3,11 @@ package cli
 const (
 	defaultBindAddress     = ":9000"
 	defaultDataDirectory   = "C:\\data"
-	defaultAssetsDirectory = "."
-	defaultTemplatesURL    = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
+	defaultAssetsDirectory = "./"
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
-	defaultTLSVerify       = "false"
+	defaultTLS             = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "C:\\certs\\ca.pem"
 	defaultTLSCertPath     = "C:\\certs\\cert.pem"
 	defaultTLSKeyPath      = "C:\\certs\\key.pem"

api/cmd/portainer/main.go

@@ -1,14 +1,20 @@
 package main // import "github.com/portainer/portainer"
 
 import (
+	"strings"
+
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/bolt"
 	"github.com/portainer/portainer/cli"
 	"github.com/portainer/portainer/cron"
 	"github.com/portainer/portainer/crypto"
-	"github.com/portainer/portainer/file"
+	"github.com/portainer/portainer/exec"
+	"github.com/portainer/portainer/filesystem"
+	"github.com/portainer/portainer/git"
 	"github.com/portainer/portainer/http"
+	"github.com/portainer/portainer/http/client"
 	"github.com/portainer/portainer/jwt"
+	"github.com/portainer/portainer/ldap"
 
 	"log"
 )
@@ -28,7 +34,7 @@ func initCLI() *portainer.CLIFlags {
 }
 
 func initFileService(dataStorePath string) portainer.FileService {
-	fileService, err := file.NewService(dataStorePath, "")
+	fileService, err := filesystem.NewService(dataStorePath, "")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -46,6 +52,11 @@ func initStore(dataStorePath string) *bolt.Store {
 		log.Fatal(err)
 	}
 
+	err = store.Init()
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	err = store.MigrateData()
 	if err != nil {
 		log.Fatal(err)
@@ -53,6 +64,10 @@ func initStore(dataStorePath string) *bolt.Store {
 	return store
 }
 
+func initStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (portainer.StackManager, error) {
+	return exec.NewStackManager(assetsPath, dataStorePath, signatureService, fileService)
+}
+
 func initJWTService(authenticationEnabled bool) portainer.JWTService {
 	if authenticationEnabled {
 		jwtService, err := jwt.NewService()
@@ -64,10 +79,22 @@ func initJWTService(authenticationEnabled bool) portainer.JWTService {
 	return nil
 }
 
+func initDigitalSignatureService() portainer.DigitalSignatureService {
+	return &crypto.ECDSAService{}
+}
+
 func initCryptoService() portainer.CryptoService {
 	return &crypto.Service{}
 }
 
+func initLDAPService() portainer.LDAPService {
+	return &ldap.Service{}
+}
+
+func initGitService() portainer.GitService {
+	return &git.Service{}
+}
+
 func initEndpointWatcher(endpointService portainer.EndpointService, externalEnpointFile string, syncInterval string) bool {
 	authorizeEndpointMgmt := true
 	if externalEnpointFile != "" {
@@ -82,16 +109,69 @@ func initEndpointWatcher(endpointService portainer.EndpointService, externalEnpo
 	return authorizeEndpointMgmt
 }
 
-func initSettings(authorizeEndpointMgmt bool, flags *portainer.CLIFlags) *portainer.Settings {
-	return &portainer.Settings{
-		HiddenLabels:       *flags.Labels,
-		Logo:               *flags.Logo,
+func initStatus(authorizeEndpointMgmt bool, flags *portainer.CLIFlags) *portainer.Status {
+	return &portainer.Status{
 		Analytics:          !*flags.NoAnalytics,
 		Authentication:     !*flags.NoAuth,
 		EndpointManagement: authorizeEndpointMgmt,
+		Version:            portainer.APIVersion,
 	}
 }
 
+func initDockerHub(dockerHubService portainer.DockerHubService) error {
+	_, err := dockerHubService.DockerHub()
+	if err == portainer.ErrDockerHubNotFound {
+		dockerhub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
+		}
+		return dockerHubService.StoreDockerHub(dockerhub)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initSettings(settingsService portainer.SettingsService, flags *portainer.CLIFlags) error {
+	_, err := settingsService.Settings()
+	if err == portainer.ErrSettingsNotFound {
+		settings := &portainer.Settings{
+			LogoURL:                     *flags.Logo,
+			DisplayDonationHeader:       true,
+			DisplayExternalContributors: false,
+			AuthenticationMethod:        portainer.AuthenticationInternal,
+			LDAPSettings: portainer.LDAPSettings{
+				TLSConfig: portainer.TLSConfiguration{},
+				SearchSettings: []portainer.LDAPSearchSettings{
+					portainer.LDAPSearchSettings{},
+				},
+			},
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
+		}
+
+		if *flags.Templates != "" {
+			settings.TemplatesURL = *flags.Templates
+		} else {
+			settings.TemplatesURL = portainer.DefaultTemplatesURL
+		}
+
+		if *flags.Labels != nil {
+			settings.BlackListedLabels = *flags.Labels
+		} else {
+			settings.BlackListedLabels = make([]portainer.Pair, 0)
+		}
+
+		return settingsService.StoreSettings(settings)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService) *portainer.Endpoint {
 	endpoints, err := endpointService.Endpoints()
 	if err != nil {
@@ -100,6 +180,122 @@ func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService
 	return &endpoints[0]
 }
 
+func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := fileService.LoadKeyPair()
+	if err != nil {
+		return err
+	}
+	return signatureService.ParseKeyPair(private, public)
+}
+
+func generateAndStoreKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := signatureService.GenerateKeyPair()
+	if err != nil {
+		return err
+	}
+	privateHeader, publicHeader := signatureService.PEMHeaders()
+	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
+}
+
+func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	existingKeyPair, err := fileService.KeyPairFilesExist()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if existingKeyPair {
+		return loadAndParseKeyPair(fileService, signatureService)
+	}
+	return generateAndStoreKeyPair(fileService, signatureService)
+}
+
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService) error {
+	tlsConfiguration := portainer.TLSConfiguration{
+		TLS:           *flags.TLS,
+		TLSSkipVerify: *flags.TLSSkipVerify,
+	}
+
+	if *flags.TLS {
+		tlsConfiguration.TLSCACertPath = *flags.TLSCacert
+		tlsConfiguration.TLSCertPath = *flags.TLSCert
+		tlsConfiguration.TLSKeyPath = *flags.TLSKey
+	} else if !*flags.TLS && *flags.TLSSkipVerify {
+		tlsConfiguration.TLS = true
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:            "primary",
+		URL:             *flags.EndpointURL,
+		GroupID:         portainer.EndpointGroupID(1),
+		Type:            portainer.DockerEnvironment,
+		TLSConfig:       tlsConfiguration,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	if strings.HasPrefix(endpoint.URL, "tcp://") {
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration.TLSCACertPath, tlsConfiguration.TLSCertPath, tlsConfiguration.TLSKeyPath, tlsConfiguration.TLSSkipVerify)
+		if err != nil {
+			return err
+		}
+
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfig)
+		if err != nil {
+			return err
+		}
+
+		if agentOnDockerEnvironment {
+			endpoint.Type = portainer.AgentOnDockerEnvironment
+		}
+	}
+
+	return endpointService.CreateEndpoint(endpoint)
+}
+
+func createUnsecuredEndpoint(endpointURL string, endpointService portainer.EndpointService) error {
+	if strings.HasPrefix(endpointURL, "tcp://") {
+		_, err := client.ExecutePingOperation(endpointURL, nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:            "primary",
+		URL:             endpointURL,
+		GroupID:         portainer.EndpointGroupID(1),
+		Type:            portainer.DockerEnvironment,
+		TLSConfig:       portainer.TLSConfiguration{},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	return endpointService.CreateEndpoint(endpoint)
+}
+
+func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService) error {
+	if *flags.EndpointURL == "" {
+		return nil
+	}
+
+	endpoints, err := endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	if len(endpoints) > 0 {
+		log.Println("Instance already has defined endpoints. Skipping the endpoint defined via CLI.")
+		return nil
+	}
+
+	if *flags.TLS || *flags.TLSSkipVerify {
+		return createTLSSecuredEndpoint(flags, endpointService)
+	}
+	return createUnsecuredEndpoint(*flags.EndpointURL, endpointService)
+}
+
 func main() {
 	flags := initCLI()
 
@@ -112,71 +308,107 @@ func main() {
 
 	cryptoService := initCryptoService()
 
+	digitalSignatureService := initDigitalSignatureService()
+
+	ldapService := initLDAPService()
+
+	gitService := initGitService()
+
 	authorizeEndpointMgmt := initEndpointWatcher(store.EndpointService, *flags.ExternalEndpoints, *flags.SyncInterval)
 
-	settings := initSettings(authorizeEndpointMgmt, flags)
+	err := initKeyPair(fileService, digitalSignatureService)
+	if err != nil {
+		log.Fatal(err)
+	}
 
-	if *flags.Endpoint != "" {
-		var endpoints []portainer.Endpoint
-		endpoints, err := store.EndpointService.Endpoints()
+	stackManager, err := initStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initSettings(store.SettingsService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initDockerHub(store.DockerHubService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	applicationStatus := initStatus(authorizeEndpointMgmt, flags)
+
+	err = initEndpoint(flags, store.EndpointService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	adminPasswordHash := ""
+	if *flags.AdminPasswordFile != "" {
+		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
 		if err != nil {
 			log.Fatal(err)
 		}
-		if len(endpoints) == 0 {
-			endpoint := &portainer.Endpoint{
-				Name:            "primary",
-				URL:             *flags.Endpoint,
-				TLS:             *flags.TLSVerify,
-				TLSCACertPath:   *flags.TLSCacert,
-				TLSCertPath:     *flags.TLSCert,
-				TLSKeyPath:      *flags.TLSKey,
-				AuthorizedUsers: []portainer.UserID{},
-				AuthorizedTeams: []portainer.TeamID{},
+		adminPasswordHash, err = cryptoService.Hash(content)
+		if err != nil {
+			log.Fatal(err)
+		}
+	} else if *flags.AdminPassword != "" {
+		adminPasswordHash = *flags.AdminPassword
+	}
+
+	if adminPasswordHash != "" {
+		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		if len(users) == 0 {
+			log.Printf("Creating admin user with password hash %s", adminPasswordHash)
+			user := &portainer.User{
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+				Password: adminPasswordHash,
 			}
-			err = store.EndpointService.CreateEndpoint(endpoint)
+			err := store.UserService.CreateUser(user)
 			if err != nil {
 				log.Fatal(err)
 			}
 		} else {
-			log.Println("Instance already has defined endpoints. Skipping the endpoint defined via CLI.")
-		}
-	}
-
-	if *flags.AdminPassword != "" {
-		log.Printf("Creating admin user with password hash %s", *flags.AdminPassword)
-		user := &portainer.User{
-			Username: "admin",
-			Role:     portainer.AdministratorRole,
-			Password: *flags.AdminPassword,
-		}
-		err := store.UserService.CreateUser(user)
-		if err != nil {
-			log.Fatal(err)
+			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
 		}
 	}
 
 	var server portainer.Server = &http.Server{
+		Status:                 applicationStatus,
 		BindAddress:            *flags.Addr,
 		AssetsPath:             *flags.Assets,
-		Settings:               settings,
-		TemplatesURL:           *flags.Templates,
 		AuthDisabled:           *flags.NoAuth,
 		EndpointManagement:     authorizeEndpointMgmt,
 		UserService:            store.UserService,
 		TeamService:            store.TeamService,
 		TeamMembershipService:  store.TeamMembershipService,
 		EndpointService:        store.EndpointService,
+		EndpointGroupService:   store.EndpointGroupService,
 		ResourceControlService: store.ResourceControlService,
+		SettingsService:        store.SettingsService,
+		RegistryService:        store.RegistryService,
+		DockerHubService:       store.DockerHubService,
+		StackService:           store.StackService,
+		StackManager:           stackManager,
 		CryptoService:          cryptoService,
 		JWTService:             jwtService,
 		FileService:            fileService,
+		LDAPService:            ldapService,
+		GitService:             gitService,
+		SignatureService:       digitalSignatureService,
 		SSL:                    *flags.SSL,
 		SSLCert:                *flags.SSLCert,
 		SSLKey:                 *flags.SSLKey,
 	}
 
-	log.Printf("Starting Portainer on %s", *flags.Addr)
-	err := server.Start()
+	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
+	err = server.Start()
 	if err != nil {
 		log.Fatal(err)
 	}

api/cron/endpoint_sync.go

@@ -22,6 +22,16 @@ type (
 		endpointsToUpdate []*portainer.Endpoint
 		endpointsToDelete []*portainer.Endpoint
 	}
+
+	fileEndpoint struct {
+		Name          string `json:"Name"`
+		URL           string `json:"URL"`
+		TLS           bool   `json:"TLS,omitempty"`
+		TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
+		TLSCACert     string `json:"TLSCACert,omitempty"`
+		TLSCert       string `json:"TLSCert,omitempty"`
+		TLSKey        string `json:"TLSKey,omitempty"`
+	}
 )
 
 const (
@@ -55,6 +65,28 @@ func isValidEndpoint(endpoint *portainer.Endpoint) bool {
 	return false
 }
 
+func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
+	convertedEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, e := range fileEndpoints {
+		endpoint := portainer.Endpoint{
+			Name:      e.Name,
+			URL:       e.URL,
+			TLSConfig: portainer.TLSConfiguration{},
+		}
+		if e.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
+			endpoint.TLSConfig.TLSCertPath = e.TLSCert
+			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
+		}
+		convertedEndpoints = append(convertedEndpoints, endpoint)
+	}
+
+	return convertedEndpoints
+}
+
 func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
 	for idx, v := range endpoints {
 		if endpoint.Name == v.Name && isValidEndpoint(&v) {
@@ -66,22 +98,25 @@ func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint
 
 func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
 	var endpoint *portainer.Endpoint
-	if original.URL != updated.URL || original.TLS != updated.TLS ||
-		(updated.TLS && original.TLSCACertPath != updated.TLSCACertPath) ||
-		(updated.TLS && original.TLSCertPath != updated.TLSCertPath) ||
-		(updated.TLS && original.TLSKeyPath != updated.TLSKeyPath) {
+	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
 		endpoint = original
 		endpoint.URL = updated.URL
-		if updated.TLS {
-			endpoint.TLS = true
-			endpoint.TLSCACertPath = updated.TLSCACertPath
-			endpoint.TLSCertPath = updated.TLSCertPath
-			endpoint.TLSKeyPath = updated.TLSKeyPath
+		if updated.TLSConfig.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
 		} else {
-			endpoint.TLS = false
-			endpoint.TLSCACertPath = ""
-			endpoint.TLSCertPath = ""
-			endpoint.TLSKeyPath = ""
+			endpoint.TLSConfig.TLS = false
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = ""
+			endpoint.TLSConfig.TLSCertPath = ""
+			endpoint.TLSConfig.TLSKeyPath = ""
 		}
 	}
 	return endpoint
@@ -107,8 +142,6 @@ func (job endpointSyncJob) prepareSyncData(storedEndpoints, fileEndpoints []port
 			if endpoint != nil {
 				job.logger.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
 				endpointsToUpdate = append(endpointsToUpdate, endpoint)
-			} else {
-				job.logger.Printf("No change detected for a stored endpoint. [name: %v] [url: %v]\n", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
 			}
 		} else {
 			job.logger.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
@@ -117,7 +150,7 @@ func (job endpointSyncJob) prepareSyncData(storedEndpoints, fileEndpoints []port
 	}
 
 	for idx, endpoint := range fileEndpoints {
-		if endpoint.Name == "" || endpoint.URL == "" {
+		if !isValidEndpoint(&endpoint) {
 			job.logger.Printf("Invalid file endpoint definition, skipping. [name: %v] [url: %v]", endpoint.Name, endpoint.URL)
 			continue
 		}
@@ -141,7 +174,7 @@ func (job endpointSyncJob) Sync() error {
 		return err
 	}
 
-	var fileEndpoints []portainer.Endpoint
+	var fileEndpoints []fileEndpoint
 	err = json.Unmarshal(data, &fileEndpoints)
 	if endpointSyncError(err, job.logger) {
 		return err
@@ -156,7 +189,9 @@ func (job endpointSyncJob) Sync() error {
 		return err
 	}
 
-	sync := job.prepareSyncData(storedEndpoints, fileEndpoints)
+	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
+
+	sync := job.prepareSyncData(storedEndpoints, convertedFileEndpoints)
 	if sync.requireSync() {
 		err = job.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
 		if endpointSyncError(err, job.logger) {

api/crypto/ecdsa.go

@@ -0,0 +1,125 @@
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"math/big"
+)
+
+const (
+	// PrivateKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the private key.
+	PrivateKeyPemHeader = "EC PRIVATE KEY"
+	// PublicKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the public key.
+	PublicKeyPemHeader = "ECDSA PUBLIC KEY"
+)
+
+// ECDSAService is a service used to create digital signatures when communicating with
+// an agent based environment. It will automatically generates a key pair using ECDSA or
+// can also reuse an existing ECDSA key pair.
+type ECDSAService struct {
+	privateKey    *ecdsa.PrivateKey
+	publicKey     *ecdsa.PublicKey
+	encodedPubKey string
+}
+
+// EncodedPublicKey returns the encoded version of the public that can be used
+// to be shared with other services. It's the hexadecimal encoding of the public key
+// content.
+func (service *ECDSAService) EncodedPublicKey() string {
+	return service.encodedPubKey
+}
+
+// PEMHeaders returns the ECDSA PEM headers.
+func (service *ECDSAService) PEMHeaders() (string, string) {
+	return PrivateKeyPemHeader, PublicKeyPemHeader
+}
+
+// ParseKeyPair parses existing private/public key pair content and associate
+// the parsed keys to the service.
+func (service *ECDSAService) ParseKeyPair(private, public []byte) error {
+	privateKey, err := x509.ParseECPrivateKey(private)
+	if err != nil {
+		return err
+	}
+
+	service.privateKey = privateKey
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	publicKey, err := x509.ParsePKIXPublicKey(public)
+	if err != nil {
+		return err
+	}
+
+	service.publicKey = publicKey.(*ecdsa.PublicKey)
+
+	return nil
+}
+
+// GenerateKeyPair will create a new key pair using ECDSA.
+func (service *ECDSAService) GenerateKeyPair() ([]byte, []byte, error) {
+	pubkeyCurve := elliptic.P256()
+
+	privatekey, err := ecdsa.GenerateKey(pubkeyCurve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	service.privateKey = privatekey
+	service.publicKey = &privatekey.PublicKey
+
+	private, err := x509.MarshalECPrivateKey(service.privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(service.publicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	return private, public, nil
+}
+
+// Sign creates a signature from a message.
+// It automatically hash the message using MD5 and creates a signature from
+// that hash.
+// It then encodes the generated signature in base64.
+func (service *ECDSAService) Sign(message string) (string, error) {
+	digest := md5.New()
+	digest.Write([]byte(message))
+	hash := digest.Sum(nil)
+
+	r := big.NewInt(0)
+	s := big.NewInt(0)
+
+	r, s, err := ecdsa.Sign(rand.Reader, service.privateKey, hash)
+	if err != nil {
+		return "", err
+	}
+
+	keyBytes := service.privateKey.Params().BitSize / 8
+
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	signature := append(rBytesPadded, sBytesPadded...)
+
+	return base64.RawStdEncoding.EncodeToString(signature), nil
+}

api/crypto/tls.go

@@ -6,21 +6,54 @@ import (
 	"io/ioutil"
 )
 
-// CreateTLSConfiguration initializes a tls.Config using a CA certificate, a certificate and a key
-func CreateTLSConfiguration(caCertPath, certPath, keyPath string) (*tls.Config, error) {
-	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
-	if err != nil {
-		return nil, err
+// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
+// loaded from memory.
+func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
+	config := &tls.Config{}
+	config.InsecureSkipVerify = skipServerVerification
+
+	if !skipClientVerification {
+		certificate, err := tls.X509KeyPair(cert, key)
+		if err != nil {
+			return nil, err
+		}
+		config.Certificates = []tls.Certificate{certificate}
 	}
-	caCert, err := ioutil.ReadFile(caCertPath)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)
-	config := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		RootCAs:      caCertPool,
+
+	if !skipServerVerification {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		config.RootCAs = caCertPool
 	}
+
+	return config, nil
+}
+
+// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
+// loaded from disk.
+func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
+	config := &tls.Config{}
+	config.InsecureSkipVerify = skipServerVerification
+
+	if certPath != "" && keyPath != "" {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			return nil, err
+		}
+
+		config.Certificates = []tls.Certificate{cert}
+	}
+
+	if !skipServerVerification && caCertPath != "" {
+		caCert, err := ioutil.ReadFile(caCertPath)
+		if err != nil {
+			return nil, err
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		config.RootCAs = caCertPool
+	}
+
 	return config, nil
 }

api/errors.go

@@ -4,6 +4,7 @@ package portainer
 const (
 	ErrUnauthorized           = Error("Unauthorized")
 	ErrResourceAccessDenied   = Error("Access denied to resource")
+	ErrResourceNotFound       = Error("Unable to find resource")
 	ErrUnsupportedDockerAPI   = Error("Unsupported Docker API response")
 	ErrMissingSecurityContext = Error("Unable to find security details in request context")
 )
@@ -12,8 +13,10 @@ const (
 const (
 	ErrUserNotFound            = Error("User not found")
 	ErrUserAlreadyExists       = Error("User already exists")
-	ErrInvalidUsername         = Error("Invalid username. White spaces are not allowed.")
-	ErrAdminAlreadyInitialized = Error("Admin user already initialized")
+	ErrInvalidUsername         = Error("Invalid username. White spaces are not allowed")
+	ErrAdminAlreadyInitialized = Error("An administrator user already exists")
+	ErrCannotRemoveAdmin       = Error("Cannot remove the default administrator account")
+	ErrAdminCannotRemoveSelf   = Error("Cannot remove your own user account. Contact another administrator")
 )
 
 // Team errors.
@@ -25,7 +28,7 @@ const (
 // TeamMembership errors.
 const (
 	ErrTeamMembershipNotFound      = Error("Team membership not found")
-	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team.")
+	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team")
 )
 
 // ResourceControl errors.
@@ -41,11 +44,46 @@ const (
 	ErrEndpointAccessDenied = Error("Access denied to endpoint")
 )
 
+// Endpoint group errors.
+const (
+	ErrEndpointGroupNotFound    = Error("Endpoint group not found")
+	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
+)
+
+// Registry errors.
+const (
+	ErrRegistryNotFound      = Error("Registry not found")
+	ErrRegistryAlreadyExists = Error("A registry is already defined for this URL")
+)
+
+// Stack errors
+const (
+	ErrStackNotFound                   = Error("Stack not found")
+	ErrStackAlreadyExists              = Error("A stack already exists with this name")
+	ErrComposeFileNotFoundInRepository = Error("Unable to find a Compose file in the repository")
+)
+
+// Endpoint extensions error
+const (
+	ErrEndpointExtensionNotSupported      = Error("This extension is not supported")
+	ErrEndpointExtensionAlreadyAssociated = Error("This extension is already associated to the endpoint")
+)
+
 // Version errors.
 const (
 	ErrDBVersionNotFound = Error("DB version not found")
 )
 
+// Settings errors.
+const (
+	ErrSettingsNotFound = Error("Settings not found")
+)
+
+// DockerHub errors.
+const (
+	ErrDockerHubNotFound = Error("Dockerhub not found")
+)
+
 // Crypto errors.
 const (
 	ErrCryptoHashFailure = Error("Unable to hash data")

api/exec/stack_manager.go

@@ -0,0 +1,178 @@
+package exec
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+
+	"github.com/portainer/portainer"
+)
+
+// StackManager represents a service for managing stacks.
+type StackManager struct {
+	binaryPath       string
+	dataPath         string
+	signatureService portainer.DigitalSignatureService
+	fileService      portainer.FileService
+}
+
+// NewStackManager initializes a new StackManager service.
+// It also updates the configuration of the Docker CLI binary.
+func NewStackManager(binaryPath, dataPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (*StackManager, error) {
+	manager := &StackManager{
+		binaryPath:       binaryPath,
+		dataPath:         dataPath,
+		signatureService: signatureService,
+		fileService:      fileService,
+	}
+
+	err := manager.updateDockerCLIConfiguration(dataPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return manager, nil
+}
+
+// Login executes the docker login command against a list of registries (including DockerHub).
+func (manager *StackManager) Login(dockerhub *portainer.DockerHub, registries []portainer.Registry, endpoint *portainer.Endpoint) {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	for _, registry := range registries {
+		if registry.Authentication {
+			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
+			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+		}
+	}
+
+	if dockerhub.Authentication {
+		dockerhubArgs := append(args, "login", "--username", dockerhub.Username, "--password", dockerhub.Password)
+		runCommandAndCaptureStdErr(command, dockerhubArgs, nil, "")
+	}
+}
+
+// Logout executes the docker logout command.
+func (manager *StackManager) Logout(endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	args = append(args, "logout")
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+// Deploy executes the docker stack deploy command.
+func (manager *StackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
+	stackFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+
+	if prune {
+		args = append(args, "stack", "deploy", "--prune", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	} else {
+		args = append(args, "stack", "deploy", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	}
+
+	env := make([]string, 0)
+	for _, envvar := range stack.Env {
+		env = append(env, envvar.Name+"="+envvar.Value)
+	}
+
+	stackFolder := path.Dir(stackFilePath)
+	return runCommandAndCaptureStdErr(command, args, env, stackFolder)
+}
+
+// Remove executes the docker stack rm command.
+func (manager *StackManager) Remove(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	args = append(args, "stack", "rm", stack.Name)
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+func runCommandAndCaptureStdErr(command string, args []string, env []string, workingDir string) error {
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Dir = workingDir
+
+	if env != nil {
+		cmd.Env = os.Environ()
+		cmd.Env = append(cmd.Env, env...)
+	}
+
+	err := cmd.Run()
+	if err != nil {
+		return portainer.Error(stderr.String())
+	}
+
+	return nil
+}
+
+func prepareDockerCommandAndArgs(binaryPath, dataPath string, endpoint *portainer.Endpoint) (string, []string) {
+	// Assume Linux as a default
+	command := path.Join(binaryPath, "docker")
+
+	if runtime.GOOS == "windows" {
+		command = path.Join(binaryPath, "docker.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "--config", dataPath)
+	args = append(args, "-H", endpoint.URL)
+
+	if endpoint.TLSConfig.TLS {
+		args = append(args, "--tls")
+
+		if !endpoint.TLSConfig.TLSSkipVerify {
+			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
+		}
+
+		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
+			args = append(args, "--tlscert", endpoint.TLSConfig.TLSCertPath, "--tlskey", endpoint.TLSConfig.TLSKeyPath)
+		}
+	}
+
+	return command, args
+}
+
+func (manager *StackManager) updateDockerCLIConfiguration(dataPath string) error {
+	configFilePath := path.Join(dataPath, "config.json")
+	config, err := manager.retrieveConfigurationFromDisk(configFilePath)
+	if err != nil {
+		return err
+	}
+
+	signature, err := manager.signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
+	}
+
+	if config["HttpHeaders"] == nil {
+		config["HttpHeaders"] = make(map[string]interface{})
+	}
+	headersObject := config["HttpHeaders"].(map[string]interface{})
+	headersObject["X-PortainerAgent-ManagerOperation"] = "1"
+	headersObject["X-PortainerAgent-Signature"] = signature
+	headersObject["X-PortainerAgent-PublicKey"] = manager.signatureService.EncodedPublicKey()
+
+	err = manager.fileService.WriteJSONToFile(configFilePath, config)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (manager *StackManager) retrieveConfigurationFromDisk(path string) (map[string]interface{}, error) {
+	var config map[string]interface{}
+
+	raw, err := manager.fileService.GetFileContent(path)
+	if err != nil {
+		return make(map[string]interface{}), nil
+	}
+
+	err = json.Unmarshal([]byte(raw), &config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}

api/file/file.go

@@ -1,143 +0,0 @@
-package file
-
-import (
-	"github.com/portainer/portainer"
-
-	"io"
-	"os"
-	"path"
-	"strconv"
-)
-
-const (
-	// TLSStorePath represents the subfolder where TLS files are stored in the file store folder.
-	TLSStorePath = "tls"
-	// TLSCACertFile represents the name on disk for a TLS CA file.
-	TLSCACertFile = "ca.pem"
-	// TLSCertFile represents the name on disk for a TLS certificate file.
-	TLSCertFile = "cert.pem"
-	// TLSKeyFile represents the name on disk for a TLS key file.
-	TLSKeyFile = "key.pem"
-)
-
-// Service represents a service for managing files and directories.
-type Service struct {
-	dataStorePath string
-	fileStorePath string
-}
-
-// NewService initializes a new service. It creates a data directory and a directory to store files
-// inside this directory if they don't exist.
-func NewService(dataStorePath, fileStorePath string) (*Service, error) {
-	service := &Service{
-		dataStorePath: dataStorePath,
-		fileStorePath: path.Join(dataStorePath, fileStorePath),
-	}
-
-	// Checking if a mount directory exists is broken with Go on Windows.
-	// This will need to be reviewed after the issue has been fixed in Go.
-	// See: https://github.com/portainer/portainer/issues/474
-	// err := createDirectoryIfNotExist(dataStorePath, 0755)
-	// if err != nil {
-	// 	return nil, err
-	// }
-
-	err := service.createDirectoryInStoreIfNotExist(TLSStorePath)
-	if err != nil {
-		return nil, err
-	}
-
-	return service, nil
-}
-
-// StoreTLSFile creates a subfolder in the TLSStorePath and stores a new file with the content from r.
-func (service *Service) StoreTLSFile(endpointID portainer.EndpointID, fileType portainer.TLSFileType, r io.Reader) error {
-	ID := strconv.Itoa(int(endpointID))
-	endpointStorePath := path.Join(TLSStorePath, ID)
-	err := service.createDirectoryInStoreIfNotExist(endpointStorePath)
-	if err != nil {
-		return err
-	}
-
-	var fileName string
-	switch fileType {
-	case portainer.TLSFileCA:
-		fileName = TLSCACertFile
-	case portainer.TLSFileCert:
-		fileName = TLSCertFile
-	case portainer.TLSFileKey:
-		fileName = TLSKeyFile
-	default:
-		return portainer.ErrUndefinedTLSFileType
-	}
-
-	tlsFilePath := path.Join(endpointStorePath, fileName)
-	err = service.createFileInStore(tlsFilePath, r)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPathForTLSFile returns the absolute path to a specific TLS file for an endpoint.
-func (service *Service) GetPathForTLSFile(endpointID portainer.EndpointID, fileType portainer.TLSFileType) (string, error) {
-	var fileName string
-	switch fileType {
-	case portainer.TLSFileCA:
-		fileName = TLSCACertFile
-	case portainer.TLSFileCert:
-		fileName = TLSCertFile
-	case portainer.TLSFileKey:
-		fileName = TLSKeyFile
-	default:
-		return "", portainer.ErrUndefinedTLSFileType
-	}
-	ID := strconv.Itoa(int(endpointID))
-	return path.Join(service.fileStorePath, TLSStorePath, ID, fileName), nil
-}
-
-// DeleteTLSFiles deletes a folder containing the TLS files for an endpoint.
-func (service *Service) DeleteTLSFiles(endpointID portainer.EndpointID) error {
-	ID := strconv.Itoa(int(endpointID))
-	endpointPath := path.Join(service.fileStorePath, TLSStorePath, ID)
-	err := os.RemoveAll(endpointPath)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// createDirectoryInStoreIfNotExist creates a new directory in the file store if it doesn't exists on the file system.
-func (service *Service) createDirectoryInStoreIfNotExist(name string) error {
-	path := path.Join(service.fileStorePath, name)
-	return createDirectoryIfNotExist(path, 0700)
-}
-
-// createDirectoryIfNotExist creates a directory if it doesn't exists on the file system.
-func createDirectoryIfNotExist(path string, mode uint32) error {
-	_, err := os.Stat(path)
-	if os.IsNotExist(err) {
-		err = os.Mkdir(path, os.FileMode(mode))
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-	return nil
-}
-
-// createFile creates a new file in the file store with the content from r.
-func (service *Service) createFileInStore(filePath string, r io.Reader) error {
-	path := path.Join(service.fileStorePath, filePath)
-	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-	_, err = io.Copy(out, r)
-	if err != nil {
-		return err
-	}
-	return nil
-}

api/filesystem/filesystem.go

@@ -0,0 +1,332 @@
+package filesystem
+
+import (
+	"bytes"
+	"encoding/json"
+	"encoding/pem"
+	"io/ioutil"
+
+	"github.com/portainer/portainer"
+
+	"io"
+	"os"
+	"path"
+)
+
+const (
+	// TLSStorePath represents the subfolder where TLS files are stored in the file store folder.
+	TLSStorePath = "tls"
+	// LDAPStorePath represents the subfolder where LDAP TLS files are stored in the TLSStorePath.
+	LDAPStorePath = "ldap"
+	// TLSCACertFile represents the name on disk for a TLS CA file.
+	TLSCACertFile = "ca.pem"
+	// TLSCertFile represents the name on disk for a TLS certificate file.
+	TLSCertFile = "cert.pem"
+	// TLSKeyFile represents the name on disk for a TLS key file.
+	TLSKeyFile = "key.pem"
+	// ComposeStorePath represents the subfolder where compose files are stored in the file store folder.
+	ComposeStorePath = "compose"
+	// ComposeFileDefaultName represents the default name of a compose file.
+	ComposeFileDefaultName = "docker-compose.yml"
+	// PrivateKeyFile represents the name on disk of the file containing the private key.
+	PrivateKeyFile = "portainer.key"
+	// PublicKeyFile represents the name on disk of the file containing the public key.
+	PublicKeyFile = "portainer.pub"
+)
+
+// Service represents a service for managing files and directories.
+type Service struct {
+	dataStorePath string
+	fileStorePath string
+}
+
+// NewService initializes a new service. It creates a data directory and a directory to store files
+// inside this directory if they don't exist.
+func NewService(dataStorePath, fileStorePath string) (*Service, error) {
+	service := &Service{
+		dataStorePath: dataStorePath,
+		fileStorePath: path.Join(dataStorePath, fileStorePath),
+	}
+
+	err := os.MkdirAll(dataStorePath, 0755)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(TLSStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(ComposeStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	return service, nil
+}
+
+// RemoveDirectory removes a directory on the filesystem.
+func (service *Service) RemoveDirectory(directoryPath string) error {
+	return os.RemoveAll(directoryPath)
+}
+
+// GetStackProjectPath returns the absolute path on the FS for a stack based
+// on its identifier.
+func (service *Service) GetStackProjectPath(stackIdentifier string) string {
+	return path.Join(service.fileStorePath, ComposeStorePath, stackIdentifier)
+}
+
+// StoreStackFileFromString creates a subfolder in the ComposeStorePath and stores a new file using the content from a string.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreStackFileFromString(stackIdentifier, fileName, stackFileContent string) (string, error) {
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+	data := []byte(stackFileContent)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreStackFileFromReader creates a subfolder in the ComposeStorePath and stores a new file using the content from an io.Reader.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreStackFileFromReader(stackIdentifier, fileName string, r io.Reader) (string, error) {
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreTLSFile creates a folder in the TLSStorePath and stores a new file with the content from r.
+func (service *Service) StoreTLSFile(folder string, fileType portainer.TLSFileType, r io.Reader) error {
+	storePath := path.Join(TLSStorePath, folder)
+	err := service.createDirectoryInStore(storePath)
+	if err != nil {
+		return err
+	}
+
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return portainer.ErrUndefinedTLSFileType
+	}
+
+	tlsFilePath := path.Join(storePath, fileName)
+	err = service.createFileInStore(tlsFilePath, r)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPathForTLSFile returns the absolute path to a specific TLS file for an endpoint.
+func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSFileType) (string, error) {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return "", portainer.ErrUndefinedTLSFileType
+	}
+	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
+}
+
+// DeleteTLSFiles deletes a folder in the TLS store path.
+func (service *Service) DeleteTLSFiles(folder string) error {
+	storePath := path.Join(service.fileStorePath, TLSStorePath, folder)
+	err := os.RemoveAll(storePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// DeleteTLSFile deletes a specific TLS file from a folder.
+func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileType) error {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return portainer.ErrUndefinedTLSFileType
+	}
+
+	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
+
+	err := os.Remove(filePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetFileContent returns a string content from file.
+func (service *Service) GetFileContent(filePath string) (string, error) {
+	content, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return "", err
+	}
+
+	return string(content), nil
+}
+
+// WriteJSONToFile writes JSON to the specified file.
+func (service *Service) WriteJSONToFile(path string, content interface{}) error {
+	jsonContent, err := json.Marshal(content)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(path, jsonContent, 0644)
+}
+
+// KeyPairFilesExist checks for the existence of the key files.
+func (service *Service) KeyPairFilesExist() (bool, error) {
+	privateKeyPath := path.Join(service.dataStorePath, PrivateKeyFile)
+	exists, err := fileExists(privateKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	publicKeyPath := path.Join(service.dataStorePath, PublicKeyFile)
+	exists, err = fileExists(publicKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// StoreKeyPair store the specified keys content as PEM files on disk.
+func (service *Service) StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error {
+	err := service.createPEMFileInStore(private, privatePEMHeader, PrivateKeyFile)
+	if err != nil {
+		return err
+	}
+
+	err = service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadKeyPair retrieve the content of both key files on disk.
+func (service *Service) LoadKeyPair() ([]byte, []byte, error) {
+	privateKey, err := service.getContentFromPEMFile(PrivateKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	publicKey, err := service.getContentFromPEMFile(PublicKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return privateKey, publicKey, nil
+}
+
+// createDirectoryInStore creates a new directory in the file store
+func (service *Service) createDirectoryInStore(name string) error {
+	path := path.Join(service.fileStorePath, name)
+	return os.MkdirAll(path, 0700)
+}
+
+// createFile creates a new file in the file store with the content from r.
+func (service *Service) createFileInStore(filePath string, r io.Reader) error {
+	path := path.Join(service.fileStorePath, filePath)
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) createPEMFileInStore(content []byte, fileType, filePath string) error {
+	path := path.Join(service.fileStorePath, filePath)
+	block := &pem.Block{Type: fileType, Bytes: content}
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	err = pem.Encode(out, block)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
+	path := path.Join(service.fileStorePath, filePath)
+
+	fileContent, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(fileContent)
+	return block.Bytes, nil
+}
+
+func fileExists(filePath string) (bool, error) {
+	if _, err := os.Stat(filePath); err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}

api/git/git.go

@@ -0,0 +1,39 @@
+package git
+
+import (
+	"net/url"
+	"strings"
+
+	"gopkg.in/src-d/go-git.v4"
+)
+
+// Service represents a service for managing Git.
+type Service struct{}
+
+// NewService initializes a new service.
+func NewService(dataStorePath string) (*Service, error) {
+	service := &Service{}
+
+	return service, nil
+}
+
+// ClonePublicRepository clones a public git repository using the specified URL in the specified
+// destination folder.
+func (service *Service) ClonePublicRepository(repositoryURL, destination string) error {
+	return cloneRepository(repositoryURL, destination)
+}
+
+// ClonePrivateRepositoryWithBasicAuth clones a private git repository using the specified URL in the specified
+// destination folder. It will use the specified username and password for basic HTTP authentication.
+func (service *Service) ClonePrivateRepositoryWithBasicAuth(repositoryURL, destination, username, password string) error {
+	credentials := username + ":" + url.PathEscape(password)
+	repositoryURL = strings.Replace(repositoryURL, "://", "://"+credentials+"@", 1)
+	return cloneRepository(repositoryURL, destination)
+}
+
+func cloneRepository(repositoryURL, destination string) error {
+	_, err := git.PlainClone(destination, false, &git.CloneOptions{
+		URL: repositoryURL,
+	})
+	return err
+}

api/http/client/client.go

@@ -0,0 +1,46 @@
+package client
+
+import (
+	"crypto/tls"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer"
+)
+
+// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
+// using the specified host and optional TLS configuration.
+func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+	transport := &http.Transport{}
+
+	scheme := "http"
+	if tlsConfig != nil {
+		transport.TLSClientConfig = tlsConfig
+		scheme = "https"
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+func pingOperation(client *http.Client, target string) (bool, error) {
+	pingOperationURL := target + "/_ping"
+
+	response, err := client.Get(pingOperationURL)
+	if err != nil {
+		return false, err
+	}
+
+	agentOnDockerEnvironment := false
+	if response.Header.Get(portainer.PortainerAgentHeader) != "" {
+		agentOnDockerEnvironment = true
+	}
+
+	return agentOnDockerEnvironment, nil
+}

api/http/error/error.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
-	"strings"
 )
 
 // errorResponse is a generic response for sending a error.
@@ -18,13 +17,7 @@ func WriteErrorResponse(w http.ResponseWriter, err error, code int, logger *log.
 		logger.Printf("http error: %s (code=%d)", err, code)
 	}
 
+	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(code)
 	json.NewEncoder(w).Encode(&errorResponse{Err: err.Error()})
 }
-
-// WriteMethodNotAllowedResponse writes an error message to the response and sets the Allow header.
-func WriteMethodNotAllowedResponse(w http.ResponseWriter, allowedMethods []string) {
-	w.Header().Set("Allow", strings.Join(allowedMethods, ", "))
-	w.WriteHeader(http.StatusMethodNotAllowed)
-	json.NewEncoder(w).Encode(&errorResponse{Err: http.StatusText(http.StatusMethodNotAllowed)})
-}

api/http/handler/auth.go

@@ -17,11 +17,13 @@ import (
 // AuthHandler represents an HTTP API handler for managing authentication.
 type AuthHandler struct {
 	*mux.Router
-	Logger        *log.Logger
-	authDisabled  bool
-	UserService   portainer.UserService
-	CryptoService portainer.CryptoService
-	JWTService    portainer.JWTService
+	Logger          *log.Logger
+	authDisabled    bool
+	UserService     portainer.UserService
+	CryptoService   portainer.CryptoService
+	JWTService      portainer.JWTService
+	LDAPService     portainer.LDAPService
+	SettingsService portainer.SettingsService
 }
 
 const (
@@ -35,24 +37,30 @@ const (
 )
 
 // NewAuthHandler returns a new instance of AuthHandler.
-func NewAuthHandler(bouncer *security.RequestBouncer, authDisabled bool) *AuthHandler {
+func NewAuthHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, authDisabled bool) *AuthHandler {
 	h := &AuthHandler{
 		Router:       mux.NewRouter(),
 		Logger:       log.New(os.Stderr, "", log.LstdFlags),
 		authDisabled: authDisabled,
 	}
 	h.Handle("/auth",
-		bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth)))
+		rateLimiter.LimitAccess(bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth)))).Methods(http.MethodPost)
 
 	return h
 }
 
-func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})
-		return
+type (
+	postAuthRequest struct {
+		Username string `valid:"required"`
+		Password string `valid:"required"`
 	}
 
+	postAuthResponse struct {
+		JWT string `json:"jwt"`
+	}
+)
+
+func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Request) {
 	if handler.authDisabled {
 		httperror.WriteErrorResponse(w, ErrAuthDisabled, http.StatusServiceUnavailable, handler.Logger)
 		return
@@ -75,24 +83,39 @@ func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Reques
 
 	u, err := handler.UserService.UserByUsername(username)
 	if err == portainer.ErrUserNotFound {
-		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		httperror.WriteErrorResponse(w, ErrInvalidCredentials, http.StatusBadRequest, handler.Logger)
 		return
 	} else if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	err = handler.CryptoService.CompareHashAndData(u.Password, password)
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidCredentials, http.StatusUnprocessableEntity, handler.Logger)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
+	if settings.AuthenticationMethod == portainer.AuthenticationLDAP && u.ID != 1 {
+		err = handler.LDAPService.AuthenticateUser(username, password, &settings.LDAPSettings)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+	} else {
+		err = handler.CryptoService.CompareHashAndData(u.Password, password)
+		if err != nil {
+			httperror.WriteErrorResponse(w, ErrInvalidCredentials, http.StatusUnprocessableEntity, handler.Logger)
+			return
+		}
+	}
+
 	tokenData := &portainer.TokenData{
 		ID:       u.ID,
 		Username: u.Username,
 		Role:     u.Role,
 	}
+
 	token, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@@ -101,12 +124,3 @@ func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Reques
 
 	encodeJSON(w, &postAuthResponse{JWT: token}, handler.Logger)
 }
-
-type postAuthRequest struct {
-	Username string `valid:"required"`
-	Password string `valid:"required"`
-}
-
-type postAuthResponse struct {
-	JWT string `json:"jwt"`
-}

api/http/handler/docker.go

@@ -20,6 +20,7 @@ type DockerHandler struct {
 	*mux.Router
 	Logger                *log.Logger
 	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
 	TeamMembershipService portainer.TeamMembershipService
 	ProxyManager          *proxy.Manager
 }
@@ -30,29 +31,11 @@ func NewDockerHandler(bouncer *security.RequestBouncer) *DockerHandler {
 		Router: mux.NewRouter(),
 		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
-	h.PathPrefix("/{id}/").Handler(
+	h.PathPrefix("/{id}/docker").Handler(
 		bouncer.AuthenticatedAccess(http.HandlerFunc(h.proxyRequestsToDockerAPI)))
 	return h
 }
 
-func (handler *DockerHandler) checkEndpointAccessControl(endpoint *portainer.Endpoint, userID portainer.UserID) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-
-	memberships, _ := handler.TeamMembershipService.TeamMembershipsByUserID(userID)
-	for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-		for _, membership := range memberships {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
@@ -75,20 +58,35 @@ func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
-	if tokenData.Role != portainer.AdministratorRole && !handler.checkEndpointAccessControl(endpoint, tokenData.ID) {
-		httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+
+	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
+	if tokenData.Role != portainer.AdministratorRole {
+		group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+
+		if !security.AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
+			httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
 	var proxy http.Handler
 	proxy = handler.ProxyManager.GetProxy(string(endpointID))
 	if proxy == nil {
 		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
 		if err != nil {
-			httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
 		}
 	}
 
-	http.StripPrefix("/"+id, proxy).ServeHTTP(w, r)
+	http.StripPrefix("/"+id+"/docker", proxy).ServeHTTP(w, r)
 }

api/http/handler/dockerhub.go

@@ -0,0 +1,91 @@
+package handler
+
+import (
+	"encoding/json"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// DockerHubHandler represents an HTTP API handler for managing DockerHub.
+type DockerHubHandler struct {
+	*mux.Router
+	Logger           *log.Logger
+	DockerHubService portainer.DockerHubService
+}
+
+// NewDockerHubHandler returns a new instance of DockerHubHandler.
+func NewDockerHubHandler(bouncer *security.RequestBouncer) *DockerHubHandler {
+	h := &DockerHubHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/dockerhub",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetDockerHub))).Methods(http.MethodGet)
+	h.Handle("/dockerhub",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutDockerHub))).Methods(http.MethodPut)
+
+	return h
+}
+
+type (
+	putDockerHubRequest struct {
+		Authentication bool   `valid:""`
+		Username       string `valid:""`
+		Password       string `valid:""`
+	}
+)
+
+// handleGetDockerHub handles GET requests on /dockerhub
+func (handler *DockerHubHandler) handleGetDockerHub(w http.ResponseWriter, r *http.Request) {
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub.Password = ""
+
+	encodeJSON(w, dockerhub, handler.Logger)
+	return
+}
+
+// handlePutDockerHub handles PUT requests on /dockerhub
+func (handler *DockerHubHandler) handlePutDockerHub(w http.ResponseWriter, r *http.Request) {
+	var req putDockerHubRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	dockerhub := &portainer.DockerHub{
+		Authentication: false,
+		Username:       "",
+		Password:       "",
+	}
+
+	if req.Authentication {
+		dockerhub.Authentication = true
+		dockerhub.Username = req.Username
+		dockerhub.Password = req.Password
+	}
+
+	err = handler.DockerHubService.StoreDockerHub(dockerhub)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+	}
+}

api/http/handler/endpoint.go

@@ -1,7 +1,12 @@
 package handler
 
 import (
+	"bytes"
+	"strings"
+
 	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/http/client"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
@@ -22,6 +27,7 @@ type EndpointHandler struct {
 	Logger                      *log.Logger
 	authorizeEndpointManagement bool
 	EndpointService             portainer.EndpointService
+	EndpointGroupService        portainer.EndpointGroupService
 	FileService                 portainer.FileService
 	ProxyManager                *proxy.Manager
 }
@@ -55,6 +61,36 @@ func NewEndpointHandler(bouncer *security.RequestBouncer, authorizeEndpointManag
 	return h
 }
 
+type (
+	putEndpointAccessRequest struct {
+		AuthorizedUsers []int `valid:"-"`
+		AuthorizedTeams []int `valid:"-"`
+	}
+
+	putEndpointsRequest struct {
+		Name                string `valid:"-"`
+		URL                 string `valid:"-"`
+		PublicURL           string `valid:"-"`
+		GroupID             int    `valid:"-"`
+		TLS                 bool   `valid:"-"`
+		TLSSkipVerify       bool   `valid:"-"`
+		TLSSkipClientVerify bool   `valid:"-"`
+	}
+
+	postEndpointPayload struct {
+		name                      string
+		url                       string
+		publicURL                 string
+		groupID                   int
+		useTLS                    bool
+		skipTLSServerVerification bool
+		skipTLSClientVerification bool
+		caCert                    []byte
+		cert                      []byte
+		key                       []byte
+	}
+)
+
 // handleGetEndpoints handles GET requests on /endpoints
 func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *http.Request) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -69,7 +105,13 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 		return
 	}
 
-	filteredEndpoints, err := security.FilterEndpoints(endpoints, securityContext)
+	groups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredEndpoints, err := security.FilterEndpoints(endpoints, groups, securityContext)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
@@ -78,6 +120,180 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 	encodeJSON(w, filteredEndpoints, handler.Logger)
 }
 
+func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
+	if err != nil {
+		return nil, err
+	}
+
+	agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	endpointType := portainer.DockerEnvironment
+	if agentOnDockerEnvironment {
+		endpointType = portainer.AgentOnDockerEnvironment
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.name,
+		URL:       payload.url,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.groupID),
+		PublicURL: payload.publicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           payload.useTLS,
+			TLSSkipVerify: payload.skipTLSServerVerification,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	err = handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	folder := strconv.Itoa(int(endpoint.ID))
+
+	if !payload.skipTLSServerVerification {
+		r := bytes.NewReader(payload.caCert)
+		// TODO: review the API exposed by the FileService to store
+		// a file from a byte slice and return the path to the stored file instead
+		// of using multiple legacy calls (StoreTLSFile, GetPathForTLSFile) here.
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileCA, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+		endpoint.TLSConfig.TLSCACertPath = caCertPath
+	}
+
+	if !payload.skipTLSClientVerification {
+		r := bytes.NewReader(payload.cert)
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileCert, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+		endpoint.TLSConfig.TLSCertPath = certPath
+
+		r = bytes.NewReader(payload.key)
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileKey, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+		endpoint.TLSConfig.TLSKeyPath = keyPath
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func (handler *EndpointHandler) createUnsecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	endpointType := portainer.DockerEnvironment
+
+	if !strings.HasPrefix(payload.url, "unix://") {
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, nil)
+		if err != nil {
+			return nil, err
+		}
+		if agentOnDockerEnvironment {
+			endpointType = portainer.AgentOnDockerEnvironment
+		}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.name,
+		URL:       payload.url,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.groupID),
+		PublicURL: payload.publicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	err := handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func (handler *EndpointHandler) createEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	if payload.useTLS {
+		return handler.createTLSSecuredEndpoint(payload)
+	}
+	return handler.createUnsecuredEndpoint(payload)
+}
+
+func convertPostEndpointRequestToPayload(r *http.Request) (*postEndpointPayload, error) {
+	payload := &postEndpointPayload{}
+	payload.name = r.FormValue("Name")
+	payload.url = r.FormValue("URL")
+	payload.publicURL = r.FormValue("PublicURL")
+
+	if payload.name == "" || payload.url == "" {
+		return nil, ErrInvalidRequestFormat
+	}
+
+	rawGroupID := r.FormValue("GroupID")
+	if rawGroupID == "" {
+		payload.groupID = 1
+	} else {
+		groupID, err := strconv.Atoi(rawGroupID)
+		if err != nil {
+			return nil, err
+		}
+		payload.groupID = groupID
+	}
+
+	payload.useTLS = r.FormValue("TLS") == "true"
+
+	if payload.useTLS {
+		payload.skipTLSServerVerification = r.FormValue("TLSSkipVerify") == "true"
+		payload.skipTLSClientVerification = r.FormValue("TLSSkipClientVerify") == "true"
+
+		if !payload.skipTLSServerVerification {
+			caCert, err := getUploadedFileContent(r, "TLSCACertFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.caCert = caCert
+		}
+
+		if !payload.skipTLSClientVerification {
+			cert, err := getUploadedFileContent(r, "TLSCertFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.cert = cert
+			key, err := getUploadedFileContent(r, "TLSKeyFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.key = key
+		}
+	}
+
+	return payload, nil
+}
+
 // handlePostEndpoints handles POST requests on /endpoints
 func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *http.Request) {
 	if !handler.authorizeEndpointManagement {
@@ -85,59 +301,19 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht
 		return
 	}
 
-	var req postEndpointsRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
-		return
-	}
-
-	_, err := govalidator.ValidateStruct(req)
+	payload, err := convertPostEndpointRequestToPayload(r)
 	if err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpoint := &portainer.Endpoint{
-		Name:            req.Name,
-		URL:             req.URL,
-		PublicURL:       req.PublicURL,
-		TLS:             req.TLS,
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-	}
-
-	err = handler.EndpointService.CreateEndpoint(endpoint)
+	endpoint, err := handler.createEndpoint(payload)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	if req.TLS {
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
-		err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
-		if err != nil {
-			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
-			return
-		}
-	}
-
-	encodeJSON(w, &postEndpointsResponse{ID: int(endpoint.ID)}, handler.Logger)
-}
-
-type postEndpointsRequest struct {
-	Name      string `valid:"required"`
-	URL       string `valid:"required"`
-	PublicURL string `valid:"-"`
-	TLS       bool
-}
-
-type postEndpointsResponse struct {
-	ID int `json:"Id"`
+	encodeJSON(w, &endpoint, handler.Logger)
 }
 
 // handleGetEndpoint handles GET requests on /endpoints/:id
@@ -218,11 +394,6 @@ func (handler *EndpointHandler) handlePutEndpointAccess(w http.ResponseWriter, r
 	}
 }
 
-type putEndpointAccessRequest struct {
-	AuthorizedUsers []int `valid:"-"`
-	AuthorizedTeams []int `valid:"-"`
-}
-
 // handlePutEndpoint handles PUT requests on /endpoints/:id
 func (handler *EndpointHandler) handlePutEndpoint(w http.ResponseWriter, r *http.Request) {
 	if !handler.authorizeEndpointManagement {
@@ -272,20 +443,40 @@ func (handler *EndpointHandler) handlePutEndpoint(w http.ResponseWriter, r *http
 		endpoint.PublicURL = req.PublicURL
 	}
 
+	if req.GroupID != 0 {
+		endpoint.GroupID = portainer.EndpointGroupID(req.GroupID)
+	}
+
+	folder := strconv.Itoa(int(endpoint.ID))
 	if req.TLS {
-		endpoint.TLS = true
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(endpoint.ID, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
+		endpoint.TLSConfig.TLS = true
+		endpoint.TLSConfig.TLSSkipVerify = req.TLSSkipVerify
+		if !req.TLSSkipVerify {
+			caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+			endpoint.TLSConfig.TLSCACertPath = caCertPath
+		} else {
+			endpoint.TLSConfig.TLSCACertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCA)
+		}
+
+		if !req.TLSSkipClientVerify {
+			certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSCertPath = certPath
+			keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+			endpoint.TLSConfig.TLSKeyPath = keyPath
+		} else {
+			endpoint.TLSConfig.TLSCertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSKeyPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileKey)
+		}
 	} else {
-		endpoint.TLS = false
-		endpoint.TLSCACertPath = ""
-		endpoint.TLSCertPath = ""
-		endpoint.TLSKeyPath = ""
-		err = handler.FileService.DeleteTLSFiles(endpoint.ID)
+		endpoint.TLSConfig.TLS = false
+		endpoint.TLSConfig.TLSSkipVerify = false
+		endpoint.TLSConfig.TLSCACertPath = ""
+		endpoint.TLSConfig.TLSCertPath = ""
+		endpoint.TLSConfig.TLSKeyPath = ""
+		err = handler.FileService.DeleteTLSFiles(folder)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
@@ -305,13 +496,6 @@ func (handler *EndpointHandler) handlePutEndpoint(w http.ResponseWriter, r *http
 	}
 }
 
-type putEndpointsRequest struct {
-	Name      string `valid:"-"`
-	URL       string `valid:"-"`
-	PublicURL string `valid:"-"`
-	TLS       bool   `valid:"-"`
-}
-
 // handleDeleteEndpoint handles DELETE requests on /endpoints/:id
 func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *http.Request) {
 	if !handler.authorizeEndpointManagement {
@@ -339,6 +523,7 @@ func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *h
 	}
 
 	handler.ProxyManager.DeleteProxy(string(endpointID))
+	handler.ProxyManager.DeleteExtensionProxies(string(endpointID))
 
 	err = handler.EndpointService.DeleteEndpoint(portainer.EndpointID(endpointID))
 	if err != nil {
@@ -346,8 +531,8 @@ func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *h
 		return
 	}
 
-	if endpoint.TLS {
-		err = handler.FileService.DeleteTLSFiles(portainer.EndpointID(endpointID))
+	if endpoint.TLSConfig.TLS {
+		err = handler.FileService.DeleteTLSFiles(id)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return

api/http/handler/endpoint_group.go

@@ -0,0 +1,364 @@
+package handler
+
+import (
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/gorilla/mux"
+)
+
+// EndpointGroupHandler represents an HTTP API handler for managing endpoint groups.
+type EndpointGroupHandler struct {
+	*mux.Router
+	Logger               *log.Logger
+	EndpointService      portainer.EndpointService
+	EndpointGroupService portainer.EndpointGroupService
+}
+
+// NewEndpointGroupHandler returns a new instance of EndpointGroupHandler.
+func NewEndpointGroupHandler(bouncer *security.RequestBouncer) *EndpointGroupHandler {
+	h := &EndpointGroupHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/endpoint_groups",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePostEndpointGroups))).Methods(http.MethodPost)
+	h.Handle("/endpoint_groups",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetEndpointGroups))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleGetEndpointGroup))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutEndpointGroup))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}/access",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutEndpointGroupAccess))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleDeleteEndpointGroup))).Methods(http.MethodDelete)
+
+	return h
+}
+
+type (
+	postEndpointGroupsResponse struct {
+		ID int `json:"Id"`
+	}
+
+	postEndpointGroupsRequest struct {
+		Name                string                 `valid:"required"`
+		Description         string                 `valid:"-"`
+		Labels              []portainer.Pair       `valid:""`
+		AssociatedEndpoints []portainer.EndpointID `valid:""`
+	}
+
+	putEndpointGroupAccessRequest struct {
+		AuthorizedUsers []int `valid:"-"`
+		AuthorizedTeams []int `valid:"-"`
+	}
+
+	putEndpointGroupsRequest struct {
+		Name                string                 `valid:"-"`
+		Description         string                 `valid:"-"`
+		Labels              []portainer.Pair       `valid:""`
+		AssociatedEndpoints []portainer.EndpointID `valid:""`
+	}
+)
+
+// handleGetEndpointGroups handles GET requests on /endpoint_groups
+func (handler *EndpointGroupHandler) handleGetEndpointGroups(w http.ResponseWriter, r *http.Request) {
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredEndpointGroups, err := security.FilterEndpointGroups(endpointGroups, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, filteredEndpointGroups, handler.Logger)
+}
+
+// handlePostEndpointGroups handles POST requests on /endpoint_groups
+func (handler *EndpointGroupHandler) handlePostEndpointGroups(w http.ResponseWriter, r *http.Request) {
+	var req postEndpointGroupsRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup := &portainer.EndpointGroup{
+		Name:            req.Name,
+		Description:     req.Description,
+		Labels:          req.Labels,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+	}
+
+	err = handler.EndpointGroupService.CreateEndpointGroup(endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == portainer.EndpointGroupID(1) {
+			err = handler.checkForGroupAssignment(endpoint, endpointGroup.ID, req.AssociatedEndpoints)
+			if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+				return
+			}
+		}
+	}
+
+	encodeJSON(w, &postEndpointGroupsResponse{ID: int(endpointGroup.ID)}, handler.Logger)
+}
+
+// handleGetEndpointGroup handles GET requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handleGetEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, endpointGroup, handler.Logger)
+}
+
+// handlePutEndpointGroupAccess handles PUT requests on /endpoint_groups/:id/access
+func (handler *EndpointGroupHandler) handlePutEndpointGroupAccess(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putEndpointGroupAccessRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range req.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		endpointGroup.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if req.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range req.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		endpointGroup.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handlePutEndpointGroup handles PUT requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handlePutEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putEndpointGroupsRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	groupID := portainer.EndpointGroupID(endpointGroupID)
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(groupID)
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.Name != "" {
+		endpointGroup.Name = req.Name
+	}
+
+	if req.Description != "" {
+		endpointGroup.Description = req.Description
+	}
+
+	endpointGroup.Labels = req.Labels
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		err = handler.updateEndpointGroup(endpoint, groupID, req.AssociatedEndpoints)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+	}
+}
+
+func (handler *EndpointGroupHandler) updateEndpointGroup(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	if endpoint.GroupID == groupID {
+		return handler.checkForGroupUnassignment(endpoint, associatedEndpoints)
+	} else if endpoint.GroupID == portainer.EndpointGroupID(1) {
+		return handler.checkForGroupAssignment(endpoint, groupID, associatedEndpoints)
+	}
+	return nil
+}
+
+func (handler *EndpointGroupHandler) checkForGroupUnassignment(endpoint portainer.Endpoint, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+		if id == endpoint.ID {
+			return nil
+		}
+	}
+
+	endpoint.GroupID = portainer.EndpointGroupID(1)
+	return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+}
+
+func (handler *EndpointGroupHandler) checkForGroupAssignment(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+
+		if id == endpoint.ID {
+			endpoint.GroupID = groupID
+			return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		}
+	}
+	return nil
+}
+
+// handleDeleteEndpointGroup handles DELETE requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handleDeleteEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if endpointGroupID == 1 {
+		httperror.WriteErrorResponse(w, portainer.ErrCannotRemoveDefaultGroup, http.StatusForbidden, handler.Logger)
+		return
+	}
+
+	groupID := portainer.EndpointGroupID(endpointGroupID)
+	_, err = handler.EndpointGroupService.EndpointGroup(groupID)
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.EndpointGroupService.DeleteEndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == groupID {
+			endpoint.GroupID = portainer.EndpointGroupID(1)
+			err = handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+			if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+				return
+			}
+		}
+	}
+}

api/http/handler/extensions.go

@@ -0,0 +1,143 @@
+package handler
+
+import (
+	"encoding/json"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// ExtensionHandler represents an HTTP API handler for managing Settings.
+type ExtensionHandler struct {
+	*mux.Router
+	Logger          *log.Logger
+	EndpointService portainer.EndpointService
+	ProxyManager    *proxy.Manager
+}
+
+// NewExtensionHandler returns a new instance of ExtensionHandler.
+func NewExtensionHandler(bouncer *security.RequestBouncer) *ExtensionHandler {
+	h := &ExtensionHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/{endpointId}/extensions",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostExtensions))).Methods(http.MethodPost)
+	h.Handle("/{endpointId}/extensions/{extensionType}",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleDeleteExtensions))).Methods(http.MethodDelete)
+	return h
+}
+
+type (
+	postExtensionRequest struct {
+		Type int    `valid:"required"`
+		URL  string `valid:"required"`
+	}
+)
+
+func (handler *ExtensionHandler) handlePostExtensions(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postExtensionRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	extensionType := portainer.EndpointExtensionType(req.Type)
+
+	var extension *portainer.EndpointExtension
+
+	for _, ext := range endpoint.Extensions {
+		if ext.Type == extensionType {
+			extension = &ext
+		}
+	}
+
+	if extension != nil {
+		extension.URL = req.URL
+	} else {
+		extension = &portainer.EndpointExtension{
+			Type: extensionType,
+			URL:  req.URL,
+		}
+		endpoint.Extensions = append(endpoint.Extensions, *extension)
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, extension, handler.Logger)
+}
+
+func (handler *ExtensionHandler) handleDeleteExtensions(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	extType, err := strconv.Atoi(vars["extensionType"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	extensionType := portainer.EndpointExtensionType(extType)
+
+	for idx, ext := range endpoint.Extensions {
+		if ext.Type == extensionType {
+			endpoint.Extensions = append(endpoint.Extensions[:idx], endpoint.Extensions[idx+1:]...)
+		}
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}

api/http/handler/extensions/storidge.go

@@ -0,0 +1,106 @@
+package extensions
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StoridgeHandler represents an HTTP API handler for proxying requests to the Docker API.
+type StoridgeHandler struct {
+	*mux.Router
+	Logger                *log.Logger
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	TeamMembershipService portainer.TeamMembershipService
+	ProxyManager          *proxy.Manager
+}
+
+// NewStoridgeHandler returns a new instance of StoridgeHandler.
+func NewStoridgeHandler(bouncer *security.RequestBouncer) *StoridgeHandler {
+	h := &StoridgeHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.PathPrefix("/{id}/extensions/storidge").Handler(
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.proxyRequestsToStoridgeAPI)))
+	return h
+}
+
+func (handler *StoridgeHandler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	parsedID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointID := portainer.EndpointID(parsedID)
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+
+		if !security.AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
+			httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
+	var storidgeExtension *portainer.EndpointExtension
+	for _, extension := range endpoint.Extensions {
+		if extension.Type == portainer.StoridgeEndpointExtension {
+			storidgeExtension = &extension
+		}
+	}
+
+	if storidgeExtension == nil {
+		httperror.WriteErrorResponse(w, portainer.ErrEndpointExtensionNotSupported, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	proxyExtensionKey := string(endpoint.ID) + "_" + string(portainer.StoridgeEndpointExtension)
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetExtensionProxy(proxyExtensionKey)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+	}
+
+	http.StripPrefix("/"+id+"/extensions/storidge", proxy).ServeHTTP(w, r)
+}

api/http/handler/file.go

@@ -1,6 +1,9 @@
 package handler
 
 import (
+	"os"
+
+	"log"
 	"net/http"
 	"strings"
 )
@@ -8,12 +11,14 @@ import (
 // FileHandler represents an HTTP API handler for managing static files.
 type FileHandler struct {
 	http.Handler
+	Logger *log.Logger
 }
 
 // NewFileHandler returns a new instance of FileHandler.
-func NewFileHandler(assetPath string) *FileHandler {
+func NewFileHandler(assetPublicPath string) *FileHandler {
 	h := &FileHandler{
-		Handler: http.FileServer(http.Dir(assetPath)),
+		Handler: http.FileServer(http.Dir(assetPublicPath)),
+		Logger:  log.New(os.Stderr, "", log.LstdFlags),
 	}
 	return h
 }
@@ -27,11 +32,11 @@ func isHTML(acceptContent []string) bool {
 	return false
 }
 
-func (fileHandler *FileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (handler *FileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if !isHTML(r.Header["Accept"]) {
 		w.Header().Set("Cache-Control", "max-age=31536000")
 	} else {
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	}
-	fileHandler.Handler.ServeHTTP(w, r)
+	handler.Handler.ServeHTTP(w, r)
 }

api/http/handler/handler.go

@@ -2,12 +2,14 @@ package handler
 
 import (
 	"encoding/json"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"strings"
 
 	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/handler/extensions"
 )
 
 // Handler is a collection of all the service handlers.
@@ -17,7 +19,14 @@ type Handler struct {
 	TeamHandler           *TeamHandler
 	TeamMembershipHandler *TeamMembershipHandler
 	EndpointHandler       *EndpointHandler
+	EndpointGroupHandler  *EndpointGroupHandler
+	RegistryHandler       *RegistryHandler
+	DockerHubHandler      *DockerHubHandler
+	ExtensionHandler      *ExtensionHandler
+	StoridgeHandler       *extensions.StoridgeHandler
 	ResourceHandler       *ResourceHandler
+	StackHandler          *StackHandler
+	StatusHandler         *StatusHandler
 	SettingsHandler       *SettingsHandler
 	TemplatesHandler      *TemplatesHandler
 	DockerHandler         *DockerHandler
@@ -33,42 +42,76 @@ const (
 	ErrInvalidRequestFormat = portainer.Error("Invalid request data format")
 	// ErrInvalidQueryFormat defines an error raised when the data sent in the query or the URL is invalid
 	ErrInvalidQueryFormat = portainer.Error("Invalid query format")
-	// ErrEmptyResponseBody defines an error raised when portainer excepts to parse the body of a HTTP response and there is nothing to parse
-	// ErrEmptyResponseBody = portainer.Error("Empty response body")
 )
 
 // ServeHTTP delegates a request to the appropriate subhandler.
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if strings.HasPrefix(r.URL.Path, "/api/auth") {
+
+	switch {
+	case strings.HasPrefix(r.URL.Path, "/api/auth"):
 		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/users") {
-		http.StripPrefix("/api", h.UserHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/teams") {
-		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/team_memberships") {
-		http.StripPrefix("/api", h.TeamMembershipHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/endpoints") {
-		http.StripPrefix("/api", h.EndpointHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/resource_controls") {
+	case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
+		http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
+		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/endpoints"):
+		switch {
+		case strings.Contains(r.URL.Path, "/docker/"):
+			http.StripPrefix("/api/endpoints", h.DockerHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/stacks"):
+			http.StripPrefix("/api/endpoints", h.StackHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/extensions/storidge"):
+			http.StripPrefix("/api/endpoints", h.StoridgeHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/extensions"):
+			http.StripPrefix("/api/endpoints", h.ExtensionHandler).ServeHTTP(w, r)
+		default:
+			http.StripPrefix("/api", h.EndpointHandler).ServeHTTP(w, r)
+		}
+	case strings.HasPrefix(r.URL.Path, "/api/registries"):
+		http.StripPrefix("/api", h.RegistryHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/resource_controls"):
 		http.StripPrefix("/api", h.ResourceHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/settings") {
+	case strings.HasPrefix(r.URL.Path, "/api/settings"):
 		http.StripPrefix("/api", h.SettingsHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/templates") {
+	case strings.HasPrefix(r.URL.Path, "/api/status"):
+		http.StripPrefix("/api", h.StatusHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/templates"):
 		http.StripPrefix("/api", h.TemplatesHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/upload") {
+	case strings.HasPrefix(r.URL.Path, "/api/upload"):
 		http.StripPrefix("/api", h.UploadHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/websocket") {
+	case strings.HasPrefix(r.URL.Path, "/api/users"):
+		http.StripPrefix("/api", h.UserHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/teams"):
+		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/team_memberships"):
+		http.StripPrefix("/api", h.TeamMembershipHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/websocket"):
 		http.StripPrefix("/api", h.WebSocketHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/api/docker") {
-		http.StripPrefix("/api/docker", h.DockerHandler).ServeHTTP(w, r)
-	} else if strings.HasPrefix(r.URL.Path, "/") {
+	case strings.HasPrefix(r.URL.Path, "/"):
 		h.FileHandler.ServeHTTP(w, r)
 	}
 }
 
-// encodeJSON encodes v to w in JSON format. Error() is called if encoding fails.
+// encodeJSON encodes v to w in JSON format. WriteErrorResponse() is called if encoding fails.
 func encodeJSON(w http.ResponseWriter, v interface{}, logger *log.Logger) {
+	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(v); err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, logger)
 	}
 }
+
+// getUploadedFileContent retrieve the content of a file uploaded in the request.
+// Uses requestParameter as the key to retrieve the file in the request payload.
+func getUploadedFileContent(request *http.Request, requestParameter string) ([]byte, error) {
+	file, _, err := request.FormFile(requestParameter)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	fileContent, err := ioutil.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+	return fileContent, nil
+}

api/http/handler/registry.go

@@ -0,0 +1,320 @@
+package handler
+
+import (
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/gorilla/mux"
+)
+
+// RegistryHandler represents an HTTP API handler for managing Docker registries.
+type RegistryHandler struct {
+	*mux.Router
+	Logger          *log.Logger
+	RegistryService portainer.RegistryService
+}
+
+// NewRegistryHandler returns a new instance of RegistryHandler.
+func NewRegistryHandler(bouncer *security.RequestBouncer) *RegistryHandler {
+	h := &RegistryHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/registries",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePostRegistries))).Methods(http.MethodPost)
+	h.Handle("/registries",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetRegistries))).Methods(http.MethodGet)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleGetRegistry))).Methods(http.MethodGet)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutRegistry))).Methods(http.MethodPut)
+	h.Handle("/registries/{id}/access",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutRegistryAccess))).Methods(http.MethodPut)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleDeleteRegistry))).Methods(http.MethodDelete)
+
+	return h
+}
+
+type (
+	postRegistriesRequest struct {
+		Name           string `valid:"required"`
+		URL            string `valid:"required"`
+		Authentication bool   `valid:""`
+		Username       string `valid:""`
+		Password       string `valid:""`
+	}
+
+	postRegistriesResponse struct {
+		ID int `json:"Id"`
+	}
+
+	putRegistryAccessRequest struct {
+		AuthorizedUsers []int `valid:"-"`
+		AuthorizedTeams []int `valid:"-"`
+	}
+
+	putRegistriesRequest struct {
+		Name           string `valid:"required"`
+		URL            string `valid:"required"`
+		Authentication bool   `valid:""`
+		Username       string `valid:""`
+		Password       string `valid:""`
+	}
+)
+
+// handleGetRegistries handles GET requests on /registries
+func (handler *RegistryHandler) handleGetRegistries(w http.ResponseWriter, r *http.Request) {
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for i := range filteredRegistries {
+		filteredRegistries[i].Password = ""
+	}
+
+	encodeJSON(w, filteredRegistries, handler.Logger)
+}
+
+// handlePostRegistries handles POST requests on /registries
+func (handler *RegistryHandler) handlePostRegistries(w http.ResponseWriter, r *http.Request) {
+	var req postRegistriesRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	for _, r := range registries {
+		if r.URL == req.URL {
+			httperror.WriteErrorResponse(w, portainer.ErrRegistryAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	registry := &portainer.Registry{
+		Name:            req.Name,
+		URL:             req.URL,
+		Authentication:  req.Authentication,
+		Username:        req.Username,
+		Password:        req.Password,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+	}
+
+	err = handler.RegistryService.CreateRegistry(registry)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postRegistriesResponse{ID: int(registry.ID)}, handler.Logger)
+}
+
+// handleGetRegistry handles GET requests on /registries/:id
+func (handler *RegistryHandler) handleGetRegistry(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	registryID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrRegistryNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registry.Password = ""
+
+	encodeJSON(w, registry, handler.Logger)
+}
+
+// handlePutRegistryAccess handles PUT requests on /registries/:id/access
+func (handler *RegistryHandler) handlePutRegistryAccess(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	registryID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putRegistryAccessRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrRegistryNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range req.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		registry.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if req.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range req.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		registry.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handlePutRegistry handles PUT requests on /registries/:id
+func (handler *RegistryHandler) handlePutRegistry(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	registryID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putRegistriesRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrRegistryNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	for _, r := range registries {
+		if r.URL == req.URL && r.ID != registry.ID {
+			httperror.WriteErrorResponse(w, portainer.ErrRegistryAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	if req.Name != "" {
+		registry.Name = req.Name
+	}
+
+	if req.URL != "" {
+		registry.URL = req.URL
+	}
+
+	if req.Authentication {
+		registry.Authentication = true
+		registry.Username = req.Username
+		registry.Password = req.Password
+	} else {
+		registry.Authentication = false
+		registry.Username = ""
+		registry.Password = ""
+	}
+
+	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handleDeleteRegistry handles DELETE requests on /registries/:id
+func (handler *RegistryHandler) handleDeleteRegistry(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	registryID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrRegistryNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.RegistryService.DeleteRegistry(portainer.RegistryID(registryID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}

api/http/handler/resource_control.go

@@ -39,6 +39,23 @@ func NewResourceHandler(bouncer *security.RequestBouncer) *ResourceHandler {
 	return h
 }
 
+type (
+	postResourcesRequest struct {
+		ResourceID         string   `valid:"required"`
+		Type               string   `valid:"required"`
+		AdministratorsOnly bool     `valid:"-"`
+		Users              []int    `valid:"-"`
+		Teams              []int    `valid:"-"`
+		SubResourceIDs     []string `valid:"-"`
+	}
+
+	putResourcesRequest struct {
+		AdministratorsOnly bool  `valid:"-"`
+		Users              []int `valid:"-"`
+		Teams              []int `valid:"-"`
+	}
+)
+
 // handlePostResources handles POST requests on /resources
 func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *http.Request) {
 	var req postResourcesRequest
@@ -61,6 +78,14 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 		resourceControlType = portainer.ServiceResourceControl
 	case "volume":
 		resourceControlType = portainer.VolumeResourceControl
+	case "network":
+		resourceControlType = portainer.NetworkResourceControl
+	case "secret":
+		resourceControlType = portainer.SecretResourceControl
+	case "stack":
+		resourceControlType = portainer.StackResourceControl
+	case "config":
+		resourceControlType = portainer.ConfigResourceControl
 	default:
 		httperror.WriteErrorResponse(w, portainer.ErrInvalidResourceControlType, http.StatusBadRequest, handler.Logger)
 		return
@@ -121,22 +146,13 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 
 	err = handler.ResourceControlService.CreateResourceControl(&resourceControl)
 	if err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
 	return
 }
 
-type postResourcesRequest struct {
-	ResourceID         string   `valid:"required"`
-	Type               string   `valid:"required"`
-	AdministratorsOnly bool     `valid:"-"`
-	Users              []int    `valid:"-"`
-	Teams              []int    `valid:"-"`
-	SubResourceIDs     []string `valid:"-"`
-}
-
 // handlePutResources handles PUT requests on /resources/:id
 func (handler *ResourceHandler) handlePutResources(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
@@ -210,12 +226,6 @@ func (handler *ResourceHandler) handlePutResources(w http.ResponseWriter, r *htt
 	}
 }
 
-type putResourcesRequest struct {
-	AdministratorsOnly bool  `valid:"-"`
-	Users              []int `valid:"-"`
-	Teams              []int `valid:"-"`
-}
-
 // handleDeleteResources handles DELETE requests on /resources/:id
 func (handler *ResourceHandler) handleDeleteResources(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)

api/http/handler/settings.go

@@ -1,7 +1,11 @@
 package handler
 
 import (
+	"encoding/json"
+
+	"github.com/asaskevich/govalidator"
 	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/filesystem"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/security"
 
@@ -12,32 +16,166 @@ import (
 	"github.com/gorilla/mux"
 )
 
-// SettingsHandler represents an HTTP API handler for managing settings.
+// SettingsHandler represents an HTTP API handler for managing Settings.
 type SettingsHandler struct {
 	*mux.Router
-	Logger   *log.Logger
-	settings *portainer.Settings
+	Logger          *log.Logger
+	SettingsService portainer.SettingsService
+	LDAPService     portainer.LDAPService
+	FileService     portainer.FileService
 }
 
-// NewSettingsHandler returns a new instance of SettingsHandler.
-func NewSettingsHandler(bouncer *security.RequestBouncer, settings *portainer.Settings) *SettingsHandler {
+// NewSettingsHandler returns a new instance of OldSettingsHandler.
+func NewSettingsHandler(bouncer *security.RequestBouncer) *SettingsHandler {
 	h := &SettingsHandler{
-		Router:   mux.NewRouter(),
-		Logger:   log.New(os.Stderr, "", log.LstdFlags),
-		settings: settings,
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
 	h.Handle("/settings",
-		bouncer.PublicAccess(http.HandlerFunc(h.handleGetSettings)))
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleGetSettings))).Methods(http.MethodGet)
+	h.Handle("/settings",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutSettings))).Methods(http.MethodPut)
+	h.Handle("/settings/public",
+		bouncer.PublicAccess(http.HandlerFunc(h.handleGetPublicSettings))).Methods(http.MethodGet)
+	h.Handle("/settings/authentication/checkLDAP",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutSettingsLDAPCheck))).Methods(http.MethodPut)
 
 	return h
 }
 
+type (
+	publicSettingsResponse struct {
+		LogoURL                            string                         `json:"LogoURL"`
+		DisplayDonationHeader              bool                           `json:"DisplayDonationHeader"`
+		DisplayExternalContributors        bool                           `json:"DisplayExternalContributors"`
+		AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
+	}
+
+	putSettingsRequest struct {
+		TemplatesURL                       string                 `valid:"required"`
+		LogoURL                            string                 `valid:""`
+		BlackListedLabels                  []portainer.Pair       `valid:""`
+		DisplayDonationHeader              bool                   `valid:""`
+		DisplayExternalContributors        bool                   `valid:""`
+		AuthenticationMethod               int                    `valid:"required"`
+		LDAPSettings                       portainer.LDAPSettings `valid:""`
+		AllowBindMountsForRegularUsers     bool                   `valid:""`
+		AllowPrivilegedModeForRegularUsers bool                   `valid:""`
+	}
+
+	putSettingsLDAPCheckRequest struct {
+		LDAPSettings portainer.LDAPSettings `valid:""`
+	}
+)
+
 // handleGetSettings handles GET requests on /settings
 func (handler *SettingsHandler) handleGetSettings(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodGet})
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	encodeJSON(w, handler.settings, handler.Logger)
+	encodeJSON(w, settings, handler.Logger)
+	return
+}
+
+// handleGetPublicSettings handles GET requests on /settings/public
+func (handler *SettingsHandler) handleGetPublicSettings(w http.ResponseWriter, r *http.Request) {
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	publicSettings := &publicSettingsResponse{
+		LogoURL:                            settings.LogoURL,
+		DisplayDonationHeader:              settings.DisplayDonationHeader,
+		DisplayExternalContributors:        settings.DisplayExternalContributors,
+		AuthenticationMethod:               settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
+	}
+
+	encodeJSON(w, publicSettings, handler.Logger)
+	return
+}
+
+// handlePutSettings handles PUT requests on /settings
+func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http.Request) {
+	var req putSettingsRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	settings := &portainer.Settings{
+		TemplatesURL:                       req.TemplatesURL,
+		LogoURL:                            req.LogoURL,
+		BlackListedLabels:                  req.BlackListedLabels,
+		DisplayDonationHeader:              req.DisplayDonationHeader,
+		DisplayExternalContributors:        req.DisplayExternalContributors,
+		LDAPSettings:                       req.LDAPSettings,
+		AllowBindMountsForRegularUsers:     req.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: req.AllowPrivilegedModeForRegularUsers,
+	}
+
+	if req.AuthenticationMethod == 1 {
+		settings.AuthenticationMethod = portainer.AuthenticationInternal
+	} else if req.AuthenticationMethod == 2 {
+		settings.AuthenticationMethod = portainer.AuthenticationLDAP
+	} else {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if (settings.LDAPSettings.TLSConfig.TLS || settings.LDAPSettings.StartTLS) && !settings.LDAPSettings.TLSConfig.TLSSkipVerify {
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(filesystem.LDAPStorePath, portainer.TLSFileCA)
+		settings.LDAPSettings.TLSConfig.TLSCACertPath = caCertPath
+	} else {
+		settings.LDAPSettings.TLSConfig.TLSCACertPath = ""
+		err := handler.FileService.DeleteTLSFiles(filesystem.LDAPStorePath)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		}
+	}
+
+	err = handler.SettingsService.StoreSettings(settings)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+	}
+}
+
+// handlePutSettingsLDAPCheck handles PUT requests on /settings/ldap/check
+func (handler *SettingsHandler) handlePutSettingsLDAPCheck(w http.ResponseWriter, r *http.Request) {
+	var req putSettingsLDAPCheckRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if (req.LDAPSettings.TLSConfig.TLS || req.LDAPSettings.StartTLS) && !req.LDAPSettings.TLSConfig.TLSSkipVerify {
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(filesystem.LDAPStorePath, portainer.TLSFileCA)
+		req.LDAPSettings.TLSConfig.TLSCACertPath = caCertPath
+	}
+
+	err = handler.LDAPService.TestConnectivity(&req.LDAPSettings)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
 }

api/http/handler/stack.go

@@ -0,0 +1,794 @@
+package handler
+
+import (
+	"encoding/json"
+	"path"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/filesystem"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StackHandler represents an HTTP API handler for managing Stack.
+type StackHandler struct {
+	stackCreationMutex *sync.Mutex
+	stackDeletionMutex *sync.Mutex
+	*mux.Router
+	Logger                 *log.Logger
+	FileService            portainer.FileService
+	GitService             portainer.GitService
+	StackService           portainer.StackService
+	EndpointService        portainer.EndpointService
+	ResourceControlService portainer.ResourceControlService
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
+	StackManager           portainer.StackManager
+}
+
+type stackDeploymentConfig struct {
+	endpoint   *portainer.Endpoint
+	stack      *portainer.Stack
+	prune      bool
+	dockerhub  *portainer.DockerHub
+	registries []portainer.Registry
+}
+
+// NewStackHandler returns a new instance of StackHandler.
+func NewStackHandler(bouncer *security.RequestBouncer) *StackHandler {
+	h := &StackHandler{
+		Router:             mux.NewRouter(),
+		stackCreationMutex: &sync.Mutex{},
+		stackDeletionMutex: &sync.Mutex{},
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/{endpointId}/stacks",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handlePostStacks))).Methods(http.MethodPost)
+	h.Handle("/{endpointId}/stacks",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStacks))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStack))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleDeleteStack))).Methods(http.MethodDelete)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handlePutStack))).Methods(http.MethodPut)
+	h.Handle("/{endpointId}/stacks/{id}/stackfile",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStackFile))).Methods(http.MethodGet)
+	return h
+}
+
+type (
+	postStacksRequest struct {
+		Name                        string           `valid:"required"`
+		SwarmID                     string           `valid:"required"`
+		StackFileContent            string           `valid:""`
+		RepositoryURL               string           `valid:""`
+		RepositoryAuthentication    bool             `valid:""`
+		RepositoryUsername          string           `valid:""`
+		RepositoryPassword          string           `valid:""`
+		ComposeFilePathInRepository string           `valid:""`
+		Env                         []portainer.Pair `valid:""`
+	}
+	postStacksResponse struct {
+		ID string `json:"Id"`
+	}
+	getStackFileResponse struct {
+		StackFileContent string `json:"StackFileContent"`
+	}
+	putStackRequest struct {
+		StackFileContent string           `valid:"required"`
+		Env              []portainer.Pair `valid:""`
+		Prune            bool             `valid:"-"`
+	}
+)
+
+// handlePostStacks handles POST requests on /:endpointId/stacks?method=<method>
+func (handler *StackHandler) handlePostStacks(w http.ResponseWriter, r *http.Request) {
+	method := r.FormValue("method")
+	if method == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if method == "string" {
+		handler.handlePostStacksStringMethod(w, r)
+	} else if method == "repository" {
+		handler.handlePostStacksRepositoryMethod(w, r)
+	} else if method == "file" {
+		handler.handlePostStacksFileMethod(w, r)
+	} else {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+}
+
+func (handler *StackHandler) handlePostStacksStringMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFileContent := req.StackFileContent
+	if stackFileContent == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := req.SwarmID
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: filesystem.ComposeFileDefaultName,
+		Env:        req.Env,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromString(string(stack.ID), stack.EntryPoint, stackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksRepositoryMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	swarmID := req.SwarmID
+
+	if stackName == "" || swarmID == "" || req.RepositoryURL == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.RepositoryAuthentication && (req.RepositoryUsername == "" || req.RepositoryPassword == "") {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.ComposeFilePathInRepository == "" {
+		req.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: req.ComposeFilePathInRepository,
+		Env:        req.Env,
+	}
+
+	projectPath := handler.FileService.GetStackProjectPath(string(stack.ID))
+	stack.ProjectPath = projectPath
+
+	// Ensure projectPath is empty
+	err = handler.FileService.RemoveDirectory(projectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.RepositoryAuthentication {
+		err = handler.GitService.ClonePrivateRepositoryWithBasicAuth(req.RepositoryURL, projectPath, req.RepositoryUsername, req.RepositoryPassword)
+	} else {
+		err = handler.GitService.ClonePublicRepository(req.RepositoryURL, projectPath)
+	}
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksFileMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackName := r.FormValue("Name")
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := r.FormValue("SwarmID")
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	envParam := r.FormValue("Env")
+	var env []portainer.Pair
+	if err = json.Unmarshal([]byte(envParam), &env); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFile, _, err := r.FormFile("file")
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	defer stackFile.Close()
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: filesystem.ComposeFileDefaultName,
+		Env:        env,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromReader(string(stack.ID), stack.EntryPoint, stackFile)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+// handleGetStacks handles GET requests on /:endpointId/stacks?swarmId=<swarmId>
+func (handler *StackHandler) handleGetStacks(w http.ResponseWriter, r *http.Request) {
+	swarmID := r.FormValue("swarmId")
+
+	vars := mux.Vars(r)
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	_, err = handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var stacks []portainer.Stack
+	if swarmID == "" {
+		stacks, err = handler.StackService.Stacks()
+	} else {
+		stacks, err = handler.StackService.StacksBySwarmID(swarmID)
+	}
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControls, err := handler.ResourceControlService.ResourceControls()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredStacks := proxy.FilterStacks(stacks, resourceControls, securityContext.IsAdmin,
+		securityContext.UserID, securityContext.UserMemberships)
+
+	encodeJSON(w, filteredStacks, handler.Logger)
+}
+
+// handleGetStack handles GET requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleGetStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControl, err := handler.ResourceControlService.ResourceControlByResourceID(stack.Name)
+	if err != nil && err != portainer.ErrResourceControlNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	extendedStack := proxy.ExtendedStack{*stack, portainer.ResourceControl{}}
+	if resourceControl != nil {
+		if securityContext.IsAdmin || proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+			extendedStack.ResourceControl = *resourceControl
+		} else {
+			httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
+	encodeJSON(w, extendedStack, handler.Logger)
+}
+
+// handlePutStack handles PUT requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handlePutStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req putStackRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	stack.Env = req.Env
+
+	_, err = handler.FileService.StoreStackFileFromString(string(stack.ID), stack.EntryPoint, req.StackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.UpdateStack(stack.ID, stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      req.Prune,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handleGetStackFile handles GET requests on /:endpointId/stacks/:id/stackfile
+func (handler *StackHandler) handleGetStackFile(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &getStackFileResponse{StackFileContent: stackFileContent}, handler.Logger)
+}
+
+// handleDeleteStack handles DELETE requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleDeleteStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	handler.stackDeletionMutex.Lock()
+	err = handler.StackManager.Remove(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	handler.stackDeletionMutex.Unlock()
+
+	err = handler.StackService.DeleteStack(portainer.StackID(stackID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.FileService.RemoveDirectory(stack.ProjectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *StackHandler) deployStack(config *stackDeploymentConfig) error {
+	handler.stackCreationMutex.Lock()
+
+	handler.StackManager.Login(config.dockerhub, config.registries, config.endpoint)
+
+	err := handler.StackManager.Deploy(config.stack, config.prune, config.endpoint)
+	if err != nil {
+		handler.stackCreationMutex.Unlock()
+		return err
+	}
+
+	err = handler.StackManager.Logout(config.endpoint)
+	if err != nil {
+		handler.stackCreationMutex.Unlock()
+		return err
+	}
+
+	handler.stackCreationMutex.Unlock()
+	return nil
+}

api/http/handler/status.go

@@ -0,0 +1,38 @@
+package handler
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StatusHandler represents an HTTP API handler for managing Status.
+type StatusHandler struct {
+	*mux.Router
+	Logger *log.Logger
+	Status *portainer.Status
+}
+
+// NewStatusHandler returns a new instance of StatusHandler.
+func NewStatusHandler(bouncer *security.RequestBouncer, status *portainer.Status) *StatusHandler {
+	h := &StatusHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Status: status,
+	}
+	h.Handle("/status",
+		bouncer.PublicAccess(http.HandlerFunc(h.handleGetStatus))).Methods(http.MethodGet)
+
+	return h
+}
+
+// handleGetStatus handles GET requests on /status
+func (handler *StatusHandler) handleGetStatus(w http.ResponseWriter, r *http.Request) {
+	encodeJSON(w, handler.Status, handler.Logger)
+	return
+}

api/http/handler/team.go

@@ -34,7 +34,7 @@ func NewTeamHandler(bouncer *security.RequestBouncer) *TeamHandler {
 	h.Handle("/teams",
 		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePostTeams))).Methods(http.MethodPost)
 	h.Handle("/teams",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetTeams))).Methods(http.MethodGet)
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetTeams))).Methods(http.MethodGet)
 	h.Handle("/teams/{id}",
 		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetTeam))).Methods(http.MethodGet)
 	h.Handle("/teams/{id}",
@@ -47,6 +47,20 @@ func NewTeamHandler(bouncer *security.RequestBouncer) *TeamHandler {
 	return h
 }
 
+type (
+	postTeamsRequest struct {
+		Name string `valid:"required"`
+	}
+
+	postTeamsResponse struct {
+		ID int `json:"Id"`
+	}
+
+	putTeamRequest struct {
+		Name string `valid:"-"`
+	}
+)
+
 // handlePostTeams handles POST requests on /teams
 func (handler *TeamHandler) handlePostTeams(w http.ResponseWriter, r *http.Request) {
 	var req postTeamsRequest
@@ -84,23 +98,23 @@ func (handler *TeamHandler) handlePostTeams(w http.ResponseWriter, r *http.Reque
 	encodeJSON(w, &postTeamsResponse{ID: int(team.ID)}, handler.Logger)
 }
 
-type postTeamsResponse struct {
-	ID int `json:"Id"`
-}
-
-type postTeamsRequest struct {
-	Name string `valid:"required"`
-}
-
 // handleGetTeams handles GET requests on /teams
 func (handler *TeamHandler) handleGetTeams(w http.ResponseWriter, r *http.Request) {
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
 	teams, err := handler.TeamService.Teams()
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	encodeJSON(w, teams, handler.Logger)
+	filteredTeams := security.FilterUserTeams(teams, securityContext)
+
+	encodeJSON(w, filteredTeams, handler.Logger)
 }
 
 // handleGetTeam handles GET requests on /teams/:id
@@ -181,10 +195,6 @@ func (handler *TeamHandler) handlePutTeam(w http.ResponseWriter, r *http.Request
 	}
 }
 
-type putTeamRequest struct {
-	Name string `valid:"-"`
-}
-
 // handleDeleteTeam handles DELETE requests on /teams/:id
 func (handler *TeamHandler) handleDeleteTeam(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)

api/http/handler/team_membership.go

@@ -42,6 +42,24 @@ func NewTeamMembershipHandler(bouncer *security.RequestBouncer) *TeamMembershipH
 	return h
 }
 
+type (
+	postTeamMembershipsRequest struct {
+		UserID int `valid:"required"`
+		TeamID int `valid:"required"`
+		Role   int `valid:"required"`
+	}
+
+	postTeamMembershipsResponse struct {
+		ID int `json:"Id"`
+	}
+
+	putTeamMembershipRequest struct {
+		UserID int `valid:"required"`
+		TeamID int `valid:"required"`
+		Role   int `valid:"required"`
+	}
+)
+
 // handlePostTeamMemberships handles POST requests on /team_memberships
 func (handler *TeamMembershipHandler) handlePostTeamMemberships(w http.ResponseWriter, r *http.Request) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -100,16 +118,6 @@ func (handler *TeamMembershipHandler) handlePostTeamMemberships(w http.ResponseW
 	encodeJSON(w, &postTeamMembershipsResponse{ID: int(membership.ID)}, handler.Logger)
 }
 
-type postTeamMembershipsResponse struct {
-	ID int `json:"Id"`
-}
-
-type postTeamMembershipsRequest struct {
-	UserID int `valid:"required"`
-	TeamID int `valid:"required"`
-	Role   int `valid:"required"`
-}
-
 // handleGetTeamsMemberships handles GET requests on /team_memberships
 func (handler *TeamMembershipHandler) handleGetTeamsMemberships(w http.ResponseWriter, r *http.Request) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -195,12 +203,6 @@ func (handler *TeamMembershipHandler) handlePutTeamMembership(w http.ResponseWri
 	}
 }
 
-type putTeamMembershipRequest struct {
-	UserID int `valid:"required"`
-	TeamID int `valid:"required"`
-	Role   int `valid:"required"`
-}
-
 // handleDeleteTeamMembership handles DELETE requests on /team_memberships/:id
 func (handler *TeamMembershipHandler) handleDeleteTeamMembership(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)

api/http/handler/templates.go

@@ -7,6 +7,7 @@ import (
 	"os"
 
 	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/security"
 )
@@ -14,33 +15,27 @@ import (
 // TemplatesHandler represents an HTTP API handler for managing templates.
 type TemplatesHandler struct {
 	*mux.Router
-	Logger                *log.Logger
-	containerTemplatesURL string
+	Logger          *log.Logger
+	SettingsService portainer.SettingsService
 }
 
 const (
-	containerTemplatesURLLinuxServerIo = "http://tools.linuxserver.io/portainer.json"
+	containerTemplatesURLLinuxServerIo = "https://tools.linuxserver.io/portainer.json"
 )
 
 // NewTemplatesHandler returns a new instance of TemplatesHandler.
-func NewTemplatesHandler(bouncer *security.RequestBouncer, containerTemplatesURL string) *TemplatesHandler {
+func NewTemplatesHandler(bouncer *security.RequestBouncer) *TemplatesHandler {
 	h := &TemplatesHandler{
-		Router:                mux.NewRouter(),
-		Logger:                log.New(os.Stderr, "", log.LstdFlags),
-		containerTemplatesURL: containerTemplatesURL,
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
 	h.Handle("/templates",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetTemplates)))
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetTemplates))).Methods(http.MethodGet)
 	return h
 }
 
 // handleGetTemplates handles GET requests on /templates?key=<key>
 func (handler *TemplatesHandler) handleGetTemplates(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodGet})
-		return
-	}
-
 	key := r.FormValue("key")
 	if key == "" {
 		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
@@ -48,11 +43,17 @@ func (handler *TemplatesHandler) handleGetTemplates(w http.ResponseWriter, r *ht
 	}
 
 	var templatesURL string
-	if key == "containers" {
-		templatesURL = handler.containerTemplatesURL
-	} else if key == "linuxserver.io" {
+	switch key {
+	case "containers":
+		settings, err := handler.SettingsService.Settings()
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+		templatesURL = settings.TemplatesURL
+	case "linuxserver.io":
 		templatesURL = containerTemplatesURLLinuxServerIo
-	} else {
+	default:
 		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}

api/http/handler/upload.go

@@ -8,7 +8,6 @@ import (
 	"log"
 	"net/http"
 	"os"
-	"strconv"
 
 	"github.com/gorilla/mux"
 )
@@ -26,23 +25,19 @@ func NewUploadHandler(bouncer *security.RequestBouncer) *UploadHandler {
 		Router: mux.NewRouter(),
 		Logger: log.New(os.Stderr, "", log.LstdFlags),
 	}
-	h.Handle("/upload/tls/{endpointID}/{certificate:(?:ca|cert|key)}",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostUploadTLS)))
+	h.Handle("/upload/tls/{certificate:(?:ca|cert|key)}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePostUploadTLS))).Methods(http.MethodPost)
 	return h
 }
 
+// handlePostUploadTLS handles POST requests on /upload/tls/{certificate:(?:ca|cert|key)}?folder=<folder>
 func (handler *UploadHandler) handlePostUploadTLS(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})
-		return
-	}
-
 	vars := mux.Vars(r)
-	endpointID := vars["endpointID"]
 	certificate := vars["certificate"]
-	ID, err := strconv.Atoi(endpointID)
-	if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+
+	folder := r.FormValue("folder")
+	if folder == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
@@ -66,7 +61,7 @@ func (handler *UploadHandler) handlePostUploadTLS(w http.ResponseWriter, r *http
 		return
 	}
 
-	err = handler.FileService.StoreTLSFile(portainer.EndpointID(ID), fileType, file)
+	err = handler.FileService.StoreTLSFile(folder, fileType, file)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return

api/http/handler/user.go

@@ -26,6 +26,7 @@ type UserHandler struct {
 	TeamMembershipService  portainer.TeamMembershipService
 	ResourceControlService portainer.ResourceControlService
 	CryptoService          portainer.CryptoService
+	SettingsService        portainer.SettingsService
 }
 
 // NewUserHandler returns a new instance of UserHandler.
@@ -46,18 +47,46 @@ func NewUserHandler(bouncer *security.RequestBouncer) *UserHandler {
 		bouncer.AdministratorAccess(http.HandlerFunc(h.handleDeleteUser))).Methods(http.MethodDelete)
 	h.Handle("/users/{id}/memberships",
 		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleGetMemberships))).Methods(http.MethodGet)
-	h.Handle("/users/{id}/teams",
-		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetTeams))).Methods(http.MethodGet)
 	h.Handle("/users/{id}/passwd",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostUserPasswd)))
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostUserPasswd))).Methods(http.MethodPost)
 	h.Handle("/users/admin/check",
-		bouncer.PublicAccess(http.HandlerFunc(h.handleGetAdminCheck)))
+		bouncer.PublicAccess(http.HandlerFunc(h.handleGetAdminCheck))).Methods(http.MethodGet)
 	h.Handle("/users/admin/init",
-		bouncer.PublicAccess(http.HandlerFunc(h.handlePostAdminInit)))
+		bouncer.PublicAccess(http.HandlerFunc(h.handlePostAdminInit))).Methods(http.MethodPost)
 
 	return h
 }
 
+type (
+	postUsersRequest struct {
+		Username string `valid:"required"`
+		Password string `valid:""`
+		Role     int    `valid:"required"`
+	}
+
+	postUsersResponse struct {
+		ID int `json:"Id"`
+	}
+
+	postUserPasswdRequest struct {
+		Password string `valid:"required"`
+	}
+
+	postUserPasswdResponse struct {
+		Valid bool `json:"valid"`
+	}
+
+	putUserRequest struct {
+		Password string `valid:"-"`
+		Role     int    `valid:"-"`
+	}
+
+	postAdminInitRequest struct {
+		Username string `valid:"required"`
+		Password string `valid:"required"`
+	}
+)
+
 // handlePostUsers handles POST requests on /users
 func (handler *UserHandler) handlePostUsers(w http.ResponseWriter, r *http.Request) {
 	var req postUsersRequest
@@ -93,13 +122,6 @@ func (handler *UserHandler) handlePostUsers(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	var role portainer.UserRole
-	if req.Role == 1 {
-		role = portainer.AdministratorRole
-	} else {
-		role = portainer.StandardUserRole
-	}
-
 	user, err := handler.UserService.UserByUsername(req.Username)
 	if err != nil && err != portainer.ErrUserNotFound {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@@ -110,16 +132,32 @@ func (handler *UserHandler) handlePostUsers(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
+	var role portainer.UserRole
+	if req.Role == 1 {
+		role = portainer.AdministratorRole
+	} else {
+		role = portainer.StandardUserRole
+	}
+
 	user = &portainer.User{
 		Username: req.Username,
 		Role:     role,
 	}
-	user.Password, err = handler.CryptoService.Hash(req.Password)
+
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
-		httperror.WriteErrorResponse(w, portainer.ErrCryptoHashFailure, http.StatusBadRequest, handler.Logger)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
+	if settings.AuthenticationMethod == portainer.AuthenticationInternal {
+		user.Password, err = handler.CryptoService.Hash(req.Password)
+		if err != nil {
+			httperror.WriteErrorResponse(w, portainer.ErrCryptoHashFailure, http.StatusBadRequest, handler.Logger)
+			return
+		}
+	}
+
 	err = handler.UserService.CreateUser(user)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@@ -129,16 +167,6 @@ func (handler *UserHandler) handlePostUsers(w http.ResponseWriter, r *http.Reque
 	encodeJSON(w, &postUsersResponse{ID: int(user.ID)}, handler.Logger)
 }
 
-type postUsersResponse struct {
-	ID int `json:"Id"`
-}
-
-type postUsersRequest struct {
-	Username string `valid:"required"`
-	Password string `valid:"required"`
-	Role     int    `valid:"required"`
-}
-
 // handleGetUsers handles GET requests on /users
 func (handler *UserHandler) handleGetUsers(w http.ResponseWriter, r *http.Request) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -164,11 +192,6 @@ func (handler *UserHandler) handleGetUsers(w http.ResponseWriter, r *http.Reques
 
 // handlePostUserPasswd handles POST requests on /users/:id/passwd
 func (handler *UserHandler) handlePostUserPasswd(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})
-		return
-	}
-
 	vars := mux.Vars(r)
 	id := vars["id"]
 
@@ -210,14 +233,6 @@ func (handler *UserHandler) handlePostUserPasswd(w http.ResponseWriter, r *http.
 	encodeJSON(w, &postUserPasswdResponse{Valid: valid}, handler.Logger)
 }
 
-type postUserPasswdRequest struct {
-	Password string `valid:"required"`
-}
-
-type postUserPasswdResponse struct {
-	Valid bool `json:"valid"`
-}
-
 // handleGetUser handles GET requests on /users/:id
 func (handler *UserHandler) handleGetUser(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
@@ -317,18 +332,8 @@ func (handler *UserHandler) handlePutUser(w http.ResponseWriter, r *http.Request
 	}
 }
 
-type putUserRequest struct {
-	Password string `valid:"-"`
-	Role     int    `valid:"-"`
-}
-
-// handlePostAdminInit handles GET requests on /users/admin/check
+// handleGetAdminCheck handles GET requests on /users/admin/check
 func (handler *UserHandler) handleGetAdminCheck(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodGet})
-		return
-	}
-
 	users, err := handler.UserService.UsersByRole(portainer.AdministratorRole)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@@ -342,11 +347,6 @@ func (handler *UserHandler) handleGetAdminCheck(w http.ResponseWriter, r *http.R
 
 // handlePostAdminInit handles POST requests on /users/admin/init
 func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})
-		return
-	}
-
 	var req postAdminInitRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
@@ -359,10 +359,14 @@ func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	user, err := handler.UserService.UserByUsername("admin")
-	if err == portainer.ErrUserNotFound {
+	users, err := handler.UserService.UsersByRole(portainer.AdministratorRole)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	if len(users) == 0 {
 		user := &portainer.User{
-			Username: "admin",
+			Username: req.Username,
 			Role:     portainer.AdministratorRole,
 		}
 		user.Password, err = handler.CryptoService.Hash(req.Password)
@@ -376,18 +380,10 @@ func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.R
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
 		}
-	} else if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+	} else {
+		httperror.WriteErrorResponse(w, portainer.ErrAdminAlreadyInitialized, http.StatusConflict, handler.Logger)
 		return
 	}
-	if user != nil {
-		httperror.WriteErrorResponse(w, portainer.ErrAdminAlreadyInitialized, http.StatusForbidden, handler.Logger)
-		return
-	}
-}
-
-type postAdminInitRequest struct {
-	Password string `valid:"required"`
 }
 
 // handleDeleteUser handles DELETE requests on /users/:id
@@ -401,6 +397,22 @@ func (handler *UserHandler) handleDeleteUser(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	if userID == 1 {
+		httperror.WriteErrorResponse(w, portainer.ErrCannotRemoveAdmin, http.StatusForbidden, handler.Logger)
+		return
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if tokenData.ID == portainer.UserID(userID) {
+		httperror.WriteErrorResponse(w, portainer.ErrAdminCannotRemoveSelf, http.StatusForbidden, handler.Logger)
+		return
+	}
+
 	_, err = handler.UserService.User(portainer.UserID(userID))
 
 	if err == portainer.ErrUserNotFound {
@@ -454,37 +466,3 @@ func (handler *UserHandler) handleGetMemberships(w http.ResponseWriter, r *http.
 
 	encodeJSON(w, memberships, handler.Logger)
 }
-
-// handleGetTeams handles GET requests on /users/:id/teams
-func (handler *UserHandler) handleGetTeams(w http.ResponseWriter, r *http.Request) {
-	vars := mux.Vars(r)
-	id := vars["id"]
-
-	uid, err := strconv.Atoi(id)
-	if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
-		return
-	}
-	userID := portainer.UserID(uid)
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
-		return
-	}
-
-	if !security.AuthorizedUserManagement(userID, securityContext) {
-		httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, handler.Logger)
-		return
-	}
-
-	teams, err := handler.TeamService.Teams()
-	if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
-		return
-	}
-
-	filteredTeams := security.FilterUserTeams(teams, securityContext)
-
-	encodeJSON(w, filteredTeams, handler.Logger)
-}

api/http/handler/websocket.go

@@ -1,11 +1,11 @@
 package handler
 
 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io"
 	"log"
 	"net"
 	"net/http"
@@ -16,121 +16,136 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/gorilla/websocket"
+	"github.com/koding/websocketproxy"
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
-	"golang.org/x/net/websocket"
+	httperror "github.com/portainer/portainer/http/error"
 )
 
-// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
-type WebSocketHandler struct {
-	*mux.Router
-	Logger          *log.Logger
-	EndpointService portainer.EndpointService
-}
+type (
+	// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
+	WebSocketHandler struct {
+		*mux.Router
+		Logger             *log.Logger
+		EndpointService    portainer.EndpointService
+		SignatureService   portainer.DigitalSignatureService
+		connectionUpgrader websocket.Upgrader
+	}
+
+	webSocketExecRequestParams struct {
+		execID   string
+		nodeName string
+		endpoint *portainer.Endpoint
+	}
+
+	execStartOperationPayload struct {
+		Tty    bool
+		Detach bool
+	}
+)
 
 // NewWebSocketHandler returns a new instance of WebSocketHandler.
 func NewWebSocketHandler() *WebSocketHandler {
 	h := &WebSocketHandler{
-		Router: mux.NewRouter(),
-		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Router:             mux.NewRouter(),
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+		connectionUpgrader: websocket.Upgrader{},
 	}
-	h.Handle("/websocket/exec", websocket.Handler(h.webSocketDockerExec))
+	h.HandleFunc("/websocket/exec", h.handleWebsocketExec).Methods(http.MethodGet)
 	return h
 }
 
-func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
-	qry := ws.Request().URL.Query()
-	execID := qry.Get("id")
-	edpID := qry.Get("endpointId")
-
-	parsedID, err := strconv.Atoi(edpID)
-	if err != nil {
-		log.Printf("Unable to parse endpoint ID: %s", err)
+// handleWebsocketExec handles GET requests on /websocket/exec?id=<execID>&endpointId=<endpointID>&nodeName=<nodeName>
+// If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
+// If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
+// an ExecStart operation HTTP request will be created and hijacked.
+func (handler *WebSocketHandler) handleWebsocketExec(w http.ResponseWriter, r *http.Request) {
+	paramExecID := r.FormValue("id")
+	paramEndpointID := r.FormValue("endpointId")
+	if paramExecID == "" || paramEndpointID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointID := portainer.EndpointID(parsedID)
-	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	endpointID, err := strconv.Atoi(paramEndpointID)
 	if err != nil {
-		log.Printf("Unable to retrieve endpoint: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointURL, err := url.Parse(endpoint.URL)
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
-		log.Printf("Unable to parse endpoint URL: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	var host string
-	if endpointURL.Scheme == "tcp" {
-		host = endpointURL.Host
-	} else if endpointURL.Scheme == "unix" {
-		host = endpointURL.Path
+	params := &webSocketExecRequestParams{
+		endpoint: endpoint,
+		execID:   paramExecID,
+		nodeName: r.FormValue("nodeName"),
 	}
 
-	// Should not be managed here
-	var tlsConfig *tls.Config
-	if endpoint.TLS {
-		tlsConfig, err = crypto.CreateTLSConfiguration(endpoint.TLSCACertPath,
-			endpoint.TLSCertPath,
-			endpoint.TLSKeyPath)
-		if err != nil {
-			log.Fatalf("Unable to create TLS configuration: %s", err)
-			return
+	err = handler.handleRequest(w, r, params)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *WebSocketHandler) handleRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	r.Header.Del("Origin")
+
+	if params.nodeName != "" {
+		return handler.proxyWebsocketRequest(w, r, params)
+	}
+
+	websocketConn, err := handler.connectionUpgrader.Upgrade(w, r, nil)
+	if err != nil {
+		return err
+	}
+	defer websocketConn.Close()
+
+	return hijackExecStartOperation(websocketConn, params.endpoint, params.execID)
+}
+
+func (handler *WebSocketHandler) proxyWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	agentURL, err := url.Parse(params.endpoint.URL)
+	if err != nil {
+		return err
+	}
+
+	agentURL.Scheme = "ws"
+	proxy := websocketproxy.NewProxy(agentURL)
+
+	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
+		agentURL.Scheme = "wss"
+		proxy.Dialer = &websocket.Dialer{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
+			},
 		}
 	}
 
-	if err := hijack(host, endpointURL.Scheme, "POST", "/exec/"+execID+"/start", tlsConfig, true, ws, ws, ws, nil, nil); err != nil {
-		log.Fatalf("error during hijack: %s", err)
-		return
+	signature, err := handler.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
 	}
+
+	proxy.Director = func(incoming *http.Request, out http.Header) {
+		out.Set(portainer.PortainerAgentSignatureHeader, signature)
+		out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
+	}
+
+	proxy.ServeHTTP(w, r)
+
+	return nil
 }
 
-type execConfig struct {
-	Tty    bool
-	Detach bool
-}
-
-// hijack allows to upgrade an HTTP connection to a TCP connection
-// It redirects IO streams for stdin, stdout and stderr to a websocket
-func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
-	execConfig := &execConfig{
-		Tty:    true,
-		Detach: false,
-	}
-
-	buf, err := json.Marshal(execConfig)
+func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, execID string) error {
+	dial, err := createDial(endpoint)
 	if err != nil {
-		return fmt.Errorf("error marshaling exec config: %s", err)
-	}
-
-	rdr := bytes.NewReader(buf)
-
-	req, err := http.NewRequest(method, path, rdr)
-	if err != nil {
-		return fmt.Errorf("error during hijack request: %s", err)
-	}
-
-	req.Header.Set("User-Agent", "Docker-Client")
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Connection", "Upgrade")
-	req.Header.Set("Upgrade", "tcp")
-	req.Host = addr
-
-	var (
-		dial    net.Conn
-		dialErr error
-	)
-
-	if tlsConfig == nil {
-		dial, dialErr = net.Dial(scheme, addr)
-	} else {
-		dial, dialErr = tls.Dial(scheme, addr, tlsConfig)
-	}
-
-	if dialErr != nil {
-		return dialErr
+		return err
 	}
 
 	// When we set up a TCP connection for hijack, there could be long periods
@@ -142,57 +157,128 @@ func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerm
 		tcpConn.SetKeepAlive(true)
 		tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}
+
+	httpConn := httputil.NewClientConn(dial, nil)
+	defer httpConn.Close()
+
+	execStartRequest, err := createExecStartRequest(execID)
 	if err != nil {
 		return err
 	}
-	clientconn := httputil.NewClientConn(dial, nil)
-	defer clientconn.Close()
 
-	// Server hijacks the connection, error 'connection closed' expected
-	clientconn.Do(req)
-
-	rwc, br := clientconn.Hijack()
-	defer rwc.Close()
-
-	if started != nil {
-		started <- rwc
+	err = hijackRequest(websocketConn, httpConn, execStartRequest)
+	if err != nil {
+		return err
 	}
 
-	var receiveStdout chan error
-
-	if stdout != nil || stderr != nil {
-		go func() (err error) {
-			if setRawTerminal && stdout != nil {
-				_, err = io.Copy(stdout, br)
-			}
-			return err
-		}()
-	}
-
-	go func() error {
-		if in != nil {
-			io.Copy(rwc, in)
-		}
-
-		if conn, ok := rwc.(interface {
-			CloseWrite() error
-		}); ok {
-			if err := conn.CloseWrite(); err != nil {
-			}
-		}
-		return nil
-	}()
-
-	if stdout != nil || stderr != nil {
-		if err := <-receiveStdout; err != nil {
-			return err
-		}
-	}
-	go func() {
-		for {
-			fmt.Println(br)
-		}
-	}()
-
 	return nil
 }
+
+func createDial(endpoint *portainer.Endpoint) (net.Conn, error) {
+	url, err := url.Parse(endpoint.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	var host string
+	if url.Scheme == "tcp" {
+		host = url.Host
+	} else if url.Scheme == "unix" {
+		host = url.Path
+	}
+
+	if endpoint.TLSConfig.TLS {
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		if err != nil {
+			return nil, err
+		}
+		return tls.Dial(url.Scheme, host, tlsConfig)
+	}
+
+	return net.Dial(url.Scheme, host)
+}
+
+func createExecStartRequest(execID string) (*http.Request, error) {
+	execStartOperationPayload := &execStartOperationPayload{
+		Tty:    true,
+		Detach: false,
+	}
+
+	encodedBody := bytes.NewBuffer(nil)
+	err := json.NewEncoder(encodedBody).Encode(execStartOperationPayload)
+	if err != nil {
+		return nil, err
+	}
+
+	request, err := http.NewRequest("POST", "/exec/"+execID+"/start", encodedBody)
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("Connection", "Upgrade")
+	request.Header.Set("Upgrade", "tcp")
+
+	return request, nil
+}
+
+func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn, request *http.Request) error {
+	// Server hijacks the connection, error 'connection closed' expected
+	resp, err := httpConn.Do(request)
+	if err != httputil.ErrPersistEOF {
+		if err != nil {
+			return err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			resp.Body.Close()
+			return fmt.Errorf("unable to upgrade to tcp, received %d", resp.StatusCode)
+		}
+	}
+
+	tcpConn, brw := httpConn.Hijack()
+	defer tcpConn.Close()
+
+	errorChan := make(chan error, 1)
+	go streamFromTCPConnToWebsocketConn(websocketConn, brw, errorChan)
+	go streamFromWebsocketConnToTCPConn(websocketConn, tcpConn, errorChan)
+
+	err = <-errorChan
+	if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
+		return err
+	}
+
+	return nil
+}
+
+func streamFromWebsocketConnToTCPConn(websocketConn *websocket.Conn, tcpConn net.Conn, errorChan chan error) {
+	for {
+		_, in, err := websocketConn.ReadMessage()
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		_, err = tcpConn.Write(in)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}
+
+func streamFromTCPConnToWebsocketConn(websocketConn *websocket.Conn, br *bufio.Reader, errorChan chan error) {
+	for {
+		out := make([]byte, 1024)
+		_, err := br.Read(out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		err = websocketConn.WriteMessage(websocket.TextMessage, out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}

api/http/proxy/access_control.go

@@ -2,6 +2,83 @@ package proxy
 
 import "github.com/portainer/portainer"
 
+type (
+	// ExtendedStack represents a stack combined with its associated access control
+	ExtendedStack struct {
+		portainer.Stack
+		ResourceControl portainer.ResourceControl `json:"ResourceControl"`
+	}
+)
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// It will retrieve an identifier from the labels object. If an identifier exists, it will check for
+// an existing resource control associated to it.
+// Returns a decorated object and authorized access (true) when a resource control is found and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found.
+// Returns the original object and denied access (false) when a resource control is found and the user cannot access the resource.
+func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		return applyResourceAccessControl(resourceObject, resourceIdentifier, context)
+	}
+	return resourceObject, true
+}
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// Returns a decorated object and authorized access (true) when a resource control is found to the specified resource
+// identifier and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found for the specified
+// resource identifier.
+// Returns the original object and denied access (false) when a resource control is associated to the resource
+// and the user cannot access the resource.
+func applyResourceAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	authorizedAccess := true
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, context.resourceControls)
+	if resourceControl != nil {
+		if context.isAdmin || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
+			resourceObject = decorateObject(resourceObject, resourceControl)
+		} else {
+			authorizedAccess = false
+		}
+	}
+
+	return resourceObject, authorizedAccess
+}
+
+// decorateResourceWithAccessControlFromLabel will retrieve an identifier from the labels object. If an identifier exists,
+// it will check for an existing resource control associated to it. If a resource control is found, the resource object will be
+// decorated. If no identifier can be found in the labels or no resource control is associated to the identifier, the resource
+// object will not be changed.
+func decorateResourceWithAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		resourceObject = decorateResourceWithAccessControl(resourceObject, resourceIdentifier, resourceControls)
+	}
+
+	return resourceObject
+}
+
+// decorateResourceWithAccessControl will check if a resource control is associated to the specified resource identifier.
+// If a resource control is found, the resource object will be decorated, otherwise it will not be changed.
+func decorateResourceWithAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, resourceControls)
+	if resourceControl != nil {
+		return decorateObject(resourceObject, resourceControl)
+	}
+	return resourceObject
+}
+
 func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
 	for _, authorizedUserAccess := range resourceControl.UserAccesses {
 		if userID == authorizedUserAccess.UserID {
@@ -19,3 +96,66 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 
 	return false
 }
+
+func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
+	if object["Portainer"] == nil {
+		object["Portainer"] = make(map[string]interface{})
+	}
+
+	portainerMetadata := object["Portainer"].(map[string]interface{})
+	portainerMetadata["ResourceControl"] = resourceControl
+	return object
+}
+
+func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}
+
+// CanAccessStack checks if a user can access a stack
+func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceControl, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	if canUserAccessResource(userID, userTeamIDs, resourceControl) {
+		return true
+	}
+
+	return false
+}
+
+// FilterStacks filters stacks based on user role and resource controls.
+func FilterStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl, isAdmin bool,
+	userID portainer.UserID, memberships []portainer.TeamMembership) []ExtendedStack {
+
+	filteredStacks := make([]ExtendedStack, 0)
+
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	for _, stack := range stacks {
+		extendedStack := ExtendedStack{stack, portainer.ResourceControl{}}
+		resourceControl := getResourceControlByResourceID(stack.Name, resourceControls)
+		if resourceControl == nil {
+			filteredStacks = append(filteredStacks, extendedStack)
+		} else if resourceControl != nil && (isAdmin || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
+			extendedStack.ResourceControl = *resourceControl
+			filteredStacks = append(filteredStacks, extendedStack)
+		}
+	}
+
+	return filteredStacks
+}

api/http/proxy/build.go

@@ -0,0 +1,56 @@
+package proxy
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/portainer/portainer/archive"
+)
+
+type postDockerfileRequest struct {
+	Content string
+}
+
+// buildOperation inspects the "Content-Type" header to determine if it needs to alter the request.
+// If the value of the header is empty, it means that a Dockerfile is posted via upload, the function
+// will extract the file content from the request body, tar it, and rewrite the body.
+// If the value of the header contains "application/json", it means that the content of a Dockerfile is posted
+// in the request payload as JSON, the function will create a new file called Dockerfile inside a tar archive and
+// rewrite the body of the request.
+// In any other case, it will leave the request unaltered.
+func buildOperation(request *http.Request) error {
+	contentTypeHeader := request.Header.Get("Content-Type")
+	if contentTypeHeader != "" && !strings.Contains(contentTypeHeader, "application/json") {
+		return nil
+	}
+
+	var dockerfileContent []byte
+
+	if contentTypeHeader == "" {
+		body, err := ioutil.ReadAll(request.Body)
+		if err != nil {
+			return err
+		}
+		dockerfileContent = body
+	} else {
+		var req postDockerfileRequest
+		if err := json.NewDecoder(request.Body).Decode(&req); err != nil {
+			return err
+		}
+		dockerfileContent = []byte(req.Content)
+	}
+
+	buffer, err := archive.TarFileInBuffer(dockerfileContent, "Dockerfile")
+	if err != nil {
+		return err
+	}
+
+	request.Body = ioutil.NopCloser(bytes.NewReader(buffer))
+	request.ContentLength = int64(len(buffer))
+	request.Header.Set("Content-Type", "application/x-tar")
+
+	return nil
+}

api/http/proxy/configs.go

@@ -0,0 +1,107 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerConfigIdentifierNotFound defines an error raised when Portainer is unable to find a config identifier
+	ErrDockerConfigIdentifierNotFound = portainer.Error("Docker config identifier not found")
+	configIdentifier                  = "ID"
+)
+
+// configListOperation extracts the response as a JSON object, loop through the configs array
+// decorate and/or filter the configs based on resource controls before rewriting the response
+func configListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// ConfigList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateConfigList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterConfigList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// configInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated config.
+func configInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// ConfigInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[configIdentifier] == nil {
+		return ErrDockerConfigIdentifierNotFound
+	}
+
+	configID := responseObject[configIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, configID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// decorateConfigList loops through all configs and decorates any config with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func decorateConfigList(configData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject = decorateResourceWithAccessControl(configObject, configID, resourceControls)
+
+		decoratedConfigData = append(decoratedConfigData, configObject)
+	}
+
+	return decoratedConfigData, nil
+}
+
+// filterConfigList loops through all configs and filters public configs (no associated resource control)
+// as well as authorized configs (access granted to the user based on existing resource control).
+// Authorized configs are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func filterConfigList(configData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject, access := applyResourceAccessControl(configObject, configID, context)
+		if access {
+			filteredConfigData = append(filteredConfigData, configObject)
+		}
+	}
+
+	return filteredConfigData, nil
+}

api/http/proxy/containers.go

@@ -11,11 +11,12 @@ const (
 	ErrDockerContainerIdentifierNotFound = portainer.Error("Docker container identifier not found")
 	containerIdentifier                  = "Id"
 	containerLabelForServiceIdentifier   = "com.docker.swarm.service.id"
+	containerLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@@ -24,22 +25,29 @@ func containerListOperation(request *http.Request, response *http.Response, oper
 		return err
 	}
 
-	if operationContext.isAdmin {
-		responseArray, err = decorateContainerList(responseArray, operationContext.resourceControls)
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterContainerList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+		responseArray, err = filterContainerList(responseArray, executor.operationContext)
 	}
 	if err != nil {
 		return err
 	}
 
+	if executor.labelBlackList != nil {
+		responseArray, err = filterContainersWithBlackListedLabels(responseArray, executor.labelBlackList)
+		if err != nil {
+			return err
+		}
+	}
+
 	return rewriteResponse(response, responseArray, http.StatusOK)
 }
 
 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@@ -50,28 +58,22 @@ func containerInspectOperation(request *http.Request, response *http.Response, o
 	if responseObject[containerIdentifier] == nil {
 		return ErrDockerContainerIdentifierNotFound
 	}
-	containerID := responseObject[containerIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(containerID, operationContext.resourceControls)
-	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	containerID := responseObject[containerIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, containerID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
-	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
-		if resourceControl != nil {
-			if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
-				responseObject = decorateObject(responseObject, resourceControl)
-			} else {
-				return rewriteAccessDeniedResponse(response)
-			}
-		}
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForServiceIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
@@ -96,3 +98,96 @@ func extractContainerLabelsFromContainerListObject(responseObject map[string]int
 	containerLabelsObject := extractJSONField(responseObject, "Labels")
 	return containerLabelsObject
 }
+
+// decorateContainerList loops through all containers and decorates any container with an existing resource control.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject = decorateResourceWithAccessControl(containerObject, containerID, resourceControls)
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, resourceControls)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, resourceControls)
+
+		decoratedContainerData = append(decoratedContainerData, containerObject)
+	}
+
+	return decoratedContainerData, nil
+}
+
+// filterContainerList loops through all containers and filters public containers (no associated resource control)
+// as well as authorized containers (access granted to the user based on existing resource control).
+// Authorized containers are decorated during the process.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func filterContainerList(containerData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject, access := applyResourceAccessControl(containerObject, containerID, context)
+		if access {
+			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+			containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, context)
+			if access {
+				containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, context)
+				if access {
+					filteredContainerData = append(filteredContainerData, containerObject)
+				}
+			}
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
+// any labels in the labels black list.
+func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		if containerLabels != nil {
+			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
+				filteredContainerData = append(filteredContainerData, containerObject)
+			}
+		} else {
+			filteredContainerData = append(filteredContainerData, containerObject)
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
+	for key, value := range containerLabels {
+		labelName := key
+		labelValue := value.(string)
+
+		for _, blackListedLabel := range labelBlackList {
+			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
+				return true
+			}
+		}
+	}
+
+	return false
+}

api/http/proxy/decorator.go

@@ -1,90 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// decorateVolumeList loops through all volumes and will decorate any volume with an existing resource control.
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl != nil {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-		}
-		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
-	}
-
-	return decoratedVolumeData, nil
-}
-
-// decorateContainerList loops through all containers and will decorate any container with an existing resource control.
-// Check is based on the container ID and optional Swarm service ID.
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl != nil {
-			containerObject = decorateObject(containerObject, resourceControl)
-		}
-
-		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-		if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-			serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-			resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-			if resourceControl != nil {
-				containerObject = decorateObject(containerObject, resourceControl)
-			}
-		}
-
-		decoratedContainerData = append(decoratedContainerData, containerObject)
-	}
-
-	return decoratedContainerData, nil
-}
-
-// decorateServiceList loops through all services and will decorate any service with an existing resource control.
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl != nil {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-		}
-		decoratedServiceData = append(decoratedServiceData, serviceObject)
-	}
-
-	return decoratedServiceData, nil
-}
-
-func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
-	return object
-}

api/http/proxy/factory.go

@@ -1,6 +1,7 @@
 package proxy
 
 import (
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -13,17 +14,22 @@ import (
 type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
 	TeamMembershipService  portainer.TeamMembershipService
+	SettingsService        portainer.SettingsService
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
+	SignatureService       portainer.DigitalSignatureService
 }
 
-func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
 	u.Scheme = "http"
-	return factory.createReverseProxy(u)
+	return newSingleHostReverseProxyWithHostHeader(u)
 }
 
-func (factory *proxyFactory) newHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
-	proxy := factory.createReverseProxy(u)
-	config, err := crypto.CreateTLSConfiguration(endpoint.TLSCACertPath, endpoint.TLSCertPath, endpoint.TLSKeyPath)
+
+	proxy := factory.createDockerReverseProxy(u, enableSignature)
+	config, err := crypto.CreateTLSConfigurationFromDisk(tlsConfig.TLSCACertPath, tlsConfig.TLSCertPath, tlsConfig.TLSKeyPath, tlsConfig.TLSSkipVerify)
 	if err != nil {
 		return nil, err
 	}
@@ -32,24 +38,50 @@ func (factory *proxyFactory) newHTTPSProxy(u *url.URL, endpoint *portainer.Endpo
 	return proxy, nil
 }
 
-func (factory *proxyFactory) newSocketProxy(path string) http.Handler {
+func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL, enableSignature bool) http.Handler {
+	u.Scheme = "http"
+	return factory.createDockerReverseProxy(u, enableSignature)
+}
+
+func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	proxy := &socketProxy{}
 	transport := &proxyTransport{
+		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
+		SettingsService:        factory.SettingsService,
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        newSocketTransport(path),
 	}
 	proxy.Transport = transport
 	return proxy
 }
 
-func (factory *proxyFactory) createReverseProxy(u *url.URL) *httputil.ReverseProxy {
+func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, enableSignature bool) *httputil.ReverseProxy {
 	proxy := newSingleHostReverseProxyWithHostHeader(u)
 	transport := &proxyTransport{
+		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
-		dockerTransport:        newHTTPTransport(),
+		SettingsService:        factory.SettingsService,
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
+		dockerTransport:        &http.Transport{},
 	}
+
+	if enableSignature {
+		transport.SignatureService = factory.SignatureService
+	}
+
 	proxy.Transport = transport
 	return proxy
 }
+
+func newSocketTransport(socketPath string) *http.Transport {
+	return &http.Transport{
+		Dial: func(proto, addr string) (conn net.Conn, err error) {
+			return net.Dial("unix", socketPath)
+		},
+	}
+}

api/http/proxy/filter.go

@@ -1,91 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// filterVolumeList loops through all volumes, filters volumes without any resource control (public resources) or with
-// any resource control giving access to the user (these volumes will be decorated).
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func filterVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl == nil {
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		}
-	}
-
-	return filteredVolumeData, nil
-}
-
-// filterContainerList loops through all containers, filters containers without any resource control (public resources) or with
-// any resource control giving access to the user (check on container ID and optional Swarm service ID, these containers will be decorated).
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func filterContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl == nil {
-			// check if container is part of a Swarm service
-			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-			if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-				serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-				serviceResourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-				if serviceResourceControl == nil {
-					filteredContainerData = append(filteredContainerData, containerObject)
-				} else if serviceResourceControl != nil && canUserAccessResource(userID, userTeamIDs, serviceResourceControl) {
-					containerObject = decorateObject(containerObject, serviceResourceControl)
-					filteredContainerData = append(filteredContainerData, containerObject)
-				}
-			} else {
-				filteredContainerData = append(filteredContainerData, containerObject)
-			}
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			containerObject = decorateObject(containerObject, resourceControl)
-			filteredContainerData = append(filteredContainerData, containerObject)
-		}
-	}
-
-	return filteredContainerData, nil
-}
-
-// filterServiceList loops through all services, filters services without any resource control (public resources) or with
-// any resource control giving access to the user (these services will be decorated).
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func filterServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl == nil {
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		}
-	}
-
-	return filteredServiceData, nil
-}

api/http/proxy/manager.go

@@ -3,24 +3,43 @@ package proxy
 import (
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/orcaman/concurrent-map"
 	"github.com/portainer/portainer"
 )
 
-// Manager represents a service used to manage Docker proxies.
-type Manager struct {
-	proxyFactory *proxyFactory
-	proxies      cmap.ConcurrentMap
-}
+type (
+	// Manager represents a service used to manage Docker proxies.
+	Manager struct {
+		proxyFactory     *proxyFactory
+		proxies          cmap.ConcurrentMap
+		extensionProxies cmap.ConcurrentMap
+	}
+
+	// ManagerParams represents the required parameters to create a new Manager instance.
+	ManagerParams struct {
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SignatureService       portainer.DigitalSignatureService
+	}
+)
 
 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService) *Manager {
+func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
-		proxies: cmap.New(),
+		proxies:          cmap.New(),
+		extensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
-			ResourceControlService: resourceControlService,
-			TeamMembershipService:  teamMembershipService,
+			ResourceControlService: parameters.ResourceControlService,
+			TeamMembershipService:  parameters.TeamMembershipService,
+			SettingsService:        parameters.SettingsService,
+			RegistryService:        parameters.RegistryService,
+			DockerHubService:       parameters.DockerHubService,
+			SignatureService:       parameters.SignatureService,
 		},
 	}
 }
@@ -35,18 +54,23 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 		return nil, err
 	}
 
+	enableSignature := false
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		enableSignature = true
+	}
+
 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLS {
-			proxy, err = manager.proxyFactory.newHTTPSProxy(endpointURL, endpoint)
+		if endpoint.TLSConfig.TLS {
+			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			proxy = manager.proxyFactory.newHTTPProxy(endpointURL)
+			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
 		}
 	} else {
 		// Assume unix:// scheme
-		proxy = manager.proxyFactory.newSocketProxy(endpointURL.Path)
+		proxy = manager.proxyFactory.newDockerSocketProxy(endpointURL.Path)
 	}
 
 	manager.proxies.Set(string(endpoint.ID), proxy)
@@ -66,3 +90,34 @@ func (manager *Manager) GetProxy(key string) http.Handler {
 func (manager *Manager) DeleteProxy(key string) {
 	manager.proxies.Remove(key)
 }
+
+// CreateAndRegisterExtensionProxy creates a new HTTP reverse proxy for an extension and adds it to the registered proxies.
+func (manager *Manager) CreateAndRegisterExtensionProxy(key, extensionAPIURL string) (http.Handler, error) {
+
+	extensionURL, err := url.Parse(extensionAPIURL)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := manager.proxyFactory.newExtensionHTTPPRoxy(extensionURL)
+	manager.extensionProxies.Set(key, proxy)
+	return proxy, nil
+}
+
+// GetExtensionProxy returns the extension proxy associated to a key
+func (manager *Manager) GetExtensionProxy(key string) http.Handler {
+	proxy, ok := manager.extensionProxies.Get(key)
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// DeleteExtensionProxies deletes all the extension proxies associated to a key
+func (manager *Manager) DeleteExtensionProxies(key string) {
+	for _, k := range manager.extensionProxies.Keys() {
+		if strings.Contains(k, key+"_") {
+			manager.extensionProxies.Remove(k)
+		}
+	}
+}

api/http/proxy/networks.go

@@ -0,0 +1,134 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerNetworkIdentifierNotFound defines an error raised when Portainer is unable to find a network identifier
+	ErrDockerNetworkIdentifierNotFound = portainer.Error("Docker network identifier not found")
+	networkIdentifier                  = "Id"
+	networkLabelForStackIdentifier     = "com.docker.stack.namespace"
+)
+
+// networkListOperation extracts the response as a JSON object, loop through the networks array
+// decorate and/or filter the networks based on resource controls before rewriting the response
+func networkListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+	// NetworkList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateNetworkList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterNetworkList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// networkInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the network based on resource control and either rewrite an access denied response
+// or a decorated network.
+func networkInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// NetworkInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[networkIdentifier] == nil {
+		return ErrDockerNetworkIdentifierNotFound
+	}
+
+	networkID := responseObject[networkIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, networkID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	networkLabels := extractNetworkLabelsFromNetworkInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(networkLabels, responseObject, networkLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractNetworkLabelsFromNetworkInspectObject retrieve the Labels of the network if present.
+// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
+func extractNetworkLabelsFromNetworkInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractNetworkLabelsFromNetworkListObject retrieve the Labels of the network if present.
+// Network schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func extractNetworkLabelsFromNetworkListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateNetworkList loops through all networks and decorates any network with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func decorateNetworkList(networkData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject = decorateResourceWithAccessControl(networkObject, networkID, resourceControls)
+
+		networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+		networkObject = decorateResourceWithAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, resourceControls)
+
+		decoratedNetworkData = append(decoratedNetworkData, networkObject)
+	}
+
+	return decoratedNetworkData, nil
+}
+
+// filterNetworkList loops through all networks and filters public networks (no associated resource control)
+// as well as authorized networks (access granted to the user based on existing resource control).
+// Authorized networks are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func filterNetworkList(networkData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject, access := applyResourceAccessControl(networkObject, networkID, context)
+		if access {
+			networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+			networkObject, access = applyResourceAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, context)
+			if access {
+				filteredNetworkData = append(filteredNetworkData, networkObject)
+			}
+		}
+	}
+
+	return filteredNetworkData, nil
+}

api/http/proxy/registry.go

@@ -0,0 +1,37 @@
+package proxy
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+)
+
+func createRegistryAuthenticationHeader(serverAddress string, accessContext *registryAccessContext) *registryAuthenticationHeader {
+	var authenticationHeader *registryAuthenticationHeader
+
+	if serverAddress == "" {
+		authenticationHeader = &registryAuthenticationHeader{
+			Username:      accessContext.dockerHub.Username,
+			Password:      accessContext.dockerHub.Password,
+			Serveraddress: "docker.io",
+		}
+	} else {
+		var matchingRegistry *portainer.Registry
+		for _, registry := range accessContext.registries {
+			if registry.URL == serverAddress &&
+				(accessContext.isAdmin || (!accessContext.isAdmin && security.AuthorizedRegistryAccess(&registry, accessContext.userID, accessContext.teamMemberships))) {
+				matchingRegistry = &registry
+				break
+			}
+		}
+
+		if matchingRegistry != nil {
+			authenticationHeader = &registryAuthenticationHeader{
+				Username:      matchingRegistry.Username,
+				Password:      matchingRegistry.Password,
+				Serveraddress: matchingRegistry.URL,
+			}
+		}
+	}
+
+	return authenticationHeader
+}

api/http/proxy/response.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"strconv"
 
@@ -13,6 +14,8 @@ import (
 const (
 	// ErrEmptyResponseBody defines an error raised when portainer excepts to parse the body of a HTTP response and there is nothing to parse
 	ErrEmptyResponseBody = portainer.Error("Empty response body")
+	// ErrInvalidResponseContent defines an error raised when Portainer excepts a JSON array and get something else.
+	ErrInvalidResponseContent = portainer.Error("Invalid Docker response")
 )
 
 func extractJSONField(jsonObject map[string]interface{}, key string) map[string]interface{} {
@@ -39,8 +42,19 @@ func getResponseAsJSONArray(response *http.Response) ([]interface{}, error) {
 		return nil, err
 	}
 
-	responseObject := responseData.([]interface{})
-	return responseObject, nil
+	switch responseObject := responseData.(type) {
+	case []interface{}:
+		return responseObject, nil
+	case map[string]interface{}:
+		if responseObject["message"] != nil {
+			return nil, portainer.Error(responseObject["message"].(string))
+		}
+		log.Printf("Response: %+v\n", responseObject)
+		return nil, ErrInvalidResponseContent
+	default:
+		log.Printf("Response: %+v\n", responseObject)
+		return nil, ErrInvalidResponseContent
+	}
 }
 
 func getResponseBodyAsGenericJSON(response *http.Response) (interface{}, error) {
@@ -85,6 +99,11 @@ func rewriteResponse(response *http.Response, newResponseData interface{}, statu
 	response.StatusCode = statusCode
 	response.Body = body
 	response.ContentLength = int64(len(jsonData))
+
+	if response.Header == nil {
+		response.Header = make(http.Header)
+	}
 	response.Header.Set("Content-Length", strconv.Itoa(len(jsonData)))
+
 	return nil
 }

api/http/proxy/secrets.go

@@ -0,0 +1,107 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerSecretIdentifierNotFound defines an error raised when Portainer is unable to find a secret identifier
+	ErrDockerSecretIdentifierNotFound = portainer.Error("Docker secret identifier not found")
+	secretIdentifier                  = "ID"
+)
+
+// secretListOperation extracts the response as a JSON object, loop through the secrets array
+// decorate and/or filter the secrets based on resource controls before rewriting the response
+func secretListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// SecretList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateSecretList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterSecretList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// secretInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated secret.
+func secretInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// SecretInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[secretIdentifier] == nil {
+		return ErrDockerSecretIdentifierNotFound
+	}
+
+	secretID := responseObject[secretIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, secretID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// decorateSecretList loops through all secrets and decorates any secret with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func decorateSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject = decorateResourceWithAccessControl(secretObject, secretID, resourceControls)
+
+		decoratedSecretData = append(decoratedSecretData, secretObject)
+	}
+
+	return decoratedSecretData, nil
+}
+
+// filterSecretList loops through all secrets and filters public secrets (no associated resource control)
+// as well as authorized secrets (access granted to the user based on existing resource control).
+// Authorized secrets are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func filterSecretList(secretData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject, access := applyResourceAccessControl(secretObject, secretID, context)
+		if access {
+			filteredSecretData = append(filteredSecretData, secretObject)
+		}
+	}
+
+	return filteredSecretData, nil
+}

api/http/proxy/service.go

@@ -1,64 +0,0 @@
-package proxy
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer"
-)
-
-const (
-	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
-	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
-	serviceIdentifier                  = "ID"
-)
-
-// serviceListOperation extracts the response as a JSON array, loop through the service array
-// decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
-	var err error
-	// ServiceList response is a JSON array
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-	responseArray, err := getResponseAsJSONArray(response)
-	if err != nil {
-		return err
-	}
-
-	if operationContext.isAdmin {
-		responseArray, err = decorateServiceList(responseArray, operationContext.resourceControls)
-	} else {
-		responseArray, err = filterServiceList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
-	}
-	if err != nil {
-		return err
-	}
-
-	return rewriteResponse(response, responseArray, http.StatusOK)
-}
-
-// serviceInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the service based on resource control and either rewrite an access denied response
-// or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
-	// ServiceInspect response is a JSON object
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
-	responseObject, err := getResponseAsJSONOBject(response)
-	if err != nil {
-		return err
-	}
-
-	if responseObject[serviceIdentifier] == nil {
-		return ErrDockerServiceIdentifierNotFound
-	}
-	serviceID := responseObject[serviceIdentifier].(string)
-
-	resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
-	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
-	}
-
-	return rewriteResponse(response, responseObject, http.StatusOK)
-}

api/http/proxy/services.go

@@ -0,0 +1,142 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
+	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
+	serviceIdentifier                  = "ID"
+	serviceLabelForStackIdentifier     = "com.docker.stack.namespace"
+)
+
+// serviceListOperation extracts the response as a JSON array, loop through the service array
+// decorate and/or filter the services based on resource controls before rewriting the response
+func serviceListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+	// ServiceList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterServiceList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// serviceInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the service based on resource control and either rewrite an access denied response
+// or a decorated service.
+func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// ServiceInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[serviceIdentifier] == nil {
+		return ErrDockerServiceIdentifierNotFound
+	}
+
+	serviceID := responseObject[serviceIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+func extractServiceLabelsFromServiceInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// extractServiceLabelsFromServiceListObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func extractServiceLabelsFromServiceListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// decorateServiceList loops through all services and decorates any service with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject = decorateResourceWithAccessControl(serviceObject, serviceID, resourceControls)
+
+		serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+		serviceObject = decorateResourceWithAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, resourceControls)
+
+		decoratedServiceData = append(decoratedServiceData, serviceObject)
+	}
+
+	return decoratedServiceData, nil
+}
+
+// filterServiceList loops through all services and filters public services (no associated resource control)
+// as well as authorized services (access granted to the user based on existing resource control).
+// Authorized services are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func filterServiceList(serviceData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)
+		if access {
+			serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+			serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)
+			if access {
+				filteredServiceData = append(filteredServiceData, serviceObject)
+			}
+		}
+	}
+
+	return filteredServiceData, nil
+}

api/http/proxy/socket.go

@@ -34,6 +34,9 @@ func (proxy *socketProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add(k, v)
 		}
 	}
+
+	w.WriteHeader(res.StatusCode)
+
 	if _, err := io.Copy(w, res.Body); err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
 	}

api/http/proxy/tasks.go

@@ -0,0 +1,78 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerTaskServiceIdentifierNotFound defines an error raised when Portainer is unable to find the service identifier associated to a task
+	ErrDockerTaskServiceIdentifierNotFound = portainer.Error("Docker task service identifier not found")
+	taskServiceIdentifier                  = "ServiceID"
+	taskLabelForStackIdentifier            = "com.docker.stack.namespace"
+)
+
+// taskListOperation extracts the response as a JSON object, loop through the tasks array
+// and filter the tasks based on resource controls before rewriting the response
+func taskListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// TaskList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if !executor.operationContext.isAdmin {
+		responseArray, err = filterTaskList(responseArray, executor.operationContext)
+		if err != nil {
+			return err
+		}
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// extractTaskLabelsFromTaskListObject retrieve the Labels of the task if present.
+// Task schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+func extractTaskLabelsFromTaskListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.ContainerSpec.Labels
+	taskSpecObject := extractJSONField(responseObject, "Spec")
+	if taskSpecObject != nil {
+		containerSpecObject := extractJSONField(taskSpecObject, "ContainerSpec")
+		if containerSpecObject != nil {
+			return extractJSONField(containerSpecObject, "Labels")
+		}
+	}
+	return nil
+}
+
+// filterTaskList loops through all tasks and filters public tasks (no associated resource control)
+// as well as authorized tasks (access granted to the user based on existing resource control).
+// Resource controls checks are based on: service identifier, stack identifier (from label).
+// Task object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+// any resource control giving access to the user based on the associated service identifier.
+func filterTaskList(taskData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredTaskData := make([]interface{}, 0)
+
+	for _, task := range taskData {
+		taskObject := task.(map[string]interface{})
+		if taskObject[taskServiceIdentifier] == nil {
+			return nil, ErrDockerTaskServiceIdentifierNotFound
+		}
+
+		serviceID := taskObject[taskServiceIdentifier].(string)
+		taskObject, access := applyResourceAccessControl(taskObject, serviceID, context)
+		if access {
+			taskLabels := extractTaskLabelsFromTaskListObject(taskObject)
+			taskObject, access = applyResourceAccessControlFromLabel(taskLabels, taskObject, taskLabelForStackIdentifier, context)
+			if access {
+				filteredTaskData = append(filteredTaskData, taskObject)
+			}
+		}
+	}
+
+	return filteredTaskData, nil
+}

api/http/proxy/transport.go

@@ -1,20 +1,29 @@
 package proxy
 
 import (
-	"net"
+	"encoding/base64"
+	"encoding/json"
 	"net/http"
 	"path"
+	"regexp"
 	"strings"
 
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/http/security"
 )
 
+var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
+
 type (
 	proxyTransport struct {
 		dockerTransport        *http.Transport
+		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SettingsService        portainer.SettingsService
+		SignatureService       portainer.DigitalSignatureService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@@ -22,20 +31,25 @@ type (
 		userTeamIDs      []portainer.TeamID
 		resourceControls []portainer.ResourceControl
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *restrictedOperationContext) error
-)
-
-func newSocketTransport(socketPath string) *http.Transport {
-	return &http.Transport{
-		Dial: func(proto, addr string) (conn net.Conn, err error) {
-			return net.Dial("unix", socketPath)
-		},
+	registryAccessContext struct {
+		isAdmin         bool
+		userID          portainer.UserID
+		teamMemberships []portainer.TeamMembership
+		registries      []portainer.Registry
+		dockerHub       *portainer.DockerHub
 	}
-}
-
-func newHTTPTransport() *http.Transport {
-	return &http.Transport{}
-}
+	registryAuthenticationHeader struct {
+		Username      string `json:"username"`
+		Password      string `json:"password"`
+		Serveraddress string `json:"serveraddress"`
+	}
+	operationExecutor struct {
+		operationContext *restrictedOperationContext
+		labelBlackList   []portainer.Pair
+	}
+	restrictedOperationRequest func(*http.Response, *operationExecutor) error
+	operationRequest           func(*http.Request) error
+)
 
 func (p *proxyTransport) RoundTrip(request *http.Request) (*http.Response, error) {
 	return p.proxyDockerRequest(request)
@@ -46,21 +60,66 @@ func (p *proxyTransport) executeDockerRequest(request *http.Request) (*http.Resp
 }
 
 func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Response, error) {
-	path := request.URL.Path
+	path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
+	request.URL.Path = path
 
-	if strings.HasPrefix(path, "/containers") {
-		return p.proxyContainerRequest(request)
-	} else if strings.HasPrefix(path, "/services") {
-		return p.proxyServiceRequest(request)
-	} else if strings.HasPrefix(path, "/volumes") {
-		return p.proxyVolumeRequest(request)
+	if p.enableSignature {
+		signature, err := p.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+		if err != nil {
+			return nil, err
+		}
+
+		request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
+		request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
 	}
 
-	return p.executeDockerRequest(request)
+	switch {
+	case strings.HasPrefix(path, "/configs"):
+		return p.proxyConfigRequest(request)
+	case strings.HasPrefix(path, "/containers"):
+		return p.proxyContainerRequest(request)
+	case strings.HasPrefix(path, "/services"):
+		return p.proxyServiceRequest(request)
+	case strings.HasPrefix(path, "/volumes"):
+		return p.proxyVolumeRequest(request)
+	case strings.HasPrefix(path, "/networks"):
+		return p.proxyNetworkRequest(request)
+	case strings.HasPrefix(path, "/secrets"):
+		return p.proxySecretRequest(request)
+	case strings.HasPrefix(path, "/swarm"):
+		return p.proxySwarmRequest(request)
+	case strings.HasPrefix(path, "/nodes"):
+		return p.proxyNodeRequest(request)
+	case strings.HasPrefix(path, "/tasks"):
+		return p.proxyTaskRequest(request)
+	case strings.HasPrefix(path, "/build"):
+		return p.proxyBuildRequest(request)
+	case strings.HasPrefix(path, "/images"):
+		return p.proxyImageRequest(request)
+	default:
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyConfigRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/configs/create":
+		return p.executeDockerRequest(request)
+
+	case "/configs":
+		return p.rewriteOperation(request, configListOperation)
+
+	default:
+		// assume /configs/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, configInspectOperation)
+		}
+		configID := path.Base(requestPath)
+		return p.restrictedOperation(request, configID)
+	}
 }
 
 func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
-	// return p.executeDockerRequest(request)
 	switch requestPath := request.URL.Path; requestPath {
 	case "/containers/create":
 		return p.executeDockerRequest(request)
@@ -69,7 +128,7 @@ func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Res
 		return p.administratorOperation(request)
 
 	case "/containers/json":
-		return p.rewriteOperation(request, containerListOperation)
+		return p.rewriteOperationWithLabelFiltering(request, containerListOperation)
 
 	default:
 		// This section assumes /containers/**
@@ -94,10 +153,7 @@ func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Res
 func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/services/create":
-		return p.executeDockerRequest(request)
-
-	case "/volumes/prune":
-		return p.administratorOperation(request)
+		return p.replaceRegistryAuthenticationHeader(request)
 
 	case "/services":
 		return p.rewriteOperation(request, serviceListOperation)
@@ -142,6 +198,125 @@ func (p *proxyTransport) proxyVolumeRequest(request *http.Request) (*http.Respon
 	}
 }
 
+func (p *proxyTransport) proxyNetworkRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/networks/create":
+		return p.executeDockerRequest(request)
+
+	case "/networks":
+		return p.rewriteOperation(request, networkListOperation)
+
+	default:
+		// assume /networks/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, networkInspectOperation)
+		}
+		networkID := path.Base(requestPath)
+		return p.restrictedOperation(request, networkID)
+	}
+}
+
+func (p *proxyTransport) proxySecretRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/secrets/create":
+		return p.executeDockerRequest(request)
+
+	case "/secrets":
+		return p.rewriteOperation(request, secretListOperation)
+
+	default:
+		// assume /secrets/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, secretInspectOperation)
+		}
+		secretID := path.Base(requestPath)
+		return p.restrictedOperation(request, secretID)
+	}
+}
+
+func (p *proxyTransport) proxyNodeRequest(request *http.Request) (*http.Response, error) {
+	requestPath := request.URL.Path
+
+	// assume /nodes/{id}
+	if path.Base(requestPath) != "nodes" {
+		return p.administratorOperation(request)
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+func (p *proxyTransport) proxySwarmRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/swarm":
+		return p.executeDockerRequest(request)
+	default:
+		// assume /swarm/{action}
+		return p.administratorOperation(request)
+	}
+}
+
+func (p *proxyTransport) proxyTaskRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/tasks":
+		return p.rewriteOperation(request, taskListOperation)
+	default:
+		// assume /tasks/{id}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyBuildRequest(request *http.Request) (*http.Response, error) {
+	return p.interceptAndRewriteRequest(request, buildOperation)
+}
+
+func (p *proxyTransport) proxyImageRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/images/create":
+		return p.replaceRegistryAuthenticationHeader(request)
+	default:
+		if path.Base(requestPath) == "push" && request.Method == http.MethodPost {
+			return p.replaceRegistryAuthenticationHeader(request)
+		}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) replaceRegistryAuthenticationHeader(request *http.Request) (*http.Response, error) {
+	accessContext, err := p.createRegistryAccessContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	originalHeader := request.Header.Get("X-Registry-Auth")
+
+	if originalHeader != "" {
+
+		decodedHeaderData, err := base64.StdEncoding.DecodeString(originalHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		var originalHeaderData registryAuthenticationHeader
+		err = json.Unmarshal(decodedHeaderData, &originalHeaderData)
+		if err != nil {
+			return nil, err
+		}
+
+		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.Serveraddress, accessContext)
+
+		headerData, err := json.Marshal(authenticationHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		header := base64.StdEncoding.EncodeToString(headerData)
+
+		request.Header.Set("X-Registry-Auth", header)
+	}
+
+	return p.executeDockerRequest(request)
+}
+
 // restrictedOperation ensures that the current user has the required authorizations
 // before executing the original request.
 func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID string) (*http.Response, error) {
@@ -177,9 +352,115 @@ func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID s
 	return p.executeDockerRequest(request)
 }
 
+// rewriteOperationWithLabelFiltering will create a new operation context with data that will be used
+// to decorate the original request's response as well as retrieve all the black listed labels
+// to filter the resources.
+func (p *proxyTransport) rewriteOperationWithLabelFiltering(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
+	operationContext, err := p.createOperationContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	settings, err := p.SettingsService.Settings()
+	if err != nil {
+		return nil, err
+	}
+
+	executor := &operationExecutor{
+		operationContext: operationContext,
+		labelBlackList:   settings.BlackListedLabels,
+	}
+
+	return p.executeRequestAndRewriteResponse(request, operation, executor)
+}
+
 // rewriteOperation will create a new operation context with data that will be used
 // to decorate the original request's response.
 func (p *proxyTransport) rewriteOperation(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
+	operationContext, err := p.createOperationContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	executor := &operationExecutor{
+		operationContext: operationContext,
+	}
+
+	return p.executeRequestAndRewriteResponse(request, operation, executor)
+}
+
+func (p *proxyTransport) interceptAndRewriteRequest(request *http.Request, operation operationRequest) (*http.Response, error) {
+	err := operation(request)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request, operation restrictedOperationRequest, executor *operationExecutor) (*http.Response, error) {
+	response, err := p.executeDockerRequest(request)
+	if err != nil {
+		return response, err
+	}
+
+	err = operation(response, executor)
+	return response, err
+}
+
+// administratorOperation ensures that the user has administrator privileges
+// before executing the original request.
+func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		return writeAccessDeniedResponse()
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+func (p *proxyTransport) createRegistryAccessContext(request *http.Request) (*registryAccessContext, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	accessContext := &registryAccessContext{
+		isAdmin: true,
+		userID:  tokenData.ID,
+	}
+
+	hub, err := p.DockerHubService.DockerHub()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.dockerHub = hub
+
+	registries, err := p.RegistryService.Registries()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.registries = registries
+
+	if tokenData.Role != portainer.AdministratorRole {
+		accessContext.isAdmin = false
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		accessContext.teamMemberships = teamMemberships
+	}
+
+	return accessContext, nil
+}
+
+func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedOperationContext, error) {
 	var err error
 	tokenData, err := security.RetrieveTokenData(request)
 	if err != nil {
@@ -212,26 +493,5 @@ func (p *proxyTransport) rewriteOperation(request *http.Request, operation restr
 		operationContext.userTeamIDs = userTeamIDs
 	}
 
-	response, err := p.executeDockerRequest(request)
-	if err != nil {
-		return response, err
-	}
-
-	err = operation(request, response, operationContext)
-	return response, err
-}
-
-// administratorOperation ensures that the user has administrator privileges
-// before executing the original request.
-func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
-	tokenData, err := security.RetrieveTokenData(request)
-	if err != nil {
-		return nil, err
-	}
-
-	if tokenData.Role != portainer.AdministratorRole {
-		return writeAccessDeniedResponse()
-	}
-
-	return p.executeDockerRequest(request)
+	return operationContext, nil
 }

api/http/proxy/utils.go

@@ -1,17 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
-	for _, resourceControl := range resourceControls {
-		if resourceID == resourceControl.ResourceID {
-			return &resourceControl
-		}
-		for _, subResourceID := range resourceControl.SubResourceIDs {
-			if resourceID == subResourceID {
-				return &resourceControl
-			}
-		}
-	}
-	return nil
-}

api/http/proxy/volumes.go

@@ -10,11 +10,12 @@ const (
 	// ErrDockerVolumeIdentifierNotFound defines an error raised when Portainer is unable to find a volume identifier
 	ErrDockerVolumeIdentifierNotFound = portainer.Error("Docker volume identifier not found")
 	volumeIdentifier                  = "Name"
+	volumeLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@@ -28,10 +29,10 @@ func volumeListOperation(request *http.Request, response *http.Response, operati
 	if responseObject["Volumes"] != nil {
 		volumeData := responseObject["Volumes"].([]interface{})
 
-		if operationContext.isAdmin {
-			volumeData, err = decorateVolumeList(volumeData, operationContext.resourceControls)
+		if executor.operationContext.isAdmin {
+			volumeData, err = decorateVolumeList(volumeData, executor.operationContext.resourceControls)
 		} else {
-			volumeData, err = filterVolumeList(volumeData, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+			volumeData, err = filterVolumeList(volumeData, executor.operationContext)
 		}
 		if err != nil {
 			return err
@@ -45,9 +46,9 @@ func volumeListOperation(request *http.Request, response *http.Response, operati
 }
 
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the volume based on resource control and either rewrite an access denied response
+// has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@@ -58,16 +59,85 @@ func volumeInspectOperation(request *http.Request, response *http.Response, oper
 	if responseObject[volumeIdentifier] == nil {
 		return ErrDockerVolumeIdentifierNotFound
 	}
-	volumeID := responseObject[volumeIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(volumeID, operationContext.resourceControls)
-	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	volumeID := responseObject[volumeIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, volumeID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	volumeLabels := extractVolumeLabelsFromVolumeInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(volumeLabels, responseObject, volumeLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
 }
+
+// extractVolumeLabelsFromVolumeInspectObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+func extractVolumeLabelsFromVolumeInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractVolumeLabelsFromVolumeListObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func extractVolumeLabelsFromVolumeListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateVolumeList loops through all volumes and decorates any volume with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject = decorateResourceWithAccessControl(volumeObject, volumeID, resourceControls)
+
+		volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+		volumeObject = decorateResourceWithAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, resourceControls)
+
+		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
+	}
+
+	return decoratedVolumeData, nil
+}
+
+// filterVolumeList loops through all volumes and filters public volumes (no associated resource control)
+// as well as authorized volumes (access granted to the user based on existing resource control).
+// Authorized volumes are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func filterVolumeList(volumeData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject, access := applyResourceAccessControl(volumeObject, volumeID, context)
+		if access {
+			volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+			volumeObject, access = applyResourceAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, context)
+			if access {
+				filteredVolumeData = append(filteredVolumeData, volumeObject)
+			}
+		}
+	}
+
+	return filteredVolumeData, nil
+}

api/http/security/authorization.go

@@ -22,7 +22,7 @@ func AuthorizedResourceControlDeletion(resourceControl *portainer.ResourceContro
 	if teamAccessesCount > 0 {
 		for _, access := range resourceControl.TeamAccesses {
 			for _, membership := range context.UserMemberships {
-				if membership.TeamID == access.TeamID && membership.Role == portainer.TeamLeader {
+				if membership.TeamID == access.TeamID {
 					return true
 				}
 			}
@@ -121,3 +121,44 @@ func AuthorizedUserManagement(userID portainer.UserID, context *RestrictedReques
 	}
 	return false
 }
+
+// AuthorizedEndpointAccess ensure that the user can access the specified endpoint.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams of the endpoint and the associated group.
+func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	groupAccess := authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
+	if !groupAccess {
+		return authorizedAccess(userID, memberships, endpoint.AuthorizedUsers, endpoint.AuthorizedTeams)
+	}
+	return true
+}
+
+// AuthorizedEndpointGroupAccess ensure that the user can access the specified endpoint group.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams.
+func AuthorizedEndpointGroupAccess(endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	return authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
+}
+
+// AuthorizedRegistryAccess ensure that the user can access the specified registry.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams.
+func AuthorizedRegistryAccess(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	return authorizedAccess(userID, memberships, registry.AuthorizedUsers, registry.AuthorizedTeams)
+}
+
+func authorizedAccess(userID portainer.UserID, memberships []portainer.TeamMembership, authorizedUsers []portainer.UserID, authorizedTeams []portainer.TeamID) bool {
+	for _, authorizedUserID := range authorizedUsers {
+		if authorizedUserID == userID {
+			return true
+		}
+	}
+	for _, membership := range memberships {
+		for _, authorizedTeamID := range authorizedTeams {
+			if membership.TeamID == authorizedTeamID {
+				return true
+			}
+		}
+	}
+	return false
+}

api/http/security/bouncer.go

@@ -12,6 +12,7 @@ type (
 	// RequestBouncer represents an entity that manages API request accesses
 	RequestBouncer struct {
 		jwtService            portainer.JWTService
+		userService           portainer.UserService
 		teamMembershipService portainer.TeamMembershipService
 		authDisabled          bool
 	}
@@ -27,9 +28,10 @@ type (
 )
 
 // NewRequestBouncer initializes a new RequestBouncer
-func NewRequestBouncer(jwtService portainer.JWTService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer {
+func NewRequestBouncer(jwtService portainer.JWTService, userService portainer.UserService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer {
 	return &RequestBouncer{
 		jwtService:            jwtService,
+		userService:           userService,
 		teamMembershipService: teamMembershipService,
 		authDisabled:          authDisabled,
 	}
@@ -50,7 +52,7 @@ func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler
 	return h
 }
 
-// RestrictedAccess defines defines a security check for restricted endpoints.
+// RestrictedAccess defines a security check for restricted endpoints.
 // Authentication is required to access these endpoints.
 // The request context will be enhanced with a RestrictedRequestContext object
 // that might be used later to authorize/filter access to resources.
@@ -136,6 +138,15 @@ func (bouncer *RequestBouncer) mwCheckAuthentication(next http.Handler) http.Han
 				httperror.WriteErrorResponse(w, err, http.StatusUnauthorized, nil)
 				return
 			}
+
+			_, err = bouncer.userService.User(tokenData.ID)
+			if err != nil && err == portainer.ErrUserNotFound {
+				httperror.WriteErrorResponse(w, portainer.ErrUnauthorized, http.StatusUnauthorized, nil)
+				return
+			} else if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
+				return
+			}
 		} else {
 			tokenData = &portainer.TokenData{
 				Role: portainer.AdministratorRole,

api/http/security/filter.go

@@ -60,16 +60,36 @@ func FilterUsers(users []portainer.User, context *RestrictedRequestContext) []po
 	return filteredUsers
 }
 
+// FilterRegistries filters registries based on user role and team memberships.
+// Non administrator users only have access to authorized registries.
+func FilterRegistries(registries []portainer.Registry, context *RestrictedRequestContext) ([]portainer.Registry, error) {
+
+	filteredRegistries := registries
+	if !context.IsAdmin {
+		filteredRegistries = make([]portainer.Registry, 0)
+
+		for _, registry := range registries {
+			if AuthorizedRegistryAccess(&registry, context.UserID, context.UserMemberships) {
+				filteredRegistries = append(filteredRegistries, registry)
+			}
+		}
+	}
+
+	return filteredRegistries, nil
+}
+
 // FilterEndpoints filters endpoints based on user role and team memberships.
-// Non administrator users only have access to authorized endpoints.
-func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
+// Non administrator users only have access to authorized endpoints (can be inherited via endoint groups).
+func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
 	filteredEndpoints := endpoints
 
 	if !context.IsAdmin {
 		filteredEndpoints = make([]portainer.Endpoint, 0)
 
 		for _, endpoint := range endpoints {
-			if isEndpointAccessAuthorized(&endpoint, context.UserID, context.UserMemberships) {
+			endpointGroup := getAssociatedGroup(&endpoint, groups)
+
+			if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
 				filteredEndpoints = append(filteredEndpoints, endpoint)
 			}
 		}
@@ -78,18 +98,29 @@ func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestC
 	return filteredEndpoints, nil
 }
 
-func isEndpointAccessAuthorized(endpoint *portainer.Endpoint, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
+// FilterEndpointGroups filters endpoint groups based on user role and team memberships.
+// Non administrator users only have access to authorized endpoint groups.
+func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.EndpointGroup, error) {
+	filteredEndpointGroups := endpointGroups
+
+	if !context.IsAdmin {
+		filteredEndpointGroups = make([]portainer.EndpointGroup, 0)
+
+		for _, group := range endpointGroups {
+			if AuthorizedEndpointGroupAccess(&group, context.UserID, context.UserMemberships) {
+				filteredEndpointGroups = append(filteredEndpointGroups, group)
 			}
 		}
 	}
-	return false
+
+	return filteredEndpointGroups, nil
+}
+
+func getAssociatedGroup(endpoint *portainer.Endpoint, groups []portainer.EndpointGroup) *portainer.EndpointGroup {
+	for _, group := range groups {
+		if group.ID == endpoint.GroupID {
+			return &group
+		}
+	}
+	return nil
 }

api/http/security/rate_limiter.go

@@ -0,0 +1,47 @@
+package security
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/g07cha/defender"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+)
+
+// RateLimiter represents an entity that manages request rate limiting
+type RateLimiter struct {
+	*defender.Defender
+}
+
+// NewRateLimiter initializes a new RateLimiter
+func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter {
+	messages := make(chan struct{})
+	limiter := defender.New(maxRequests, duration, banDuration)
+	go limiter.CleanupTask(messages)
+	return &RateLimiter{
+		limiter,
+	}
+}
+
+// LimitAccess wraps current request with check if remote address does not goes above the defined limits
+func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip := StripAddrPort(r.RemoteAddr)
+		if banned := limiter.Inc(ip); banned == true {
+			httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, nil)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// StripAddrPort removes port from IP address
+func StripAddrPort(addr string) string {
+	portIndex := strings.LastIndex(addr, ":")
+	if portIndex != -1 {
+		addr = addr[:portIndex]
+	}
+	return addr
+}

api/http/security/rate_limiter_test.go

@@ -0,0 +1,69 @@
+package security
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestLimitAccess(t *testing.T) {
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	t.Run("Request below the limit", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/", nil)
+		rr := httptest.NewRecorder()
+		rateLimiter := NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+		handler := rateLimiter.LimitAccess(testHandler)
+
+		handler.ServeHTTP(rr, req)
+
+		if status := rr.Code; status != http.StatusOK {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusOK)
+		}
+	})
+
+	t.Run("Request above the limit", func(t *testing.T) {
+		rateLimiter := NewRateLimiter(1, 1*time.Second, 1*time.Hour)
+		handler := rateLimiter.LimitAccess(testHandler)
+
+		ts := httptest.NewServer(handler)
+		defer ts.Close()
+		http.Get(ts.URL)
+		resp, err := http.Get(ts.URL)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if status := resp.StatusCode; status != http.StatusForbidden {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusForbidden)
+		}
+	})
+}
+
+func TestStripAddrPort(t *testing.T) {
+	t.Run("IP with port", func(t *testing.T) {
+		result := StripAddrPort("127.0.0.1:1000")
+		if result != "127.0.0.1" {
+			t.Errorf("Expected IP with address to be '127.0.0.1', but it was %s instead", result)
+		}
+	})
+
+	t.Run("IP without port", func(t *testing.T) {
+		result := StripAddrPort("127.0.0.1")
+		if result != "127.0.0.1" {
+			t.Errorf("Expected IP with address to be '127.0.0.1', but it was %s instead", result)
+		}
+	})
+
+	t.Run("Local IP", func(t *testing.T) {
+		result := StripAddrPort("[::1]:1000")
+		if result != "[::1]" {
+			t.Errorf("Expected IP with address to be '[::1]', but it was %s instead", result)
+		}
+	})
+}

api/http/server.go

@@ -1,12 +1,16 @@
 package http
 
 import (
+	"time"
+
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/http/handler"
+	"github.com/portainer/portainer/http/handler/extensions"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
 
 	"net/http"
+	"path/filepath"
 )
 
 // Server implements the portainer.Server interface
@@ -15,16 +19,24 @@ type Server struct {
 	AssetsPath             string
 	AuthDisabled           bool
 	EndpointManagement     bool
+	Status                 *portainer.Status
 	UserService            portainer.UserService
 	TeamService            portainer.TeamService
 	TeamMembershipService  portainer.TeamMembershipService
 	EndpointService        portainer.EndpointService
+	EndpointGroupService   portainer.EndpointGroupService
 	ResourceControlService portainer.ResourceControlService
+	SettingsService        portainer.SettingsService
 	CryptoService          portainer.CryptoService
 	JWTService             portainer.JWTService
 	FileService            portainer.FileService
-	Settings               *portainer.Settings
-	TemplatesURL           string
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
+	StackService           portainer.StackService
+	StackManager           portainer.StackManager
+	LDAPService            portainer.LDAPService
+	GitService             portainer.GitService
+	SignatureService       portainer.DigitalSignatureService
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@@ -33,41 +45,85 @@ type Server struct {
 
 // Start starts the HTTP server
 func (server *Server) Start() error {
-	requestBouncer := security.NewRequestBouncer(server.JWTService, server.TeamMembershipService, server.AuthDisabled)
-	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService)
+	requestBouncer := security.NewRequestBouncer(server.JWTService, server.UserService, server.TeamMembershipService, server.AuthDisabled)
+	proxyManagerParameters := &proxy.ManagerParams{
+		ResourceControlService: server.ResourceControlService,
+		TeamMembershipService:  server.TeamMembershipService,
+		SettingsService:        server.SettingsService,
+		RegistryService:        server.RegistryService,
+		DockerHubService:       server.DockerHubService,
+		SignatureService:       server.SignatureService,
+	}
+	proxyManager := proxy.NewManager(proxyManagerParameters)
+	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
 
-	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
+	var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public"))
+	var authHandler = handler.NewAuthHandler(requestBouncer, rateLimiter, server.AuthDisabled)
 	authHandler.UserService = server.UserService
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
+	authHandler.LDAPService = server.LDAPService
+	authHandler.SettingsService = server.SettingsService
 	var userHandler = handler.NewUserHandler(requestBouncer)
 	userHandler.UserService = server.UserService
 	userHandler.TeamService = server.TeamService
 	userHandler.TeamMembershipService = server.TeamMembershipService
 	userHandler.CryptoService = server.CryptoService
 	userHandler.ResourceControlService = server.ResourceControlService
+	userHandler.SettingsService = server.SettingsService
 	var teamHandler = handler.NewTeamHandler(requestBouncer)
 	teamHandler.TeamService = server.TeamService
 	teamHandler.TeamMembershipService = server.TeamMembershipService
 	var teamMembershipHandler = handler.NewTeamMembershipHandler(requestBouncer)
 	teamMembershipHandler.TeamMembershipService = server.TeamMembershipService
-	var settingsHandler = handler.NewSettingsHandler(requestBouncer, server.Settings)
-	var templatesHandler = handler.NewTemplatesHandler(requestBouncer, server.TemplatesURL)
+	var statusHandler = handler.NewStatusHandler(requestBouncer, server.Status)
+	var settingsHandler = handler.NewSettingsHandler(requestBouncer)
+	settingsHandler.SettingsService = server.SettingsService
+	settingsHandler.LDAPService = server.LDAPService
+	settingsHandler.FileService = server.FileService
+	var templatesHandler = handler.NewTemplatesHandler(requestBouncer)
+	templatesHandler.SettingsService = server.SettingsService
 	var dockerHandler = handler.NewDockerHandler(requestBouncer)
 	dockerHandler.EndpointService = server.EndpointService
+	dockerHandler.EndpointGroupService = server.EndpointGroupService
 	dockerHandler.TeamMembershipService = server.TeamMembershipService
 	dockerHandler.ProxyManager = proxyManager
 	var websocketHandler = handler.NewWebSocketHandler()
 	websocketHandler.EndpointService = server.EndpointService
+	websocketHandler.SignatureService = server.SignatureService
 	var endpointHandler = handler.NewEndpointHandler(requestBouncer, server.EndpointManagement)
 	endpointHandler.EndpointService = server.EndpointService
+	endpointHandler.EndpointGroupService = server.EndpointGroupService
 	endpointHandler.FileService = server.FileService
 	endpointHandler.ProxyManager = proxyManager
+	var endpointGroupHandler = handler.NewEndpointGroupHandler(requestBouncer)
+	endpointGroupHandler.EndpointGroupService = server.EndpointGroupService
+	endpointGroupHandler.EndpointService = server.EndpointService
+	var registryHandler = handler.NewRegistryHandler(requestBouncer)
+	registryHandler.RegistryService = server.RegistryService
+	var dockerHubHandler = handler.NewDockerHubHandler(requestBouncer)
+	dockerHubHandler.DockerHubService = server.DockerHubService
 	var resourceHandler = handler.NewResourceHandler(requestBouncer)
 	resourceHandler.ResourceControlService = server.ResourceControlService
 	var uploadHandler = handler.NewUploadHandler(requestBouncer)
 	uploadHandler.FileService = server.FileService
-	var fileHandler = handler.NewFileHandler(server.AssetsPath)
+	var stackHandler = handler.NewStackHandler(requestBouncer)
+	stackHandler.FileService = server.FileService
+	stackHandler.StackService = server.StackService
+	stackHandler.EndpointService = server.EndpointService
+	stackHandler.ResourceControlService = server.ResourceControlService
+	stackHandler.StackManager = server.StackManager
+	stackHandler.GitService = server.GitService
+	stackHandler.RegistryService = server.RegistryService
+	stackHandler.DockerHubService = server.DockerHubService
+	var extensionHandler = handler.NewExtensionHandler(requestBouncer)
+	extensionHandler.EndpointService = server.EndpointService
+	extensionHandler.ProxyManager = proxyManager
+	var storidgeHandler = extensions.NewStoridgeHandler(requestBouncer)
+	storidgeHandler.EndpointService = server.EndpointService
+	storidgeHandler.EndpointGroupService = server.EndpointGroupService
+	storidgeHandler.TeamMembershipService = server.TeamMembershipService
+	storidgeHandler.ProxyManager = proxyManager
 
 	server.Handler = &handler.Handler{
 		AuthHandler:           authHandler,
@@ -75,13 +131,20 @@ func (server *Server) Start() error {
 		TeamHandler:           teamHandler,
 		TeamMembershipHandler: teamMembershipHandler,
 		EndpointHandler:       endpointHandler,
+		EndpointGroupHandler:  endpointGroupHandler,
+		RegistryHandler:       registryHandler,
+		DockerHubHandler:      dockerHubHandler,
 		ResourceHandler:       resourceHandler,
 		SettingsHandler:       settingsHandler,
+		StatusHandler:         statusHandler,
+		StackHandler:          stackHandler,
 		TemplatesHandler:      templatesHandler,
 		DockerHandler:         dockerHandler,
 		WebSocketHandler:      websocketHandler,
 		FileHandler:           fileHandler,
 		UploadHandler:         uploadHandler,
+		ExtensionHandler:      extensionHandler,
+		StoridgeHandler:       storidgeHandler,
 	}
 
 	if server.SSL {

api/ldap/ldap.go

@@ -0,0 +1,126 @@
+package ldap
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+
+	"gopkg.in/ldap.v2"
+)
+
+const (
+	// ErrUserNotFound defines an error raised when the user is not found via LDAP search
+	// or that too many entries (> 1) are returned.
+	ErrUserNotFound = portainer.Error("User not found or too many entries returned")
+)
+
+// Service represents a service used to authenticate users against a LDAP/AD.
+type Service struct{}
+
+func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearchSettings) (string, error) {
+	var userDN string
+	found := false
+	for _, searchSettings := range settings {
+		searchRequest := ldap.NewSearchRequest(
+			searchSettings.BaseDN,
+			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+			fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, username),
+			[]string{"dn"},
+			nil,
+		)
+
+		// Deliberately skip errors on the search request so that we can jump to other search settings
+		// if any issue arise with the current one.
+		sr, err := conn.Search(searchRequest)
+		if err != nil {
+			continue
+		}
+
+		if len(sr.Entries) == 1 {
+			found = true
+			userDN = sr.Entries[0].DN
+			break
+		}
+	}
+
+	if !found {
+		return "", ErrUserNotFound
+	}
+
+	return userDN, nil
+}
+
+func createConnection(settings *portainer.LDAPSettings) (*ldap.Conn, error) {
+
+	if settings.TLSConfig.TLS || settings.StartTLS {
+		config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig.TLSCACertPath, settings.TLSConfig.TLSCertPath, settings.TLSConfig.TLSKeyPath, settings.TLSConfig.TLSSkipVerify)
+		if err != nil {
+			return nil, err
+		}
+		config.ServerName = strings.Split(settings.URL, ":")[0]
+
+		if settings.TLSConfig.TLS {
+			return ldap.DialTLS("tcp", settings.URL, config)
+		}
+
+		conn, err := ldap.Dial("tcp", settings.URL)
+		if err != nil {
+			return nil, err
+		}
+
+		err = conn.StartTLS(config)
+		if err != nil {
+			return nil, err
+		}
+
+		return conn, nil
+	}
+
+	return ldap.Dial("tcp", settings.URL)
+}
+
+// AuthenticateUser is used to authenticate a user against a LDAP/AD.
+func (*Service) AuthenticateUser(username, password string, settings *portainer.LDAPSettings) error {
+
+	connection, err := createConnection(settings)
+	if err != nil {
+		return err
+	}
+	defer connection.Close()
+
+	err = connection.Bind(settings.ReaderDN, settings.Password)
+	if err != nil {
+		return err
+	}
+
+	userDN, err := searchUser(username, connection, settings.SearchSettings)
+	if err != nil {
+		return err
+	}
+
+	err = connection.Bind(userDN, password)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// TestConnectivity is used to test a connection against the LDAP server using the credentials
+// specified in the LDAPSettings.
+func (*Service) TestConnectivity(settings *portainer.LDAPSettings) error {
+
+	connection, err := createConnection(settings)
+	if err != nil {
+		return err
+	}
+	defer connection.Close()
+
+	err = connection.Bind(settings.ReaderDN, settings.Password)
+	if err != nil {
+		return err
+	}
+	return nil
+}

api/portainer.go

@@ -12,33 +12,73 @@ type (
 	// CLIFlags represents the available flags on the CLI.
 	CLIFlags struct {
 		Addr              *string
+		AdminPassword     *string
+		AdminPasswordFile *string
 		Assets            *string
 		Data              *string
+		EndpointURL       *string
 		ExternalEndpoints *string
-		SyncInterval      *string
-		Endpoint          *string
 		Labels            *[]Pair
 		Logo              *string
-		Templates         *string
 		NoAuth            *bool
 		NoAnalytics       *bool
-		TLSVerify         *bool
+		Templates         *string
+		TLS               *bool
+		TLSSkipVerify     *bool
 		TLSCacert         *string
 		TLSCert           *string
 		TLSKey            *string
 		SSL               *bool
 		SSLCert           *string
 		SSLKey            *string
-		AdminPassword     *string
+		SyncInterval      *string
 	}
 
-	// Settings represents Portainer settings.
+	// Status represents the application status.
+	Status struct {
+		Authentication     bool   `json:"Authentication"`
+		EndpointManagement bool   `json:"EndpointManagement"`
+		Analytics          bool   `json:"Analytics"`
+		Version            string `json:"Version"`
+	}
+
+	// LDAPSettings represents the settings used to connect to a LDAP server.
+	LDAPSettings struct {
+		ReaderDN       string               `json:"ReaderDN"`
+		Password       string               `json:"Password"`
+		URL            string               `json:"URL"`
+		TLSConfig      TLSConfiguration     `json:"TLSConfig"`
+		StartTLS       bool                 `json:"StartTLS"`
+		SearchSettings []LDAPSearchSettings `json:"SearchSettings"`
+	}
+
+	// TLSConfiguration represents a TLS configuration.
+	TLSConfiguration struct {
+		TLS           bool   `json:"TLS"`
+		TLSSkipVerify bool   `json:"TLSSkipVerify"`
+		TLSCACertPath string `json:"TLSCACert,omitempty"`
+		TLSCertPath   string `json:"TLSCert,omitempty"`
+		TLSKeyPath    string `json:"TLSKey,omitempty"`
+	}
+
+	// LDAPSearchSettings represents settings used to search for users in a LDAP server.
+	LDAPSearchSettings struct {
+		BaseDN            string `json:"BaseDN"`
+		Filter            string `json:"Filter"`
+		UserNameAttribute string `json:"UserNameAttribute"`
+	}
+
+	// Settings represents the application settings.
 	Settings struct {
-		HiddenLabels       []Pair `json:"hiddenLabels"`
-		Logo               string `json:"logo"`
-		Authentication     bool   `json:"authentication"`
-		Analytics          bool   `json:"analytics"`
-		EndpointManagement bool   `json:"endpointManagement"`
+		TemplatesURL                       string               `json:"TemplatesURL"`
+		LogoURL                            string               `json:"LogoURL"`
+		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
+		DisplayDonationHeader              bool                 `json:"DisplayDonationHeader"`
+		DisplayExternalContributors        bool                 `json:"DisplayExternalContributors"`
+		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
+		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
 	}
 
 	// User represents a user account.
@@ -56,6 +96,9 @@ type (
 	// or a regular user
 	UserRole int
 
+	// AuthenticationMethod represents the authentication method used to authenticate a user.
+	AuthenticationMethod int
+
 	// Team represents a list of user accounts.
 	Team struct {
 		ID   TeamID `json:"Id"`
@@ -86,46 +129,114 @@ type (
 		Role     UserRole
 	}
 
+	// StackID represents a stack identifier (it must be composed of Name + "_" + SwarmID to create a unique identifier).
+	StackID string
+
+	// Stack represents a Docker stack created via docker stack deploy.
+	Stack struct {
+		ID          StackID `json:"Id"`
+		Name        string  `json:"Name"`
+		EntryPoint  string  `json:"EntryPoint"`
+		SwarmID     string  `json:"SwarmId"`
+		ProjectPath string
+		Env         []Pair `json:"Env"`
+	}
+
+	// RegistryID represents a registry identifier.
+	RegistryID int
+
+	// Registry represents a Docker registry with all the info required
+	// to connect to it.
+	Registry struct {
+		ID              RegistryID `json:"Id"`
+		Name            string     `json:"Name"`
+		URL             string     `json:"URL"`
+		Authentication  bool       `json:"Authentication"`
+		Username        string     `json:"Username"`
+		Password        string     `json:"Password,omitempty"`
+		AuthorizedUsers []UserID   `json:"AuthorizedUsers"`
+		AuthorizedTeams []TeamID   `json:"AuthorizedTeams"`
+	}
+
+	// DockerHub represents all the required information to connect and use the
+	// Docker Hub.
+	DockerHub struct {
+		Authentication bool   `json:"Authentication"`
+		Username       string `json:"Username"`
+		Password       string `json:"Password,omitempty"`
+	}
+
 	// EndpointID represents an endpoint identifier.
 	EndpointID int
 
+	// EndpointType represents the type of an endpoint.
+	EndpointType int
+
 	// Endpoint represents a Docker endpoint with all the info required
 	// to connect to it.
 	Endpoint struct {
-		ID              EndpointID `json:"Id"`
-		Name            string     `json:"Name"`
-		URL             string     `json:"URL"`
-		PublicURL       string     `json:"PublicURL"`
-		TLS             bool       `json:"TLS"`
-		TLSCACertPath   string     `json:"TLSCACert,omitempty"`
-		TLSCertPath     string     `json:"TLSCert,omitempty"`
-		TLSKeyPath      string     `json:"TLSKey,omitempty"`
-		AuthorizedUsers []UserID   `json:"AuthorizedUsers"`
-		AuthorizedTeams []TeamID   `json:"AuthorizedTeams"`
+		ID              EndpointID          `json:"Id"`
+		Name            string              `json:"Name"`
+		Type            EndpointType        `json:"Type"`
+		URL             string              `json:"URL"`
+		GroupID         EndpointGroupID     `json:"GroupId"`
+		PublicURL       string              `json:"PublicURL"`
+		TLSConfig       TLSConfiguration    `json:"TLSConfig"`
+		AuthorizedUsers []UserID            `json:"AuthorizedUsers"`
+		AuthorizedTeams []TeamID            `json:"AuthorizedTeams"`
+		Extensions      []EndpointExtension `json:"Extensions"`
+
+		// Deprecated fields
+		// Deprecated in DBVersion == 4
+		TLS           bool   `json:"TLS,omitempty"`
+		TLSCACertPath string `json:"TLSCACert,omitempty"`
+		TLSCertPath   string `json:"TLSCert,omitempty"`
+		TLSKeyPath    string `json:"TLSKey,omitempty"`
 	}
 
+	// EndpointGroupID represents an endpoint group identifier.
+	EndpointGroupID int
+
+	// EndpointGroup represents a group of endpoints.
+	EndpointGroup struct {
+		ID              EndpointGroupID `json:"Id"`
+		Name            string          `json:"Name"`
+		Description     string          `json:"Description"`
+		AuthorizedUsers []UserID        `json:"AuthorizedUsers"`
+		AuthorizedTeams []TeamID        `json:"AuthorizedTeams"`
+		Labels          []Pair          `json:"Labels"`
+	}
+
+	// EndpointExtension represents a extension associated to an endpoint.
+	EndpointExtension struct {
+		Type EndpointExtensionType `json:"Type"`
+		URL  string                `json:"URL"`
+	}
+
+	// EndpointExtensionType represents the type of an endpoint extension. Only
+	// one extension of each type can be associated to an endpoint.
+	EndpointExtensionType int
+
 	// ResourceControlID represents a resource control identifier.
 	ResourceControlID int
 
 	// ResourceControl represent a reference to a Docker resource with specific access controls
 	ResourceControl struct {
-		ID                 ResourceControlID   `json:"Id"`
-		ResourceID         string              `json:"ResourceId"`
-		SubResourceIDs     []string            `json:"SubResourceIds"`
-		Type               ResourceControlType `json:"Type"`
-		AdministratorsOnly bool                `json:"AdministratorsOnly"`
-
-		UserAccesses []UserResourceAccess `json:"UserAccesses"`
-		TeamAccesses []TeamResourceAccess `json:"TeamAccesses"`
+		ID                 ResourceControlID    `json:"Id"`
+		ResourceID         string               `json:"ResourceId"`
+		SubResourceIDs     []string             `json:"SubResourceIds"`
+		Type               ResourceControlType  `json:"Type"`
+		AdministratorsOnly bool                 `json:"AdministratorsOnly"`
+		UserAccesses       []UserResourceAccess `json:"UserAccesses"`
+		TeamAccesses       []TeamResourceAccess `json:"TeamAccesses"`
 
 		// Deprecated fields
-		// Deprecated: OwnerID field is deprecated in DBVersion == 2
-		OwnerID UserID `json:"OwnerId"`
-		// Deprecated: AccessLevel field is deprecated in DBVersion == 2
-		AccessLevel ResourceAccessLevel `json:"AccessLevel"`
+		// Deprecated in DBVersion == 2
+		OwnerID     UserID              `json:"OwnerId,omitempty"`
+		AccessLevel ResourceAccessLevel `json:"AccessLevel,omitempty"`
 	}
 
-	// ResourceControlType represents the type of resource associated to the resource control (volume, container, service).
+	// ResourceControlType represents the type of resource associated to the resource control (volume, container, service...).
 	ResourceControlType int
 
 	// UserResourceAccess represents the level of control on a resource for a specific user.
@@ -156,6 +267,7 @@ type (
 	// DataStore defines the interface to manage the data.
 	DataStore interface {
 		Open() error
+		Init() error
 		Close() error
 		MigrateData() error
 	}
@@ -209,6 +321,46 @@ type (
 		Synchronize(toCreate, toUpdate, toDelete []*Endpoint) error
 	}
 
+	// EndpointGroupService represents a service for managing endpoint group data.
+	EndpointGroupService interface {
+		EndpointGroup(ID EndpointGroupID) (*EndpointGroup, error)
+		EndpointGroups() ([]EndpointGroup, error)
+		CreateEndpointGroup(group *EndpointGroup) error
+		UpdateEndpointGroup(ID EndpointGroupID, group *EndpointGroup) error
+		DeleteEndpointGroup(ID EndpointGroupID) error
+	}
+
+	// RegistryService represents a service for managing registry data.
+	RegistryService interface {
+		Registry(ID RegistryID) (*Registry, error)
+		Registries() ([]Registry, error)
+		CreateRegistry(registry *Registry) error
+		UpdateRegistry(ID RegistryID, registry *Registry) error
+		DeleteRegistry(ID RegistryID) error
+	}
+
+	// StackService represents a service for managing stack data.
+	StackService interface {
+		Stack(ID StackID) (*Stack, error)
+		Stacks() ([]Stack, error)
+		StacksBySwarmID(ID string) ([]Stack, error)
+		CreateStack(stack *Stack) error
+		UpdateStack(ID StackID, stack *Stack) error
+		DeleteStack(ID StackID) error
+	}
+
+	// DockerHubService represents a service for managing the DockerHub object.
+	DockerHubService interface {
+		DockerHub() (*DockerHub, error)
+		StoreDockerHub(registry *DockerHub) error
+	}
+
+	// SettingsService represents a service for managing application settings.
+	SettingsService interface {
+		Settings() (*Settings, error)
+		StoreSettings(settings *Settings) error
+	}
+
 	// VersionService represents a service for managing version data.
 	VersionService interface {
 		DBVersion() (int, error)
@@ -231,6 +383,15 @@ type (
 		CompareHashAndData(hash string, data string) error
 	}
 
+	// DigitalSignatureService represents a service to manage digital signatures.
+	DigitalSignatureService interface {
+		ParseKeyPair(private, public []byte) error
+		GenerateKeyPair() ([]byte, []byte, error)
+		EncodedPublicKey() string
+		PEMHeaders() (string, string)
+		Sign(message string) (string, error)
+	}
+
 	// JWTService represents a service for managing JWT tokens.
 	JWTService interface {
 		GenerateToken(data *TokenData) (string, error)
@@ -239,22 +400,65 @@ type (
 
 	// FileService represents a service for managing files.
 	FileService interface {
-		StoreTLSFile(endpointID EndpointID, fileType TLSFileType, r io.Reader) error
-		GetPathForTLSFile(endpointID EndpointID, fileType TLSFileType) (string, error)
-		DeleteTLSFiles(endpointID EndpointID) error
+		GetFileContent(filePath string) (string, error)
+		RemoveDirectory(directoryPath string) error
+		StoreTLSFile(folder string, fileType TLSFileType, r io.Reader) error
+		GetPathForTLSFile(folder string, fileType TLSFileType) (string, error)
+		DeleteTLSFile(folder string, fileType TLSFileType) error
+		DeleteTLSFiles(folder string) error
+		GetStackProjectPath(stackIdentifier string) string
+		StoreStackFileFromString(stackIdentifier, fileName, stackFileContent string) (string, error)
+		StoreStackFileFromReader(stackIdentifier, fileName string, r io.Reader) (string, error)
+		KeyPairFilesExist() (bool, error)
+		StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error
+		LoadKeyPair() ([]byte, []byte, error)
+		WriteJSONToFile(path string, content interface{}) error
+	}
+
+	// GitService represents a service for managing Git.
+	GitService interface {
+		ClonePublicRepository(repositoryURL, destination string) error
+		ClonePrivateRepositoryWithBasicAuth(repositoryURL, destination, username, password string) error
 	}
 
 	// EndpointWatcher represents a service to synchronize the endpoints via an external source.
 	EndpointWatcher interface {
 		WatchEndpointFile(endpointFilePath string) error
 	}
+
+	// LDAPService represents a service used to authenticate users against a LDAP/AD.
+	LDAPService interface {
+		AuthenticateUser(username, password string, settings *LDAPSettings) error
+		TestConnectivity(settings *LDAPSettings) error
+	}
+
+	// StackManager represents a service to manage stacks.
+	StackManager interface {
+		Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
+		Logout(endpoint *Endpoint) error
+		Deploy(stack *Stack, prune bool, endpoint *Endpoint) error
+		Remove(stack *Stack, endpoint *Endpoint) error
+	}
 )
 
 const (
 	// APIVersion is the version number of the Portainer API.
-	APIVersion = "1.13.1"
+	APIVersion = "1.17.1"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 2
+	DBVersion = 11
+	// DefaultTemplatesURL represents the default URL for the templates definitions.
+	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
+	// PortainerAgentHeader represents the name of the header available in any agent response
+	PortainerAgentHeader = "Portainer-Agent"
+	// PortainerAgentTargetHeader represent the name of the header containing the target node name.
+	PortainerAgentTargetHeader = "X-PortainerAgent-Target"
+	// PortainerAgentSignatureHeader represent the name of the header containing the digital signature
+	PortainerAgentSignatureHeader = "X-PortainerAgent-Signature"
+	// PortainerAgentPublicKeyHeader represent the name of the header containing the public key
+	PortainerAgentPublicKeyHeader = "X-PortainerAgent-PublicKey"
+	// PortainerAgentSignatureMessage represents the message used to create a digital signature
+	// to be used when communicating with an agent
+	PortainerAgentSignatureMessage = "Portainer-App"
 )
 
 const (
@@ -282,6 +486,14 @@ const (
 	StandardUserRole
 )
 
+const (
+	_ AuthenticationMethod = iota
+	// AuthenticationInternal represents the internal authentication method (authentication against Portainer API)
+	AuthenticationInternal
+	// AuthenticationLDAP represents the LDAP authentication method (authentication against a LDAP server)
+	AuthenticationLDAP
+)
+
 const (
 	_ ResourceAccessLevel = iota
 	// ReadWriteAccessLevel represents an access level with read-write permissions on a resource
@@ -296,4 +508,26 @@ const (
 	ServiceResourceControl
 	// VolumeResourceControl represents a resource control associated to a Docker volume
 	VolumeResourceControl
+	// NetworkResourceControl represents a resource control associated to a Docker network
+	NetworkResourceControl
+	// SecretResourceControl represents a resource control associated to a Docker secret
+	SecretResourceControl
+	// StackResourceControl represents a resource control associated to a stack composed of Docker services
+	StackResourceControl
+	// ConfigResourceControl represents a resource control associated to a Docker config
+	ConfigResourceControl
+)
+
+const (
+	_ EndpointExtensionType = iota
+	// StoridgeEndpointExtension represents the Storidge extension
+	StoridgeEndpointExtension
+)
+
+const (
+	_ EndpointType = iota
+	// DockerEnvironment represents an endpoint connected to a Docker environment
+	DockerEnvironment
+	// AgentOnDockerEnvironment represents an endpoint connected to a Portainer agent deployed on a Docker environment
+	AgentOnDockerEnvironment
 )

app/__module.js

@@ -0,0 +1,23 @@
+angular.module('portainer', [
+  'ui.bootstrap',
+  'ui.router',
+  'isteven-multi-select',
+  'ngCookies',
+  'ngSanitize',
+  'ngFileUpload',
+  'ngMessages',
+  'ngResource',
+  'angularUtils.directives.dirPagination',
+  'LocalStorageModule',
+  'angular-jwt',
+  'angular-google-analytics',
+  'angular-json-tree',
+  'angular-loading-bar',
+  'angular-clipboard',
+  'luegg.directives',
+  'portainer.templates',
+  'portainer.app',
+  'portainer.agent',
+  'portainer.docker',
+  'extension.storidge',
+  'rzModule']);

app/agent/_module.js

@@ -0,0 +1 @@
+angular.module('portainer.agent', []);

app/agent/components/node-selector/node-selector.js

@@ -0,0 +1,7 @@
+angular.module('portainer.agent').component('nodeSelector', {
+  templateUrl: 'app/agent/components/node-selector/nodeSelector.html',
+  controller: 'NodeSelectorController',
+  bindings: {
+    model: '='
+  }
+});

app/agent/components/node-selector/nodeSelector.html

@@ -0,0 +1,8 @@
+<div class="form-group">
+  <label for="target_node" class="col-sm-1 control-label text-left">Node</label>
+  <div class="col-sm-11">
+    <select class="form-control"
+      ng-model="$ctrl.model" ng-options="agent.NodeName as agent.NodeName for agent in $ctrl.agents"
+      ></select>
+  </div>
+</div>

app/agent/components/node-selector/nodeSelectorController.js

@@ -0,0 +1,18 @@
+angular.module('portainer.agent')
+.controller('NodeSelectorController', ['AgentService', 'Notifications', function (AgentService, Notifications) {
+  var ctrl = this;
+
+  this.$onInit = function() {
+    AgentService.agents()
+    .then(function success(data) {
+      ctrl.agents = data;
+      if (!ctrl.model) {
+        ctrl.model = data[0].NodeName;
+      }
+    })
+    .catch(function error(err) {
+      Notifications.error('Failure', err, 'Unable to load agents');
+    });
+  };
+
+}]);

app/agent/models/agent.js

@@ -0,0 +1,5 @@
+function AgentViewModel(data) {
+  this.IPAddress = data.IPAddress;
+	this.NodeName = data.NodeName;
+	this.NodeRole = data.NodeRole; 
+}

app/agent/rest/agent.js

@@ -0,0 +1,10 @@
+angular.module('portainer.agent')
+.factory('Agent', ['$resource', 'API_ENDPOINT_ENDPOINTS', 'EndpointProvider', function AgentFactory($resource, API_ENDPOINT_ENDPOINTS, EndpointProvider) {
+  'use strict';
+  return $resource(API_ENDPOINT_ENDPOINTS + '/:endpointId/docker/agents', {
+    endpointId: EndpointProvider.endpointID
+  },
+  {
+    query: {method: 'GET', isArray: true}
+  });
+}]);

app/agent/services/agentService.js

@@ -0,0 +1,24 @@
+angular.module('portainer.agent')
+.factory('AgentService', ['$q', 'Agent', function AgentServiceFactory($q, Agent) {
+  'use strict';
+  var service = {};
+
+  service.agents = function() {
+    var deferred = $q.defer();
+
+    Agent.query({}).$promise
+    .then(function success(data) {
+      var agents = data.map(function (item) {
+        return new AgentViewModel(item);
+      });
+      deferred.resolve(agents);
+    })
+    .catch(function error(err) {
+      deferred.reject({ msg: 'Unable to retrieve agents', err: err });
+    });
+
+    return deferred.promise;
+  };
+
+  return service;
+}]);

app/app.js

@@ -1,634 +1,55 @@
-angular.module('portainer.filters', []);
-angular.module('portainer.rest', ['ngResource']);
-angular.module('portainer.services', []);
-angular.module('portainer.helpers', []);
-angular.module('portainer', [
-  'ui.bootstrap',
-  'ui.router',
-  'isteven-multi-select',
-  'ngCookies',
-  'ngSanitize',
-  'ngFileUpload',
-  'angularUtils.directives.dirPagination',
-  'LocalStorageModule',
-  'angular-jwt',
-  'angular-google-analytics',
-  'portainer.templates',
-  'portainer.filters',
-  'portainer.rest',
-  'portainer.helpers',
-  'portainer.services',
-  'auth',
-  'dashboard',
-  'common.accesscontrol.panel',
-  'common.accesscontrol.form',
-  'container',
-  'containerConsole',
-  'containerLogs',
-  'containers',
-  'createContainer',
-  'createNetwork',
-  'createService',
-  'createVolume',
-  'docker',
-  'endpoint',
-  'endpointAccess',
-  'endpointInit',
-  'endpoints',
-  'events',
-  'image',
-  'images',
-  'main',
-  'network',
-  'networks',
-  'node',
-  'service',
-  'services',
-  'settings',
-  'sidebar',
-  'stats',
-  'swarm',
-  'task',
-  'team',
-  'teams',
-  'templates',
-  'user',
-  'users',
-  'volume',
-  'volumes'])
-  .config(['$stateProvider', '$urlRouterProvider', '$httpProvider', 'localStorageServiceProvider', 'jwtOptionsProvider', 'AnalyticsProvider', '$uibTooltipProvider', '$compileProvider', function ($stateProvider, $urlRouterProvider, $httpProvider, localStorageServiceProvider, jwtOptionsProvider, AnalyticsProvider, $uibTooltipProvider, $compileProvider) {
-    'use strict';
+angular.module('portainer')
+.run(['$rootScope', '$state', 'Authentication', 'authManager', 'StateManager', 'EndpointProvider', 'Notifications', 'Analytics', 'cfpLoadingBar', '$transitions', 'HttpRequestHelper',
+function ($rootScope, $state, Authentication, authManager, StateManager, EndpointProvider, Notifications, Analytics, cfpLoadingBar, $transitions, HttpRequestHelper) {
+  'use strict';
 
-    var environment = '@@ENVIRONMENT';
-    if (environment === 'production') {
-      $compileProvider.debugInfoEnabled(false);
+  EndpointProvider.initialize();
+
+  StateManager.initialize()
+  .then(function success(state) {
+    if (state.application.authentication) {
+      initAuthentication(authManager, Authentication, $rootScope, $state);
     }
+    if (state.application.analytics) {
+      initAnalytics(Analytics, $rootScope);
+    }
+  })
+  .catch(function error(err) {
+    Notifications.error('Failure', err, 'Unable to retrieve application settings');
+  });
 
-    localStorageServiceProvider
-    .setStorageType('sessionStorage')
-    .setPrefix('portainer');
+  $rootScope.$state = $state;
 
-    jwtOptionsProvider.config({
-      tokenGetter: ['LocalStorage', function(LocalStorage) {
-        return LocalStorage.getJWT();
-      }],
-      unauthenticatedRedirector: ['$state', function($state) {
-        $state.go('auth', {error: 'Your session has expired'});
-      }]
-    });
-    $httpProvider.interceptors.push('jwtInterceptor');
+  // Workaround to prevent the loading bar from going backward
+  // https://github.com/chieffancypants/angular-loading-bar/issues/273
+  var originalSet = cfpLoadingBar.set;
+  cfpLoadingBar.set = function overrideSet(n) {
+    if (n > cfpLoadingBar.status()) {
+      originalSet.apply(cfpLoadingBar, arguments);
+    }
+  };
 
-    AnalyticsProvider.setAccount('@@CONFIG_GA_ID');
-    AnalyticsProvider.startOffline(true);
+  $transitions.onBefore({ to: 'docker.**' }, function() {
+    HttpRequestHelper.resetAgentTargetQueue();
+  });
+}]);
 
-    $urlRouterProvider.otherwise('/auth');
 
-    toastr.options.timeOut = 3000;
+function initAuthentication(authManager, Authentication, $rootScope, $state) {
+  authManager.checkAuthOnRefresh();
+  authManager.redirectWhenUnauthenticated();
+  Authentication.init();
+  $rootScope.$on('tokenHasExpired', function() {
+    $state.go('portainer.auth', {error: 'Your session has expired'});
+  });
+}
 
-    $uibTooltipProvider.setTriggers({
-      'mouseenter': 'mouseleave',
-      'click': 'click',
-      'focus': 'blur',
-      'outsideClick': 'outsideClick'
-    });
-
-    $stateProvider
-    .state('root', {
-      abstract: true,
-      resolve: {
-        requiresLogin: ['StateManager', function (StateManager) {
-          var applicationState = StateManager.getState();
-          return applicationState.application.authentication;
-        }]
-      }
-    })
-    .state('auth', {
-      parent: 'root',
-      url: '/auth',
-      params: {
-        logout: false,
-        error: ''
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/auth/auth.html',
-          controller: 'AuthenticationController'
-        }
-      },
-      data: {
-        requiresLogin: false
-      }
-    })
-    .state('containers', {
-      parent: 'root',
-      url: '/containers/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containers/containers.html',
-          controller: 'ContainersController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('container', {
-      url: '^/containers/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/container/container.html',
-          controller: 'ContainerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('stats', {
-      url: '^/containers/:id/stats',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/stats/stats.html',
-          controller: 'StatsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('logs', {
-      url: '^/containers/:id/logs',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containerLogs/containerlogs.html',
-          controller: 'ContainerLogsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('console', {
-      url: '^/containers/:id/console',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containerConsole/containerConsole.html',
-          controller: 'ContainerConsoleController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('dashboard', {
-      parent: 'root',
-      url: '/dashboard',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/dashboard/dashboard.html',
-          controller: 'DashboardController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions', {
-      abstract: true,
-      url: '/actions',
-      views: {
-        'content@': {
-          template: '<div ui-view="content@"></div>'
-        },
-        'sidebar@': {
-          template: '<div ui-view="sidebar@"></div>'
-        }
-      }
-    })
-    .state('actions.create', {
-      abstract: true,
-      url: '/create',
-      views: {
-        'content@': {
-          template: '<div ui-view="content@"></div>'
-        },
-        'sidebar@': {
-          template: '<div ui-view="sidebar@"></div>'
-        }
-      }
-    })
-    .state('actions.create.container', {
-      url: '/container',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createContainer/createcontainer.html',
-          controller: 'CreateContainerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.network', {
-      url: '/network',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createNetwork/createnetwork.html',
-          controller: 'CreateNetworkController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.service', {
-      url: '/service',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createService/createservice.html',
-          controller: 'CreateServiceController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.volume', {
-      url: '/volume',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createVolume/createvolume.html',
-          controller: 'CreateVolumeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('docker', {
-      url: '/docker/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/docker/docker.html',
-          controller: 'DockerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoints', {
-      url: '/endpoints/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpoints/endpoints.html',
-          controller: 'EndpointsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoint', {
-      url: '^/endpoints/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpoint/endpoint.html',
-          controller: 'EndpointController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoint.access', {
-      url: '^/endpoints/:id/access',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpointAccess/endpointAccess.html',
-          controller: 'EndpointAccessController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpointInit', {
-      url: '/init/endpoint',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpointInit/endpointInit.html',
-          controller: 'EndpointInitController'
-        }
-      }
-    })
-    .state('events', {
-      url: '/events/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/events/events.html',
-          controller: 'EventsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('images', {
-      url: '/images/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/images/images.html',
-          controller: 'ImagesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('image', {
-      url: '^/images/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/image/image.html',
-          controller: 'ImageController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('networks', {
-      url: '/networks/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/networks/networks.html',
-          controller: 'NetworksController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('network', {
-      url: '^/networks/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/network/network.html',
-          controller: 'NetworkController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('node', {
-      url: '^/nodes/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/node/node.html',
-          controller: 'NodeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('services', {
-      url: '/services/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/services/services.html',
-          controller: 'ServicesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('service', {
-      url: '^/service/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/service/service.html',
-          controller: 'ServiceController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('settings', {
-      url: '/settings/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/settings/settings.html',
-          controller: 'SettingsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('task', {
-      url: '^/task/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/task/task.html',
-          controller: 'TaskController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('templates', {
-      url: '/templates/',
-      params: {
-        key: 'containers',
-        hide_descriptions: false
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/templates/templates.html',
-          controller: 'TemplatesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('templates_linuxserver', {
-      url: '^/templates/linuxserver.io',
-      params: {
-        key: 'linuxserver.io',
-        hide_descriptions: true
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/templates/templates.html',
-          controller: 'TemplatesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('volumes', {
-      url: '/volumes/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/volumes/volumes.html',
-          controller: 'VolumesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('volume', {
-      url: '^/volumes/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/volume/volume.html',
-          controller: 'VolumeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('users', {
-      url: '/users/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/users/users.html',
-          controller: 'UsersController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('user', {
-      url: '^/users/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/user/user.html',
-          controller: 'UserController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('teams', {
-      url: '/teams/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/teams/teams.html',
-          controller: 'TeamsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('team', {
-      url: '^/teams/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/team/team.html',
-          controller: 'TeamController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('swarm', {
-      url: '/swarm/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/swarm/swarm.html',
-          controller: 'SwarmController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    });
-  }])
-  .run(['$rootScope', '$state', 'Authentication', 'authManager', 'StateManager', 'EndpointProvider', 'Notifications', 'Analytics', function ($rootScope, $state, Authentication, authManager, StateManager, EndpointProvider, Notifications, Analytics) {
-    EndpointProvider.initialize();
-    StateManager.initialize().then(function success(state) {
-      if (state.application.authentication) {
-        authManager.checkAuthOnRefresh();
-        authManager.redirectWhenUnauthenticated();
-        Authentication.init();
-        $rootScope.$on('tokenHasExpired', function($state) {
-          $state.go('auth', {error: 'Your session has expired'});
-        });
-      }
-      if (state.application.analytics) {
-        Analytics.offline(false);
-        Analytics.registerScriptTags();
-        Analytics.registerTrackers();
-        $rootScope.$on('$stateChangeSuccess', function (event, toState, toParams, fromState, fromParams) {
-          Analytics.trackPage(toState.url);
-          Analytics.pageView();
-        });
-      }
-    }, function error(err) {
-      Notifications.error('Failure', err, 'Unable to retrieve application settings');
-    });
-
-    $rootScope.$state = $state;
-  }])
-  // This is your docker url that the api will use to make requests
-  // You need to set this to the api endpoint without the port i.e. http://192.168.1.9
-  .constant('DOCKER_PORT', '') // Docker port, leave as an empty string if no port is required.  If you have a port, prefix it with a ':' i.e. :4243
-  .constant('DOCKER_ENDPOINT', 'api/docker')
-  .constant('CONFIG_ENDPOINT', 'api/settings')
-  .constant('AUTH_ENDPOINT', 'api/auth')
-  .constant('USERS_ENDPOINT', 'api/users')
-  .constant('TEAMS_ENDPOINT', 'api/teams')
-  .constant('TEAM_MEMBERSHIPS_ENDPOINT', 'api/team_memberships')
-  .constant('RESOURCE_CONTROL_ENDPOINT', 'api/resource_controls')
-  .constant('ENDPOINTS_ENDPOINT', 'api/endpoints')
-  .constant('TEMPLATES_ENDPOINT', 'api/templates')
-  .constant('PAGINATION_MAX_ITEMS', 10)
-  .constant('UI_VERSION', 'v1.13.1');
+function initAnalytics(Analytics, $rootScope) {
+  Analytics.offline(false);
+  Analytics.registerScriptTags();
+  Analytics.registerTrackers();
+  $rootScope.$on('$stateChangeSuccess', function (event, toState, toParams, fromState, fromParams) {
+    Analytics.trackPage(toState.url);
+    Analytics.pageView();
+  });
+}

app/components/auth/auth.html

@@ -1,101 +0,0 @@
-<div class="page-wrapper">
-  <!-- login box -->
-  <div class="container simple-box">
-    <div class="col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3">
-      <!-- login box logo -->
-      <div class="row">
-        <img ng-if="logo" ng-src="{{ logo }}" class="simple-box-logo">
-        <img ng-if="!logo" src="images/logo_alt.png" class="simple-box-logo" alt="Portainer">
-      </div>
-      <!-- !login box logo -->
-      <!-- init password panel -->
-      <div class="panel panel-default" ng-if="initPassword">
-        <div class="panel-body">
-          <!-- init password form -->
-          <form class="login-form form-horizontal" enctype="multipart/form-data" method="POST">
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                Please specify a password for the <b>admin</b> user account.
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                <i ng-class="{true: 'fa fa-check green-icon', false: 'fa fa-times red-icon'}[initPasswordData.password.length >= 8]" aria-hidden="true"></i>
-                Your password must be at least 8 characters long
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- password input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="admin_password" type="password" class="form-control" name="password" ng-model="initPasswordData.password" autofocus>
-            </div>
-            <!-- !password input -->
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                <i ng-class="{true: 'fa fa-check green-icon', false: 'fa fa-times red-icon'}[initPasswordData.password !== '' && initPasswordData.password === initPasswordData.password_confirmation]" aria-hidden="true"></i>
-                Confirm your password
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- password confirmation input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="password_confirmation" type="password" class="form-control" name="password" ng-model="initPasswordData.password_confirmation">
-            </div>
-            <!-- !password confirmation input -->
-            <!-- validate button -->
-            <div class="form-group">
-              <div class="col-sm-12 controls">
-                <p class="pull-left text-danger" ng-if="initPasswordData.error" style="margin: 5px;">
-                  <i class="fa fa-exclamation-circle" aria-hidden="true"></i> Unable to create default user
-                </p>
-                <button type="submit" class="btn btn-primary pull-right" ng-disabled="initPasswordData.password.length < 8 || initPasswordData.password !== initPasswordData.password_confirmation" ng-click="createAdminUser()"><i class="fa fa-key" aria-hidden="true"></i> Validate</button>
-              </div>
-            </div>
-            <!-- !validate button -->
-          </form>
-          <!-- !init password form -->
-        </div>
-      </div>
-      <!-- !init password panel -->
-      <!-- login panel -->
-      <div class="panel panel-default" ng-if="!initPassword">
-        <div class="panel-body">
-          <!-- login form -->
-          <form class="login-form form-horizontal" enctype="multipart/form-data" method="POST">
-            <!-- username input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-user" aria-hidden="true"></i></span>
-              <input id="username" type="text" class="form-control" name="username" ng-model="authData.username" placeholder="Username">
-            </div>
-            <!-- !username input -->
-            <!-- password input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="password" type="password" class="form-control" name="password" ng-model="authData.password" autofocus>
-            </div>
-            <!-- !password input -->
-            <!-- login button -->
-            <div class="form-group">
-              <div class="col-sm-12 controls">
-                <p class="pull-left text-danger" ng-if="authData.error" style="margin: 5px;">
-                  <i class="fa fa-exclamation-circle" aria-hidden="true"></i> {{ authData.error }}
-                </p>
-                <button type="submit" class="btn btn-primary pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in" aria-hidden="true"></i> Login</button>
-              </div>
-            </div>
-            <!-- !login button -->
-          </form>
-          <!-- !login form -->
-        </div>
-      </div>
-      <!-- !login panel -->
-    </div>
-  </div>
-  <!-- !login box -->
-</div>