feat(adsense): add a link to donation

Release 1.17.0

.codefresh/codefresh_develop.yml

@@ -13,14 +13,28 @@ steps:
     image: portainer/angular-builder:latest
     working_directory: ${{build_backend}}
     commands:
-      - npm install -g bower grunt grunt-cli && npm install
-      - bower install --allow-root
-      - grunt build-webapp
+      - yarn
+      - yarn grunt build-webapp
       - mv api/cmd/portainer/portainer dist/
 
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
   build_image:
     type: build
-    working_directory: ${{build_frontend}}
+    working_directory: ${{download_docker_binary}}
     dockerfile: ./build/linux/Dockerfile
     image_name: portainer/portainer
     tag: ${{CF_BRANCH}}

.codefresh/codefresh_pullrequest.yml

@@ -0,0 +1,46 @@
+version: '1.0'
+steps:
+
+  build_backend:
+    image: portainer/golang-builder:ci
+    working_directory: ${{main_clone}}
+    commands:
+      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
+      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+      - /build.sh api/cmd/portainer
+
+  build_frontend:
+    image: portainer/angular-builder:latest
+    working_directory: ${{build_backend}}
+    commands:
+      - yarn
+      - yarn grunt build-webapp
+      - mv api/cmd/portainer/portainer dist/
+
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
+  build_image:
+    type: build
+    working_directory: ${{download_docker_binary}}
+    dockerfile: ./build/linux/Dockerfile
+    image_name: portainer/portainer
+    tag: ${{CF_BRANCH}}
+
+  push_image:
+    type: push
+    candidate: '${{build_image}}'
+    tag: 'pr${{CF_PULL_REQUEST_NUMBER}}'
+    registry: dockerhub

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,47 @@
+---
+name: Bug report
+about: Create a bug report
+
+---
+
+<!--
+
+Thanks for reporting a bug for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Bug description**
+
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+Briefly describe what you were expecting.
+
+**Steps to reproduce the issue:**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Technical details:**
+
+* Portainer version:
+* Docker version (managed by Portainer):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Browser:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/Custom.md

@@ -0,0 +1,15 @@
+---
+name: Question
+about: Ask us a question about Portainer usage or deployment
+
+---
+
+<!--
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Question**:
+How can I deploy Portainer on... ?

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest a feature/enhancement that should be added in Portainer
+
+---
+
+<!--
+
+Thanks for opening a feature request for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

CONTRIBUTING.md

@@ -30,9 +30,6 @@ You can have a use Github filters to list these issues:
 * intermediate labeled issues: https://github.com/portainer/portainer/labels/exp%2Fintermediate
 * advanced labeled issues: https://github.com/portainer/portainer/labels/exp%2Fadvanced
 
-### Linting
-
-Please check your code using `grunt lint` before submitting your pull requests.
 
 ### Commit Message Format
 

README.md

@@ -26,6 +26,14 @@ You can try out the public demo instance: http://demo.portainer.io/ (login with
 
 Please note that the public demo cluster is **reset every 15min**.
 
+Alternatively, you can deploy a copy of the demo stack inside a [play-with-docker (PWD)](https://labs.play-with-docker.com) playground:
+
+- Browse [PWD/?stack=portainer-demo/play-with-docker/docker-stack.yml](http://play-with-docker.com/?stack=https://raw.githubusercontent.com/portainer/portainer-demo/master/play-with-docker/docker-stack.yml)
+- Sign in with your [Docker ID](https://docs.docker.com/docker-id)
+- Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.
+
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are same, including default credentials.
+
 ## Getting started
 
 * [Deploy Portainer](https://portainer.readthedocs.io/en/latest/deployment.html)

api/archive/tar.go

@@ -0,0 +1,36 @@
+package archive
+
+import (
+	"archive/tar"
+	"bytes"
+)
+
+// TarFileInBuffer will create a tar archive containing a single file named via fileName and using the content
+// specified in fileContent. Returns the archive as a byte array.
+func TarFileInBuffer(fileContent []byte, fileName string) ([]byte, error) {
+	var buffer bytes.Buffer
+	tarWriter := tar.NewWriter(&buffer)
+
+	header := &tar.Header{
+		Name: fileName,
+		Mode: 0600,
+		Size: int64(len(fileContent)),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = tarWriter.Write(fileContent)
+	if err != nil {
+		return nil, err
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	return buffer.Bytes(), nil
+}

api/bolt/datastore.go

@@ -20,11 +20,13 @@ type Store struct {
 	TeamService            *TeamService
 	TeamMembershipService  *TeamMembershipService
 	EndpointService        *EndpointService
+	EndpointGroupService   *EndpointGroupService
 	ResourceControlService *ResourceControlService
 	VersionService         *VersionService
 	SettingsService        *SettingsService
 	RegistryService        *RegistryService
 	DockerHubService       *DockerHubService
+	StackService           *StackService
 
 	db                    *bolt.DB
 	checkForDataMigration bool
@@ -37,10 +39,12 @@ const (
 	teamBucketName            = "teams"
 	teamMembershipBucketName  = "team_membership"
 	endpointBucketName        = "endpoints"
+	endpointGroupBucketName   = "endpoint_groups"
 	resourceControlBucketName = "resource_control"
 	settingsBucketName        = "settings"
 	registryBucketName        = "registries"
 	dockerhubBucketName       = "dockerhub"
+	stackBucketName           = "stacks"
 )
 
 // NewStore initializes a new Store and the associated services
@@ -51,21 +55,25 @@ func NewStore(storePath string) (*Store, error) {
 		TeamService:            &TeamService{},
 		TeamMembershipService:  &TeamMembershipService{},
 		EndpointService:        &EndpointService{},
+		EndpointGroupService:   &EndpointGroupService{},
 		ResourceControlService: &ResourceControlService{},
 		VersionService:         &VersionService{},
 		SettingsService:        &SettingsService{},
 		RegistryService:        &RegistryService{},
 		DockerHubService:       &DockerHubService{},
+		StackService:           &StackService{},
 	}
 	store.UserService.store = store
 	store.TeamService.store = store
 	store.TeamMembershipService.store = store
 	store.EndpointService.store = store
+	store.EndpointGroupService.store = store
 	store.ResourceControlService.store = store
 	store.VersionService.store = store
 	store.SettingsService.store = store
 	store.RegistryService.store = store
 	store.DockerHubService.store = store
+	store.StackService.store = store
 
 	_, err := os.Stat(storePath + "/" + databaseFileName)
 	if err != nil && os.IsNotExist(err) {
@@ -90,8 +98,8 @@ func (store *Store) Open() error {
 	store.db = db
 
 	bucketsToCreate := []string{versionBucketName, userBucketName, teamBucketName, endpointBucketName,
-		resourceControlBucketName, teamMembershipBucketName, settingsBucketName,
-		registryBucketName, dockerhubBucketName}
+		endpointGroupBucketName, resourceControlBucketName, teamMembershipBucketName, settingsBucketName,
+		registryBucketName, dockerhubBucketName, stackBucketName}
 
 	return db.Update(func(tx *bolt.Tx) error {
 
@@ -106,6 +114,28 @@ func (store *Store) Open() error {
 	})
 }
 
+// Init creates the default data set.
+func (store *Store) Init() error {
+	groups, err := store.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	if len(groups) == 0 {
+		unassignedGroup := &portainer.EndpointGroup{
+			Name:            "Unassigned",
+			Description:     "Unassigned endpoints",
+			Labels:          []portainer.Pair{},
+			AuthorizedUsers: []portainer.UserID{},
+			AuthorizedTeams: []portainer.TeamID{},
+		}
+
+		return store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
+	}
+
+	return nil
+}
+
 // Close closes the BoltDB database.
 func (store *Store) Close() error {
 	if store.db != nil {

api/bolt/endpoint_group_service.go

@@ -0,0 +1,114 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// EndpointGroupService represents a service for managing endpoint groups.
+type EndpointGroupService struct {
+	store *Store
+}
+
+// EndpointGroup returns an endpoint group by ID.
+func (service *EndpointGroupService) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.EndpointGroup, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		value := bucket.Get(internal.Itob(int(ID)))
+		if value == nil {
+			return portainer.ErrEndpointGroupNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var endpointGroup portainer.EndpointGroup
+	err = internal.UnmarshalEndpointGroup(data, &endpointGroup)
+	if err != nil {
+		return nil, err
+	}
+	return &endpointGroup, nil
+}
+
+// EndpointGroups return an array containing all the endpoint groups.
+func (service *EndpointGroupService) EndpointGroups() ([]portainer.EndpointGroup, error) {
+	var endpointGroups = make([]portainer.EndpointGroup, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var endpointGroup portainer.EndpointGroup
+			err := internal.UnmarshalEndpointGroup(v, &endpointGroup)
+			if err != nil {
+				return err
+			}
+			endpointGroups = append(endpointGroups, endpointGroup)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return endpointGroups, nil
+}
+
+// CreateEndpointGroup assign an ID to a new endpoint group and saves it.
+func (service *EndpointGroupService) CreateEndpointGroup(endpointGroup *portainer.EndpointGroup) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+
+		id, _ := bucket.NextSequence()
+		endpointGroup.ID = portainer.EndpointGroupID(id)
+
+		data, err := internal.MarshalEndpointGroup(endpointGroup)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(internal.Itob(int(endpointGroup.ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UpdateEndpointGroup updates an endpoint group.
+func (service *EndpointGroupService) UpdateEndpointGroup(ID portainer.EndpointGroupID, endpointGroup *portainer.EndpointGroup) error {
+	data, err := internal.MarshalEndpointGroup(endpointGroup)
+	if err != nil {
+		return err
+	}
+
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		err = bucket.Put(internal.Itob(int(ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteEndpointGroup deletes an endpoint group.
+func (service *EndpointGroupService) DeleteEndpointGroup(ID portainer.EndpointGroupID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(endpointGroupBucketName))
+		err := bucket.Delete(internal.Itob(int(ID)))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/bolt/internal/internal.go

@@ -47,6 +47,26 @@ func UnmarshalEndpoint(data []byte, endpoint *portainer.Endpoint) error {
 	return json.Unmarshal(data, endpoint)
 }
 
+// MarshalEndpointGroup encodes an endpoint group to binary format.
+func MarshalEndpointGroup(group *portainer.EndpointGroup) ([]byte, error) {
+	return json.Marshal(group)
+}
+
+// UnmarshalEndpointGroup decodes an endpoint group from a binary data.
+func UnmarshalEndpointGroup(data []byte, group *portainer.EndpointGroup) error {
+	return json.Unmarshal(data, group)
+}
+
+// MarshalStack encodes a stack to binary format.
+func MarshalStack(stack *portainer.Stack) ([]byte, error) {
+	return json.Marshal(stack)
+}
+
+// UnmarshalStack decodes a stack from a binary data.
+func UnmarshalStack(data []byte, stack *portainer.Stack) error {
+	return json.Unmarshal(data, stack)
+}
+
 // MarshalRegistry encodes a registry to binary format.
 func MarshalRegistry(registry *portainer.Registry) ([]byte, error) {
 	return json.Marshal(registry)

api/bolt/migrate_dbversion2.go

@@ -2,7 +2,7 @@ package bolt
 
 import "github.com/portainer/portainer"
 
-func (m *Migrator) updateSettingsToVersion3() error {
+func (m *Migrator) updateSettingsToDBVersion3() error {
 	legacySettings, err := m.SettingsService.Settings()
 	if err != nil {
 		return err

api/bolt/migrate_dbversion3.go

@@ -0,0 +1,27 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToDBVersion4() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.TLSConfig = portainer.TLSConfiguration{}
+		if endpoint.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = endpoint.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = endpoint.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = endpoint.TLSKeyPath
+		}
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion4.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion5() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowBindMountsForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion5.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion6() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.AllowPrivilegedModeForRegularUsers = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion6.go

@@ -0,0 +1,16 @@
+package bolt
+
+func (m *Migrator) updateSettingsToVersion7() error {
+	legacySettings, err := m.SettingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.DisplayDonationHeader = true
+
+	err = m.SettingsService.StoreSettings(legacySettings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion7.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion8() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Extensions = []portainer.EndpointExtension{}
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion8.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion9() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.GroupID = portainer.EndpointGroupID(1)
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrate_dbversion9.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion10() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Type = portainer.DockerEnvironment
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator.go

@@ -30,7 +30,7 @@ func NewMigrator(store *Store, version int) *Migrator {
 func (m *Migrator) Migrate() error {
 
 	// Portainer < 1.12
-	if m.CurrentDBVersion == 0 {
+	if m.CurrentDBVersion < 1 {
 		err := m.updateAdminUserToDBVersion1()
 		if err != nil {
 			return err
@@ -38,7 +38,7 @@ func (m *Migrator) Migrate() error {
 	}
 
 	// Portainer 1.12.x
-	if m.CurrentDBVersion == 1 {
+	if m.CurrentDBVersion < 2 {
 		err := m.updateResourceControlsToDBVersion2()
 		if err != nil {
 			return err
@@ -50,8 +50,63 @@ func (m *Migrator) Migrate() error {
 	}
 
 	// Portainer 1.13.x
-	if m.CurrentDBVersion == 2 {
-		err := m.updateSettingsToVersion3()
+	if m.CurrentDBVersion < 3 {
+		err := m.updateSettingsToDBVersion3()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.14.0
+	if m.CurrentDBVersion < 4 {
+		err := m.updateEndpointsToDBVersion4()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1235
+	if m.CurrentDBVersion < 5 {
+		err := m.updateSettingsToVersion5()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1236
+	if m.CurrentDBVersion < 6 {
+		err := m.updateSettingsToVersion6()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1449
+	if m.CurrentDBVersion < 7 {
+		err := m.updateSettingsToVersion7()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.CurrentDBVersion < 8 {
+		err := m.updateEndpointsToVersion8()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https: //github.com/portainer/portainer/issues/1396
+	if m.CurrentDBVersion < 9 {
+		err := m.updateEndpointsToVersion9()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/461
+	if m.CurrentDBVersion < 10 {
+		err := m.updateEndpointsToVersion10()
 		if err != nil {
 			return err
 		}

api/bolt/stack_service.go

@@ -0,0 +1,138 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// StackService represents a service for managing stacks.
+type StackService struct {
+	store *Store
+}
+
+// Stack returns a stack object by ID.
+func (service *StackService) Stack(ID portainer.StackID) (*portainer.Stack, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		value := bucket.Get([]byte(ID))
+		if value == nil {
+			return portainer.ErrStackNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var stack portainer.Stack
+	err = internal.UnmarshalStack(data, &stack)
+	if err != nil {
+		return nil, err
+	}
+	return &stack, nil
+}
+
+// Stacks returns an array containing all the stacks.
+func (service *StackService) Stacks() ([]portainer.Stack, error) {
+	var stacks = make([]portainer.Stack, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.Stack
+			err := internal.UnmarshalStack(v, &stack)
+			if err != nil {
+				return err
+			}
+			stacks = append(stacks, stack)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return stacks, nil
+}
+
+// StacksBySwarmID return an array containing all the stacks related to the specified Swarm ID.
+func (service *StackService) StacksBySwarmID(id string) ([]portainer.Stack, error) {
+	var stacks = make([]portainer.Stack, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.Stack
+			err := internal.UnmarshalStack(v, &stack)
+			if err != nil {
+				return err
+			}
+			if stack.SwarmID == id {
+				stacks = append(stacks, stack)
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return stacks, nil
+}
+
+// CreateStack creates a new stack.
+func (service *StackService) CreateStack(stack *portainer.Stack) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+
+		data, err := internal.MarshalStack(stack)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put([]byte(stack.ID), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// UpdateStack updates an stack.
+func (service *StackService) UpdateStack(ID portainer.StackID, stack *portainer.Stack) error {
+	data, err := internal.MarshalStack(stack)
+	if err != nil {
+		return err
+	}
+
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		err = bucket.Put([]byte(ID), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteStack deletes an stack.
+func (service *StackService) DeleteStack(ID portainer.StackID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stackBucketName))
+		err := bucket.Delete([]byte(ID))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

api/cli/cli.go

@@ -1,12 +1,12 @@
 package cli
 
 import (
-	"log"
 	"time"
 
 	"github.com/portainer/portainer"
 
 	"os"
+	"path/filepath"
 	"strings"
 
 	"gopkg.in/alecthomas/kingpin.v2"
@@ -16,12 +16,13 @@ import (
 type Service struct{}
 
 const (
-	errInvalidEndpointProtocol    = portainer.Error("Invalid endpoint protocol: Portainer only supports unix:// or tcp://")
-	errSocketNotFound             = portainer.Error("Unable to locate Unix socket")
-	errEndpointsFileNotFound      = portainer.Error("Unable to locate external endpoints file")
-	errInvalidSyncInterval        = portainer.Error("Invalid synchronization interval")
-	errEndpointExcludeExternal    = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
-	errNoAuthExcludeAdminPassword = portainer.Error("Cannot use --no-auth with --admin-password")
+	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix:// or tcp://")
+	errSocketNotFound                = portainer.Error("Unable to locate Unix socket")
+	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
+	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
+	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
+	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
+	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )
 
 // ParseFlags parse the CLI flags and return a portainer.Flags struct
@@ -29,29 +30,39 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	kingpin.Version(version)
 
 	flags := &portainer.CLIFlags{
-		Endpoint:          kingpin.Flag("host", "Dockerd endpoint").Short('H').String(),
-		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
-		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
 		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
 		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		Endpoint:          kingpin.Flag("host", "Dockerd endpoint").Short('H').String(),
+		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
 		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
-		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAuth).Bool(),
+		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
 		TLSVerify:         kingpin.Flag("tlsverify", "TLS support").Default(defaultTLSVerify).Bool(),
+		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
 		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
 		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
 		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
 		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
 		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
 		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
 		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
-		// Deprecated flags
-		Labels:    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
-		Logo:      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
-		Templates: kingpin.Flag("templates", "URL to the templates (apps) definitions").Short('t').String(),
+		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
+		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
+		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
+		Templates:         kingpin.Flag("templates", "URL to the templates (apps) definitions").Short('t').String(),
 	}
 
 	kingpin.Parse()
+
+	if !filepath.IsAbs(*flags.Assets) {
+		ex, err := os.Executable()
+		if err != nil {
+			panic(err)
+		}
+		*flags.Assets = filepath.Join(filepath.Dir(ex), *flags.Assets)
+	}
+
 	return flags, nil
 }
 
@@ -77,11 +88,13 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 		return err
 	}
 
-	if *flags.NoAuth && (*flags.AdminPassword != "") {
+	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
 		return errNoAuthExcludeAdminPassword
 	}
 
-	displayDeprecationWarnings(*flags.Templates, *flags.Logo, *flags.Labels)
+	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
+		return errAdminPassExcludeAdminPassFile
+	}
 
 	return nil
 }
@@ -126,15 +139,3 @@ func validateSyncInterval(syncInterval string) error {
 	}
 	return nil
 }
-
-func displayDeprecationWarnings(templates, logo string, labels []portainer.Pair) {
-	if templates != "" {
-		log.Println("Warning: the --templates / -t flag is deprecated and will be removed in future versions.")
-	}
-	if logo != "" {
-		log.Println("Warning: the --logo flag is deprecated and will be removed in future versions.")
-	}
-	if labels != nil {
-		log.Println("Warning: the --hide-label / -l flag is deprecated and will be removed in future versions.")
-	}
-}

api/cli/defaults.go

@@ -5,10 +5,11 @@ package cli
 const (
 	defaultBindAddress     = ":9000"
 	defaultDataDirectory   = "/data"
-	defaultAssetsDirectory = "."
+	defaultAssetsDirectory = "./"
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
 	defaultTLSVerify       = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "/certs/ca.pem"
 	defaultTLSCertPath     = "/certs/cert.pem"
 	defaultTLSKeyPath      = "/certs/key.pem"

api/cli/defaults_windows.go

@@ -3,10 +3,11 @@ package cli
 const (
 	defaultBindAddress     = ":9000"
 	defaultDataDirectory   = "C:\\data"
-	defaultAssetsDirectory = "."
+	defaultAssetsDirectory = "./"
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
 	defaultTLSVerify       = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "C:\\certs\\ca.pem"
 	defaultTLSCertPath     = "C:\\certs\\cert.pem"
 	defaultTLSKeyPath      = "C:\\certs\\key.pem"

api/cmd/portainer/main.go

@@ -6,8 +6,11 @@ import (
 	"github.com/portainer/portainer/cli"
 	"github.com/portainer/portainer/cron"
 	"github.com/portainer/portainer/crypto"
-	"github.com/portainer/portainer/file"
+	"github.com/portainer/portainer/exec"
+	"github.com/portainer/portainer/filesystem"
+	"github.com/portainer/portainer/git"
 	"github.com/portainer/portainer/http"
+	"github.com/portainer/portainer/http/client"
 	"github.com/portainer/portainer/jwt"
 	"github.com/portainer/portainer/ldap"
 
@@ -29,7 +32,7 @@ func initCLI() *portainer.CLIFlags {
 }
 
 func initFileService(dataStorePath string) portainer.FileService {
-	fileService, err := file.NewService(dataStorePath, "")
+	fileService, err := filesystem.NewService(dataStorePath, "")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -47,6 +50,11 @@ func initStore(dataStorePath string) *bolt.Store {
 		log.Fatal(err)
 	}
 
+	err = store.Init()
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	err = store.MigrateData()
 	if err != nil {
 		log.Fatal(err)
@@ -54,6 +62,10 @@ func initStore(dataStorePath string) *bolt.Store {
 	return store
 }
 
+func initStackManager(assetsPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (portainer.StackManager, error) {
+	return exec.NewStackManager(assetsPath, signatureService, fileService)
+}
+
 func initJWTService(authenticationEnabled bool) portainer.JWTService {
 	if authenticationEnabled {
 		jwtService, err := jwt.NewService()
@@ -65,6 +77,10 @@ func initJWTService(authenticationEnabled bool) portainer.JWTService {
 	return nil
 }
 
+func initDigitalSignatureService() portainer.DigitalSignatureService {
+	return &crypto.ECDSAService{}
+}
+
 func initCryptoService() portainer.CryptoService {
 	return &crypto.Service{}
 }
@@ -73,6 +89,10 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }
 
+func initGitService() portainer.GitService {
+	return &git.Service{}
+}
+
 func initEndpointWatcher(endpointService portainer.EndpointService, externalEnpointFile string, syncInterval string) bool {
 	authorizeEndpointMgmt := true
 	if externalEnpointFile != "" {
@@ -117,7 +137,8 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 	if err == portainer.ErrSettingsNotFound {
 		settings := &portainer.Settings{
 			LogoURL:                     *flags.Logo,
-			DisplayExternalContributors: true,
+			DisplayDonationHeader:       true,
+			DisplayExternalContributors: false,
 			AuthenticationMethod:        portainer.AuthenticationInternal,
 			LDAPSettings: portainer.LDAPSettings{
 				TLSConfig: portainer.TLSConfiguration{},
@@ -125,6 +146,8 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 					portainer.LDAPSearchSettings{},
 				},
 			},
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
 		}
 
 		if *flags.Templates != "" {
@@ -155,6 +178,35 @@ func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService
 	return &endpoints[0]
 }
 
+func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := fileService.LoadKeyPair()
+	if err != nil {
+		return err
+	}
+	return signatureService.ParseKeyPair(private, public)
+}
+
+func generateAndStoreKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := signatureService.GenerateKeyPair()
+	if err != nil {
+		return err
+	}
+	privateHeader, publicHeader := signatureService.PEMHeaders()
+	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
+}
+
+func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	existingKeyPair, err := fileService.KeyPairFilesExist()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if existingKeyPair {
+		return loadAndParseKeyPair(fileService, signatureService)
+	}
+	return generateAndStoreKeyPair(fileService, signatureService)
+}
+
 func main() {
 	flags := initCLI()
 
@@ -167,11 +219,25 @@ func main() {
 
 	cryptoService := initCryptoService()
 
+	digitalSignatureService := initDigitalSignatureService()
+
 	ldapService := initLDAPService()
 
+	gitService := initGitService()
+
 	authorizeEndpointMgmt := initEndpointWatcher(store.EndpointService, *flags.ExternalEndpoints, *flags.SyncInterval)
 
-	err := initSettings(store.SettingsService, flags)
+	err := initKeyPair(fileService, digitalSignatureService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	stackManager, err := initStackManager(*flags.Assets, digitalSignatureService, fileService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initSettings(store.SettingsService, flags)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -184,22 +250,36 @@ func main() {
 	applicationStatus := initStatus(authorizeEndpointMgmt, flags)
 
 	if *flags.Endpoint != "" {
-		var endpoints []portainer.Endpoint
 		endpoints, err := store.EndpointService.Endpoints()
 		if err != nil {
 			log.Fatal(err)
 		}
 		if len(endpoints) == 0 {
 			endpoint := &portainer.Endpoint{
-				Name:            "primary",
-				URL:             *flags.Endpoint,
-				TLS:             *flags.TLSVerify,
-				TLSCACertPath:   *flags.TLSCacert,
-				TLSCertPath:     *flags.TLSCert,
-				TLSKeyPath:      *flags.TLSKey,
+				Name: "primary",
+				URL:  *flags.Endpoint,
+				Type: portainer.DockerEnvironment,
+				TLSConfig: portainer.TLSConfiguration{
+					TLS:           *flags.TLSVerify,
+					TLSSkipVerify: *flags.TLSSkipVerify,
+					TLSCACertPath: *flags.TLSCacert,
+					TLSCertPath:   *flags.TLSCert,
+					TLSKeyPath:    *flags.TLSKey,
+				},
 				AuthorizedUsers: []portainer.UserID{},
 				AuthorizedTeams: []portainer.TeamID{},
+				Extensions:      []portainer.EndpointExtension{},
 			}
+
+			agentOnDockerEnvironment, err := client.ExecutePingOperationFromEndpoint(endpoint)
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			if agentOnDockerEnvironment {
+				endpoint.Type = portainer.AgentOnDockerEnvironment
+			}
+
 			err = store.EndpointService.CreateEndpoint(endpoint)
 			if err != nil {
 				log.Fatal(err)
@@ -209,17 +289,40 @@ func main() {
 		}
 	}
 
-	if *flags.AdminPassword != "" {
-		log.Printf("Creating admin user with password hash %s", *flags.AdminPassword)
-		user := &portainer.User{
-			Username: "admin",
-			Role:     portainer.AdministratorRole,
-			Password: *flags.AdminPassword,
-		}
-		err := store.UserService.CreateUser(user)
+	adminPasswordHash := ""
+	if *flags.AdminPasswordFile != "" {
+		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
 		if err != nil {
 			log.Fatal(err)
 		}
+		adminPasswordHash, err = cryptoService.Hash(content)
+		if err != nil {
+			log.Fatal(err)
+		}
+	} else if *flags.AdminPassword != "" {
+		adminPasswordHash = *flags.AdminPassword
+	}
+
+	if adminPasswordHash != "" {
+		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		if len(users) == 0 {
+			log.Printf("Creating admin user with password hash %s", adminPasswordHash)
+			user := &portainer.User{
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+				Password: adminPasswordHash,
+			}
+			err := store.UserService.CreateUser(user)
+			if err != nil {
+				log.Fatal(err)
+			}
+		} else {
+			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
+		}
 	}
 
 	var server portainer.Server = &http.Server{
@@ -232,20 +335,25 @@ func main() {
 		TeamService:            store.TeamService,
 		TeamMembershipService:  store.TeamMembershipService,
 		EndpointService:        store.EndpointService,
+		EndpointGroupService:   store.EndpointGroupService,
 		ResourceControlService: store.ResourceControlService,
 		SettingsService:        store.SettingsService,
 		RegistryService:        store.RegistryService,
 		DockerHubService:       store.DockerHubService,
+		StackService:           store.StackService,
+		StackManager:           stackManager,
 		CryptoService:          cryptoService,
 		JWTService:             jwtService,
 		FileService:            fileService,
 		LDAPService:            ldapService,
+		GitService:             gitService,
+		SignatureService:       digitalSignatureService,
 		SSL:                    *flags.SSL,
 		SSLCert:                *flags.SSLCert,
 		SSLKey:                 *flags.SSLKey,
 	}
 
-	log.Printf("Starting Portainer on %s", *flags.Addr)
+	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
 	err = server.Start()
 	if err != nil {
 		log.Fatal(err)

api/cron/endpoint_sync.go

@@ -22,6 +22,16 @@ type (
 		endpointsToUpdate []*portainer.Endpoint
 		endpointsToDelete []*portainer.Endpoint
 	}
+
+	fileEndpoint struct {
+		Name          string `json:"Name"`
+		URL           string `json:"URL"`
+		TLS           bool   `json:"TLS,omitempty"`
+		TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
+		TLSCACert     string `json:"TLSCACert,omitempty"`
+		TLSCert       string `json:"TLSCert,omitempty"`
+		TLSKey        string `json:"TLSKey,omitempty"`
+	}
 )
 
 const (
@@ -55,6 +65,28 @@ func isValidEndpoint(endpoint *portainer.Endpoint) bool {
 	return false
 }
 
+func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
+	convertedEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, e := range fileEndpoints {
+		endpoint := portainer.Endpoint{
+			Name:      e.Name,
+			URL:       e.URL,
+			TLSConfig: portainer.TLSConfiguration{},
+		}
+		if e.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
+			endpoint.TLSConfig.TLSCertPath = e.TLSCert
+			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
+		}
+		convertedEndpoints = append(convertedEndpoints, endpoint)
+	}
+
+	return convertedEndpoints
+}
+
 func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
 	for idx, v := range endpoints {
 		if endpoint.Name == v.Name && isValidEndpoint(&v) {
@@ -66,22 +98,25 @@ func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint
 
 func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
 	var endpoint *portainer.Endpoint
-	if original.URL != updated.URL || original.TLS != updated.TLS ||
-		(updated.TLS && original.TLSCACertPath != updated.TLSCACertPath) ||
-		(updated.TLS && original.TLSCertPath != updated.TLSCertPath) ||
-		(updated.TLS && original.TLSKeyPath != updated.TLSKeyPath) {
+	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
 		endpoint = original
 		endpoint.URL = updated.URL
-		if updated.TLS {
-			endpoint.TLS = true
-			endpoint.TLSCACertPath = updated.TLSCACertPath
-			endpoint.TLSCertPath = updated.TLSCertPath
-			endpoint.TLSKeyPath = updated.TLSKeyPath
+		if updated.TLSConfig.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
 		} else {
-			endpoint.TLS = false
-			endpoint.TLSCACertPath = ""
-			endpoint.TLSCertPath = ""
-			endpoint.TLSKeyPath = ""
+			endpoint.TLSConfig.TLS = false
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = ""
+			endpoint.TLSConfig.TLSCertPath = ""
+			endpoint.TLSConfig.TLSKeyPath = ""
 		}
 	}
 	return endpoint
@@ -107,8 +142,6 @@ func (job endpointSyncJob) prepareSyncData(storedEndpoints, fileEndpoints []port
 			if endpoint != nil {
 				job.logger.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
 				endpointsToUpdate = append(endpointsToUpdate, endpoint)
-			} else {
-				job.logger.Printf("No change detected for a stored endpoint. [name: %v] [url: %v]\n", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
 			}
 		} else {
 			job.logger.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
@@ -141,7 +174,7 @@ func (job endpointSyncJob) Sync() error {
 		return err
 	}
 
-	var fileEndpoints []portainer.Endpoint
+	var fileEndpoints []fileEndpoint
 	err = json.Unmarshal(data, &fileEndpoints)
 	if endpointSyncError(err, job.logger) {
 		return err
@@ -156,7 +189,9 @@ func (job endpointSyncJob) Sync() error {
 		return err
 	}
 
-	sync := job.prepareSyncData(storedEndpoints, fileEndpoints)
+	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
+
+	sync := job.prepareSyncData(storedEndpoints, convertedFileEndpoints)
 	if sync.requireSync() {
 		err = job.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
 		if endpointSyncError(err, job.logger) {

api/crypto/ecdsa.go

@@ -0,0 +1,125 @@
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"math/big"
+)
+
+const (
+	// PrivateKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the private key.
+	PrivateKeyPemHeader = "EC PRIVATE KEY"
+	// PublicKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the public key.
+	PublicKeyPemHeader = "ECDSA PUBLIC KEY"
+)
+
+// ECDSAService is a service used to create digital signatures when communicating with
+// an agent based environment. It will automatically generates a key pair using ECDSA or
+// can also reuse an existing ECDSA key pair.
+type ECDSAService struct {
+	privateKey    *ecdsa.PrivateKey
+	publicKey     *ecdsa.PublicKey
+	encodedPubKey string
+}
+
+// EncodedPublicKey returns the encoded version of the public that can be used
+// to be shared with other services. It's the hexadecimal encoding of the public key
+// content.
+func (service *ECDSAService) EncodedPublicKey() string {
+	return service.encodedPubKey
+}
+
+// PEMHeaders returns the ECDSA PEM headers.
+func (service *ECDSAService) PEMHeaders() (string, string) {
+	return PrivateKeyPemHeader, PublicKeyPemHeader
+}
+
+// ParseKeyPair parses existing private/public key pair content and associate
+// the parsed keys to the service.
+func (service *ECDSAService) ParseKeyPair(private, public []byte) error {
+	privateKey, err := x509.ParseECPrivateKey(private)
+	if err != nil {
+		return err
+	}
+
+	service.privateKey = privateKey
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	publicKey, err := x509.ParsePKIXPublicKey(public)
+	if err != nil {
+		return err
+	}
+
+	service.publicKey = publicKey.(*ecdsa.PublicKey)
+
+	return nil
+}
+
+// GenerateKeyPair will create a new key pair using ECDSA.
+func (service *ECDSAService) GenerateKeyPair() ([]byte, []byte, error) {
+	pubkeyCurve := elliptic.P256()
+
+	privatekey, err := ecdsa.GenerateKey(pubkeyCurve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	service.privateKey = privatekey
+	service.publicKey = &privatekey.PublicKey
+
+	private, err := x509.MarshalECPrivateKey(service.privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(service.publicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	return private, public, nil
+}
+
+// Sign creates a signature from a message.
+// It automatically hash the message using MD5 and creates a signature from
+// that hash.
+// It then encodes the generated signature in base64.
+func (service *ECDSAService) Sign(message string) (string, error) {
+	digest := md5.New()
+	digest.Write([]byte(message))
+	hash := digest.Sum(nil)
+
+	r := big.NewInt(0)
+	s := big.NewInt(0)
+
+	r, s, err := ecdsa.Sign(rand.Reader, service.privateKey, hash)
+	if err != nil {
+		return "", err
+	}
+
+	keyBytes := service.privateKey.Params().BitSize / 8
+
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	signature := append(rBytesPadded, sBytesPadded...)
+
+	return base64.RawStdEncoding.EncodeToString(signature), nil
+}

api/crypto/tls.go

@@ -4,31 +4,57 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"io/ioutil"
+
+	"github.com/portainer/portainer"
 )
 
-// CreateTLSConfiguration initializes a tls.Config using a CA certificate, a certificate and a key
-func CreateTLSConfiguration(caCertPath, certPath, keyPath string, skipTLSVerify bool) (*tls.Config, error) {
-
+func CreateTLSConfig(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
 	config := &tls.Config{}
+	config.InsecureSkipVerify = skipServerVerification
 
-	if certPath != "" && keyPath != "" {
-		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if !skipClientVerification {
+		certificate, err := tls.X509KeyPair(cert, key)
 		if err != nil {
 			return nil, err
 		}
-		config.Certificates = []tls.Certificate{cert}
+		config.Certificates = []tls.Certificate{certificate}
 	}
 
-	if caCertPath != "" {
-		caCert, err := ioutil.ReadFile(caCertPath)
-		if err != nil {
-			return nil, err
-		}
+	if !skipServerVerification {
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
 		config.RootCAs = caCertPool
 	}
 
-	config.InsecureSkipVerify = skipTLSVerify
 	return config, nil
 }
+
+// CreateTLSConfiguration initializes a tls.Config using a CA certificate, a certificate and a key
+func CreateTLSConfiguration(config *portainer.TLSConfiguration) (*tls.Config, error) {
+	TLSConfig := &tls.Config{}
+
+	if config.TLS && config.TLSCertPath != "" && config.TLSKeyPath != "" {
+		cert, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath)
+		if err != nil {
+			return nil, err
+		}
+
+		TLSConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	if config.TLS && !config.TLSSkipVerify {
+		caCert, err := ioutil.ReadFile(config.TLSCACertPath)
+		if err != nil {
+			return nil, err
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		TLSConfig.RootCAs = caCertPool
+	}
+
+	TLSConfig.InsecureSkipVerify = config.TLSSkipVerify
+
+	return TLSConfig, nil
+}

api/errors.go

@@ -13,8 +13,10 @@ const (
 const (
 	ErrUserNotFound            = Error("User not found")
 	ErrUserAlreadyExists       = Error("User already exists")
-	ErrInvalidUsername         = Error("Invalid username. White spaces are not allowed.")
-	ErrAdminAlreadyInitialized = Error("Admin user already initialized")
+	ErrInvalidUsername         = Error("Invalid username. White spaces are not allowed")
+	ErrAdminAlreadyInitialized = Error("An administrator user already exists")
+	ErrCannotRemoveAdmin       = Error("Cannot remove the default administrator account")
+	ErrAdminCannotRemoveSelf   = Error("Cannot remove your own user account. Contact another administrator")
 )
 
 // Team errors.
@@ -26,7 +28,7 @@ const (
 // TeamMembership errors.
 const (
 	ErrTeamMembershipNotFound      = Error("Team membership not found")
-	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team.")
+	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team")
 )
 
 // ResourceControl errors.
@@ -42,12 +44,31 @@ const (
 	ErrEndpointAccessDenied = Error("Access denied to endpoint")
 )
 
+// Endpoint group errors.
+const (
+	ErrEndpointGroupNotFound    = Error("Endpoint group not found")
+	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
+)
+
 // Registry errors.
 const (
 	ErrRegistryNotFound      = Error("Registry not found")
 	ErrRegistryAlreadyExists = Error("A registry is already defined for this URL")
 )
 
+// Stack errors
+const (
+	ErrStackNotFound                   = Error("Stack not found")
+	ErrStackAlreadyExists              = Error("A stack already exists with this name")
+	ErrComposeFileNotFoundInRepository = Error("Unable to find a Compose file in the repository")
+)
+
+// Endpoint extensions error
+const (
+	ErrEndpointExtensionNotSupported      = Error("This extension is not supported")
+	ErrEndpointExtensionAlreadyAssociated = Error("This extension is already associated to the endpoint")
+)
+
 // Version errors.
 const (
 	ErrDBVersionNotFound = Error("DB version not found")

api/exec/stack_manager.go

@@ -0,0 +1,160 @@
+package exec
+
+import (
+	"bytes"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+
+	"github.com/portainer/portainer"
+)
+
+// StackManager represents a service for managing stacks.
+type StackManager struct {
+	binaryPath       string
+	signatureService portainer.DigitalSignatureService
+	fileService      portainer.FileService
+}
+
+type dockerCLIConfiguration struct {
+	HTTPHeaders struct {
+		ManagerOperationHeader string `json:"X-PortainerAgent-ManagerOperation"`
+		SignatureHeader        string `json:"X-PortainerAgent-Signature"`
+		PublicKey              string `json:"X-PortainerAgent-PublicKey"`
+	} `json:"HttpHeaders"`
+}
+
+// NewStackManager initializes a new StackManager service.
+// It also updates the configuration of the Docker CLI binary.
+func NewStackManager(binaryPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (*StackManager, error) {
+	manager := &StackManager{
+		binaryPath:       binaryPath,
+		signatureService: signatureService,
+		fileService:      fileService,
+	}
+
+	err := manager.updateDockerCLIConfiguration(binaryPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return manager, nil
+}
+
+// Login executes the docker login command against a list of registries (including DockerHub).
+func (manager *StackManager) Login(dockerhub *portainer.DockerHub, registries []portainer.Registry, endpoint *portainer.Endpoint) {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, endpoint)
+	for _, registry := range registries {
+		if registry.Authentication {
+			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
+			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+		}
+	}
+
+	if dockerhub.Authentication {
+		dockerhubArgs := append(args, "login", "--username", dockerhub.Username, "--password", dockerhub.Password)
+		runCommandAndCaptureStdErr(command, dockerhubArgs, nil, "")
+	}
+}
+
+// Logout executes the docker logout command.
+func (manager *StackManager) Logout(endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, endpoint)
+	args = append(args, "logout")
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+// Deploy executes the docker stack deploy command.
+func (manager *StackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
+	stackFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, endpoint)
+
+	if prune {
+		args = append(args, "stack", "deploy", "--prune", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	} else {
+		args = append(args, "stack", "deploy", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	}
+
+	env := make([]string, 0)
+	for _, envvar := range stack.Env {
+		env = append(env, envvar.Name+"="+envvar.Value)
+	}
+
+	stackFolder := path.Dir(stackFilePath)
+	return runCommandAndCaptureStdErr(command, args, env, stackFolder)
+}
+
+// Remove executes the docker stack rm command.
+func (manager *StackManager) Remove(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, endpoint)
+	args = append(args, "stack", "rm", stack.Name)
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+func runCommandAndCaptureStdErr(command string, args []string, env []string, workingDir string) error {
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Dir = workingDir
+
+	if env != nil {
+		cmd.Env = os.Environ()
+		cmd.Env = append(cmd.Env, env...)
+	}
+
+	err := cmd.Run()
+	if err != nil {
+		return portainer.Error(stderr.String())
+	}
+
+	return nil
+}
+
+func prepareDockerCommandAndArgs(binaryPath string, endpoint *portainer.Endpoint) (string, []string) {
+	// Assume Linux as a default
+	command := path.Join(binaryPath, "docker")
+
+	if runtime.GOOS == "windows" {
+		command = path.Join(binaryPath, "docker.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "--config", binaryPath)
+	args = append(args, "-H", endpoint.URL)
+
+	if !endpoint.TLSConfig.TLS && endpoint.TLSConfig.TLSSkipVerify {
+		args = append(args, "--tls")
+	} else if endpoint.TLSConfig.TLS {
+		args = append(args, "--tls")
+
+		if !endpoint.TLSConfig.TLSSkipVerify {
+			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
+		}
+
+		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
+			args = append(args, "--tlscert", endpoint.TLSConfig.TLSCertPath, "--tlskey", endpoint.TLSConfig.TLSKeyPath)
+		}
+	}
+
+	return command, args
+}
+
+func (manager *StackManager) updateDockerCLIConfiguration(binaryPath string) error {
+	config := dockerCLIConfiguration{}
+	config.HTTPHeaders.ManagerOperationHeader = "1"
+
+	signature, err := manager.signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
+	}
+	config.HTTPHeaders.SignatureHeader = signature
+	config.HTTPHeaders.PublicKey = manager.signatureService.EncodedPublicKey()
+
+	err = manager.fileService.WriteJSONToFile(path.Join(binaryPath, "config.json"), config)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/file/file.go

@@ -1,141 +0,0 @@
-package file
-
-import (
-	"github.com/portainer/portainer"
-
-	"io"
-	"os"
-	"path"
-)
-
-const (
-	// TLSStorePath represents the subfolder where TLS files are stored in the file store folder.
-	TLSStorePath = "tls"
-	// LDAPStorePath represents the subfolder where LDAP TLS files are stored in the TLSStorePath.
-	LDAPStorePath = "ldap"
-	// TLSCACertFile represents the name on disk for a TLS CA file.
-	TLSCACertFile = "ca.pem"
-	// TLSCertFile represents the name on disk for a TLS certificate file.
-	TLSCertFile = "cert.pem"
-	// TLSKeyFile represents the name on disk for a TLS key file.
-	TLSKeyFile = "key.pem"
-)
-
-// Service represents a service for managing files and directories.
-type Service struct {
-	dataStorePath string
-	fileStorePath string
-}
-
-// NewService initializes a new service. It creates a data directory and a directory to store files
-// inside this directory if they don't exist.
-func NewService(dataStorePath, fileStorePath string) (*Service, error) {
-	service := &Service{
-		dataStorePath: dataStorePath,
-		fileStorePath: path.Join(dataStorePath, fileStorePath),
-	}
-
-	// Checking if a mount directory exists is broken with Go on Windows.
-	// This will need to be reviewed after the issue has been fixed in Go.
-	// See: https://github.com/portainer/portainer/issues/474
-	// err := createDirectoryIfNotExist(dataStorePath, 0755)
-	// if err != nil {
-	// 	return nil, err
-	// }
-
-	err := service.createDirectoryInStoreIfNotExist(TLSStorePath)
-	if err != nil {
-		return nil, err
-	}
-
-	return service, nil
-}
-
-// StoreTLSFile creates a folder in the TLSStorePath and stores a new file with the content from r.
-func (service *Service) StoreTLSFile(folder string, fileType portainer.TLSFileType, r io.Reader) error {
-	storePath := path.Join(TLSStorePath, folder)
-	err := service.createDirectoryInStoreIfNotExist(storePath)
-	if err != nil {
-		return err
-	}
-
-	var fileName string
-	switch fileType {
-	case portainer.TLSFileCA:
-		fileName = TLSCACertFile
-	case portainer.TLSFileCert:
-		fileName = TLSCertFile
-	case portainer.TLSFileKey:
-		fileName = TLSKeyFile
-	default:
-		return portainer.ErrUndefinedTLSFileType
-	}
-
-	tlsFilePath := path.Join(storePath, fileName)
-	err = service.createFileInStore(tlsFilePath, r)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPathForTLSFile returns the absolute path to a specific TLS file for an endpoint.
-func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSFileType) (string, error) {
-	var fileName string
-	switch fileType {
-	case portainer.TLSFileCA:
-		fileName = TLSCACertFile
-	case portainer.TLSFileCert:
-		fileName = TLSCertFile
-	case portainer.TLSFileKey:
-		fileName = TLSKeyFile
-	default:
-		return "", portainer.ErrUndefinedTLSFileType
-	}
-	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
-}
-
-// DeleteTLSFiles deletes a folder containing the TLS files for an endpoint.
-func (service *Service) DeleteTLSFiles(folder string) error {
-	storePath := path.Join(service.fileStorePath, TLSStorePath, folder)
-	err := os.RemoveAll(storePath)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// createDirectoryInStoreIfNotExist creates a new directory in the file store if it doesn't exists on the file system.
-func (service *Service) createDirectoryInStoreIfNotExist(name string) error {
-	path := path.Join(service.fileStorePath, name)
-	return createDirectoryIfNotExist(path, 0700)
-}
-
-// createDirectoryIfNotExist creates a directory if it doesn't exists on the file system.
-func createDirectoryIfNotExist(path string, mode uint32) error {
-	_, err := os.Stat(path)
-	if os.IsNotExist(err) {
-		err = os.Mkdir(path, os.FileMode(mode))
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-	return nil
-}
-
-// createFile creates a new file in the file store with the content from r.
-func (service *Service) createFileInStore(filePath string, r io.Reader) error {
-	path := path.Join(service.fileStorePath, filePath)
-	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-	_, err = io.Copy(out, r)
-	if err != nil {
-		return err
-	}
-	return nil
-}

api/filesystem/filesystem.go

@@ -0,0 +1,332 @@
+package filesystem
+
+import (
+	"bytes"
+	"encoding/json"
+	"encoding/pem"
+	"io/ioutil"
+
+	"github.com/portainer/portainer"
+
+	"io"
+	"os"
+	"path"
+)
+
+const (
+	// TLSStorePath represents the subfolder where TLS files are stored in the file store folder.
+	TLSStorePath = "tls"
+	// LDAPStorePath represents the subfolder where LDAP TLS files are stored in the TLSStorePath.
+	LDAPStorePath = "ldap"
+	// TLSCACertFile represents the name on disk for a TLS CA file.
+	TLSCACertFile = "ca.pem"
+	// TLSCertFile represents the name on disk for a TLS certificate file.
+	TLSCertFile = "cert.pem"
+	// TLSKeyFile represents the name on disk for a TLS key file.
+	TLSKeyFile = "key.pem"
+	// ComposeStorePath represents the subfolder where compose files are stored in the file store folder.
+	ComposeStorePath = "compose"
+	// ComposeFileDefaultName represents the default name of a compose file.
+	ComposeFileDefaultName = "docker-compose.yml"
+	// PrivateKeyFile represents the name on disk of the file containing the private key.
+	PrivateKeyFile = "portainer.key"
+	// PublicKeyFile represents the name on disk of the file containing the public key.
+	PublicKeyFile = "portainer.pub"
+)
+
+// Service represents a service for managing files and directories.
+type Service struct {
+	dataStorePath string
+	fileStorePath string
+}
+
+// NewService initializes a new service. It creates a data directory and a directory to store files
+// inside this directory if they don't exist.
+func NewService(dataStorePath, fileStorePath string) (*Service, error) {
+	service := &Service{
+		dataStorePath: dataStorePath,
+		fileStorePath: path.Join(dataStorePath, fileStorePath),
+	}
+
+	err := os.MkdirAll(dataStorePath, 0755)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(TLSStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(ComposeStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	return service, nil
+}
+
+// RemoveDirectory removes a directory on the filesystem.
+func (service *Service) RemoveDirectory(directoryPath string) error {
+	return os.RemoveAll(directoryPath)
+}
+
+// GetStackProjectPath returns the absolute path on the FS for a stack based
+// on its identifier.
+func (service *Service) GetStackProjectPath(stackIdentifier string) string {
+	return path.Join(service.fileStorePath, ComposeStorePath, stackIdentifier)
+}
+
+// StoreStackFileFromString creates a subfolder in the ComposeStorePath and stores a new file using the content from a string.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreStackFileFromString(stackIdentifier, fileName, stackFileContent string) (string, error) {
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+	data := []byte(stackFileContent)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreStackFileFromReader creates a subfolder in the ComposeStorePath and stores a new file using the content from an io.Reader.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreStackFileFromReader(stackIdentifier, fileName string, r io.Reader) (string, error) {
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreTLSFile creates a folder in the TLSStorePath and stores a new file with the content from r.
+func (service *Service) StoreTLSFile(folder string, fileType portainer.TLSFileType, r io.Reader) error {
+	storePath := path.Join(TLSStorePath, folder)
+	err := service.createDirectoryInStore(storePath)
+	if err != nil {
+		return err
+	}
+
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return portainer.ErrUndefinedTLSFileType
+	}
+
+	tlsFilePath := path.Join(storePath, fileName)
+	err = service.createFileInStore(tlsFilePath, r)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPathForTLSFile returns the absolute path to a specific TLS file for an endpoint.
+func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSFileType) (string, error) {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return "", portainer.ErrUndefinedTLSFileType
+	}
+	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
+}
+
+// DeleteTLSFiles deletes a folder in the TLS store path.
+func (service *Service) DeleteTLSFiles(folder string) error {
+	storePath := path.Join(service.fileStorePath, TLSStorePath, folder)
+	err := os.RemoveAll(storePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// DeleteTLSFile deletes a specific TLS file from a folder.
+func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileType) error {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return portainer.ErrUndefinedTLSFileType
+	}
+
+	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
+
+	err := os.Remove(filePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetFileContent returns a string content from file.
+func (service *Service) GetFileContent(filePath string) (string, error) {
+	content, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return "", err
+	}
+
+	return string(content), nil
+}
+
+// WriteJSONToFile writes JSON to the specified file.
+func (service *Service) WriteJSONToFile(path string, content interface{}) error {
+	jsonContent, err := json.Marshal(content)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(path, jsonContent, 0644)
+}
+
+// KeyPairFilesExist checks for the existence of the key files.
+func (service *Service) KeyPairFilesExist() (bool, error) {
+	privateKeyPath := path.Join(service.dataStorePath, PrivateKeyFile)
+	exists, err := fileExists(privateKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	publicKeyPath := path.Join(service.dataStorePath, PublicKeyFile)
+	exists, err = fileExists(publicKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// StoreKeyPair store the specified keys content as PEM files on disk.
+func (service *Service) StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error {
+	err := service.createPEMFileInStore(private, privatePEMHeader, PrivateKeyFile)
+	if err != nil {
+		return err
+	}
+
+	err = service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadKeyPair retrieve the content of both key files on disk.
+func (service *Service) LoadKeyPair() ([]byte, []byte, error) {
+	privateKey, err := service.getContentFromPEMFile(PrivateKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	publicKey, err := service.getContentFromPEMFile(PublicKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return privateKey, publicKey, nil
+}
+
+// createDirectoryInStore creates a new directory in the file store
+func (service *Service) createDirectoryInStore(name string) error {
+	path := path.Join(service.fileStorePath, name)
+	return os.MkdirAll(path, 0700)
+}
+
+// createFile creates a new file in the file store with the content from r.
+func (service *Service) createFileInStore(filePath string, r io.Reader) error {
+	path := path.Join(service.fileStorePath, filePath)
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) createPEMFileInStore(content []byte, fileType, filePath string) error {
+	path := path.Join(service.fileStorePath, filePath)
+	block := &pem.Block{Type: fileType, Bytes: content}
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	err = pem.Encode(out, block)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
+	path := path.Join(service.fileStorePath, filePath)
+
+	fileContent, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(fileContent)
+	return block.Bytes, nil
+}
+
+func fileExists(filePath string) (bool, error) {
+	if _, err := os.Stat(filePath); err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}

api/git/git.go

@@ -0,0 +1,39 @@
+package git
+
+import (
+	"net/url"
+	"strings"
+
+	"gopkg.in/src-d/go-git.v4"
+)
+
+// Service represents a service for managing Git.
+type Service struct{}
+
+// NewService initializes a new service.
+func NewService(dataStorePath string) (*Service, error) {
+	service := &Service{}
+
+	return service, nil
+}
+
+// ClonePublicRepository clones a public git repository using the specified URL in the specified
+// destination folder.
+func (service *Service) ClonePublicRepository(repositoryURL, destination string) error {
+	return cloneRepository(repositoryURL, destination)
+}
+
+// ClonePrivateRepositoryWithBasicAuth clones a private git repository using the specified URL in the specified
+// destination folder. It will use the specified username and password for basic HTTP authentication.
+func (service *Service) ClonePrivateRepositoryWithBasicAuth(repositoryURL, destination, username, password string) error {
+	credentials := username + ":" + url.PathEscape(password)
+	repositoryURL = strings.Replace(repositoryURL, "://", "://"+credentials+"@", 1)
+	return cloneRepository(repositoryURL, destination)
+}
+
+func cloneRepository(repositoryURL, destination string) error {
+	_, err := git.PlainClone(destination, false, &git.CloneOptions{
+		URL: repositoryURL,
+	})
+	return err
+}

api/http/client/client.go

@@ -0,0 +1,77 @@
+package client
+
+import (
+	"crypto/tls"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+)
+
+// ExecutePingOperationFromEndpoint will send a SystemPing operation HTTP request to a Docker environment
+// using the specified endpoint configuration. It is used exclusively when
+// specifying an endpoint from the CLI via the -H flag.
+func ExecutePingOperationFromEndpoint(endpoint *portainer.Endpoint) (bool, error) {
+	if strings.HasPrefix(endpoint.URL, "unix://") {
+		return false, nil
+	}
+
+	transport := &http.Transport{}
+
+	scheme := "http"
+
+	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return false, err
+		}
+		scheme = "https"
+		transport.TLSClientConfig = tlsConfig
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(endpoint.URL, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
+// using the specified host and optional TLS configuration.
+func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+	transport := &http.Transport{}
+
+	scheme := "http"
+	if tlsConfig != nil {
+		transport.TLSClientConfig = tlsConfig
+		scheme = "https"
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+func pingOperation(client *http.Client, target string) (bool, error) {
+	pingOperationURL := target + "/_ping"
+
+	response, err := client.Get(pingOperationURL)
+	if err != nil {
+		return false, err
+	}
+
+	agentOnDockerEnvironment := false
+	if response.Header.Get(portainer.PortainerAgentHeader) != "" {
+		agentOnDockerEnvironment = true
+	}
+
+	return agentOnDockerEnvironment, nil
+}

api/http/error/error.go

@@ -17,6 +17,7 @@ func WriteErrorResponse(w http.ResponseWriter, err error, code int, logger *log.
 		logger.Printf("http error: %s (code=%d)", err, code)
 	}
 
+	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(code)
 	json.NewEncoder(w).Encode(&errorResponse{Err: err.Error()})
 }

api/http/handler/auth.go

@@ -37,14 +37,14 @@ const (
 )
 
 // NewAuthHandler returns a new instance of AuthHandler.
-func NewAuthHandler(bouncer *security.RequestBouncer, authDisabled bool) *AuthHandler {
+func NewAuthHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, authDisabled bool) *AuthHandler {
 	h := &AuthHandler{
 		Router:       mux.NewRouter(),
 		Logger:       log.New(os.Stderr, "", log.LstdFlags),
 		authDisabled: authDisabled,
 	}
 	h.Handle("/auth",
-		bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth))).Methods(http.MethodPost)
+		rateLimiter.LimitAccess(bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth)))).Methods(http.MethodPost)
 
 	return h
 }

api/http/handler/docker.go

@@ -20,6 +20,7 @@ type DockerHandler struct {
 	*mux.Router
 	Logger                *log.Logger
 	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
 	TeamMembershipService portainer.TeamMembershipService
 	ProxyManager          *proxy.Manager
 }
@@ -35,24 +36,6 @@ func NewDockerHandler(bouncer *security.RequestBouncer) *DockerHandler {
 	return h
 }
 
-func (handler *DockerHandler) checkEndpointAccessControl(endpoint *portainer.Endpoint, userID portainer.UserID) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-
-	memberships, _ := handler.TeamMembershipService.TeamMembershipsByUserID(userID)
-	for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-		for _, membership := range memberships {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
@@ -75,17 +58,32 @@ func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
-	if tokenData.Role != portainer.AdministratorRole && !handler.checkEndpointAccessControl(endpoint, tokenData.ID) {
-		httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+
+	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
+	if tokenData.Role != portainer.AdministratorRole {
+		group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+
+		if !security.AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
+			httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
 	var proxy http.Handler
 	proxy = handler.ProxyManager.GetProxy(string(endpointID))
 	if proxy == nil {
 		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
 		if err != nil {
-			httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
 		}
 	}

api/http/handler/dockerhub.go

@@ -22,7 +22,7 @@ type DockerHubHandler struct {
 	DockerHubService portainer.DockerHubService
 }
 
-// NewDockerHubHandler returns a new instance of NewDockerHubHandler.
+// NewDockerHubHandler returns a new instance of DockerHubHandler.
 func NewDockerHubHandler(bouncer *security.RequestBouncer) *DockerHubHandler {
 	h := &DockerHubHandler{
 		Router: mux.NewRouter(),
@@ -52,6 +52,8 @@ func (handler *DockerHubHandler) handleGetDockerHub(w http.ResponseWriter, r *ht
 		return
 	}
 
+	dockerhub.Password = ""
+
 	encodeJSON(w, dockerhub, handler.Logger)
 	return
 }

api/http/handler/endpoint.go

@@ -1,7 +1,12 @@
 package handler
 
 import (
+	"bytes"
+	"strings"
+
 	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/http/client"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
@@ -22,6 +27,7 @@ type EndpointHandler struct {
 	Logger                      *log.Logger
 	authorizeEndpointManagement bool
 	EndpointService             portainer.EndpointService
+	EndpointGroupService        portainer.EndpointGroupService
 	FileService                 portainer.FileService
 	ProxyManager                *proxy.Manager
 }
@@ -56,27 +62,32 @@ func NewEndpointHandler(bouncer *security.RequestBouncer, authorizeEndpointManag
 }
 
 type (
-	postEndpointsRequest struct {
-		Name      string `valid:"required"`
-		URL       string `valid:"required"`
-		PublicURL string `valid:"-"`
-		TLS       bool
-	}
-
-	postEndpointsResponse struct {
-		ID int `json:"Id"`
-	}
-
 	putEndpointAccessRequest struct {
 		AuthorizedUsers []int `valid:"-"`
 		AuthorizedTeams []int `valid:"-"`
 	}
 
 	putEndpointsRequest struct {
-		Name      string `valid:"-"`
-		URL       string `valid:"-"`
-		PublicURL string `valid:"-"`
-		TLS       bool   `valid:"-"`
+		Name                string `valid:"-"`
+		URL                 string `valid:"-"`
+		PublicURL           string `valid:"-"`
+		GroupID             int    `valid:"-"`
+		TLS                 bool   `valid:"-"`
+		TLSSkipVerify       bool   `valid:"-"`
+		TLSSkipClientVerify bool   `valid:"-"`
+	}
+
+	postEndpointPayload struct {
+		name                      string
+		url                       string
+		publicURL                 string
+		groupID                   int
+		useTLS                    bool
+		skipTLSServerVerification bool
+		skipTLSClientVerification bool
+		caCert                    []byte
+		cert                      []byte
+		key                       []byte
 	}
 )
 
@@ -94,7 +105,13 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 		return
 	}
 
-	filteredEndpoints, err := security.FilterEndpoints(endpoints, securityContext)
+	groups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredEndpoints, err := security.FilterEndpoints(endpoints, groups, securityContext)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
@@ -103,6 +120,180 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 	encodeJSON(w, filteredEndpoints, handler.Logger)
 }
 
+func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	tlsConfig, err := crypto.CreateTLSConfig(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
+	if err != nil {
+		return nil, err
+	}
+
+	agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	endpointType := portainer.DockerEnvironment
+	if agentOnDockerEnvironment {
+		endpointType = portainer.AgentOnDockerEnvironment
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.name,
+		URL:       payload.url,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.groupID),
+		PublicURL: payload.publicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           payload.useTLS,
+			TLSSkipVerify: payload.skipTLSServerVerification,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	err = handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	folder := strconv.Itoa(int(endpoint.ID))
+
+	if !payload.skipTLSServerVerification {
+		r := bytes.NewReader(payload.caCert)
+		// TODO: review the API exposed by the FileService to store
+		// a file from a byte slice and return the path to the stored file instead
+		// of using multiple legacy calls (StoreTLSFile, GetPathForTLSFile) here.
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileCA, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+		endpoint.TLSConfig.TLSCACertPath = caCertPath
+	}
+
+	if !payload.skipTLSClientVerification {
+		r := bytes.NewReader(payload.cert)
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileCert, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+		endpoint.TLSConfig.TLSCertPath = certPath
+
+		r = bytes.NewReader(payload.key)
+		err = handler.FileService.StoreTLSFile(folder, portainer.TLSFileKey, r)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return nil, err
+		}
+		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+		endpoint.TLSConfig.TLSKeyPath = keyPath
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func (handler *EndpointHandler) createUnsecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	endpointType := portainer.DockerEnvironment
+
+	if !strings.HasPrefix(payload.url, "unix://") {
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, nil)
+		if err != nil {
+			return nil, err
+		}
+		if agentOnDockerEnvironment {
+			endpointType = portainer.AgentOnDockerEnvironment
+		}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.name,
+		URL:       payload.url,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.groupID),
+		PublicURL: payload.publicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+	}
+
+	err := handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func (handler *EndpointHandler) createEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	if payload.useTLS {
+		return handler.createTLSSecuredEndpoint(payload)
+	}
+	return handler.createUnsecuredEndpoint(payload)
+}
+
+func convertPostEndpointRequestToPayload(r *http.Request) (*postEndpointPayload, error) {
+	payload := &postEndpointPayload{}
+	payload.name = r.FormValue("Name")
+	payload.url = r.FormValue("URL")
+	payload.publicURL = r.FormValue("PublicURL")
+
+	if payload.name == "" || payload.url == "" {
+		return nil, ErrInvalidRequestFormat
+	}
+
+	rawGroupID := r.FormValue("GroupID")
+	if rawGroupID == "" {
+		payload.groupID = 1
+	} else {
+		groupID, err := strconv.Atoi(rawGroupID)
+		if err != nil {
+			return nil, err
+		}
+		payload.groupID = groupID
+	}
+
+	payload.useTLS = r.FormValue("TLS") == "true"
+
+	if payload.useTLS {
+		payload.skipTLSServerVerification = r.FormValue("TLSSkipVerify") == "true"
+		payload.skipTLSClientVerification = r.FormValue("TLSSkipClientVerify") == "true"
+
+		if !payload.skipTLSServerVerification {
+			caCert, err := getUploadedFileContent(r, "TLSCACertFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.caCert = caCert
+		}
+
+		if !payload.skipTLSClientVerification {
+			cert, err := getUploadedFileContent(r, "TLSCertFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.cert = cert
+			key, err := getUploadedFileContent(r, "TLSKeyFile")
+			if err != nil {
+				return nil, err
+			}
+			payload.key = key
+		}
+	}
+
+	return payload, nil
+}
+
 // handlePostEndpoints handles POST requests on /endpoints
 func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *http.Request) {
 	if !handler.authorizeEndpointManagement {
@@ -110,49 +301,19 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht
 		return
 	}
 
-	var req postEndpointsRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
-		return
-	}
-
-	_, err := govalidator.ValidateStruct(req)
+	payload, err := convertPostEndpointRequestToPayload(r)
 	if err != nil {
-		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpoint := &portainer.Endpoint{
-		Name:            req.Name,
-		URL:             req.URL,
-		PublicURL:       req.PublicURL,
-		TLS:             req.TLS,
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-	}
-
-	err = handler.EndpointService.CreateEndpoint(endpoint)
+	endpoint, err := handler.createEndpoint(payload)
 	if err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	if req.TLS {
-		folder := strconv.Itoa(int(endpoint.ID))
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
-		err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
-		if err != nil {
-			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
-			return
-		}
-	}
-
-	encodeJSON(w, &postEndpointsResponse{ID: int(endpoint.ID)}, handler.Logger)
+	encodeJSON(w, &endpoint, handler.Logger)
 }
 
 // handleGetEndpoint handles GET requests on /endpoints/:id
@@ -282,20 +443,39 @@ func (handler *EndpointHandler) handlePutEndpoint(w http.ResponseWriter, r *http
 		endpoint.PublicURL = req.PublicURL
 	}
 
+	if req.GroupID != 0 {
+		endpoint.GroupID = portainer.EndpointGroupID(req.GroupID)
+	}
+
 	folder := strconv.Itoa(int(endpoint.ID))
 	if req.TLS {
-		endpoint.TLS = true
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
-		endpoint.TLSCACertPath = caCertPath
-		certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
-		endpoint.TLSCertPath = certPath
-		keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
-		endpoint.TLSKeyPath = keyPath
+		endpoint.TLSConfig.TLS = true
+		endpoint.TLSConfig.TLSSkipVerify = req.TLSSkipVerify
+		if !req.TLSSkipVerify {
+			caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+			endpoint.TLSConfig.TLSCACertPath = caCertPath
+		} else {
+			endpoint.TLSConfig.TLSCACertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCA)
+		}
+
+		if !req.TLSSkipClientVerify {
+			certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSCertPath = certPath
+			keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+			endpoint.TLSConfig.TLSKeyPath = keyPath
+		} else {
+			endpoint.TLSConfig.TLSCertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSKeyPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileKey)
+		}
 	} else {
-		endpoint.TLS = false
-		endpoint.TLSCACertPath = ""
-		endpoint.TLSCertPath = ""
-		endpoint.TLSKeyPath = ""
+		endpoint.TLSConfig.TLS = false
+		endpoint.TLSConfig.TLSSkipVerify = true
+		endpoint.TLSConfig.TLSCACertPath = ""
+		endpoint.TLSConfig.TLSCertPath = ""
+		endpoint.TLSConfig.TLSKeyPath = ""
 		err = handler.FileService.DeleteTLSFiles(folder)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
@@ -343,6 +523,7 @@ func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *h
 	}
 
 	handler.ProxyManager.DeleteProxy(string(endpointID))
+	handler.ProxyManager.DeleteExtensionProxies(string(endpointID))
 
 	err = handler.EndpointService.DeleteEndpoint(portainer.EndpointID(endpointID))
 	if err != nil {
@@ -350,7 +531,7 @@ func (handler *EndpointHandler) handleDeleteEndpoint(w http.ResponseWriter, r *h
 		return
 	}
 
-	if endpoint.TLS {
+	if endpoint.TLSConfig.TLS {
 		err = handler.FileService.DeleteTLSFiles(id)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)

api/http/handler/endpoint_group.go

@@ -0,0 +1,364 @@
+package handler
+
+import (
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/gorilla/mux"
+)
+
+// EndpointGroupHandler represents an HTTP API handler for managing endpoint groups.
+type EndpointGroupHandler struct {
+	*mux.Router
+	Logger               *log.Logger
+	EndpointService      portainer.EndpointService
+	EndpointGroupService portainer.EndpointGroupService
+}
+
+// NewEndpointGroupHandler returns a new instance of EndpointGroupHandler.
+func NewEndpointGroupHandler(bouncer *security.RequestBouncer) *EndpointGroupHandler {
+	h := &EndpointGroupHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/endpoint_groups",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePostEndpointGroups))).Methods(http.MethodPost)
+	h.Handle("/endpoint_groups",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetEndpointGroups))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleGetEndpointGroup))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutEndpointGroup))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}/access",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handlePutEndpointGroupAccess))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(http.HandlerFunc(h.handleDeleteEndpointGroup))).Methods(http.MethodDelete)
+
+	return h
+}
+
+type (
+	postEndpointGroupsResponse struct {
+		ID int `json:"Id"`
+	}
+
+	postEndpointGroupsRequest struct {
+		Name                string                 `valid:"required"`
+		Description         string                 `valid:"-"`
+		Labels              []portainer.Pair       `valid:""`
+		AssociatedEndpoints []portainer.EndpointID `valid:""`
+	}
+
+	putEndpointGroupAccessRequest struct {
+		AuthorizedUsers []int `valid:"-"`
+		AuthorizedTeams []int `valid:"-"`
+	}
+
+	putEndpointGroupsRequest struct {
+		Name                string                 `valid:"-"`
+		Description         string                 `valid:"-"`
+		Labels              []portainer.Pair       `valid:""`
+		AssociatedEndpoints []portainer.EndpointID `valid:""`
+	}
+)
+
+// handleGetEndpointGroups handles GET requests on /endpoint_groups
+func (handler *EndpointGroupHandler) handleGetEndpointGroups(w http.ResponseWriter, r *http.Request) {
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredEndpointGroups, err := security.FilterEndpointGroups(endpointGroups, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, filteredEndpointGroups, handler.Logger)
+}
+
+// handlePostEndpointGroups handles POST requests on /endpoint_groups
+func (handler *EndpointGroupHandler) handlePostEndpointGroups(w http.ResponseWriter, r *http.Request) {
+	var req postEndpointGroupsRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup := &portainer.EndpointGroup{
+		Name:            req.Name,
+		Description:     req.Description,
+		Labels:          req.Labels,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+	}
+
+	err = handler.EndpointGroupService.CreateEndpointGroup(endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == portainer.EndpointGroupID(1) {
+			err = handler.checkForGroupAssignment(endpoint, endpointGroup.ID, req.AssociatedEndpoints)
+			if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+				return
+			}
+		}
+	}
+
+	encodeJSON(w, &postEndpointGroupsResponse{ID: int(endpointGroup.ID)}, handler.Logger)
+}
+
+// handleGetEndpointGroup handles GET requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handleGetEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, endpointGroup, handler.Logger)
+}
+
+// handlePutEndpointGroupAccess handles PUT requests on /endpoint_groups/:id/access
+func (handler *EndpointGroupHandler) handlePutEndpointGroupAccess(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putEndpointGroupAccessRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range req.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		endpointGroup.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if req.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range req.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		endpointGroup.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handlePutEndpointGroup handles PUT requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handlePutEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var req putEndpointGroupsRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	groupID := portainer.EndpointGroupID(endpointGroupID)
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(groupID)
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.Name != "" {
+		endpointGroup.Name = req.Name
+	}
+
+	if req.Description != "" {
+		endpointGroup.Description = req.Description
+	}
+
+	endpointGroup.Labels = req.Labels
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		err = handler.updateEndpointGroup(endpoint, groupID, req.AssociatedEndpoints)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+	}
+}
+
+func (handler *EndpointGroupHandler) updateEndpointGroup(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	if endpoint.GroupID == groupID {
+		return handler.checkForGroupUnassignment(endpoint, associatedEndpoints)
+	} else if endpoint.GroupID == portainer.EndpointGroupID(1) {
+		return handler.checkForGroupAssignment(endpoint, groupID, associatedEndpoints)
+	}
+	return nil
+}
+
+func (handler *EndpointGroupHandler) checkForGroupUnassignment(endpoint portainer.Endpoint, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+		if id == endpoint.ID {
+			return nil
+		}
+	}
+
+	endpoint.GroupID = portainer.EndpointGroupID(1)
+	return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+}
+
+func (handler *EndpointGroupHandler) checkForGroupAssignment(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+
+		if id == endpoint.ID {
+			endpoint.GroupID = groupID
+			return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		}
+	}
+	return nil
+}
+
+// handleDeleteEndpointGroup handles DELETE requests on /endpoint_groups/:id
+func (handler *EndpointGroupHandler) handleDeleteEndpointGroup(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	endpointGroupID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if endpointGroupID == 1 {
+		httperror.WriteErrorResponse(w, portainer.ErrCannotRemoveDefaultGroup, http.StatusForbidden, handler.Logger)
+		return
+	}
+
+	groupID := portainer.EndpointGroupID(endpointGroupID)
+	_, err = handler.EndpointGroupService.EndpointGroup(groupID)
+	if err == portainer.ErrEndpointGroupNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.EndpointGroupService.DeleteEndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == groupID {
+			endpoint.GroupID = portainer.EndpointGroupID(1)
+			err = handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+			if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+				return
+			}
+		}
+	}
+}

api/http/handler/extensions.go

@@ -0,0 +1,143 @@
+package handler
+
+import (
+	"encoding/json"
+	"strconv"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// ExtensionHandler represents an HTTP API handler for managing Settings.
+type ExtensionHandler struct {
+	*mux.Router
+	Logger          *log.Logger
+	EndpointService portainer.EndpointService
+	ProxyManager    *proxy.Manager
+}
+
+// NewExtensionHandler returns a new instance of ExtensionHandler.
+func NewExtensionHandler(bouncer *security.RequestBouncer) *ExtensionHandler {
+	h := &ExtensionHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/{endpointId}/extensions",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostExtensions))).Methods(http.MethodPost)
+	h.Handle("/{endpointId}/extensions/{extensionType}",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handleDeleteExtensions))).Methods(http.MethodDelete)
+	return h
+}
+
+type (
+	postExtensionRequest struct {
+		Type int    `valid:"required"`
+		URL  string `valid:"required"`
+	}
+)
+
+func (handler *ExtensionHandler) handlePostExtensions(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postExtensionRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	extensionType := portainer.EndpointExtensionType(req.Type)
+
+	var extension *portainer.EndpointExtension
+
+	for _, ext := range endpoint.Extensions {
+		if ext.Type == extensionType {
+			extension = &ext
+		}
+	}
+
+	if extension != nil {
+		extension.URL = req.URL
+	} else {
+		extension = &portainer.EndpointExtension{
+			Type: extensionType,
+			URL:  req.URL,
+		}
+		endpoint.Extensions = append(endpoint.Extensions, *extension)
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, extension, handler.Logger)
+}
+
+func (handler *ExtensionHandler) handleDeleteExtensions(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	extType, err := strconv.Atoi(vars["extensionType"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	extensionType := portainer.EndpointExtensionType(extType)
+
+	for idx, ext := range endpoint.Extensions {
+		if ext.Type == extensionType {
+			endpoint.Extensions = append(endpoint.Extensions[:idx], endpoint.Extensions[idx+1:]...)
+		}
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}

api/http/handler/extensions/storidge.go

@@ -0,0 +1,106 @@
+package extensions
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StoridgeHandler represents an HTTP API handler for proxying requests to the Docker API.
+type StoridgeHandler struct {
+	*mux.Router
+	Logger                *log.Logger
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	TeamMembershipService portainer.TeamMembershipService
+	ProxyManager          *proxy.Manager
+}
+
+// NewStoridgeHandler returns a new instance of StoridgeHandler.
+func NewStoridgeHandler(bouncer *security.RequestBouncer) *StoridgeHandler {
+	h := &StoridgeHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.PathPrefix("/{id}/extensions/storidge").Handler(
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.proxyRequestsToStoridgeAPI)))
+	return h
+}
+
+func (handler *StoridgeHandler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id := vars["id"]
+
+	parsedID, err := strconv.Atoi(id)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpointID := portainer.EndpointID(parsedID)
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+
+		if !security.AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
+			httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
+	var storidgeExtension *portainer.EndpointExtension
+	for _, extension := range endpoint.Extensions {
+		if extension.Type == portainer.StoridgeEndpointExtension {
+			storidgeExtension = &extension
+		}
+	}
+
+	if storidgeExtension == nil {
+		httperror.WriteErrorResponse(w, portainer.ErrEndpointExtensionNotSupported, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	proxyExtensionKey := string(endpoint.ID) + "_" + string(portainer.StoridgeEndpointExtension)
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetExtensionProxy(proxyExtensionKey)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
+		if err != nil {
+			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+			return
+		}
+	}
+
+	http.StripPrefix("/"+id+"/extensions/storidge", proxy).ServeHTTP(w, r)
+}

api/http/handler/file.go

@@ -3,34 +3,22 @@ package handler
 import (
 	"os"
 
-	"github.com/portainer/portainer"
-	httperror "github.com/portainer/portainer/http/error"
-
 	"log"
 	"net/http"
-	"path"
 	"strings"
 )
 
 // FileHandler represents an HTTP API handler for managing static files.
 type FileHandler struct {
 	http.Handler
-	Logger             *log.Logger
-	allowedDirectories map[string]bool
+	Logger *log.Logger
 }
 
 // NewFileHandler returns a new instance of FileHandler.
-func NewFileHandler(assetPath string) *FileHandler {
+func NewFileHandler(assetPublicPath string) *FileHandler {
 	h := &FileHandler{
-		Handler: http.FileServer(http.Dir(assetPath)),
+		Handler: http.FileServer(http.Dir(assetPublicPath)),
 		Logger:  log.New(os.Stderr, "", log.LstdFlags),
-		allowedDirectories: map[string]bool{
-			"/":       true,
-			"/css":    true,
-			"/js":     true,
-			"/images": true,
-			"/fonts":  true,
-		},
 	}
 	return h
 }
@@ -45,17 +33,10 @@ func isHTML(acceptContent []string) bool {
 }
 
 func (handler *FileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	requestDirectory := path.Dir(r.URL.Path)
-	if !handler.allowedDirectories[requestDirectory] {
-		httperror.WriteErrorResponse(w, portainer.ErrResourceNotFound, http.StatusNotFound, handler.Logger)
-		return
-	}
-
 	if !isHTML(r.Header["Accept"]) {
 		w.Header().Set("Cache-Control", "max-age=31536000")
 	} else {
 		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	}
-
 	handler.Handler.ServeHTTP(w, r)
 }

api/http/handler/handler.go

@@ -2,12 +2,14 @@ package handler
 
 import (
 	"encoding/json"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"strings"
 
 	"github.com/portainer/portainer"
 	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/handler/extensions"
 )
 
 // Handler is a collection of all the service handlers.
@@ -17,9 +19,13 @@ type Handler struct {
 	TeamHandler           *TeamHandler
 	TeamMembershipHandler *TeamMembershipHandler
 	EndpointHandler       *EndpointHandler
+	EndpointGroupHandler  *EndpointGroupHandler
 	RegistryHandler       *RegistryHandler
 	DockerHubHandler      *DockerHubHandler
+	ExtensionHandler      *ExtensionHandler
+	StoridgeHandler       *extensions.StoridgeHandler
 	ResourceHandler       *ResourceHandler
+	StackHandler          *StackHandler
 	StatusHandler         *StatusHandler
 	SettingsHandler       *SettingsHandler
 	TemplatesHandler      *TemplatesHandler
@@ -46,10 +52,19 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
 		http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
+		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoints"):
-		if strings.Contains(r.URL.Path, "/docker") {
+		switch {
+		case strings.Contains(r.URL.Path, "/docker/"):
 			http.StripPrefix("/api/endpoints", h.DockerHandler).ServeHTTP(w, r)
-		} else {
+		case strings.Contains(r.URL.Path, "/stacks"):
+			http.StripPrefix("/api/endpoints", h.StackHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/extensions/storidge"):
+			http.StripPrefix("/api/endpoints", h.StoridgeHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/extensions"):
+			http.StripPrefix("/api/endpoints", h.ExtensionHandler).ServeHTTP(w, r)
+		default:
 			http.StripPrefix("/api", h.EndpointHandler).ServeHTTP(w, r)
 		}
 	case strings.HasPrefix(r.URL.Path, "/api/registries"):
@@ -79,7 +94,24 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // encodeJSON encodes v to w in JSON format. WriteErrorResponse() is called if encoding fails.
 func encodeJSON(w http.ResponseWriter, v interface{}, logger *log.Logger) {
+	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(v); err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, logger)
 	}
 }
+
+// getUploadedFileContent retrieve the content of a file uploaded in the request.
+// Uses requestParameter as the key to retrieve the file in the request payload.
+func getUploadedFileContent(request *http.Request, requestParameter string) ([]byte, error) {
+	file, _, err := request.FormFile(requestParameter)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	fileContent, err := ioutil.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+	return fileContent, nil
+}

api/http/handler/registry.go

@@ -91,6 +91,10 @@ func (handler *RegistryHandler) handleGetRegistries(w http.ResponseWriter, r *ht
 		return
 	}
 
+	for i := range filteredRegistries {
+		filteredRegistries[i].Password = ""
+	}
+
 	encodeJSON(w, filteredRegistries, handler.Logger)
 }
 
@@ -159,6 +163,8 @@ func (handler *RegistryHandler) handleGetRegistry(w http.ResponseWriter, r *http
 		return
 	}
 
+	registry.Password = ""
+
 	encodeJSON(w, registry, handler.Logger)
 }
 

api/http/handler/resource_control.go

@@ -78,6 +78,14 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 		resourceControlType = portainer.ServiceResourceControl
 	case "volume":
 		resourceControlType = portainer.VolumeResourceControl
+	case "network":
+		resourceControlType = portainer.NetworkResourceControl
+	case "secret":
+		resourceControlType = portainer.SecretResourceControl
+	case "stack":
+		resourceControlType = portainer.StackResourceControl
+	case "config":
+		resourceControlType = portainer.ConfigResourceControl
 	default:
 		httperror.WriteErrorResponse(w, portainer.ErrInvalidResourceControlType, http.StatusBadRequest, handler.Logger)
 		return

api/http/handler/settings.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/asaskevich/govalidator"
 	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/file"
+	"github.com/portainer/portainer/filesystem"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/security"
 
@@ -45,18 +45,24 @@ func NewSettingsHandler(bouncer *security.RequestBouncer) *SettingsHandler {
 
 type (
 	publicSettingsResponse struct {
-		LogoURL                     string                         `json:"LogoURL"`
-		DisplayExternalContributors bool                           `json:"DisplayExternalContributors"`
-		AuthenticationMethod        portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		LogoURL                            string                         `json:"LogoURL"`
+		DisplayDonationHeader              bool                           `json:"DisplayDonationHeader"`
+		DisplayExternalContributors        bool                           `json:"DisplayExternalContributors"`
+		AuthenticationMethod               portainer.AuthenticationMethod `json:"AuthenticationMethod"`
+		AllowBindMountsForRegularUsers     bool                           `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
 	}
 
 	putSettingsRequest struct {
-		TemplatesURL                string                 `valid:"required"`
-		LogoURL                     string                 `valid:""`
-		BlackListedLabels           []portainer.Pair       `valid:""`
-		DisplayExternalContributors bool                   `valid:""`
-		AuthenticationMethod        int                    `valid:"required"`
-		LDAPSettings                portainer.LDAPSettings `valid:""`
+		TemplatesURL                       string                 `valid:"required"`
+		LogoURL                            string                 `valid:""`
+		BlackListedLabels                  []portainer.Pair       `valid:""`
+		DisplayDonationHeader              bool                   `valid:""`
+		DisplayExternalContributors        bool                   `valid:""`
+		AuthenticationMethod               int                    `valid:"required"`
+		LDAPSettings                       portainer.LDAPSettings `valid:""`
+		AllowBindMountsForRegularUsers     bool                   `valid:""`
+		AllowPrivilegedModeForRegularUsers bool                   `valid:""`
 	}
 
 	putSettingsLDAPCheckRequest struct {
@@ -85,9 +91,12 @@ func (handler *SettingsHandler) handleGetPublicSettings(w http.ResponseWriter, r
 	}
 
 	publicSettings := &publicSettingsResponse{
-		LogoURL:                     settings.LogoURL,
-		DisplayExternalContributors: settings.DisplayExternalContributors,
-		AuthenticationMethod:        settings.AuthenticationMethod,
+		LogoURL:                            settings.LogoURL,
+		DisplayDonationHeader:              settings.DisplayDonationHeader,
+		DisplayExternalContributors:        settings.DisplayExternalContributors,
+		AuthenticationMethod:               settings.AuthenticationMethod,
+		AllowBindMountsForRegularUsers:     settings.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 	}
 
 	encodeJSON(w, publicSettings, handler.Logger)
@@ -109,11 +118,14 @@ func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http
 	}
 
 	settings := &portainer.Settings{
-		TemplatesURL:                req.TemplatesURL,
-		LogoURL:                     req.LogoURL,
-		BlackListedLabels:           req.BlackListedLabels,
-		DisplayExternalContributors: req.DisplayExternalContributors,
-		LDAPSettings:                req.LDAPSettings,
+		TemplatesURL:                       req.TemplatesURL,
+		LogoURL:                            req.LogoURL,
+		BlackListedLabels:                  req.BlackListedLabels,
+		DisplayDonationHeader:              req.DisplayDonationHeader,
+		DisplayExternalContributors:        req.DisplayExternalContributors,
+		LDAPSettings:                       req.LDAPSettings,
+		AllowBindMountsForRegularUsers:     req.AllowBindMountsForRegularUsers,
+		AllowPrivilegedModeForRegularUsers: req.AllowPrivilegedModeForRegularUsers,
 	}
 
 	if req.AuthenticationMethod == 1 {
@@ -126,11 +138,11 @@ func (handler *SettingsHandler) handlePutSettings(w http.ResponseWriter, r *http
 	}
 
 	if (settings.LDAPSettings.TLSConfig.TLS || settings.LDAPSettings.StartTLS) && !settings.LDAPSettings.TLSConfig.TLSSkipVerify {
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(file.LDAPStorePath, portainer.TLSFileCA)
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(filesystem.LDAPStorePath, portainer.TLSFileCA)
 		settings.LDAPSettings.TLSConfig.TLSCACertPath = caCertPath
 	} else {
 		settings.LDAPSettings.TLSConfig.TLSCACertPath = ""
-		err := handler.FileService.DeleteTLSFiles(file.LDAPStorePath)
+		err := handler.FileService.DeleteTLSFiles(filesystem.LDAPStorePath)
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		}
@@ -157,7 +169,7 @@ func (handler *SettingsHandler) handlePutSettingsLDAPCheck(w http.ResponseWriter
 	}
 
 	if (req.LDAPSettings.TLSConfig.TLS || req.LDAPSettings.StartTLS) && !req.LDAPSettings.TLSConfig.TLSSkipVerify {
-		caCertPath, _ := handler.FileService.GetPathForTLSFile(file.LDAPStorePath, portainer.TLSFileCA)
+		caCertPath, _ := handler.FileService.GetPathForTLSFile(filesystem.LDAPStorePath, portainer.TLSFileCA)
 		req.LDAPSettings.TLSConfig.TLSCACertPath = caCertPath
 	}
 

api/http/handler/stack.go

@@ -0,0 +1,794 @@
+package handler
+
+import (
+	"encoding/json"
+	"path"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/filesystem"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StackHandler represents an HTTP API handler for managing Stack.
+type StackHandler struct {
+	stackCreationMutex *sync.Mutex
+	stackDeletionMutex *sync.Mutex
+	*mux.Router
+	Logger                 *log.Logger
+	FileService            portainer.FileService
+	GitService             portainer.GitService
+	StackService           portainer.StackService
+	EndpointService        portainer.EndpointService
+	ResourceControlService portainer.ResourceControlService
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
+	StackManager           portainer.StackManager
+}
+
+type stackDeploymentConfig struct {
+	endpoint   *portainer.Endpoint
+	stack      *portainer.Stack
+	prune      bool
+	dockerhub  *portainer.DockerHub
+	registries []portainer.Registry
+}
+
+// NewStackHandler returns a new instance of StackHandler.
+func NewStackHandler(bouncer *security.RequestBouncer) *StackHandler {
+	h := &StackHandler{
+		Router:             mux.NewRouter(),
+		stackCreationMutex: &sync.Mutex{},
+		stackDeletionMutex: &sync.Mutex{},
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/{endpointId}/stacks",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handlePostStacks))).Methods(http.MethodPost)
+	h.Handle("/{endpointId}/stacks",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStacks))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStack))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleDeleteStack))).Methods(http.MethodDelete)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handlePutStack))).Methods(http.MethodPut)
+	h.Handle("/{endpointId}/stacks/{id}/stackfile",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStackFile))).Methods(http.MethodGet)
+	return h
+}
+
+type (
+	postStacksRequest struct {
+		Name                        string           `valid:"required"`
+		SwarmID                     string           `valid:"required"`
+		StackFileContent            string           `valid:""`
+		RepositoryURL               string           `valid:""`
+		RepositoryAuthentication    bool             `valid:""`
+		RepositoryUsername          string           `valid:""`
+		RepositoryPassword          string           `valid:""`
+		ComposeFilePathInRepository string           `valid:""`
+		Env                         []portainer.Pair `valid:""`
+	}
+	postStacksResponse struct {
+		ID string `json:"Id"`
+	}
+	getStackFileResponse struct {
+		StackFileContent string `json:"StackFileContent"`
+	}
+	putStackRequest struct {
+		StackFileContent string           `valid:"required"`
+		Env              []portainer.Pair `valid:""`
+		Prune            bool             `valid:"-"`
+	}
+)
+
+// handlePostStacks handles POST requests on /:endpointId/stacks?method=<method>
+func (handler *StackHandler) handlePostStacks(w http.ResponseWriter, r *http.Request) {
+	method := r.FormValue("method")
+	if method == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if method == "string" {
+		handler.handlePostStacksStringMethod(w, r)
+	} else if method == "repository" {
+		handler.handlePostStacksRepositoryMethod(w, r)
+	} else if method == "file" {
+		handler.handlePostStacksFileMethod(w, r)
+	} else {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+}
+
+func (handler *StackHandler) handlePostStacksStringMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFileContent := req.StackFileContent
+	if stackFileContent == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := req.SwarmID
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: filesystem.ComposeFileDefaultName,
+		Env:        req.Env,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromString(string(stack.ID), stack.EntryPoint, stackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksRepositoryMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	swarmID := req.SwarmID
+
+	if stackName == "" || swarmID == "" || req.RepositoryURL == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.RepositoryAuthentication && (req.RepositoryUsername == "" || req.RepositoryPassword == "") {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.ComposeFilePathInRepository == "" {
+		req.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: req.ComposeFilePathInRepository,
+		Env:        req.Env,
+	}
+
+	projectPath := handler.FileService.GetStackProjectPath(string(stack.ID))
+	stack.ProjectPath = projectPath
+
+	// Ensure projectPath is empty
+	err = handler.FileService.RemoveDirectory(projectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if req.RepositoryAuthentication {
+		err = handler.GitService.ClonePrivateRepositoryWithBasicAuth(req.RepositoryURL, projectPath, req.RepositoryUsername, req.RepositoryPassword)
+	} else {
+		err = handler.GitService.ClonePublicRepository(req.RepositoryURL, projectPath)
+	}
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksFileMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackName := r.FormValue("Name")
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := r.FormValue("SwarmID")
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	envParam := r.FormValue("Env")
+	var env []portainer.Pair
+	if err = json.Unmarshal([]byte(envParam), &env); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFile, _, err := r.FormFile("file")
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	defer stackFile.Close()
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: filesystem.ComposeFileDefaultName,
+		Env:        env,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromReader(string(stack.ID), stack.EntryPoint, stackFile)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      false,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+// handleGetStacks handles GET requests on /:endpointId/stacks?swarmId=<swarmId>
+func (handler *StackHandler) handleGetStacks(w http.ResponseWriter, r *http.Request) {
+	swarmID := r.FormValue("swarmId")
+
+	vars := mux.Vars(r)
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	_, err = handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var stacks []portainer.Stack
+	if swarmID == "" {
+		stacks, err = handler.StackService.Stacks()
+	} else {
+		stacks, err = handler.StackService.StacksBySwarmID(swarmID)
+	}
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControls, err := handler.ResourceControlService.ResourceControls()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredStacks := proxy.FilterStacks(stacks, resourceControls, securityContext.IsAdmin,
+		securityContext.UserID, securityContext.UserMemberships)
+
+	encodeJSON(w, filteredStacks, handler.Logger)
+}
+
+// handleGetStack handles GET requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleGetStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControl, err := handler.ResourceControlService.ResourceControlByResourceID(stack.Name)
+	if err != nil && err != portainer.ErrResourceControlNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	extendedStack := proxy.ExtendedStack{*stack, portainer.ResourceControl{}}
+	if resourceControl != nil {
+		if securityContext.IsAdmin || proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+			extendedStack.ResourceControl = *resourceControl
+		} else {
+			httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
+	encodeJSON(w, extendedStack, handler.Logger)
+}
+
+// handlePutStack handles PUT requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handlePutStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req putStackRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	stack.Env = req.Env
+
+	_, err = handler.FileService.StoreStackFileFromString(string(stack.ID), stack.EntryPoint, req.StackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.UpdateStack(stack.ID, stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredRegistries, err := security.FilterRegistries(registries, securityContext)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	config := stackDeploymentConfig{
+		stack:      stack,
+		endpoint:   endpoint,
+		dockerhub:  dockerhub,
+		registries: filteredRegistries,
+		prune:      req.Prune,
+	}
+	err = handler.deployStack(&config)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handleGetStackFile handles GET requests on /:endpointId/stacks/:id/stackfile
+func (handler *StackHandler) handleGetStackFile(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &getStackFileResponse{StackFileContent: stackFileContent}, handler.Logger)
+}
+
+// handleDeleteStack handles DELETE requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleDeleteStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	handler.stackDeletionMutex.Lock()
+	err = handler.StackManager.Remove(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	handler.stackDeletionMutex.Unlock()
+
+	err = handler.StackService.DeleteStack(portainer.StackID(stackID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.FileService.RemoveDirectory(stack.ProjectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *StackHandler) deployStack(config *stackDeploymentConfig) error {
+	handler.stackCreationMutex.Lock()
+
+	handler.StackManager.Login(config.dockerhub, config.registries, config.endpoint)
+
+	err := handler.StackManager.Deploy(config.stack, config.prune, config.endpoint)
+	if err != nil {
+		handler.stackCreationMutex.Unlock()
+		return err
+	}
+
+	err = handler.StackManager.Logout(config.endpoint)
+	if err != nil {
+		handler.stackCreationMutex.Unlock()
+		return err
+	}
+
+	handler.stackCreationMutex.Unlock()
+	return nil
+}

api/http/handler/templates.go

@@ -43,16 +43,17 @@ func (handler *TemplatesHandler) handleGetTemplates(w http.ResponseWriter, r *ht
 	}
 
 	var templatesURL string
-	if key == "containers" {
+	switch key {
+	case "containers":
 		settings, err := handler.SettingsService.Settings()
 		if err != nil {
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
 		}
 		templatesURL = settings.TemplatesURL
-	} else if key == "linuxserver.io" {
+	case "linuxserver.io":
 		templatesURL = containerTemplatesURLLinuxServerIo
-	} else {
+	default:
 		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}

api/http/handler/upload.go

@@ -30,7 +30,7 @@ func NewUploadHandler(bouncer *security.RequestBouncer) *UploadHandler {
 	return h
 }
 
-// handlePostUploadTLS handles POST requests on /upload/tls/{certificate:(?:ca|cert|key)}?folder=folder
+// handlePostUploadTLS handles POST requests on /upload/tls/{certificate:(?:ca|cert|key)}?folder=<folder>
 func (handler *UploadHandler) handlePostUploadTLS(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	certificate := vars["certificate"]

api/http/handler/user.go

@@ -82,6 +82,7 @@ type (
 	}
 
 	postAdminInitRequest struct {
+		Username string `valid:"required"`
 		Password string `valid:"required"`
 	}
 )
@@ -358,10 +359,14 @@ func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	user, err := handler.UserService.UserByUsername("admin")
-	if err == portainer.ErrUserNotFound {
+	users, err := handler.UserService.UsersByRole(portainer.AdministratorRole)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	if len(users) == 0 {
 		user := &portainer.User{
-			Username: "admin",
+			Username: req.Username,
 			Role:     portainer.AdministratorRole,
 		}
 		user.Password, err = handler.CryptoService.Hash(req.Password)
@@ -375,11 +380,7 @@ func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.R
 			httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 			return
 		}
-	} else if err != nil {
-		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
-		return
-	}
-	if user != nil {
+	} else {
 		httperror.WriteErrorResponse(w, portainer.ErrAdminAlreadyInitialized, http.StatusConflict, handler.Logger)
 		return
 	}
@@ -396,6 +397,22 @@ func (handler *UserHandler) handleDeleteUser(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	if userID == 1 {
+		httperror.WriteErrorResponse(w, portainer.ErrCannotRemoveAdmin, http.StatusForbidden, handler.Logger)
+		return
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	if tokenData.ID == portainer.UserID(userID) {
+		httperror.WriteErrorResponse(w, portainer.ErrAdminCannotRemoveSelf, http.StatusForbidden, handler.Logger)
+		return
+	}
+
 	_, err = handler.UserService.User(portainer.UserID(userID))
 
 	if err == portainer.ErrUserNotFound {

api/http/handler/websocket.go

@@ -1,11 +1,11 @@
 package handler
 
 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io"
 	"log"
 	"net"
 	"net/http"
@@ -16,119 +16,135 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/gorilla/websocket"
+	"github.com/koding/websocketproxy"
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
-	"golang.org/x/net/websocket"
+	httperror "github.com/portainer/portainer/http/error"
 )
 
-// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
-type WebSocketHandler struct {
-	*mux.Router
-	Logger          *log.Logger
-	EndpointService portainer.EndpointService
-}
+type (
+	// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
+	WebSocketHandler struct {
+		*mux.Router
+		Logger             *log.Logger
+		EndpointService    portainer.EndpointService
+		SignatureService   portainer.DigitalSignatureService
+		connectionUpgrader websocket.Upgrader
+	}
+
+	webSocketExecRequestParams struct {
+		execID   string
+		nodeName string
+		endpoint *portainer.Endpoint
+	}
+
+	execStartOperationPayload struct {
+		Tty    bool
+		Detach bool
+	}
+)
 
 // NewWebSocketHandler returns a new instance of WebSocketHandler.
 func NewWebSocketHandler() *WebSocketHandler {
 	h := &WebSocketHandler{
-		Router: mux.NewRouter(),
-		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Router:             mux.NewRouter(),
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+		connectionUpgrader: websocket.Upgrader{},
 	}
-	h.Handle("/websocket/exec", websocket.Handler(h.webSocketDockerExec))
+	h.HandleFunc("/websocket/exec", h.handleWebsocketExec).Methods(http.MethodGet)
 	return h
 }
 
-func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
-	qry := ws.Request().URL.Query()
-	execID := qry.Get("id")
-	edpID := qry.Get("endpointId")
-
-	parsedID, err := strconv.Atoi(edpID)
-	if err != nil {
-		log.Printf("Unable to parse endpoint ID: %s", err)
+// handleWebsocketExec handles GET requests on /websocket/exec?id=<execID>&endpointId=<endpointID>&nodeName=<nodeName>
+// If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
+// If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
+// an ExecStart operation HTTP request will be created and hijacked.
+func (handler *WebSocketHandler) handleWebsocketExec(w http.ResponseWriter, r *http.Request) {
+	paramExecID := r.FormValue("id")
+	paramEndpointID := r.FormValue("endpointId")
+	if paramExecID == "" || paramEndpointID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointID := portainer.EndpointID(parsedID)
-	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	endpointID, err := strconv.Atoi(paramEndpointID)
 	if err != nil {
-		log.Printf("Unable to retrieve endpoint: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointURL, err := url.Parse(endpoint.URL)
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
-		log.Printf("Unable to parse endpoint URL: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	var host string
-	if endpointURL.Scheme == "tcp" {
-		host = endpointURL.Host
-	} else if endpointURL.Scheme == "unix" {
-		host = endpointURL.Path
+	params := &webSocketExecRequestParams{
+		endpoint: endpoint,
+		execID:   paramExecID,
+		nodeName: r.FormValue("nodeName"),
 	}
 
-	// Should not be managed here
-	var tlsConfig *tls.Config
-	if endpoint.TLS {
-		tlsConfig, err = crypto.CreateTLSConfiguration(endpoint.TLSCACertPath, endpoint.TLSCertPath, endpoint.TLSKeyPath, false)
-		if err != nil {
-			log.Fatalf("Unable to create TLS configuration: %s", err)
-			return
+	err = handler.handleRequest(w, r, params)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *WebSocketHandler) handleRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	if params.nodeName != "" {
+		return handler.proxyWebsocketRequest(w, r, params)
+	}
+
+	websocketConn, err := handler.connectionUpgrader.Upgrade(w, r, nil)
+	if err != nil {
+		return err
+	}
+	defer websocketConn.Close()
+
+	return hijackExecStartOperation(websocketConn, params.endpoint, params.execID)
+}
+
+func (handler *WebSocketHandler) proxyWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	agentURL, err := url.Parse(params.endpoint.URL)
+	if err != nil {
+		return err
+	}
+
+	agentURL.Scheme = "ws"
+	proxy := websocketproxy.NewProxy(agentURL)
+
+	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
+		agentURL.Scheme = "wss"
+		proxy.Dialer = &websocket.Dialer{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
+			},
 		}
 	}
 
-	if err := hijack(host, endpointURL.Scheme, "POST", "/exec/"+execID+"/start", tlsConfig, true, ws, ws, ws, nil, nil); err != nil {
-		log.Fatalf("error during hijack: %s", err)
-		return
+	signature, err := handler.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
 	}
+
+	proxy.Director = func(incoming *http.Request, out http.Header) {
+		out.Set(portainer.PortainerAgentSignatureHeader, signature)
+		out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
+	}
+
+	r.Header.Del("Origin")
+	proxy.ServeHTTP(w, r)
+
+	return nil
 }
 
-type execConfig struct {
-	Tty    bool
-	Detach bool
-}
-
-// hijack allows to upgrade an HTTP connection to a TCP connection
-// It redirects IO streams for stdin, stdout and stderr to a websocket
-func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
-	execConfig := &execConfig{
-		Tty:    true,
-		Detach: false,
-	}
-
-	buf, err := json.Marshal(execConfig)
+func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, execID string) error {
+	dial, err := createDial(endpoint)
 	if err != nil {
-		return fmt.Errorf("error marshaling exec config: %s", err)
-	}
-
-	rdr := bytes.NewReader(buf)
-
-	req, err := http.NewRequest(method, path, rdr)
-	if err != nil {
-		return fmt.Errorf("error during hijack request: %s", err)
-	}
-
-	req.Header.Set("User-Agent", "Docker-Client")
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Connection", "Upgrade")
-	req.Header.Set("Upgrade", "tcp")
-	req.Host = addr
-
-	var (
-		dial    net.Conn
-		dialErr error
-	)
-
-	if tlsConfig == nil {
-		dial, dialErr = net.Dial(scheme, addr)
-	} else {
-		dial, dialErr = tls.Dial(scheme, addr, tlsConfig)
-	}
-
-	if dialErr != nil {
-		return dialErr
+		return err
 	}
 
 	// When we set up a TCP connection for hijack, there could be long periods
@@ -140,57 +156,128 @@ func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerm
 		tcpConn.SetKeepAlive(true)
 		tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}
+
+	httpConn := httputil.NewClientConn(dial, nil)
+	defer httpConn.Close()
+
+	execStartRequest, err := createExecStartRequest(execID)
 	if err != nil {
 		return err
 	}
-	clientconn := httputil.NewClientConn(dial, nil)
-	defer clientconn.Close()
 
-	// Server hijacks the connection, error 'connection closed' expected
-	clientconn.Do(req)
-
-	rwc, br := clientconn.Hijack()
-	defer rwc.Close()
-
-	if started != nil {
-		started <- rwc
+	err = hijackRequest(websocketConn, httpConn, execStartRequest)
+	if err != nil {
+		return err
 	}
 
-	var receiveStdout chan error
-
-	if stdout != nil || stderr != nil {
-		go func() (err error) {
-			if setRawTerminal && stdout != nil {
-				_, err = io.Copy(stdout, br)
-			}
-			return err
-		}()
-	}
-
-	go func() error {
-		if in != nil {
-			io.Copy(rwc, in)
-		}
-
-		if conn, ok := rwc.(interface {
-			CloseWrite() error
-		}); ok {
-			if err := conn.CloseWrite(); err != nil {
-			}
-		}
-		return nil
-	}()
-
-	if stdout != nil || stderr != nil {
-		if err := <-receiveStdout; err != nil {
-			return err
-		}
-	}
-	go func() {
-		for {
-			fmt.Println(br)
-		}
-	}()
-
 	return nil
 }
+
+func createDial(endpoint *portainer.Endpoint) (net.Conn, error) {
+	url, err := url.Parse(endpoint.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	var host string
+	if url.Scheme == "tcp" {
+		host = url.Host
+	} else if url.Scheme == "unix" {
+		host = url.Path
+	}
+
+	if endpoint.TLSConfig.TLS {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return nil, err
+		}
+		return tls.Dial(url.Scheme, host, tlsConfig)
+	}
+
+	return net.Dial(url.Scheme, host)
+}
+
+func createExecStartRequest(execID string) (*http.Request, error) {
+	execStartOperationPayload := &execStartOperationPayload{
+		Tty:    true,
+		Detach: false,
+	}
+
+	encodedBody := bytes.NewBuffer(nil)
+	err := json.NewEncoder(encodedBody).Encode(execStartOperationPayload)
+	if err != nil {
+		return nil, err
+	}
+
+	request, err := http.NewRequest("POST", "/exec/"+execID+"/start", encodedBody)
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("Connection", "Upgrade")
+	request.Header.Set("Upgrade", "tcp")
+
+	return request, nil
+}
+
+func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn, request *http.Request) error {
+	// Server hijacks the connection, error 'connection closed' expected
+	resp, err := httpConn.Do(request)
+	if err != httputil.ErrPersistEOF {
+		if err != nil {
+			return err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			resp.Body.Close()
+			return fmt.Errorf("unable to upgrade to tcp, received %d", resp.StatusCode)
+		}
+	}
+
+	tcpConn, brw := httpConn.Hijack()
+	defer tcpConn.Close()
+
+	errorChan := make(chan error, 1)
+	go streamFromTCPConnToWebsocketConn(websocketConn, brw, errorChan)
+	go streamFromWebsocketConnToTCPConn(websocketConn, tcpConn, errorChan)
+
+	err = <-errorChan
+	if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
+		return err
+	}
+
+	return nil
+}
+
+func streamFromWebsocketConnToTCPConn(websocketConn *websocket.Conn, tcpConn net.Conn, errorChan chan error) {
+	for {
+		_, in, err := websocketConn.ReadMessage()
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		_, err = tcpConn.Write(in)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}
+
+func streamFromTCPConnToWebsocketConn(websocketConn *websocket.Conn, br *bufio.Reader, errorChan chan error) {
+	for {
+		out := make([]byte, 1024)
+		_, err := br.Read(out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		err = websocketConn.WriteMessage(websocket.TextMessage, out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}

api/http/proxy/access_control.go

@@ -2,6 +2,83 @@ package proxy
 
 import "github.com/portainer/portainer"
 
+type (
+	// ExtendedStack represents a stack combined with its associated access control
+	ExtendedStack struct {
+		portainer.Stack
+		ResourceControl portainer.ResourceControl `json:"ResourceControl"`
+	}
+)
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// It will retrieve an identifier from the labels object. If an identifier exists, it will check for
+// an existing resource control associated to it.
+// Returns a decorated object and authorized access (true) when a resource control is found and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found.
+// Returns the original object and denied access (false) when a resource control is found and the user cannot access the resource.
+func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		return applyResourceAccessControl(resourceObject, resourceIdentifier, context)
+	}
+	return resourceObject, true
+}
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// Returns a decorated object and authorized access (true) when a resource control is found to the specified resource
+// identifier and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found for the specified
+// resource identifier.
+// Returns the original object and denied access (false) when a resource control is associated to the resource
+// and the user cannot access the resource.
+func applyResourceAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	authorizedAccess := true
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, context.resourceControls)
+	if resourceControl != nil {
+		if context.isAdmin || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
+			resourceObject = decorateObject(resourceObject, resourceControl)
+		} else {
+			authorizedAccess = false
+		}
+	}
+
+	return resourceObject, authorizedAccess
+}
+
+// decorateResourceWithAccessControlFromLabel will retrieve an identifier from the labels object. If an identifier exists,
+// it will check for an existing resource control associated to it. If a resource control is found, the resource object will be
+// decorated. If no identifier can be found in the labels or no resource control is associated to the identifier, the resource
+// object will not be changed.
+func decorateResourceWithAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		resourceObject = decorateResourceWithAccessControl(resourceObject, resourceIdentifier, resourceControls)
+	}
+
+	return resourceObject
+}
+
+// decorateResourceWithAccessControl will check if a resource control is associated to the specified resource identifier.
+// If a resource control is found, the resource object will be decorated, otherwise it will not be changed.
+func decorateResourceWithAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, resourceControls)
+	if resourceControl != nil {
+		return decorateObject(resourceObject, resourceControl)
+	}
+	return resourceObject
+}
+
 func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
 	for _, authorizedUserAccess := range resourceControl.UserAccesses {
 		if userID == authorizedUserAccess.UserID {
@@ -19,3 +96,66 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 
 	return false
 }
+
+func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
+	if object["Portainer"] == nil {
+		object["Portainer"] = make(map[string]interface{})
+	}
+
+	portainerMetadata := object["Portainer"].(map[string]interface{})
+	portainerMetadata["ResourceControl"] = resourceControl
+	return object
+}
+
+func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}
+
+// CanAccessStack checks if a user can access a stack
+func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceControl, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	if canUserAccessResource(userID, userTeamIDs, resourceControl) {
+		return true
+	}
+
+	return false
+}
+
+// FilterStacks filters stacks based on user role and resource controls.
+func FilterStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl, isAdmin bool,
+	userID portainer.UserID, memberships []portainer.TeamMembership) []ExtendedStack {
+
+	filteredStacks := make([]ExtendedStack, 0)
+
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	for _, stack := range stacks {
+		extendedStack := ExtendedStack{stack, portainer.ResourceControl{}}
+		resourceControl := getResourceControlByResourceID(stack.Name, resourceControls)
+		if resourceControl == nil {
+			filteredStacks = append(filteredStacks, extendedStack)
+		} else if resourceControl != nil && (isAdmin || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
+			extendedStack.ResourceControl = *resourceControl
+			filteredStacks = append(filteredStacks, extendedStack)
+		}
+	}
+
+	return filteredStacks
+}

api/http/proxy/build.go

@@ -0,0 +1,56 @@
+package proxy
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/portainer/portainer/archive"
+)
+
+type postDockerfileRequest struct {
+	Content string
+}
+
+// buildOperation inspects the "Content-Type" header to determine if it needs to alter the request.
+// If the value of the header is empty, it means that a Dockerfile is posted via upload, the function
+// will extract the file content from the request body, tar it, and rewrite the body.
+// If the value of the header contains "application/json", it means that the content of a Dockerfile is posted
+// in the request payload as JSON, the function will create a new file called Dockerfile inside a tar archive and
+// rewrite the body of the request.
+// In any other case, it will leave the request unaltered.
+func buildOperation(request *http.Request) error {
+	contentTypeHeader := request.Header.Get("Content-Type")
+	if contentTypeHeader != "" && !strings.Contains(contentTypeHeader, "application/json") {
+		return nil
+	}
+
+	var dockerfileContent []byte
+
+	if contentTypeHeader == "" {
+		body, err := ioutil.ReadAll(request.Body)
+		if err != nil {
+			return err
+		}
+		dockerfileContent = body
+	} else {
+		var req postDockerfileRequest
+		if err := json.NewDecoder(request.Body).Decode(&req); err != nil {
+			return err
+		}
+		dockerfileContent = []byte(req.Content)
+	}
+
+	buffer, err := archive.TarFileInBuffer(dockerfileContent, "Dockerfile")
+	if err != nil {
+		return err
+	}
+
+	request.Body = ioutil.NopCloser(bytes.NewReader(buffer))
+	request.ContentLength = int64(len(buffer))
+	request.Header.Set("Content-Type", "application/x-tar")
+
+	return nil
+}

api/http/proxy/configs.go

@@ -0,0 +1,107 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerConfigIdentifierNotFound defines an error raised when Portainer is unable to find a config identifier
+	ErrDockerConfigIdentifierNotFound = portainer.Error("Docker config identifier not found")
+	configIdentifier                  = "ID"
+)
+
+// configListOperation extracts the response as a JSON object, loop through the configs array
+// decorate and/or filter the configs based on resource controls before rewriting the response
+func configListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// ConfigList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateConfigList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterConfigList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// configInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated config.
+func configInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// ConfigInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[configIdentifier] == nil {
+		return ErrDockerConfigIdentifierNotFound
+	}
+
+	configID := responseObject[configIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, configID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// decorateConfigList loops through all configs and decorates any config with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func decorateConfigList(configData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject = decorateResourceWithAccessControl(configObject, configID, resourceControls)
+
+		decoratedConfigData = append(decoratedConfigData, configObject)
+	}
+
+	return decoratedConfigData, nil
+}
+
+// filterConfigList loops through all configs and filters public configs (no associated resource control)
+// as well as authorized configs (access granted to the user based on existing resource control).
+// Authorized configs are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func filterConfigList(configData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject, access := applyResourceAccessControl(configObject, configID, context)
+		if access {
+			filteredConfigData = append(filteredConfigData, configObject)
+		}
+	}
+
+	return filteredConfigData, nil
+}

api/http/proxy/containers.go

@@ -11,11 +11,12 @@ const (
 	ErrDockerContainerIdentifierNotFound = portainer.Error("Docker container identifier not found")
 	containerIdentifier                  = "Id"
 	containerLabelForServiceIdentifier   = "com.docker.swarm.service.id"
+	containerLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@@ -27,8 +28,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 	if executor.operationContext.isAdmin {
 		responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterContainerList(responseArray, executor.operationContext.resourceControls,
-			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+		responseArray, err = filterContainerList(responseArray, executor.operationContext)
 	}
 	if err != nil {
 		return err
@@ -47,7 +47,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@@ -58,30 +58,22 @@ func containerInspectOperation(request *http.Request, response *http.Response, e
 	if responseObject[containerIdentifier] == nil {
 		return ErrDockerContainerIdentifierNotFound
 	}
-	containerID := responseObject[containerIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(containerID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-			executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	containerID := responseObject[containerIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, containerID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
-	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
-		if resourceControl != nil {
-			if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-				executor.operationContext.userTeamIDs, resourceControl) {
-				responseObject = decorateObject(responseObject, resourceControl)
-			} else {
-				return rewriteAccessDeniedResponse(response)
-			}
-		}
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForServiceIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
@@ -106,3 +98,96 @@ func extractContainerLabelsFromContainerListObject(responseObject map[string]int
 	containerLabelsObject := extractJSONField(responseObject, "Labels")
 	return containerLabelsObject
 }
+
+// decorateContainerList loops through all containers and decorates any container with an existing resource control.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject = decorateResourceWithAccessControl(containerObject, containerID, resourceControls)
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, resourceControls)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, resourceControls)
+
+		decoratedContainerData = append(decoratedContainerData, containerObject)
+	}
+
+	return decoratedContainerData, nil
+}
+
+// filterContainerList loops through all containers and filters public containers (no associated resource control)
+// as well as authorized containers (access granted to the user based on existing resource control).
+// Authorized containers are decorated during the process.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func filterContainerList(containerData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject, access := applyResourceAccessControl(containerObject, containerID, context)
+		if access {
+			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+			containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, context)
+			if access {
+				containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, context)
+				if access {
+					filteredContainerData = append(filteredContainerData, containerObject)
+				}
+			}
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
+// any labels in the labels black list.
+func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		if containerLabels != nil {
+			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
+				filteredContainerData = append(filteredContainerData, containerObject)
+			}
+		} else {
+			filteredContainerData = append(filteredContainerData, containerObject)
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
+	for key, value := range containerLabels {
+		labelName := key
+		labelValue := value.(string)
+
+		for _, blackListedLabel := range labelBlackList {
+			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
+				return true
+			}
+		}
+	}
+
+	return false
+}

api/http/proxy/decorator.go

@@ -1,90 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// decorateVolumeList loops through all volumes and will decorate any volume with an existing resource control.
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl != nil {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-		}
-		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
-	}
-
-	return decoratedVolumeData, nil
-}
-
-// decorateContainerList loops through all containers and will decorate any container with an existing resource control.
-// Check is based on the container ID and optional Swarm service ID.
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl != nil {
-			containerObject = decorateObject(containerObject, resourceControl)
-		}
-
-		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-		if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-			serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-			resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-			if resourceControl != nil {
-				containerObject = decorateObject(containerObject, resourceControl)
-			}
-		}
-
-		decoratedContainerData = append(decoratedContainerData, containerObject)
-	}
-
-	return decoratedContainerData, nil
-}
-
-// decorateServiceList loops through all services and will decorate any service with an existing resource control.
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl != nil {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-		}
-		decoratedServiceData = append(decoratedServiceData, serviceObject)
-	}
-
-	return decoratedServiceData, nil
-}
-
-func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
-	return object
-}

api/http/proxy/factory.go

@@ -1,6 +1,7 @@
 package proxy
 
 import (
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -14,17 +15,21 @@ type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
 	TeamMembershipService  portainer.TeamMembershipService
 	SettingsService        portainer.SettingsService
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
+	SignatureService       portainer.DigitalSignatureService
 }
 
-func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
 	u.Scheme = "http"
-	return factory.createReverseProxy(u)
+	return newSingleHostReverseProxyWithHostHeader(u)
 }
 
-func (factory *proxyFactory) newHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
-	proxy := factory.createReverseProxy(u)
-	config, err := crypto.CreateTLSConfiguration(endpoint.TLSCACertPath, endpoint.TLSCertPath, endpoint.TLSKeyPath, false)
+
+	proxy := factory.createDockerReverseProxy(u, enableSignature)
+	config, err := crypto.CreateTLSConfiguration(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -33,26 +38,50 @@ func (factory *proxyFactory) newHTTPSProxy(u *url.URL, endpoint *portainer.Endpo
 	return proxy, nil
 }
 
-func (factory *proxyFactory) newSocketProxy(path string) http.Handler {
+func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL, enableSignature bool) http.Handler {
+	u.Scheme = "http"
+	return factory.createDockerReverseProxy(u, enableSignature)
+}
+
+func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	proxy := &socketProxy{}
 	transport := &proxyTransport{
+		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        newSocketTransport(path),
 	}
 	proxy.Transport = transport
 	return proxy
 }
 
-func (factory *proxyFactory) createReverseProxy(u *url.URL) *httputil.ReverseProxy {
+func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, enableSignature bool) *httputil.ReverseProxy {
 	proxy := newSingleHostReverseProxyWithHostHeader(u)
 	transport := &proxyTransport{
+		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
-		dockerTransport:        newHTTPTransport(),
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
+		dockerTransport:        &http.Transport{},
 	}
+
+	if enableSignature {
+		transport.SignatureService = factory.SignatureService
+	}
+
 	proxy.Transport = transport
 	return proxy
 }
+
+func newSocketTransport(socketPath string) *http.Transport {
+	return &http.Transport{
+		Dial: func(proto, addr string) (conn net.Conn, err error) {
+			return net.Dial("unix", socketPath)
+		},
+	}
+}

api/http/proxy/filter.go

@@ -1,112 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// filterVolumeList loops through all volumes, filters volumes without any resource control (public resources) or with
-// any resource control giving access to the user (these volumes will be decorated).
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func filterVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl == nil {
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		}
-	}
-
-	return filteredVolumeData, nil
-}
-
-// filterContainerList loops through all containers, filters containers without any resource control (public resources) or with
-// any resource control giving access to the user (check on container ID and optional Swarm service ID, these containers will be decorated).
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func filterContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl == nil {
-			// check if container is part of a Swarm service
-			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-			if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-				serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-				serviceResourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-				if serviceResourceControl == nil {
-					filteredContainerData = append(filteredContainerData, containerObject)
-				} else if serviceResourceControl != nil && canUserAccessResource(userID, userTeamIDs, serviceResourceControl) {
-					containerObject = decorateObject(containerObject, serviceResourceControl)
-					filteredContainerData = append(filteredContainerData, containerObject)
-				}
-			} else {
-				filteredContainerData = append(filteredContainerData, containerObject)
-			}
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			containerObject = decorateObject(containerObject, resourceControl)
-			filteredContainerData = append(filteredContainerData, containerObject)
-		}
-	}
-
-	return filteredContainerData, nil
-}
-
-// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
-// any labels in the labels black list.
-func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
-	filteredContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-		containerObject := container.(map[string]interface{})
-
-		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-		if containerLabels != nil {
-			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
-				filteredContainerData = append(filteredContainerData, containerObject)
-			}
-		} else {
-			filteredContainerData = append(filteredContainerData, containerObject)
-		}
-	}
-
-	return filteredContainerData, nil
-}
-
-// filterServiceList loops through all services, filters services without any resource control (public resources) or with
-// any resource control giving access to the user (these services will be decorated).
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func filterServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl == nil {
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		}
-	}
-
-	return filteredServiceData, nil
-}

api/http/proxy/manager.go

@@ -3,25 +3,43 @@ package proxy
 import (
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/orcaman/concurrent-map"
 	"github.com/portainer/portainer"
 )
 
-// Manager represents a service used to manage Docker proxies.
-type Manager struct {
-	proxyFactory *proxyFactory
-	proxies      cmap.ConcurrentMap
-}
+type (
+	// Manager represents a service used to manage Docker proxies.
+	Manager struct {
+		proxyFactory     *proxyFactory
+		proxies          cmap.ConcurrentMap
+		extensionProxies cmap.ConcurrentMap
+	}
+
+	// ManagerParams represents the required parameters to create a new Manager instance.
+	ManagerParams struct {
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SignatureService       portainer.DigitalSignatureService
+	}
+)
 
 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService) *Manager {
+func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
-		proxies: cmap.New(),
+		proxies:          cmap.New(),
+		extensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
-			ResourceControlService: resourceControlService,
-			TeamMembershipService:  teamMembershipService,
-			SettingsService:        settingsService,
+			ResourceControlService: parameters.ResourceControlService,
+			TeamMembershipService:  parameters.TeamMembershipService,
+			SettingsService:        parameters.SettingsService,
+			RegistryService:        parameters.RegistryService,
+			DockerHubService:       parameters.DockerHubService,
+			SignatureService:       parameters.SignatureService,
 		},
 	}
 }
@@ -36,18 +54,23 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 		return nil, err
 	}
 
+	enableSignature := false
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		enableSignature = true
+	}
+
 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLS {
-			proxy, err = manager.proxyFactory.newHTTPSProxy(endpointURL, endpoint)
+		if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			proxy = manager.proxyFactory.newHTTPProxy(endpointURL)
+			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
 		}
 	} else {
 		// Assume unix:// scheme
-		proxy = manager.proxyFactory.newSocketProxy(endpointURL.Path)
+		proxy = manager.proxyFactory.newDockerSocketProxy(endpointURL.Path)
 	}
 
 	manager.proxies.Set(string(endpoint.ID), proxy)
@@ -67,3 +90,34 @@ func (manager *Manager) GetProxy(key string) http.Handler {
 func (manager *Manager) DeleteProxy(key string) {
 	manager.proxies.Remove(key)
 }
+
+// CreateAndRegisterExtensionProxy creates a new HTTP reverse proxy for an extension and adds it to the registered proxies.
+func (manager *Manager) CreateAndRegisterExtensionProxy(key, extensionAPIURL string) (http.Handler, error) {
+
+	extensionURL, err := url.Parse(extensionAPIURL)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := manager.proxyFactory.newExtensionHTTPPRoxy(extensionURL)
+	manager.extensionProxies.Set(key, proxy)
+	return proxy, nil
+}
+
+// GetExtensionProxy returns the extension proxy associated to a key
+func (manager *Manager) GetExtensionProxy(key string) http.Handler {
+	proxy, ok := manager.extensionProxies.Get(key)
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// DeleteExtensionProxies deletes all the extension proxies associated to a key
+func (manager *Manager) DeleteExtensionProxies(key string) {
+	for _, k := range manager.extensionProxies.Keys() {
+		if strings.Contains(k, key+"_") {
+			manager.extensionProxies.Remove(k)
+		}
+	}
+}

api/http/proxy/networks.go

@@ -0,0 +1,134 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerNetworkIdentifierNotFound defines an error raised when Portainer is unable to find a network identifier
+	ErrDockerNetworkIdentifierNotFound = portainer.Error("Docker network identifier not found")
+	networkIdentifier                  = "Id"
+	networkLabelForStackIdentifier     = "com.docker.stack.namespace"
+)
+
+// networkListOperation extracts the response as a JSON object, loop through the networks array
+// decorate and/or filter the networks based on resource controls before rewriting the response
+func networkListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+	// NetworkList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateNetworkList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterNetworkList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// networkInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the network based on resource control and either rewrite an access denied response
+// or a decorated network.
+func networkInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// NetworkInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[networkIdentifier] == nil {
+		return ErrDockerNetworkIdentifierNotFound
+	}
+
+	networkID := responseObject[networkIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, networkID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	networkLabels := extractNetworkLabelsFromNetworkInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(networkLabels, responseObject, networkLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractNetworkLabelsFromNetworkInspectObject retrieve the Labels of the network if present.
+// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
+func extractNetworkLabelsFromNetworkInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractNetworkLabelsFromNetworkListObject retrieve the Labels of the network if present.
+// Network schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func extractNetworkLabelsFromNetworkListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateNetworkList loops through all networks and decorates any network with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func decorateNetworkList(networkData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject = decorateResourceWithAccessControl(networkObject, networkID, resourceControls)
+
+		networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+		networkObject = decorateResourceWithAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, resourceControls)
+
+		decoratedNetworkData = append(decoratedNetworkData, networkObject)
+	}
+
+	return decoratedNetworkData, nil
+}
+
+// filterNetworkList loops through all networks and filters public networks (no associated resource control)
+// as well as authorized networks (access granted to the user based on existing resource control).
+// Authorized networks are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func filterNetworkList(networkData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject, access := applyResourceAccessControl(networkObject, networkID, context)
+		if access {
+			networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+			networkObject, access = applyResourceAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, context)
+			if access {
+				filteredNetworkData = append(filteredNetworkData, networkObject)
+			}
+		}
+	}
+
+	return filteredNetworkData, nil
+}

api/http/proxy/registry.go

@@ -0,0 +1,37 @@
+package proxy
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+)
+
+func createRegistryAuthenticationHeader(serverAddress string, accessContext *registryAccessContext) *registryAuthenticationHeader {
+	var authenticationHeader *registryAuthenticationHeader
+
+	if serverAddress == "" {
+		authenticationHeader = &registryAuthenticationHeader{
+			Username:      accessContext.dockerHub.Username,
+			Password:      accessContext.dockerHub.Password,
+			Serveraddress: "docker.io",
+		}
+	} else {
+		var matchingRegistry *portainer.Registry
+		for _, registry := range accessContext.registries {
+			if registry.URL == serverAddress &&
+				(accessContext.isAdmin || (!accessContext.isAdmin && security.AuthorizedRegistryAccess(&registry, accessContext.userID, accessContext.teamMemberships))) {
+				matchingRegistry = &registry
+				break
+			}
+		}
+
+		if matchingRegistry != nil {
+			authenticationHeader = &registryAuthenticationHeader{
+				Username:      matchingRegistry.Username,
+				Password:      matchingRegistry.Password,
+				Serveraddress: matchingRegistry.URL,
+			}
+		}
+	}
+
+	return authenticationHeader
+}

api/http/proxy/response.go

@@ -13,6 +13,8 @@ import (
 const (
 	// ErrEmptyResponseBody defines an error raised when portainer excepts to parse the body of a HTTP response and there is nothing to parse
 	ErrEmptyResponseBody = portainer.Error("Empty response body")
+	// ErrInvalidResponseContent defines an error raised when Portainer excepts a JSON array and get something else.
+	ErrInvalidResponseContent = portainer.Error("Invalid Docker response")
 )
 
 func extractJSONField(jsonObject map[string]interface{}, key string) map[string]interface{} {
@@ -39,8 +41,17 @@ func getResponseAsJSONArray(response *http.Response) ([]interface{}, error) {
 		return nil, err
 	}
 
-	responseObject := responseData.([]interface{})
-	return responseObject, nil
+	switch responseObject := responseData.(type) {
+	case []interface{}:
+		return responseObject, nil
+	case map[string]interface{}:
+		if responseObject["message"] != nil {
+			return nil, portainer.Error(responseObject["message"].(string))
+		}
+		return nil, ErrInvalidResponseContent
+	default:
+		return nil, ErrInvalidResponseContent
+	}
 }
 
 func getResponseBodyAsGenericJSON(response *http.Response) (interface{}, error) {

api/http/proxy/secrets.go

@@ -0,0 +1,107 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerSecretIdentifierNotFound defines an error raised when Portainer is unable to find a secret identifier
+	ErrDockerSecretIdentifierNotFound = portainer.Error("Docker secret identifier not found")
+	secretIdentifier                  = "ID"
+)
+
+// secretListOperation extracts the response as a JSON object, loop through the secrets array
+// decorate and/or filter the secrets based on resource controls before rewriting the response
+func secretListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// SecretList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateSecretList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterSecretList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// secretInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated secret.
+func secretInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// SecretInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[secretIdentifier] == nil {
+		return ErrDockerSecretIdentifierNotFound
+	}
+
+	secretID := responseObject[secretIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, secretID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// decorateSecretList loops through all secrets and decorates any secret with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func decorateSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject = decorateResourceWithAccessControl(secretObject, secretID, resourceControls)
+
+		decoratedSecretData = append(decoratedSecretData, secretObject)
+	}
+
+	return decoratedSecretData, nil
+}
+
+// filterSecretList loops through all secrets and filters public secrets (no associated resource control)
+// as well as authorized secrets (access granted to the user based on existing resource control).
+// Authorized secrets are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func filterSecretList(secretData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject, access := applyResourceAccessControl(secretObject, secretID, context)
+		if access {
+			filteredSecretData = append(filteredSecretData, secretObject)
+		}
+	}
+
+	return filteredSecretData, nil
+}

api/http/proxy/service.go

@@ -1,64 +0,0 @@
-package proxy
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer"
-)
-
-const (
-	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
-	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
-	serviceIdentifier                  = "ID"
-)
-
-// serviceListOperation extracts the response as a JSON array, loop through the service array
-// decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
-	var err error
-	// ServiceList response is a JSON array
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-	responseArray, err := getResponseAsJSONArray(response)
-	if err != nil {
-		return err
-	}
-
-	if executor.operationContext.isAdmin {
-		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
-	} else {
-		responseArray, err = filterServiceList(responseArray, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
-	}
-	if err != nil {
-		return err
-	}
-
-	return rewriteResponse(response, responseArray, http.StatusOK)
-}
-
-// serviceInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the service based on resource control and either rewrite an access denied response
-// or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
-	// ServiceInspect response is a JSON object
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
-	responseObject, err := getResponseAsJSONOBject(response)
-	if err != nil {
-		return err
-	}
-
-	if responseObject[serviceIdentifier] == nil {
-		return ErrDockerServiceIdentifierNotFound
-	}
-	serviceID := responseObject[serviceIdentifier].(string)
-
-	resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
-	}
-
-	return rewriteResponse(response, responseObject, http.StatusOK)
-}

api/http/proxy/services.go

@@ -0,0 +1,142 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
+	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
+	serviceIdentifier                  = "ID"
+	serviceLabelForStackIdentifier     = "com.docker.stack.namespace"
+)
+
+// serviceListOperation extracts the response as a JSON array, loop through the service array
+// decorate and/or filter the services based on resource controls before rewriting the response
+func serviceListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+	// ServiceList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterServiceList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// serviceInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the service based on resource control and either rewrite an access denied response
+// or a decorated service.
+func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// ServiceInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[serviceIdentifier] == nil {
+		return ErrDockerServiceIdentifierNotFound
+	}
+
+	serviceID := responseObject[serviceIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+func extractServiceLabelsFromServiceInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// extractServiceLabelsFromServiceListObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func extractServiceLabelsFromServiceListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// decorateServiceList loops through all services and decorates any service with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject = decorateResourceWithAccessControl(serviceObject, serviceID, resourceControls)
+
+		serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+		serviceObject = decorateResourceWithAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, resourceControls)
+
+		decoratedServiceData = append(decoratedServiceData, serviceObject)
+	}
+
+	return decoratedServiceData, nil
+}
+
+// filterServiceList loops through all services and filters public services (no associated resource control)
+// as well as authorized services (access granted to the user based on existing resource control).
+// Authorized services are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func filterServiceList(serviceData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)
+		if access {
+			serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+			serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)
+			if access {
+				filteredServiceData = append(filteredServiceData, serviceObject)
+			}
+		}
+	}
+
+	return filteredServiceData, nil
+}

api/http/proxy/socket.go

@@ -34,6 +34,9 @@ func (proxy *socketProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add(k, v)
 		}
 	}
+
+	w.WriteHeader(res.StatusCode)
+
 	if _, err := io.Copy(w, res.Body); err != nil {
 		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
 	}

api/http/proxy/tasks.go

@@ -0,0 +1,78 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerTaskServiceIdentifierNotFound defines an error raised when Portainer is unable to find the service identifier associated to a task
+	ErrDockerTaskServiceIdentifierNotFound = portainer.Error("Docker task service identifier not found")
+	taskServiceIdentifier                  = "ServiceID"
+	taskLabelForStackIdentifier            = "com.docker.stack.namespace"
+)
+
+// taskListOperation extracts the response as a JSON object, loop through the tasks array
+// and filter the tasks based on resource controls before rewriting the response
+func taskListOperation(response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// TaskList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if !executor.operationContext.isAdmin {
+		responseArray, err = filterTaskList(responseArray, executor.operationContext)
+		if err != nil {
+			return err
+		}
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// extractTaskLabelsFromTaskListObject retrieve the Labels of the task if present.
+// Task schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+func extractTaskLabelsFromTaskListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.ContainerSpec.Labels
+	taskSpecObject := extractJSONField(responseObject, "Spec")
+	if taskSpecObject != nil {
+		containerSpecObject := extractJSONField(taskSpecObject, "ContainerSpec")
+		if containerSpecObject != nil {
+			return extractJSONField(containerSpecObject, "Labels")
+		}
+	}
+	return nil
+}
+
+// filterTaskList loops through all tasks and filters public tasks (no associated resource control)
+// as well as authorized tasks (access granted to the user based on existing resource control).
+// Resource controls checks are based on: service identifier, stack identifier (from label).
+// Task object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+// any resource control giving access to the user based on the associated service identifier.
+func filterTaskList(taskData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredTaskData := make([]interface{}, 0)
+
+	for _, task := range taskData {
+		taskObject := task.(map[string]interface{})
+		if taskObject[taskServiceIdentifier] == nil {
+			return nil, ErrDockerTaskServiceIdentifierNotFound
+		}
+
+		serviceID := taskObject[taskServiceIdentifier].(string)
+		taskObject, access := applyResourceAccessControl(taskObject, serviceID, context)
+		if access {
+			taskLabels := extractTaskLabelsFromTaskListObject(taskObject)
+			taskObject, access = applyResourceAccessControlFromLabel(taskLabels, taskObject, taskLabelForStackIdentifier, context)
+			if access {
+				filteredTaskData = append(filteredTaskData, taskObject)
+			}
+		}
+	}
+
+	return filteredTaskData, nil
+}

api/http/proxy/transport.go

@@ -1,21 +1,29 @@
 package proxy
 
 import (
-	"net"
+	"encoding/base64"
+	"encoding/json"
 	"net/http"
 	"path"
+	"regexp"
 	"strings"
 
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/http/security"
 )
 
+var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
+
 type (
 	proxyTransport struct {
 		dockerTransport        *http.Transport
+		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
+		SignatureService       portainer.DigitalSignatureService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@@ -23,25 +31,26 @@ type (
 		userTeamIDs      []portainer.TeamID
 		resourceControls []portainer.ResourceControl
 	}
+	registryAccessContext struct {
+		isAdmin         bool
+		userID          portainer.UserID
+		teamMemberships []portainer.TeamMembership
+		registries      []portainer.Registry
+		dockerHub       *portainer.DockerHub
+	}
+	registryAuthenticationHeader struct {
+		Username      string `json:"username"`
+		Password      string `json:"password"`
+		Serveraddress string `json:"serveraddress"`
+	}
 	operationExecutor struct {
 		operationContext *restrictedOperationContext
 		labelBlackList   []portainer.Pair
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
+	restrictedOperationRequest func(*http.Response, *operationExecutor) error
+	operationRequest           func(*http.Request) error
 )
 
-func newSocketTransport(socketPath string) *http.Transport {
-	return &http.Transport{
-		Dial: func(proto, addr string) (conn net.Conn, err error) {
-			return net.Dial("unix", socketPath)
-		},
-	}
-}
-
-func newHTTPTransport() *http.Transport {
-	return &http.Transport{}
-}
-
 func (p *proxyTransport) RoundTrip(request *http.Request) (*http.Response, error) {
 	return p.proxyDockerRequest(request)
 }
@@ -51,19 +60,63 @@ func (p *proxyTransport) executeDockerRequest(request *http.Request) (*http.Resp
 }
 
 func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Response, error) {
-	path := request.URL.Path
+	path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
+	request.URL.Path = path
 
-	if strings.HasPrefix(path, "/containers") {
-		return p.proxyContainerRequest(request)
-	} else if strings.HasPrefix(path, "/services") {
-		return p.proxyServiceRequest(request)
-	} else if strings.HasPrefix(path, "/volumes") {
-		return p.proxyVolumeRequest(request)
-	} else if strings.HasPrefix(path, "/swarm") {
-		return p.proxySwarmRequest(request)
+	if p.enableSignature {
+		signature, err := p.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+		if err != nil {
+			return nil, err
+		}
+
+		request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
+		request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
 	}
 
-	return p.executeDockerRequest(request)
+	switch {
+	case strings.HasPrefix(path, "/configs"):
+		return p.proxyConfigRequest(request)
+	case strings.HasPrefix(path, "/containers"):
+		return p.proxyContainerRequest(request)
+	case strings.HasPrefix(path, "/services"):
+		return p.proxyServiceRequest(request)
+	case strings.HasPrefix(path, "/volumes"):
+		return p.proxyVolumeRequest(request)
+	case strings.HasPrefix(path, "/networks"):
+		return p.proxyNetworkRequest(request)
+	case strings.HasPrefix(path, "/secrets"):
+		return p.proxySecretRequest(request)
+	case strings.HasPrefix(path, "/swarm"):
+		return p.proxySwarmRequest(request)
+	case strings.HasPrefix(path, "/nodes"):
+		return p.proxyNodeRequest(request)
+	case strings.HasPrefix(path, "/tasks"):
+		return p.proxyTaskRequest(request)
+	case strings.HasPrefix(path, "/build"):
+		return p.proxyBuildRequest(request)
+	case strings.HasPrefix(path, "/images"):
+		return p.proxyImageRequest(request)
+	default:
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyConfigRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/configs/create":
+		return p.executeDockerRequest(request)
+
+	case "/configs":
+		return p.rewriteOperation(request, configListOperation)
+
+	default:
+		// assume /configs/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, configInspectOperation)
+		}
+		configID := path.Base(requestPath)
+		return p.restrictedOperation(request, configID)
+	}
 }
 
 func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
@@ -100,7 +153,7 @@ func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Res
 func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/services/create":
-		return p.executeDockerRequest(request)
+		return p.replaceRegistryAuthenticationHeader(request)
 
 	case "/services":
 		return p.rewriteOperation(request, serviceListOperation)
@@ -145,8 +198,123 @@ func (p *proxyTransport) proxyVolumeRequest(request *http.Request) (*http.Respon
 	}
 }
 
+func (p *proxyTransport) proxyNetworkRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/networks/create":
+		return p.executeDockerRequest(request)
+
+	case "/networks":
+		return p.rewriteOperation(request, networkListOperation)
+
+	default:
+		// assume /networks/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, networkInspectOperation)
+		}
+		networkID := path.Base(requestPath)
+		return p.restrictedOperation(request, networkID)
+	}
+}
+
+func (p *proxyTransport) proxySecretRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/secrets/create":
+		return p.executeDockerRequest(request)
+
+	case "/secrets":
+		return p.rewriteOperation(request, secretListOperation)
+
+	default:
+		// assume /secrets/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, secretInspectOperation)
+		}
+		secretID := path.Base(requestPath)
+		return p.restrictedOperation(request, secretID)
+	}
+}
+
+func (p *proxyTransport) proxyNodeRequest(request *http.Request) (*http.Response, error) {
+	requestPath := request.URL.Path
+
+	// assume /nodes/{id}
+	if path.Base(requestPath) != "nodes" {
+		return p.administratorOperation(request)
+	}
+
+	return p.executeDockerRequest(request)
+}
+
 func (p *proxyTransport) proxySwarmRequest(request *http.Request) (*http.Response, error) {
-	return p.administratorOperation(request)
+	switch requestPath := request.URL.Path; requestPath {
+	case "/swarm":
+		return p.executeDockerRequest(request)
+	default:
+		// assume /swarm/{action}
+		return p.administratorOperation(request)
+	}
+}
+
+func (p *proxyTransport) proxyTaskRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/tasks":
+		return p.rewriteOperation(request, taskListOperation)
+	default:
+		// assume /tasks/{id}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyBuildRequest(request *http.Request) (*http.Response, error) {
+	return p.interceptAndRewriteRequest(request, buildOperation)
+}
+
+func (p *proxyTransport) proxyImageRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/images/create":
+		return p.replaceRegistryAuthenticationHeader(request)
+	default:
+		if path.Base(requestPath) == "push" && request.Method == http.MethodPost {
+			return p.replaceRegistryAuthenticationHeader(request)
+		}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) replaceRegistryAuthenticationHeader(request *http.Request) (*http.Response, error) {
+	accessContext, err := p.createRegistryAccessContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	originalHeader := request.Header.Get("X-Registry-Auth")
+
+	if originalHeader != "" {
+
+		decodedHeaderData, err := base64.StdEncoding.DecodeString(originalHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		var originalHeaderData registryAuthenticationHeader
+		err = json.Unmarshal(decodedHeaderData, &originalHeaderData)
+		if err != nil {
+			return nil, err
+		}
+
+		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.Serveraddress, accessContext)
+
+		headerData, err := json.Marshal(authenticationHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		header := base64.StdEncoding.EncodeToString(headerData)
+
+		request.Header.Set("X-Registry-Auth", header)
+	}
+
+	return p.executeDockerRequest(request)
 }
 
 // restrictedOperation ensures that the current user has the required authorizations
@@ -184,7 +352,7 @@ func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID s
 	return p.executeDockerRequest(request)
 }
 
-// rewriteOperation will create a new operation context with data that will be used
+// rewriteOperationWithLabelFiltering will create a new operation context with data that will be used
 // to decorate the original request's response as well as retrieve all the black listed labels
 // to filter the resources.
 func (p *proxyTransport) rewriteOperationWithLabelFiltering(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
@@ -221,13 +389,22 @@ func (p *proxyTransport) rewriteOperation(request *http.Request, operation restr
 	return p.executeRequestAndRewriteResponse(request, operation, executor)
 }
 
+func (p *proxyTransport) interceptAndRewriteRequest(request *http.Request, operation operationRequest) (*http.Response, error) {
+	err := operation(request)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.executeDockerRequest(request)
+}
+
 func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request, operation restrictedOperationRequest, executor *operationExecutor) (*http.Response, error) {
 	response, err := p.executeDockerRequest(request)
 	if err != nil {
 		return response, err
 	}
 
-	err = operation(request, response, executor)
+	err = operation(response, executor)
 	return response, err
 }
 
@@ -246,6 +423,43 @@ func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Re
 	return p.executeDockerRequest(request)
 }
 
+func (p *proxyTransport) createRegistryAccessContext(request *http.Request) (*registryAccessContext, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	accessContext := &registryAccessContext{
+		isAdmin: true,
+		userID:  tokenData.ID,
+	}
+
+	hub, err := p.DockerHubService.DockerHub()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.dockerHub = hub
+
+	registries, err := p.RegistryService.Registries()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.registries = registries
+
+	if tokenData.Role != portainer.AdministratorRole {
+		accessContext.isAdmin = false
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		accessContext.teamMemberships = teamMemberships
+	}
+
+	return accessContext, nil
+}
+
 func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedOperationContext, error) {
 	var err error
 	tokenData, err := security.RetrieveTokenData(request)

api/http/proxy/utils.go

@@ -1,32 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
-	for _, resourceControl := range resourceControls {
-		if resourceID == resourceControl.ResourceID {
-			return &resourceControl
-		}
-		for _, subResourceID := range resourceControl.SubResourceIDs {
-			if resourceID == subResourceID {
-				return &resourceControl
-			}
-		}
-	}
-	return nil
-}
-
-func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
-	for key, value := range containerLabels {
-		labelName := key
-		labelValue := value.(string)
-
-		for _, blackListedLabel := range labelBlackList {
-			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
-				return true
-			}
-		}
-	}
-
-	return false
-}

api/http/proxy/volumes.go

@@ -10,11 +10,12 @@ const (
 	// ErrDockerVolumeIdentifierNotFound defines an error raised when Portainer is unable to find a volume identifier
 	ErrDockerVolumeIdentifierNotFound = portainer.Error("Docker volume identifier not found")
 	volumeIdentifier                  = "Name"
+	volumeLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@@ -31,7 +32,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 		if executor.operationContext.isAdmin {
 			volumeData, err = decorateVolumeList(volumeData, executor.operationContext.resourceControls)
 		} else {
-			volumeData, err = filterVolumeList(volumeData, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
+			volumeData, err = filterVolumeList(volumeData, executor.operationContext)
 		}
 		if err != nil {
 			return err
@@ -45,9 +46,9 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 }
 
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the volume based on resource control and either rewrite an access denied response
+// has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@@ -58,16 +59,85 @@ func volumeInspectOperation(request *http.Request, response *http.Response, exec
 	if responseObject[volumeIdentifier] == nil {
 		return ErrDockerVolumeIdentifierNotFound
 	}
-	volumeID := responseObject[volumeIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(volumeID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	volumeID := responseObject[volumeIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, volumeID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	volumeLabels := extractVolumeLabelsFromVolumeInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(volumeLabels, responseObject, volumeLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
 }
+
+// extractVolumeLabelsFromVolumeInspectObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+func extractVolumeLabelsFromVolumeInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractVolumeLabelsFromVolumeListObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func extractVolumeLabelsFromVolumeListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateVolumeList loops through all volumes and decorates any volume with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject = decorateResourceWithAccessControl(volumeObject, volumeID, resourceControls)
+
+		volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+		volumeObject = decorateResourceWithAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, resourceControls)
+
+		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
+	}
+
+	return decoratedVolumeData, nil
+}
+
+// filterVolumeList loops through all volumes and filters public volumes (no associated resource control)
+// as well as authorized volumes (access granted to the user based on existing resource control).
+// Authorized volumes are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func filterVolumeList(volumeData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject, access := applyResourceAccessControl(volumeObject, volumeID, context)
+		if access {
+			volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+			volumeObject, access = applyResourceAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, context)
+			if access {
+				filteredVolumeData = append(filteredVolumeData, volumeObject)
+			}
+		}
+	}
+
+	return filteredVolumeData, nil
+}

api/http/security/authorization.go

@@ -121,3 +121,44 @@ func AuthorizedUserManagement(userID portainer.UserID, context *RestrictedReques
 	}
 	return false
 }
+
+// AuthorizedEndpointAccess ensure that the user can access the specified endpoint.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams of the endpoint and the associated group.
+func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	groupAccess := authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
+	if !groupAccess {
+		return authorizedAccess(userID, memberships, endpoint.AuthorizedUsers, endpoint.AuthorizedTeams)
+	}
+	return true
+}
+
+// AuthorizedEndpointGroupAccess ensure that the user can access the specified endpoint group.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams.
+func AuthorizedEndpointGroupAccess(endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	return authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
+}
+
+// AuthorizedRegistryAccess ensure that the user can access the specified registry.
+// It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams.
+func AuthorizedRegistryAccess(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	return authorizedAccess(userID, memberships, registry.AuthorizedUsers, registry.AuthorizedTeams)
+}
+
+func authorizedAccess(userID portainer.UserID, memberships []portainer.TeamMembership, authorizedUsers []portainer.UserID, authorizedTeams []portainer.TeamID) bool {
+	for _, authorizedUserID := range authorizedUsers {
+		if authorizedUserID == userID {
+			return true
+		}
+	}
+	for _, membership := range memberships {
+		for _, authorizedTeamID := range authorizedTeams {
+			if membership.TeamID == authorizedTeamID {
+				return true
+			}
+		}
+	}
+	return false
+}

api/http/security/bouncer.go

@@ -12,6 +12,7 @@ type (
 	// RequestBouncer represents an entity that manages API request accesses
 	RequestBouncer struct {
 		jwtService            portainer.JWTService
+		userService           portainer.UserService
 		teamMembershipService portainer.TeamMembershipService
 		authDisabled          bool
 	}
@@ -27,9 +28,10 @@ type (
 )
 
 // NewRequestBouncer initializes a new RequestBouncer
-func NewRequestBouncer(jwtService portainer.JWTService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer {
+func NewRequestBouncer(jwtService portainer.JWTService, userService portainer.UserService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer {
 	return &RequestBouncer{
 		jwtService:            jwtService,
+		userService:           userService,
 		teamMembershipService: teamMembershipService,
 		authDisabled:          authDisabled,
 	}
@@ -136,6 +138,15 @@ func (bouncer *RequestBouncer) mwCheckAuthentication(next http.Handler) http.Han
 				httperror.WriteErrorResponse(w, err, http.StatusUnauthorized, nil)
 				return
 			}
+
+			_, err = bouncer.userService.User(tokenData.ID)
+			if err != nil && err == portainer.ErrUserNotFound {
+				httperror.WriteErrorResponse(w, portainer.ErrUnauthorized, http.StatusUnauthorized, nil)
+				return
+			} else if err != nil {
+				httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
+				return
+			}
 		} else {
 			tokenData = &portainer.TokenData{
 				Role: portainer.AdministratorRole,

api/http/security/filter.go

@@ -61,7 +61,7 @@ func FilterUsers(users []portainer.User, context *RestrictedRequestContext) []po
 }
 
 // FilterRegistries filters registries based on user role and team memberships.
-// Non administrator users only have access to authorized endpoints.
+// Non administrator users only have access to authorized registries.
 func FilterRegistries(registries []portainer.Registry, context *RestrictedRequestContext) ([]portainer.Registry, error) {
 
 	filteredRegistries := registries
@@ -69,7 +69,7 @@ func FilterRegistries(registries []portainer.Registry, context *RestrictedReques
 		filteredRegistries = make([]portainer.Registry, 0)
 
 		for _, registry := range registries {
-			if isRegistryAccessAuthorized(&registry, context.UserID, context.UserMemberships) {
+			if AuthorizedRegistryAccess(&registry, context.UserID, context.UserMemberships) {
 				filteredRegistries = append(filteredRegistries, registry)
 			}
 		}
@@ -79,15 +79,17 @@ func FilterRegistries(registries []portainer.Registry, context *RestrictedReques
 }
 
 // FilterEndpoints filters endpoints based on user role and team memberships.
-// Non administrator users only have access to authorized endpoints.
-func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
+// Non administrator users only have access to authorized endpoints (can be inherited via endoint groups).
+func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
 	filteredEndpoints := endpoints
 
 	if !context.IsAdmin {
 		filteredEndpoints = make([]portainer.Endpoint, 0)
 
 		for _, endpoint := range endpoints {
-			if isEndpointAccessAuthorized(&endpoint, context.UserID, context.UserMemberships) {
+			endpointGroup := getAssociatedGroup(&endpoint, groups)
+
+			if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
 				filteredEndpoints = append(filteredEndpoints, endpoint)
 			}
 		}
@@ -96,34 +98,29 @@ func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestC
 	return filteredEndpoints, nil
 }
 
-func isRegistryAccessAuthorized(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range registry.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range registry.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
+// FilterEndpointGroups filters endpoint groups based on user role and team memberships.
+// Non administrator users only have access to authorized endpoint groups.
+func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.EndpointGroup, error) {
+	filteredEndpointGroups := endpointGroups
+
+	if !context.IsAdmin {
+		filteredEndpointGroups = make([]portainer.EndpointGroup, 0)
+
+		for _, group := range endpointGroups {
+			if AuthorizedEndpointGroupAccess(&group, context.UserID, context.UserMemberships) {
+				filteredEndpointGroups = append(filteredEndpointGroups, group)
 			}
 		}
 	}
-	return false
+
+	return filteredEndpointGroups, nil
 }
 
-func isEndpointAccessAuthorized(endpoint *portainer.Endpoint, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
+func getAssociatedGroup(endpoint *portainer.Endpoint, groups []portainer.EndpointGroup) *portainer.EndpointGroup {
+	for _, group := range groups {
+		if group.ID == endpoint.GroupID {
+			return &group
 		}
 	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
+	return nil
 }

api/http/security/rate_limiter.go

@@ -0,0 +1,47 @@
+package security
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/g07cha/defender"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+)
+
+// RateLimiter represents an entity that manages request rate limiting
+type RateLimiter struct {
+	*defender.Defender
+}
+
+// NewRateLimiter initializes a new RateLimiter
+func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter {
+	messages := make(chan struct{})
+	limiter := defender.New(maxRequests, duration, banDuration)
+	go limiter.CleanupTask(messages)
+	return &RateLimiter{
+		limiter,
+	}
+}
+
+// LimitAccess wraps current request with check if remote address does not goes above the defined limits
+func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip := StripAddrPort(r.RemoteAddr)
+		if banned := limiter.Inc(ip); banned == true {
+			httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, nil)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// StripAddrPort removes port from IP address
+func StripAddrPort(addr string) string {
+	portIndex := strings.LastIndex(addr, ":")
+	if portIndex != -1 {
+		addr = addr[:portIndex]
+	}
+	return addr
+}

api/http/security/rate_limiter_test.go

@@ -0,0 +1,69 @@
+package security
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestLimitAccess(t *testing.T) {
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	t.Run("Request below the limit", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/", nil)
+		rr := httptest.NewRecorder()
+		rateLimiter := NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+		handler := rateLimiter.LimitAccess(testHandler)
+
+		handler.ServeHTTP(rr, req)
+
+		if status := rr.Code; status != http.StatusOK {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusOK)
+		}
+	})
+
+	t.Run("Request above the limit", func(t *testing.T) {
+		rateLimiter := NewRateLimiter(1, 1*time.Second, 1*time.Hour)
+		handler := rateLimiter.LimitAccess(testHandler)
+
+		ts := httptest.NewServer(handler)
+		defer ts.Close()
+		http.Get(ts.URL)
+		resp, err := http.Get(ts.URL)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if status := resp.StatusCode; status != http.StatusForbidden {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusForbidden)
+		}
+	})
+}
+
+func TestStripAddrPort(t *testing.T) {
+	t.Run("IP with port", func(t *testing.T) {
+		result := StripAddrPort("127.0.0.1:1000")
+		if result != "127.0.0.1" {
+			t.Errorf("Expected IP with address to be '127.0.0.1', but it was %s instead", result)
+		}
+	})
+
+	t.Run("IP without port", func(t *testing.T) {
+		result := StripAddrPort("127.0.0.1")
+		if result != "127.0.0.1" {
+			t.Errorf("Expected IP with address to be '127.0.0.1', but it was %s instead", result)
+		}
+	})
+
+	t.Run("Local IP", func(t *testing.T) {
+		result := StripAddrPort("[::1]:1000")
+		if result != "[::1]" {
+			t.Errorf("Expected IP with address to be '[::1]', but it was %s instead", result)
+		}
+	})
+}

api/http/server.go

@@ -1,12 +1,16 @@
 package http
 
 import (
+	"time"
+
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/http/handler"
+	"github.com/portainer/portainer/http/handler/extensions"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
 
 	"net/http"
+	"path/filepath"
 )
 
 // Server implements the portainer.Server interface
@@ -20,6 +24,7 @@ type Server struct {
 	TeamService            portainer.TeamService
 	TeamMembershipService  portainer.TeamMembershipService
 	EndpointService        portainer.EndpointService
+	EndpointGroupService   portainer.EndpointGroupService
 	ResourceControlService portainer.ResourceControlService
 	SettingsService        portainer.SettingsService
 	CryptoService          portainer.CryptoService
@@ -27,7 +32,11 @@ type Server struct {
 	FileService            portainer.FileService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
+	StackService           portainer.StackService
+	StackManager           portainer.StackManager
 	LDAPService            portainer.LDAPService
+	GitService             portainer.GitService
+	SignatureService       portainer.DigitalSignatureService
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@@ -36,10 +45,20 @@ type Server struct {
 
 // Start starts the HTTP server
 func (server *Server) Start() error {
-	requestBouncer := security.NewRequestBouncer(server.JWTService, server.TeamMembershipService, server.AuthDisabled)
-	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService)
+	requestBouncer := security.NewRequestBouncer(server.JWTService, server.UserService, server.TeamMembershipService, server.AuthDisabled)
+	proxyManagerParameters := &proxy.ManagerParams{
+		ResourceControlService: server.ResourceControlService,
+		TeamMembershipService:  server.TeamMembershipService,
+		SettingsService:        server.SettingsService,
+		RegistryService:        server.RegistryService,
+		DockerHubService:       server.DockerHubService,
+		SignatureService:       server.SignatureService,
+	}
+	proxyManager := proxy.NewManager(proxyManagerParameters)
+	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
 
-	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
+	var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public"))
+	var authHandler = handler.NewAuthHandler(requestBouncer, rateLimiter, server.AuthDisabled)
 	authHandler.UserService = server.UserService
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
@@ -66,14 +85,20 @@ func (server *Server) Start() error {
 	templatesHandler.SettingsService = server.SettingsService
 	var dockerHandler = handler.NewDockerHandler(requestBouncer)
 	dockerHandler.EndpointService = server.EndpointService
+	dockerHandler.EndpointGroupService = server.EndpointGroupService
 	dockerHandler.TeamMembershipService = server.TeamMembershipService
 	dockerHandler.ProxyManager = proxyManager
 	var websocketHandler = handler.NewWebSocketHandler()
 	websocketHandler.EndpointService = server.EndpointService
+	websocketHandler.SignatureService = server.SignatureService
 	var endpointHandler = handler.NewEndpointHandler(requestBouncer, server.EndpointManagement)
 	endpointHandler.EndpointService = server.EndpointService
+	endpointHandler.EndpointGroupService = server.EndpointGroupService
 	endpointHandler.FileService = server.FileService
 	endpointHandler.ProxyManager = proxyManager
+	var endpointGroupHandler = handler.NewEndpointGroupHandler(requestBouncer)
+	endpointGroupHandler.EndpointGroupService = server.EndpointGroupService
+	endpointGroupHandler.EndpointService = server.EndpointService
 	var registryHandler = handler.NewRegistryHandler(requestBouncer)
 	registryHandler.RegistryService = server.RegistryService
 	var dockerHubHandler = handler.NewDockerHubHandler(requestBouncer)
@@ -82,7 +107,23 @@ func (server *Server) Start() error {
 	resourceHandler.ResourceControlService = server.ResourceControlService
 	var uploadHandler = handler.NewUploadHandler(requestBouncer)
 	uploadHandler.FileService = server.FileService
-	var fileHandler = handler.NewFileHandler(server.AssetsPath)
+	var stackHandler = handler.NewStackHandler(requestBouncer)
+	stackHandler.FileService = server.FileService
+	stackHandler.StackService = server.StackService
+	stackHandler.EndpointService = server.EndpointService
+	stackHandler.ResourceControlService = server.ResourceControlService
+	stackHandler.StackManager = server.StackManager
+	stackHandler.GitService = server.GitService
+	stackHandler.RegistryService = server.RegistryService
+	stackHandler.DockerHubService = server.DockerHubService
+	var extensionHandler = handler.NewExtensionHandler(requestBouncer)
+	extensionHandler.EndpointService = server.EndpointService
+	extensionHandler.ProxyManager = proxyManager
+	var storidgeHandler = extensions.NewStoridgeHandler(requestBouncer)
+	storidgeHandler.EndpointService = server.EndpointService
+	storidgeHandler.EndpointGroupService = server.EndpointGroupService
+	storidgeHandler.TeamMembershipService = server.TeamMembershipService
+	storidgeHandler.ProxyManager = proxyManager
 
 	server.Handler = &handler.Handler{
 		AuthHandler:           authHandler,
@@ -90,16 +131,20 @@ func (server *Server) Start() error {
 		TeamHandler:           teamHandler,
 		TeamMembershipHandler: teamMembershipHandler,
 		EndpointHandler:       endpointHandler,
+		EndpointGroupHandler:  endpointGroupHandler,
 		RegistryHandler:       registryHandler,
 		DockerHubHandler:      dockerHubHandler,
 		ResourceHandler:       resourceHandler,
 		SettingsHandler:       settingsHandler,
 		StatusHandler:         statusHandler,
+		StackHandler:          stackHandler,
 		TemplatesHandler:      templatesHandler,
 		DockerHandler:         dockerHandler,
 		WebSocketHandler:      websocketHandler,
 		FileHandler:           fileHandler,
 		UploadHandler:         uploadHandler,
+		ExtensionHandler:      extensionHandler,
+		StoridgeHandler:       storidgeHandler,
 	}
 
 	if server.SSL {

api/ldap/ldap.go

@@ -33,7 +33,10 @@ func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearc
 
 		// Deliberately skip errors on the search request so that we can jump to other search settings
 		// if any issue arise with the current one.
-		sr, _ := conn.Search(searchRequest)
+		sr, err := conn.Search(searchRequest)
+		if err != nil {
+			continue
+		}
 
 		if len(sr.Entries) == 1 {
 			found = true
@@ -52,7 +55,7 @@ func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearc
 func createConnection(settings *portainer.LDAPSettings) (*ldap.Conn, error) {
 
 	if settings.TLSConfig.TLS || settings.StartTLS {
-		config, err := crypto.CreateTLSConfiguration(settings.TLSConfig.TLSCACertPath, "", "", settings.TLSConfig.TLSSkipVerify)
+		config, err := crypto.CreateTLSConfiguration(&settings.TLSConfig)
 		if err != nil {
 			return nil, err
 		}

api/portainer.go

@@ -12,25 +12,26 @@ type (
 	// CLIFlags represents the available flags on the CLI.
 	CLIFlags struct {
 		Addr              *string
+		AdminPassword     *string
+		AdminPasswordFile *string
 		Assets            *string
 		Data              *string
-		ExternalEndpoints *string
-		SyncInterval      *string
 		Endpoint          *string
+		ExternalEndpoints *string
+		Labels            *[]Pair
+		Logo              *string
 		NoAuth            *bool
 		NoAnalytics       *bool
+		Templates         *string
 		TLSVerify         *bool
+		TLSSkipVerify     *bool
 		TLSCacert         *string
 		TLSCert           *string
 		TLSKey            *string
 		SSL               *bool
 		SSLCert           *string
 		SSLKey            *string
-		AdminPassword     *string
-		// Deprecated fields
-		Logo      *string
-		Templates *string
-		Labels    *[]Pair
+		SyncInterval      *string
 	}
 
 	// Status represents the application status.
@@ -69,12 +70,15 @@ type (
 
 	// Settings represents the application settings.
 	Settings struct {
-		TemplatesURL                string               `json:"TemplatesURL"`
-		LogoURL                     string               `json:"LogoURL"`
-		BlackListedLabels           []Pair               `json:"BlackListedLabels"`
-		DisplayExternalContributors bool                 `json:"DisplayExternalContributors"`
-		AuthenticationMethod        AuthenticationMethod `json:"AuthenticationMethod"`
-		LDAPSettings                LDAPSettings         `json:"LDAPSettings"`
+		TemplatesURL                       string               `json:"TemplatesURL"`
+		LogoURL                            string               `json:"LogoURL"`
+		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
+		DisplayDonationHeader              bool                 `json:"DisplayDonationHeader"`
+		DisplayExternalContributors        bool                 `json:"DisplayExternalContributors"`
+		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
+		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
+		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
+		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
 	}
 
 	// User represents a user account.
@@ -125,6 +129,19 @@ type (
 		Role     UserRole
 	}
 
+	// StackID represents a stack identifier (it must be composed of Name + "_" + SwarmID to create a unique identifier).
+	StackID string
+
+	// Stack represents a Docker stack created via docker stack deploy.
+	Stack struct {
+		ID          StackID `json:"Id"`
+		Name        string  `json:"Name"`
+		EntryPoint  string  `json:"EntryPoint"`
+		SwarmID     string  `json:"SwarmId"`
+		ProjectPath string
+		Env         []Pair `json:"Env"`
+	}
+
 	// RegistryID represents a registry identifier.
 	RegistryID int
 
@@ -136,7 +153,7 @@ type (
 		URL             string     `json:"URL"`
 		Authentication  bool       `json:"Authentication"`
 		Username        string     `json:"Username"`
-		Password        string     `json:"Password"`
+		Password        string     `json:"Password,omitempty"`
 		AuthorizedUsers []UserID   `json:"AuthorizedUsers"`
 		AuthorizedTeams []TeamID   `json:"AuthorizedTeams"`
 	}
@@ -146,49 +163,80 @@ type (
 	DockerHub struct {
 		Authentication bool   `json:"Authentication"`
 		Username       string `json:"Username"`
-		Password       string `json:"Password"`
+		Password       string `json:"Password,omitempty"`
 	}
 
 	// EndpointID represents an endpoint identifier.
 	EndpointID int
 
+	// EndpointType represents the type of an endpoint.
+	EndpointType int
+
 	// Endpoint represents a Docker endpoint with all the info required
 	// to connect to it.
 	Endpoint struct {
-		ID              EndpointID `json:"Id"`
-		Name            string     `json:"Name"`
-		URL             string     `json:"URL"`
-		PublicURL       string     `json:"PublicURL"`
-		TLS             bool       `json:"TLS"`
-		TLSCACertPath   string     `json:"TLSCACert,omitempty"`
-		TLSCertPath     string     `json:"TLSCert,omitempty"`
-		TLSKeyPath      string     `json:"TLSKey,omitempty"`
-		AuthorizedUsers []UserID   `json:"AuthorizedUsers"`
-		AuthorizedTeams []TeamID   `json:"AuthorizedTeams"`
+		ID              EndpointID          `json:"Id"`
+		Name            string              `json:"Name"`
+		Type            EndpointType        `json:"Type"`
+		URL             string              `json:"URL"`
+		GroupID         EndpointGroupID     `json:"GroupId"`
+		PublicURL       string              `json:"PublicURL"`
+		TLSConfig       TLSConfiguration    `json:"TLSConfig"`
+		AuthorizedUsers []UserID            `json:"AuthorizedUsers"`
+		AuthorizedTeams []TeamID            `json:"AuthorizedTeams"`
+		Extensions      []EndpointExtension `json:"Extensions"`
+
+		// Deprecated fields
+		// Deprecated in DBVersion == 4
+		TLS           bool   `json:"TLS,omitempty"`
+		TLSCACertPath string `json:"TLSCACert,omitempty"`
+		TLSCertPath   string `json:"TLSCert,omitempty"`
+		TLSKeyPath    string `json:"TLSKey,omitempty"`
 	}
 
+	// EndpointGroupID represents an endpoint group identifier.
+	EndpointGroupID int
+
+	// EndpointGroup represents a group of endpoints.
+	EndpointGroup struct {
+		ID              EndpointGroupID `json:"Id"`
+		Name            string          `json:"Name"`
+		Description     string          `json:"Description"`
+		AuthorizedUsers []UserID        `json:"AuthorizedUsers"`
+		AuthorizedTeams []TeamID        `json:"AuthorizedTeams"`
+		Labels          []Pair          `json:"Labels"`
+	}
+
+	// EndpointExtension represents a extension associated to an endpoint.
+	EndpointExtension struct {
+		Type EndpointExtensionType `json:"Type"`
+		URL  string                `json:"URL"`
+	}
+
+	// EndpointExtensionType represents the type of an endpoint extension. Only
+	// one extension of each type can be associated to an endpoint.
+	EndpointExtensionType int
+
 	// ResourceControlID represents a resource control identifier.
 	ResourceControlID int
 
 	// ResourceControl represent a reference to a Docker resource with specific access controls
 	ResourceControl struct {
-		ID                 ResourceControlID   `json:"Id"`
-		ResourceID         string              `json:"ResourceId"`
-		SubResourceIDs     []string            `json:"SubResourceIds"`
-		Type               ResourceControlType `json:"Type"`
-		AdministratorsOnly bool                `json:"AdministratorsOnly"`
-
-		UserAccesses []UserResourceAccess `json:"UserAccesses"`
-		TeamAccesses []TeamResourceAccess `json:"TeamAccesses"`
+		ID                 ResourceControlID    `json:"Id"`
+		ResourceID         string               `json:"ResourceId"`
+		SubResourceIDs     []string             `json:"SubResourceIds"`
+		Type               ResourceControlType  `json:"Type"`
+		AdministratorsOnly bool                 `json:"AdministratorsOnly"`
+		UserAccesses       []UserResourceAccess `json:"UserAccesses"`
+		TeamAccesses       []TeamResourceAccess `json:"TeamAccesses"`
 
 		// Deprecated fields
-		// Deprecated: OwnerID field is deprecated in DBVersion == 2
-		OwnerID UserID `json:"OwnerId"`
-		// Deprecated: AccessLevel field is deprecated in DBVersion == 2
-		AccessLevel ResourceAccessLevel `json:"AccessLevel"`
+		// Deprecated in DBVersion == 2
+		OwnerID     UserID              `json:"OwnerId,omitempty"`
+		AccessLevel ResourceAccessLevel `json:"AccessLevel,omitempty"`
 	}
 
-	// ResourceControlType represents the type of resource associated to the resource control (volume, container, service).
+	// ResourceControlType represents the type of resource associated to the resource control (volume, container, service...).
 	ResourceControlType int
 
 	// UserResourceAccess represents the level of control on a resource for a specific user.
@@ -219,6 +267,7 @@ type (
 	// DataStore defines the interface to manage the data.
 	DataStore interface {
 		Open() error
+		Init() error
 		Close() error
 		MigrateData() error
 	}
@@ -272,6 +321,15 @@ type (
 		Synchronize(toCreate, toUpdate, toDelete []*Endpoint) error
 	}
 
+	// EndpointGroupService represents a service for managing endpoint group data.
+	EndpointGroupService interface {
+		EndpointGroup(ID EndpointGroupID) (*EndpointGroup, error)
+		EndpointGroups() ([]EndpointGroup, error)
+		CreateEndpointGroup(group *EndpointGroup) error
+		UpdateEndpointGroup(ID EndpointGroupID, group *EndpointGroup) error
+		DeleteEndpointGroup(ID EndpointGroupID) error
+	}
+
 	// RegistryService represents a service for managing registry data.
 	RegistryService interface {
 		Registry(ID RegistryID) (*Registry, error)
@@ -281,6 +339,16 @@ type (
 		DeleteRegistry(ID RegistryID) error
 	}
 
+	// StackService represents a service for managing stack data.
+	StackService interface {
+		Stack(ID StackID) (*Stack, error)
+		Stacks() ([]Stack, error)
+		StacksBySwarmID(ID string) ([]Stack, error)
+		CreateStack(stack *Stack) error
+		UpdateStack(ID StackID, stack *Stack) error
+		DeleteStack(ID StackID) error
+	}
+
 	// DockerHubService represents a service for managing the DockerHub object.
 	DockerHubService interface {
 		DockerHub() (*DockerHub, error)
@@ -315,6 +383,15 @@ type (
 		CompareHashAndData(hash string, data string) error
 	}
 
+	// DigitalSignatureService represents a service to manage digital signatures.
+	DigitalSignatureService interface {
+		ParseKeyPair(private, public []byte) error
+		GenerateKeyPair() ([]byte, []byte, error)
+		EncodedPublicKey() string
+		PEMHeaders() (string, string)
+		Sign(message string) (string, error)
+	}
+
 	// JWTService represents a service for managing JWT tokens.
 	JWTService interface {
 		GenerateToken(data *TokenData) (string, error)
@@ -323,9 +400,25 @@ type (
 
 	// FileService represents a service for managing files.
 	FileService interface {
+		GetFileContent(filePath string) (string, error)
+		RemoveDirectory(directoryPath string) error
 		StoreTLSFile(folder string, fileType TLSFileType, r io.Reader) error
 		GetPathForTLSFile(folder string, fileType TLSFileType) (string, error)
+		DeleteTLSFile(folder string, fileType TLSFileType) error
 		DeleteTLSFiles(folder string) error
+		GetStackProjectPath(stackIdentifier string) string
+		StoreStackFileFromString(stackIdentifier, fileName, stackFileContent string) (string, error)
+		StoreStackFileFromReader(stackIdentifier, fileName string, r io.Reader) (string, error)
+		KeyPairFilesExist() (bool, error)
+		StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error
+		LoadKeyPair() ([]byte, []byte, error)
+		WriteJSONToFile(path string, content interface{}) error
+	}
+
+	// GitService represents a service for managing Git.
+	GitService interface {
+		ClonePublicRepository(repositoryURL, destination string) error
+		ClonePrivateRepositoryWithBasicAuth(repositoryURL, destination, username, password string) error
 	}
 
 	// EndpointWatcher represents a service to synchronize the endpoints via an external source.
@@ -338,15 +431,34 @@ type (
 		AuthenticateUser(username, password string, settings *LDAPSettings) error
 		TestConnectivity(settings *LDAPSettings) error
 	}
+
+	// StackManager represents a service to manage stacks.
+	StackManager interface {
+		Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
+		Logout(endpoint *Endpoint) error
+		Deploy(stack *Stack, prune bool, endpoint *Endpoint) error
+		Remove(stack *Stack, endpoint *Endpoint) error
+	}
 )
 
 const (
 	// APIVersion is the version number of the Portainer API.
-	APIVersion = "1.14.0"
+	APIVersion = "1.17.0"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 3
+	DBVersion = 10
 	// DefaultTemplatesURL represents the default URL for the templates definitions.
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
+	// PortainerAgentHeader represents the name of the header available in any agent response
+	PortainerAgentHeader = "Portainer-Agent"
+	// PortainerAgentTargetHeader represent the name of the header containing the target node name.
+	PortainerAgentTargetHeader = "X-PortainerAgent-Target"
+	// PortainerAgentSignatureHeader represent the name of the header containing the digital signature
+	PortainerAgentSignatureHeader = "X-PortainerAgent-Signature"
+	// PortainerAgentPublicKeyHeader represent the name of the header containing the public key
+	PortainerAgentPublicKeyHeader = "X-PortainerAgent-PublicKey"
+	// PortainerAgentSignatureMessage represents the message used to create a digital signature
+	// to be used when communicating with an agent
+	PortainerAgentSignatureMessage = "Portainer-App"
 )
 
 const (
@@ -396,4 +508,26 @@ const (
 	ServiceResourceControl
 	// VolumeResourceControl represents a resource control associated to a Docker volume
 	VolumeResourceControl
+	// NetworkResourceControl represents a resource control associated to a Docker network
+	NetworkResourceControl
+	// SecretResourceControl represents a resource control associated to a Docker secret
+	SecretResourceControl
+	// StackResourceControl represents a resource control associated to a stack composed of Docker services
+	StackResourceControl
+	// ConfigResourceControl represents a resource control associated to a Docker config
+	ConfigResourceControl
+)
+
+const (
+	_ EndpointExtensionType = iota
+	// StoridgeEndpointExtension represents the Storidge extension
+	StoridgeEndpointExtension
+)
+
+const (
+	_ EndpointType = iota
+	// DockerEnvironment represents an endpoint connected to a Docker environment
+	DockerEnvironment
+	// AgentOnDockerEnvironment represents an endpoint connected to a Portainer agent deployed on a Docker environment
+	AgentOnDockerEnvironment
 )

app/__module.js

@@ -0,0 +1,24 @@
+angular.module('portainer', [
+  'ui.bootstrap',
+  'ui.router',
+  'isteven-multi-select',
+  'ngCookies',
+  'ngSanitize',
+  'ngFileUpload',
+  'ngMessages',
+  'ngResource',
+  'angularUtils.directives.dirPagination',
+  'LocalStorageModule',
+  'angular-jwt',
+  'angular-google-analytics',
+  'angular-google-adsense',
+  'angular-json-tree',
+  'angular-loading-bar',
+  'angular-clipboard',
+  'luegg.directives',
+  'portainer.templates',
+  'portainer.app',
+  'portainer.agent',
+  'portainer.docker',
+  'extension.storidge',
+  'rzModule']);

app/agent/_module.js

@@ -0,0 +1 @@
+angular.module('portainer.agent', []);

app/agent/components/node-selector/node-selector.js

@@ -0,0 +1,7 @@
+angular.module('portainer.agent').component('nodeSelector', {
+  templateUrl: 'app/agent/components/node-selector/nodeSelector.html',
+  controller: 'NodeSelectorController',
+  bindings: {
+    model: '='
+  }
+});

app/agent/components/node-selector/nodeSelector.html

@@ -0,0 +1,8 @@
+<div class="form-group">
+  <label for="target_node" class="col-sm-1 control-label text-left">Node</label>
+  <div class="col-sm-11">
+    <select class="form-control"
+      ng-model="$ctrl.model" ng-options="agent.NodeName as agent.NodeName for agent in $ctrl.agents"
+      ></select>
+  </div>
+</div>

app/agent/components/node-selector/nodeSelectorController.js

@@ -0,0 +1,18 @@
+angular.module('portainer.agent')
+.controller('NodeSelectorController', ['AgentService', 'Notifications', function (AgentService, Notifications) {
+  var ctrl = this;
+
+  this.$onInit = function() {
+    AgentService.agents()
+    .then(function success(data) {
+      ctrl.agents = data;
+      if (!ctrl.model) {
+        ctrl.model = data[0].NodeName;
+      }
+    })
+    .catch(function error(err) {
+      Notifications.error('Failure', err, 'Unable to load agents');
+    });
+  };
+
+}]);

app/agent/models/agent.js

@@ -0,0 +1,5 @@
+function AgentViewModel(data) {
+  this.IPAddress = data.IPAddress;
+	this.NodeName = data.NodeName;
+	this.NodeRole = data.NodeRole; 
+}

app/agent/rest/agent.js

@@ -0,0 +1,10 @@
+angular.module('portainer.agent')
+.factory('Agent', ['$resource', 'API_ENDPOINT_ENDPOINTS', 'EndpointProvider', function AgentFactory($resource, API_ENDPOINT_ENDPOINTS, EndpointProvider) {
+  'use strict';
+  return $resource(API_ENDPOINT_ENDPOINTS + '/:endpointId/docker/agents', {
+    endpointId: EndpointProvider.endpointID
+  },
+  {
+    query: {method: 'GET', isArray: true}
+  });
+}]);

app/agent/services/agentService.js

@@ -0,0 +1,24 @@
+angular.module('portainer.agent')
+.factory('AgentService', ['$q', 'Agent', function AgentServiceFactory($q, Agent) {
+  'use strict';
+  var service = {};
+
+  service.agents = function() {
+    var deferred = $q.defer();
+
+    Agent.query({}).$promise
+    .then(function success(data) {
+      var agents = data.map(function (item) {
+        return new AgentViewModel(item);
+      });
+      deferred.resolve(agents);
+    })
+    .catch(function error(err) {
+      deferred.reject({ msg: 'Unable to retrieve agents', err: err });
+    });
+
+    return deferred.promise;
+  };
+
+  return service;
+}]);

app/app.js

@@ -1,773 +1,55 @@
-angular.module('portainer.filters', []);
-angular.module('portainer.rest', ['ngResource']);
-angular.module('portainer.services', []);
-angular.module('portainer.helpers', []);
-angular.module('portainer', [
-  'ui.bootstrap',
-  'ui.router',
-  'isteven-multi-select',
-  'ngCookies',
-  'ngSanitize',
-  'ngFileUpload',
-  'angularUtils.directives.dirPagination',
-  'LocalStorageModule',
-  'angular-jwt',
-  'angular-google-analytics',
-  'portainer.templates',
-  'portainer.filters',
-  'portainer.rest',
-  'portainer.helpers',
-  'portainer.services',
-  'auth',
-  'dashboard',
-  'container',
-  'containerConsole',
-  'containerLogs',
-  'serviceLogs',
-  'containers',
-  'createContainer',
-  'createNetwork',
-  'createRegistry',
-  'createSecret',
-  'createService',
-  'createVolume',
-  'docker',
-  'endpoint',
-  'endpointAccess',
-  'endpointInit',
-  'endpoints',
-  'events',
-  'image',
-  'images',
-  'main',
-  'network',
-  'networks',
-  'node',
-  'registries',
-  'registry',
-  'registryAccess',
-  'secrets',
-  'secret',
-  'service',
-  'services',
-  'settings',
-  'settingsAuthentication',
-  'sidebar',
-  'stats',
-  'swarm',
-  'task',
-  'team',
-  'teams',
-  'templates',
-  'user',
-  'users',
-  'userSettings',
-  'volume',
-  'volumes'])
-  .config(['$stateProvider', '$urlRouterProvider', '$httpProvider', 'localStorageServiceProvider', 'jwtOptionsProvider', 'AnalyticsProvider', '$uibTooltipProvider', '$compileProvider', function ($stateProvider, $urlRouterProvider, $httpProvider, localStorageServiceProvider, jwtOptionsProvider, AnalyticsProvider, $uibTooltipProvider, $compileProvider) {
-    'use strict';
+angular.module('portainer')
+.run(['$rootScope', '$state', 'Authentication', 'authManager', 'StateManager', 'EndpointProvider', 'Notifications', 'Analytics', 'cfpLoadingBar', '$transitions', 'HttpRequestHelper',
+function ($rootScope, $state, Authentication, authManager, StateManager, EndpointProvider, Notifications, Analytics, cfpLoadingBar, $transitions, HttpRequestHelper) {
+  'use strict';
 
-    var environment = '@@ENVIRONMENT';
-    if (environment === 'production') {
-      $compileProvider.debugInfoEnabled(false);
+  EndpointProvider.initialize();
+
+  StateManager.initialize()
+  .then(function success(state) {
+    if (state.application.authentication) {
+      initAuthentication(authManager, Authentication, $rootScope, $state);
     }
+    if (state.application.analytics) {
+      initAnalytics(Analytics, $rootScope);
+    }
+  })
+  .catch(function error(err) {
+    Notifications.error('Failure', err, 'Unable to retrieve application settings');
+  });
 
-    localStorageServiceProvider
-    .setPrefix('portainer');
+  $rootScope.$state = $state;
 
-    jwtOptionsProvider.config({
-      tokenGetter: ['LocalStorage', function(LocalStorage) {
-        return LocalStorage.getJWT();
-      }],
-      unauthenticatedRedirector: ['$state', function($state) {
-        $state.go('auth', {error: 'Your session has expired'});
-      }]
-    });
-    $httpProvider.interceptors.push('jwtInterceptor');
+  // Workaround to prevent the loading bar from going backward
+  // https://github.com/chieffancypants/angular-loading-bar/issues/273
+  var originalSet = cfpLoadingBar.set;
+  cfpLoadingBar.set = function overrideSet(n) {
+    if (n > cfpLoadingBar.status()) {
+      originalSet.apply(cfpLoadingBar, arguments);
+    }
+  };
 
-    AnalyticsProvider.setAccount('@@CONFIG_GA_ID');
-    AnalyticsProvider.startOffline(true);
+  $transitions.onBefore({ to: 'docker.**' }, function() {
+    HttpRequestHelper.resetAgentTargetQueue();
+  });
+}]);
 
-    $urlRouterProvider.otherwise('/auth');
 
-    toastr.options.timeOut = 3000;
+function initAuthentication(authManager, Authentication, $rootScope, $state) {
+  authManager.checkAuthOnRefresh();
+  authManager.redirectWhenUnauthenticated();
+  Authentication.init();
+  $rootScope.$on('tokenHasExpired', function() {
+    $state.go('portainer.auth', {error: 'Your session has expired'});
+  });
+}
 
-    $uibTooltipProvider.setTriggers({
-      'mouseenter': 'mouseleave',
-      'click': 'click',
-      'focus': 'blur',
-      'outsideClick': 'outsideClick'
-    });
-
-    $stateProvider
-    .state('root', {
-      abstract: true,
-      resolve: {
-        requiresLogin: ['StateManager', function (StateManager) {
-          var applicationState = StateManager.getState();
-          return applicationState.application.authentication;
-        }]
-      }
-    })
-    .state('auth', {
-      parent: 'root',
-      url: '/auth',
-      params: {
-        logout: false,
-        error: ''
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/auth/auth.html',
-          controller: 'AuthenticationController'
-        }
-      },
-      data: {
-        requiresLogin: false
-      }
-    })
-    .state('containers', {
-      parent: 'root',
-      url: '/containers/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containers/containers.html',
-          controller: 'ContainersController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('container', {
-      url: '^/containers/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/container/container.html',
-          controller: 'ContainerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('stats', {
-      url: '^/containers/:id/stats',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/stats/stats.html',
-          controller: 'StatsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('containerlogs', {
-      url: '^/containers/:id/logs',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containerLogs/containerlogs.html',
-          controller: 'ContainerLogsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('servicelogs', {
-      url: '^/services/:id/logs',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/serviceLogs/servicelogs.html',
-          controller: 'ServiceLogsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('console', {
-      url: '^/containers/:id/console',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/containerConsole/containerConsole.html',
-          controller: 'ContainerConsoleController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('dashboard', {
-      parent: 'root',
-      url: '/dashboard',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/dashboard/dashboard.html',
-          controller: 'DashboardController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions', {
-      abstract: true,
-      url: '/actions',
-      views: {
-        'content@': {
-          template: '<div ui-view="content@"></div>'
-        },
-        'sidebar@': {
-          template: '<div ui-view="sidebar@"></div>'
-        }
-      }
-    })
-    .state('actions.create', {
-      abstract: true,
-      url: '/create',
-      views: {
-        'content@': {
-          template: '<div ui-view="content@"></div>'
-        },
-        'sidebar@': {
-          template: '<div ui-view="sidebar@"></div>'
-        }
-      }
-    })
-    .state('actions.create.container', {
-      url: '/container/:from',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createContainer/createcontainer.html',
-          controller: 'CreateContainerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.network', {
-      url: '/network',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createNetwork/createnetwork.html',
-          controller: 'CreateNetworkController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.registry', {
-      url: '/registry',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createRegistry/createregistry.html',
-          controller: 'CreateRegistryController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.secret', {
-      url: '/secret',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createSecret/createsecret.html',
-          controller: 'CreateSecretController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.service', {
-      url: '/service',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createService/createservice.html',
-          controller: 'CreateServiceController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('actions.create.volume', {
-      url: '/volume',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/createVolume/createvolume.html',
-          controller: 'CreateVolumeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('docker', {
-      url: '/docker/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/docker/docker.html',
-          controller: 'DockerController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoints', {
-      url: '/endpoints/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpoints/endpoints.html',
-          controller: 'EndpointsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoint', {
-      url: '^/endpoints/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpoint/endpoint.html',
-          controller: 'EndpointController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpoint.access', {
-      url: '^/endpoints/:id/access',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpointAccess/endpointAccess.html',
-          controller: 'EndpointAccessController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('endpointInit', {
-      url: '/init/endpoint',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/endpointInit/endpointInit.html',
-          controller: 'EndpointInitController'
-        }
-      }
-    })
-    .state('events', {
-      url: '/events/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/events/events.html',
-          controller: 'EventsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('images', {
-      url: '/images/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/images/images.html',
-          controller: 'ImagesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('image', {
-      url: '^/images/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/image/image.html',
-          controller: 'ImageController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('networks', {
-      url: '/networks/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/networks/networks.html',
-          controller: 'NetworksController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('network', {
-      url: '^/networks/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/network/network.html',
-          controller: 'NetworkController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('node', {
-      url: '^/nodes/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/node/node.html',
-          controller: 'NodeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('registries', {
-      url: '/registries/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/registries/registries.html',
-          controller: 'RegistriesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('registry', {
-      url: '^/registries/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/registry/registry.html',
-          controller: 'RegistryController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('registry.access', {
-      url: '^/registries/:id/access',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/registryAccess/registryAccess.html',
-          controller: 'RegistryAccessController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('secrets', {
-      url: '^/secrets/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/secrets/secrets.html',
-          controller: 'SecretsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('secret', {
-      url: '^/secret/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/secret/secret.html',
-          controller: 'SecretController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('services', {
-      url: '/services/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/services/services.html',
-          controller: 'ServicesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('service', {
-      url: '^/service/:id/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/service/service.html',
-          controller: 'ServiceController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('settings', {
-      url: '/settings/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/settings/settings.html',
-          controller: 'SettingsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('settings_authentication', {
-      url: '^/settings/authentication',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/settingsAuthentication/settingsAuthentication.html',
-          controller: 'SettingsAuthenticationController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('task', {
-      url: '^/task/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/task/task.html',
-          controller: 'TaskController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('templates', {
-      url: '/templates/',
-      params: {
-        key: 'containers',
-        hide_descriptions: false
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/templates/templates.html',
-          controller: 'TemplatesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('templates_linuxserver', {
-      url: '^/templates/linuxserver.io',
-      params: {
-        key: 'linuxserver.io',
-        hide_descriptions: true
-      },
-      views: {
-        'content@': {
-          templateUrl: 'app/components/templates/templates.html',
-          controller: 'TemplatesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('volumes', {
-      url: '/volumes/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/volumes/volumes.html',
-          controller: 'VolumesController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('volume', {
-      url: '^/volumes/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/volume/volume.html',
-          controller: 'VolumeController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('users', {
-      url: '/users/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/users/users.html',
-          controller: 'UsersController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('user', {
-      url: '^/users/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/user/user.html',
-          controller: 'UserController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('userSettings', {
-      url: '/userSettings/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/userSettings/userSettings.html',
-          controller: 'UserSettingsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('teams', {
-      url: '/teams/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/teams/teams.html',
-          controller: 'TeamsController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('team', {
-      url: '^/teams/:id',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/team/team.html',
-          controller: 'TeamController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    })
-    .state('swarm', {
-      url: '/swarm/',
-      views: {
-        'content@': {
-          templateUrl: 'app/components/swarm/swarm.html',
-          controller: 'SwarmController'
-        },
-        'sidebar@': {
-          templateUrl: 'app/components/sidebar/sidebar.html',
-          controller: 'SidebarController'
-        }
-      }
-    });
-  }])
-  .run(['$rootScope', '$state', 'Authentication', 'authManager', 'StateManager', 'EndpointProvider', 'Notifications', 'Analytics', function ($rootScope, $state, Authentication, authManager, StateManager, EndpointProvider, Notifications, Analytics) {
-    EndpointProvider.initialize();
-    StateManager.initialize().then(function success(state) {
-      if (state.application.authentication) {
-        authManager.checkAuthOnRefresh();
-        authManager.redirectWhenUnauthenticated();
-        Authentication.init();
-        $rootScope.$on('tokenHasExpired', function($state) {
-          $state.go('auth', {error: 'Your session has expired'});
-        });
-      }
-      if (state.application.analytics) {
-        Analytics.offline(false);
-        Analytics.registerScriptTags();
-        Analytics.registerTrackers();
-        $rootScope.$on('$stateChangeSuccess', function (event, toState, toParams, fromState, fromParams) {
-          Analytics.trackPage(toState.url);
-          Analytics.pageView();
-        });
-      }
-    }, function error(err) {
-      Notifications.error('Failure', err, 'Unable to retrieve application settings');
-    });
-
-    $rootScope.$state = $state;
-  }])
-  // This is your docker url that the api will use to make requests
-  // You need to set this to the api endpoint without the port i.e. http://192.168.1.9
-  // .constant('DOCKER_PORT', '') // Docker port, leave as an empty string if no port is required.  If you have a port, prefix it with a ':' i.e. :4243
-  .constant('API_ENDPOINT_AUTH', 'api/auth')
-  .constant('API_ENDPOINT_DOCKERHUB', 'api/dockerhub')
-  .constant('API_ENDPOINT_ENDPOINTS', 'api/endpoints')
-  .constant('API_ENDPOINT_REGISTRIES', 'api/registries')
-  .constant('API_ENDPOINT_RESOURCE_CONTROLS', 'api/resource_controls')
-  .constant('API_ENDPOINT_SETTINGS', 'api/settings')
-  .constant('API_ENDPOINT_STATUS', 'api/status')
-  .constant('API_ENDPOINT_USERS', 'api/users')
-  .constant('API_ENDPOINT_TEAMS', 'api/teams')
-  .constant('API_ENDPOINT_TEAM_MEMBERSHIPS', 'api/team_memberships')
-  .constant('API_ENDPOINT_TEMPLATES', 'api/templates')
-  .constant('DEFAULT_TEMPLATES_URL', 'https://raw.githubusercontent.com/portainer/templates/master/templates.json')
-  .constant('PAGINATION_MAX_ITEMS', 10);
+function initAnalytics(Analytics, $rootScope) {
+  Analytics.offline(false);
+  Analytics.registerScriptTags();
+  Analytics.registerTrackers();
+  $rootScope.$on('$stateChangeSuccess', function (event, toState, toParams, fromState, fromParams) {
+    Analytics.trackPage(toState.url);
+    Analytics.pageView();
+  });
+}

app/components/auth/auth.html

@@ -1,101 +0,0 @@
-<div class="page-wrapper">
-  <!-- login box -->
-  <div class="container simple-box">
-    <div class="col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3">
-      <!-- login box logo -->
-      <div class="row">
-        <img ng-if="logo" ng-src="{{ logo }}" class="simple-box-logo">
-        <img ng-if="!logo" src="images/logo_alt.png" class="simple-box-logo" alt="Portainer">
-      </div>
-      <!-- !login box logo -->
-      <!-- init password panel -->
-      <div class="panel panel-default" ng-if="initPassword">
-        <div class="panel-body">
-          <!-- init password form -->
-          <form class="login-form form-horizontal" enctype="multipart/form-data" method="POST">
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                Please specify a password for the <b>admin</b> user account.
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                <i ng-class="{true: 'fa fa-check green-icon', false: 'fa fa-times red-icon'}[initPasswordData.password.length >= 8]" aria-hidden="true"></i>
-                Your password must be at least 8 characters long
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- password input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="admin_password" type="password" class="form-control" name="password" ng-model="initPasswordData.password" autofocus>
-            </div>
-            <!-- !password input -->
-            <!-- comment -->
-            <div class="input-group">
-              <p style="margin: 5px;">
-                <i ng-class="{true: 'fa fa-check green-icon', false: 'fa fa-times red-icon'}[initPasswordData.password !== '' && initPasswordData.password === initPasswordData.password_confirmation]" aria-hidden="true"></i>
-                Confirm your password
-              </p>
-            </div>
-            <!-- !comment input -->
-            <!-- password confirmation input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="password_confirmation" type="password" class="form-control" name="password" ng-model="initPasswordData.password_confirmation">
-            </div>
-            <!-- !password confirmation input -->
-            <!-- validate button -->
-            <div class="form-group">
-              <div class="col-sm-12 controls">
-                <p class="pull-left text-danger" ng-if="initPasswordData.error" style="margin: 5px;">
-                  <i class="fa fa-exclamation-circle" aria-hidden="true"></i> Unable to create default user
-                </p>
-                <button type="submit" class="btn btn-primary pull-right" ng-disabled="initPasswordData.password.length < 8 || initPasswordData.password !== initPasswordData.password_confirmation" ng-click="createAdminUser()"><i class="fa fa-key" aria-hidden="true"></i> Validate</button>
-              </div>
-            </div>
-            <!-- !validate button -->
-          </form>
-          <!-- !init password form -->
-        </div>
-      </div>
-      <!-- !init password panel -->
-      <!-- login panel -->
-      <div class="panel panel-default" ng-if="!initPassword">
-        <div class="panel-body">
-          <!-- login form -->
-          <form class="login-form form-horizontal" enctype="multipart/form-data" method="POST">
-            <!-- username input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-user" aria-hidden="true"></i></span>
-              <input id="username" type="text" class="form-control" name="username" ng-model="authData.username" placeholder="Username">
-            </div>
-            <!-- !username input -->
-            <!-- password input -->
-            <div class="input-group">
-              <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-              <input id="password" type="password" class="form-control" name="password" ng-model="authData.password" autofocus>
-            </div>
-            <!-- !password input -->
-            <!-- login button -->
-            <div class="form-group">
-              <div class="col-sm-12 controls">
-                <p class="pull-left text-danger" ng-if="authData.error" style="margin: 5px;">
-                  <i class="fa fa-exclamation-circle" aria-hidden="true"></i> {{ authData.error }}
-                </p>
-                <button type="submit" class="btn btn-primary pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in" aria-hidden="true"></i> Login</button>
-              </div>
-            </div>
-            <!-- !login button -->
-          </form>
-          <!-- !login form -->
-        </div>
-      </div>
-      <!-- !login panel -->
-    </div>
-  </div>
-  <!-- !login box -->
-</div>

app/components/auth/authController.js

@@ -1,113 +0,0 @@
-angular.module('auth', [])
-.controller('AuthenticationController', ['$scope', '$state', '$stateParams', '$window', '$timeout', '$sanitize', 'Authentication', 'Users', 'EndpointService', 'StateManager', 'EndpointProvider', 'Notifications',
-function ($scope, $state, $stateParams, $window, $timeout, $sanitize, Authentication, Users, EndpointService, StateManager, EndpointProvider, Notifications) {
-
-  $scope.authData = {
-    username: 'admin',
-    password: '',
-    error: ''
-  };
-  $scope.initPasswordData = {
-    password: '',
-    password_confirmation: '',
-    error: false
-  };
-
-  $scope.logo = StateManager.getState().application.logo;
-
-  if (!$scope.applicationState.application.authentication) {
-    EndpointService.endpoints()
-    .then(function success(data) {
-      if (data.length > 0)  {
-        endpointID = EndpointProvider.endpointID();
-        if (!endpointID) {
-          endpointID = data[0].Id;
-          EndpointProvider.setEndpointID(endpointID);
-        }
-        StateManager.updateEndpointState(true)
-        .then(function success() {
-          $state.go('dashboard');
-        }, function error(err) {
-          Notifications.error('Failure', err, 'Unable to connect to the Docker endpoint');
-        });
-      }
-      else {
-        $state.go('endpointInit');
-      }
-    }, function error(err) {
-      Notifications.error('Failure', err, 'Unable to retrieve endpoints');
-    });
-  } else {
-    Users.checkAdminUser({}, function () {},
-    function (e) {
-      if (e.status === 404) {
-        $scope.initPassword = true;
-      } else {
-        Notifications.error('Failure', e, 'Unable to verify administrator account existence');
-      }
-    });
-  }
-
-  if ($stateParams.logout) {
-    Authentication.logout();
-  }
-
-  if ($stateParams.error) {
-    $scope.authData.error = $stateParams.error;
-    Authentication.logout();
-  }
-
-  if (Authentication.isAuthenticated()) {
-    $state.go('dashboard');
-  }
-
-  $scope.createAdminUser = function() {
-    var password = $sanitize($scope.initPasswordData.password);
-    Users.initAdminUser({password: password}, function (d) {
-      $scope.initPassword = false;
-      $timeout(function() {
-        var element = $window.document.getElementById('password');
-        if(element) {
-          element.focus();
-        }
-      });
-    }, function (e) {
-      $scope.initPassword.error = true;
-    });
-  };
-
-  $scope.authenticateUser = function() {
-    $scope.authenticationError = false;
-    var username = $sanitize($scope.authData.username);
-    var password = $sanitize($scope.authData.password);
-    Authentication.login(username, password)
-    .then(function success(data) {
-      return EndpointService.endpoints();
-    })
-    .then(function success(data) {
-      var userDetails = Authentication.getUserDetails();
-      if (data.length > 0)  {
-        endpointID = EndpointProvider.endpointID();
-        if (!endpointID) {
-          endpointID = data[0].Id;
-          EndpointProvider.setEndpointID(endpointID);
-        }
-        StateManager.updateEndpointState(true)
-        .then(function success() {
-          $state.go('dashboard');
-        }, function error(err) {
-          Notifications.error('Failure', err, 'Unable to connect to the Docker endpoint');
-        });
-      }
-      else if (data.length === 0 && userDetails.role === 1) {
-        $state.go('endpointInit');
-      } else if (data.length === 0 && userDetails.role === 2) {
-        Authentication.logout();
-        $scope.authData.error = 'User not allowed. Please contact your administrator.';
-      }
-    })
-    .catch(function error(err) {
-      $scope.authData.error = 'Authentication error';
-    });
-  };
-}]);

app/components/container/container.html

@@ -1,328 +0,0 @@
-<rd-header>
-  <rd-header-title title="Container details">
-    <i id="loadingViewSpinner" class="fa fa-cog fa-spin"></i>
-  </rd-header-title>
-  <rd-header-content>
-    <a ui-sref="containers">Containers</a> &gt; <a ui-sref="container({id: container.Id})">{{ container.Name|trimcontainername }}</a>
-  </rd-header-content>
-</rd-header>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-cogs" title="Actions"></rd-widget-header>
-      <rd-widget-body classes="padding">
-        <div class="btn-group" role="group" aria-label="...">
-          <button class="btn btn-success" ng-click="start()" ng-disabled="container.State.Running"><i class="fa fa-play space-right" aria-hidden="true"></i>Start</button>
-          <button class="btn btn-danger" ng-click="stop()" ng-disabled="!container.State.Running"><i class="fa fa-stop space-right" aria-hidden="true"></i>Stop</button>
-          <button class="btn btn-danger" ng-click="kill()" ng-disabled="!container.State.Running"><i class="fa fa-bomb space-right" aria-hidden="true"></i>Kill</button>
-          <button class="btn btn-primary" ng-click="restart()" ng-disabled="!container.State.Running"><i class="fa fa-refresh space-right" aria-hidden="true"></i>Restart</button>
-          <button class="btn btn-primary" ng-click="pause()" ng-disabled="!container.State.Running || container.State.Paused"><i class="fa fa-pause space-right" aria-hidden="true"></i>Pause</button>
-          <button class="btn btn-primary" ng-click="unpause()" ng-disabled="!container.State.Paused"><i class="fa fa-play space-right" aria-hidden="true"></i>Resume</button>
-          <button class="btn btn-danger" ng-click="confirmRemove()"><i class="fa fa-trash space-right" aria-hidden="true"></i>Remove</button>
-          <button class="btn btn-danger" ng-click="recreate()"><i class="fa fa-refresh space-right" aria-hidden="true"></i>Recreate</button>
-          <button class="btn btn-primary" ng-click="duplicate()"><i class="fa fa-files-o space-right" aria-hidden="true"></i>Duplicate/Edit</button>
-        </div>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-server" title="Container status"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <tbody>
-            <tr>
-              <td>ID</td>
-              <td>{{ container.Id }}</td>
-            </tr>
-            <tr>
-              <td>Name</td>
-              <td ng-if="!container.edit">
-                {{ container.Name|trimcontainername }}
-                <a href="" data-toggle="tooltip" title="Edit container name" ng-click="container.edit = true;"><i class="fa fa-edit"></i></a>
-              </td>
-              <td ng-if="container.edit">
-                <form ng-submit="renameContainer()">
-                  <input type="text" class="containerNameInput" ng-model="container.newContainerName">
-                  <a href="" ng-click="container.edit = false;"><i class="fa fa-times"></i></a>
-                  <a href="" ng-click="renameContainer()"><i class="fa fa-check-square-o"></i></a>
-                </form>
-              </td>
-            </tr>
-            <tr ng-if="container.NetworkSettings.IPAddress">
-              <td>IP address</td>
-              <td>{{ container.NetworkSettings.IPAddress }}</td>
-            </tr>
-            <tr>
-              <td>Status</td>
-              <td>
-                <i class="fa fa-heartbeat space-right green-icon" ng-if="container.State.Running"></i>
-                <i class="fa fa-heartbeat space-right red-icon" ng-if="!container.State.Running && container.State.Status !== 'created'"></i>
-                {{ container.State|getstatetext }} since {{ activityTime }}<span ng-if="!container.State.Running && container.State.Status !== 'created'"> with exit code {{ container.State.ExitCode }}</span>
-              </td>
-            </tr>
-            <tr>
-              <td>Created</td>
-              <td>{{ container.Created|getisodate }}</td>
-            </tr>
-            <tr ng-if="container.State.Running">
-              <td>Start time</td>
-              <td>{{ container.State.StartedAt|getisodate }}</td>
-            </tr>
-            <tr ng-if="!container.State.Running && container.State.Status !== 'created'">
-              <td>Finished</td>
-              <td>{{ container.State.FinishedAt|getisodate }}</td>
-            </tr>
-            <tr>
-              <td colspan="2">
-                <div class="btn-group" role="group" aria-label="...">
-                  <a class="btn btn-outline-secondary" type="button" ui-sref="stats({id: container.Id})"><i class="fa fa-area-chart space-right" aria-hidden="true"></i>Stats</a>
-                  <a class="btn btn-outline-secondary" type="button" ui-sref="containerlogs({id: container.Id})"><i class="fa fa-exclamation-circle space-right" aria-hidden="true"></i>Logs</a>
-                  <a class="btn btn-outline-secondary" type="button" ui-sref="console({id: container.Id})"><i class="fa fa-terminal space-right" aria-hidden="true"></i>Console</a>
-                </div>
-              </td>
-            </tr>
-          </tbody>
-        </table>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<!-- access-control-panel -->
-<por-access-control-panel
-  ng-if="container && applicationState.application.authentication"
-  resource-id="container.Id"
-  resource-control="container.ResourceControl"
-  resource-type="'container'">
-</por-access-control-panel>
-<!-- !access-control-panel -->
-
-<div ng-if="container.State.Health" class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-server" title="Container health"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <tbody>
-            <tr>
-              <td>Status</td>
-              <td>
-                <i ng-class="{'healthy': 'fa fa-heartbeat space-right green-icon', 'unhealthy': 'fa fa-heartbeat space-right red-icon', 'starting': 'fa fa-heartbeat space-right orange-icon'}[container.State.Health.Status]"></i>
-                {{ container.State.Health.Status }}
-              </td>
-            </tr>
-            <tr>
-              <td>Failure count</td>
-              <td>{{ container.State.Health.FailingStreak }}</td>
-            </tr>
-            <tr>
-              <td>Last output</td>
-              <td>{{ container.State.Health.Log[container.State.Health.Log.length - 1].Output }}</td>
-            </tr>
-          </tbody>
-        </table>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-clone" title="Create image"></rd-widget-header>
-      <rd-widget-body>
-        <form class="form-horizontal">
-          <!-- tag-description -->
-          <div class="form-group">
-            <div class="col-sm-12">
-              <span class="small text-muted">
-                You can create an image from this container, this allows you to backup important data or save
-                helpful configurations. You'll be able to spin up another container based on this image afterward.
-              </span>
-            </div>
-          </div>
-          <!-- !tag-description -->
-          <!-- image-and-registry -->
-          <div class="form-group">
-            <por-image-registry image="config.Image" registry="config.Registry"></por-image-registry>
-          </div>
-          <!-- !image-and-registry -->
-          <!-- tag-note -->
-          <div class="form-group">
-            <div class="col-sm-12">
-              <span class="small text-muted">Note: if you don't specify the tag in the image name, <span class="label label-default">latest</span> will be used.</span>
-            </div>
-          </div>
-          <!-- !tag-note -->
-          <div class="form-group">
-            <div class="col-sm-12">
-              <button type="button" class="btn btn-primary btn-sm" ng-disabled="!config.Image" ng-click="commit()">Create</button>
-              <i id="createImageSpinner" class="fa fa-cog fa-spin" style="margin-left: 5px; display: none;"></i>
-            </div>
-          </div>
-        </form>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-server" title="Container details"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <tbody>
-            <tr>
-              <td>Image</td>
-              <td><a ui-sref="image({id: container.Image})">{{ container.Image }}</a></td>
-            </tr>
-            <tr ng-if="portBindings.length > 0">
-              <td>Port configuration</td>
-              <td>
-                <div ng-repeat="portMapping in portBindings">
-                  {{ portMapping.container }} <i class="fa fa-long-arrow-right"></i> {{ portMapping.host }}
-                </div>
-              </td>
-            </tr>
-            <tr>
-              <td>CMD</td>
-              <td><code>{{ container.Config.Cmd|command }}</code></td>
-            </tr>
-            <tr>
-              <td>ENV</td>
-              <td>
-                <table class="table table-bordered table-condensed">
-                  <tr ng-repeat="var in container.Config.Env track by $index">
-                    <td>{{ var|key: '=' }}</td>
-                    <td>{{ var|value: '=' }}</td>
-                  </tr>
-                </table>
-              </td>
-            </tr>
-            <tr ng-if="!(container.Config.Labels | emptyobject)">
-              <td>Labels</td>
-              <td>
-                <table class="table table-bordered table-condensed">
-                  <tr ng-repeat="(k, v) in container.Config.Labels">
-                    <td>{{ k }}</td>
-                    <td>{{ v }}</td>
-                  </tr>
-                </table>
-              </td>
-            </tr>
-            <tr ng-if="container.HostConfig.RestartPolicy.Name !== 'no'">
-              <td>Restart policies</td>
-              <td>
-                <table class="table table-bordered table-condensed">
-                  <tr>
-                    <td class="col-md-3">Name</td>
-                    <td>{{ container.HostConfig.RestartPolicy.Name }}</td>
-                  </tr>
-                  <tr>
-                    <td class="col-md-3">MaximumRetryCount</td>
-                    <td>
-                      {{ container.HostConfig.RestartPolicy.MaximumRetryCount }}
-                    </td>
-                  </tr>
-                </table>
-              </td>
-            </tr>
-          </tbody>
-        </table>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row" ng-if="container.HostConfig.Binds.length > 0">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-cubes" title="Volumes"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <thead>
-            <tr>
-              <th>Host</th>
-              <th>Container</th>
-            </tr>
-          </thead>
-          <tbody>
-            <tr ng-repeat="vol in container.HostConfig.Binds">
-              <td>{{ vol|key: ':' }}</td>
-              <td>{{ vol|value: ':' }}</td>
-            </tr>
-          </tbody>
-        </table>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-sitemap" title="Connected networks">
-        <div class="pull-right">
-          Items per page:
-          <select ng-model="state.pagination_count" ng-change="changePaginationCount()">
-            <option value="0">All</option>
-            <option value="10">10</option>
-            <option value="25">25</option>
-            <option value="50">50</option>
-            <option value="100">100</option>
-          </select>
-        </div>
-      </rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <thead>
-            <th>Network Name</th>
-            <th>IP Address</th>
-            <th>Gateway</th>
-            <th>MacAddress</th>
-            <th>Actions</th>
-          </thead>
-          <tbody>
-            <tr dir-paginate="(key, value) in container.NetworkSettings.Networks | itemsPerPage: state.pagination_count">
-              <td><a ui-sref="network({id: value.NetworkID})">{{ key }}</a></td>
-              <td>{{ value.IPAddress || '-' }}</td>
-              <td>{{ value.Gateway || '-' }}</td>
-              <td>{{ value.MacAddress || '-' }}</td>
-              <td>
-                <button type="button" class="btn btn-xs btn-danger" ng-click="containerLeaveNetwork(container, value.NetworkID)"><i class="fa fa-trash space-right" aria-hidden="true"></i>Leave Network</button>
-              </td>
-            </tr>
-            <tr ng-if="(container.NetworkSettings.Networks | emptyobject)">
-              <td colspan="5" class="text-center text-muted">No networks connected.</td>
-            </tr>
-          </tbody>
-        </table>
-        <div class="pagination-controls">
-          <dir-pagination-controls></dir-pagination-controls>
-        </div>
-        <hr />
-        <form class="form-horizontal">
-          <!-- network-input -->
-          <div class="row">
-            <label for="container_network" class="col-sm-3 col-lg-2 control-label text-left">Join a Network</label>
-            <div class="col-sm-5 col-lg-4">
-              <select class="form-control" ng-model="selectedNetwork" id="container_network">
-                <option selected disabled hidden value="">Select a network</option>
-                <option ng-repeat="net in availableNetworks" ng-value="net.Id">{{ net.Name }}</option>
-              </select>
-            </div>
-            <div class="col-sm-1">
-              <button type="button" class="btn btn-primary btn-sm" ng-disabled="!selectedNetwork" ng-click="containerJoinNetwork(container, selectedNetwork)">Join Network</button>
-            </div>
-          </div>
-        </form>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>

app/components/container/containerController.js

@@ -1,315 +0,0 @@
-angular.module('container', [])
-.controller('ContainerController', ['$q', '$scope', '$state','$stateParams', '$filter', 'Container', 'ContainerCommit', 'ContainerHelper', 'ContainerService', 'ImageHelper', 'Network', 'NetworkService', 'Notifications', 'Pagination', 'ModalService', 'ResourceControlService', 'RegistryService', 'ImageService',
-function ($q, $scope, $state, $stateParams, $filter, Container, ContainerCommit, ContainerHelper, ContainerService, ImageHelper, Network, NetworkService, Notifications, Pagination, ModalService, ResourceControlService, RegistryService, ImageService) {
-  $scope.activityTime = 0;
-  $scope.portBindings = [];
-  $scope.config = {
-    Image: '',
-    Registry: ''
-  };
-  $scope.state = {};
-  $scope.state.pagination_count = Pagination.getPaginationCount('container_networks');
-
-  $scope.changePaginationCount = function() {
-    Pagination.setPaginationCount('container_networks', $scope.state.pagination_count);
-  };
-
-  var update = function () {
-    $('#loadingViewSpinner').show();
-    Container.get({id: $stateParams.id}, function (d) {
-      var container = new ContainerDetailsViewModel(d);
-      $scope.container = container;
-      $scope.container.edit = false;
-      $scope.container.newContainerName = $filter('trimcontainername')(container.Name);
-
-      if (container.State.Running) {
-        $scope.activityTime = moment.duration(moment(container.State.StartedAt).utc().diff(moment().utc())).humanize();
-      } else if (container.State.Status === 'created') {
-        $scope.activityTime = moment.duration(moment(container.Created).utc().diff(moment().utc())).humanize();
-      } else {
-        $scope.activityTime = moment.duration(moment().utc().diff(moment(container.State.FinishedAt).utc())).humanize();
-      }
-
-      $scope.portBindings = [];
-      if (container.NetworkSettings.Ports) {
-        angular.forEach(Object.keys(container.NetworkSettings.Ports), function(portMapping) {
-          if (container.NetworkSettings.Ports[portMapping]) {
-            var mapping = {};
-            mapping.container = portMapping;
-            mapping.host = container.NetworkSettings.Ports[portMapping][0].HostIp + ':' + container.NetworkSettings.Ports[portMapping][0].HostPort;
-            $scope.portBindings.push(mapping);
-          }
-        });
-      }
-      $('#loadingViewSpinner').hide();
-    }, function (e) {
-      $('#loadingViewSpinner').hide();
-      Notifications.error('Failure', e, 'Unable to retrieve container info');
-    });
-  };
-
-  $scope.start = function () {
-    $('#loadingViewSpinner').show();
-    Container.start({id: $scope.container.Id}, {}, function (d) {
-      update();
-      Notifications.success('Container started', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to start container');
-    });
-  };
-
-  $scope.stop = function () {
-    $('#loadingViewSpinner').show();
-    Container.stop({id: $stateParams.id}, function (d) {
-      update();
-      Notifications.success('Container stopped', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to stop container');
-    });
-  };
-
-  $scope.kill = function () {
-    $('#loadingViewSpinner').show();
-    Container.kill({id: $stateParams.id}, function (d) {
-      update();
-      Notifications.success('Container killed', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to kill container');
-    });
-  };
-
-  $scope.commit = function () {
-    $('#createImageSpinner').show();
-    var image = $scope.config.Image;
-    var registry = $scope.config.Registry;
-    var imageConfig = ImageHelper.createImageConfigForCommit(image, registry.URL);
-    ContainerCommit.commit({id: $stateParams.id, tag: imageConfig.tag, repo: imageConfig.repo}, function (d) {
-      $('#createImageSpinner').hide();
-      update();
-      Notifications.success('Container commited', $stateParams.id);
-    }, function (e) {
-      $('#createImageSpinner').hide();
-      update();
-      Notifications.error('Failure', e, 'Unable to commit container');
-    });
-  };
-
-  $scope.pause = function () {
-    $('#loadingViewSpinner').show();
-    Container.pause({id: $stateParams.id}, function (d) {
-      update();
-      Notifications.success('Container paused', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to pause container');
-    });
-  };
-
-  $scope.unpause = function () {
-    $('#loadingViewSpinner').show();
-    Container.unpause({id: $stateParams.id}, function (d) {
-      update();
-      Notifications.success('Container unpaused', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to unpause container');
-    });
-  };
-
-  $scope.confirmRemove = function () {
-    var title = 'You are about to remove a container.';
-    if ($scope.container.State.Running) {
-      title = 'You are about to remove a running container.';
-    }
-    ModalService.confirmContainerDeletion(
-      title,
-      function (result) {
-        if(!result) { return; }
-        var cleanAssociatedVolumes = false;
-        if (result[0]) {
-          cleanAssociatedVolumes = true;
-        }
-        $scope.remove(cleanAssociatedVolumes);
-      }
-    );
-  };
-
-  $scope.remove = function(cleanAssociatedVolumes) {
-    $('#loadingViewSpinner').show();
-    ContainerService.remove($scope.container, cleanAssociatedVolumes)
-    .then(function success() {
-      Notifications.success('Container successfully removed');
-      $state.go('containers', {}, {reload: true});
-    })
-    .catch(function error(err) {
-      Notifications.error('Failure', err, 'Unable to remove container');
-    })
-    .finally(function final() {
-      $('#loadingViewSpinner').hide();
-    });
-  };
-
-  $scope.restart = function () {
-    $('#loadingViewSpinner').show();
-    Container.restart({id: $stateParams.id}, function (d) {
-      update();
-      Notifications.success('Container restarted', $stateParams.id);
-    }, function (e) {
-      update();
-      Notifications.error('Failure', e, 'Unable to restart container');
-    });
-  };
-
-  $scope.renameContainer = function () {
-    var container = $scope.container;
-    Container.rename({id: $stateParams.id, 'name': container.newContainerName}, function (d) {
-      if (d.message) {
-        container.newContainerName = container.Name;
-        Notifications.error('Unable to rename container', {}, d.message);
-      } else {
-        container.Name = container.newContainerName;
-        Notifications.success('Container successfully renamed', container.Name);
-      }
-    }, function (e) {
-      Notifications.error('Failure', e, 'Unable to rename container');
-    });
-    $scope.container.edit = false;
-  };
-
-  $scope.containerLeaveNetwork = function containerLeaveNetwork(container, networkId) {
-    $('#loadingViewSpinner').show();
-    Network.disconnect({id: networkId}, { Container: $stateParams.id, Force: false }, function (d) {
-      if (container.message) {
-        $('#loadingViewSpinner').hide();
-        Notifications.error('Error', d, 'Unable to disconnect container from network');
-      } else {
-        $('#loadingViewSpinner').hide();
-        Notifications.success('Container left network', $stateParams.id);
-        $state.go('container', {id: $stateParams.id}, {reload: true});
-      }
-    }, function (e) {
-      $('#loadingViewSpinner').hide();
-      Notifications.error('Failure', e, 'Unable to disconnect container from network');
-    });
-  };
-
-  $scope.duplicate = function() {
-    ModalService.confirmExperimentalFeature(function (experimental) {
-      if(!experimental) { return; }
-      $state.go('actions.create.container', {from: $stateParams.id}, {reload: true});
-    });
-  };
-
-  $scope.confirmRemove = function () {
-    var title = 'You are about to remove a container.';
-    if ($scope.container.State.Running) {
-      title = 'You are about to remove a running container.';
-    }
-    ModalService.confirmContainerDeletion(
-      title,
-      function (result) {
-        if(!result) { return; }
-        var cleanAssociatedVolumes = false;
-        if (result[0]) {
-          cleanAssociatedVolumes = true;
-        }
-        $scope.remove(cleanAssociatedVolumes);
-      }
-    );
-  };
-
-  function recreateContainer(pullImage) {
-    $('#loadingViewSpinner').show();
-    var container = $scope.container;
-    var config = ContainerHelper.configFromContainer(container.Model);
-    ContainerService.remove(container, true)
-    .then(function success() {
-      return RegistryService.retrieveRegistryFromRepository(container.Config.Image);
-    })
-    .then(function success(data) {
-      return $q.when(!pullImage || ImageService.pullImage(container.Config.Image, data, true));
-    })
-    .then(function success() {
-      return ContainerService.createAndStartContainer(config);
-    })
-    .then(function success(data) {
-      if (!container.ResourceControl) {
-        return true;
-      } else {
-        var containerIdentifier = data.Id;
-        var resourceControl = container.ResourceControl;
-        var users = resourceControl.UserAccesses.map(function(u) {
-          return u.UserId;
-        });
-        var teams = resourceControl.TeamAccesses.map(function(t) {
-          return t.TeamId;
-        });
-        return ResourceControlService.createResourceControl(resourceControl.AdministratorsOnly,
-          users, teams, containerIdentifier, 'container', []);
-      }
-    })
-    .then(function success(data) {
-      Notifications.success('Container successfully re-created');
-      $state.go('containers', {}, {reload: true});
-    })
-    .catch(function error(err) {
-      Notifications.error('Failure', err, 'Unable to re-create container');
-    })
-    .finally(function final() {
-      $('#loadingViewSpinner').hide();
-    });
-  }
-
-  $scope.recreate = function() {
-    ModalService.confirmExperimentalFeature(function (experimental) {
-      if(!experimental) { return; }
-
-      ModalService.confirmContainerRecreation(function (result) {
-        if(!result) { return; }
-        var pullImage = false;
-        if (result[0]) {
-          pullImage = true;
-        }
-        recreateContainer(pullImage);
-      });
-    });
-  };
-
-  $scope.containerJoinNetwork = function containerJoinNetwork(container, networkId) {
-    $('#joinNetworkSpinner').show();
-    Network.connect({id: networkId}, { Container: $stateParams.id }, function (d) {
-      if (container.message) {
-        $('#joinNetworkSpinner').hide();
-        Notifications.error('Error', d, 'Unable to connect container to network');
-      } else {
-        $('#joinNetworkSpinner').hide();
-        Notifications.success('Container joined network', $stateParams.id);
-        $state.go('container', {id: $stateParams.id}, {reload: true});
-      }
-    }, function (e) {
-      $('#joinNetworkSpinner').hide();
-      Notifications.error('Failure', e, 'Unable to connect container to network');
-    });
-  };
-
-  var provider = $scope.applicationState.endpoint.mode.provider;
-  var apiVersion = $scope.applicationState.endpoint.apiVersion;
-  NetworkService.networks(
-    provider === 'DOCKER_STANDALONE' || provider === 'DOCKER_SWARM_MODE',
-    false,
-    provider === 'DOCKER_SWARM_MODE' && apiVersion >= 1.25,
-    provider === 'DOCKER_SWARM'
-  )
-  .then(function success(data) {
-    var networks = data;
-    $scope.availableNetworks = networks;
-  })
-  .catch(function error(err) {
-    Notifications.error('Failure', err, 'Unable to retrieve networks');
-  });
-
-  update();
-}]);

app/components/containerLogs/containerLogsController.js

@@ -1,75 +0,0 @@
-angular.module('containerLogs', [])
-.controller('ContainerLogsController', ['$scope', '$stateParams', '$anchorScroll', 'ContainerLogs', 'Container',
-function ($scope, $stateParams, $anchorScroll, ContainerLogs, Container) {
-  $scope.state = {};
-  $scope.state.displayTimestampsOut = false;
-  $scope.state.displayTimestampsErr = false;
-  $scope.stdout = '';
-  $scope.stderr = '';
-  $scope.tailLines = 2000;
-
-  $('#loadingViewSpinner').show();
-  Container.get({id: $stateParams.id}, function (d) {
-    $scope.container = d;
-    $('#loadingViewSpinner').hide();
-  }, function (e) {
-    $('#loadingViewSpinner').hide();
-    Notifications.error('Failure', e, 'Unable to retrieve container info');
-  });
-
-  function getLogs() {
-    $('#loadingViewSpinner').show();
-    getLogsStdout();
-    getLogsStderr();
-    $('#loadingViewSpinner').hide();
-  }
-
-  function getLogsStderr() {
-    ContainerLogs.get($stateParams.id, {
-      stdout: 0,
-      stderr: 1,
-      timestamps: $scope.state.displayTimestampsErr,
-      tail: $scope.tailLines
-    }, function (data, status, headers, config) {
-      // Replace carriage returns with newlines to clean up output
-      data = data.replace(/[\r]/g, '\n');
-      // Strip 8 byte header from each line of output
-      data = data.substring(8);
-      data = data.replace(/\n(.{8})/g, '\n');
-      $scope.stderr = data;
-    });
-  }
-
-  function getLogsStdout() {
-    ContainerLogs.get($stateParams.id, {
-      stdout: 1,
-      stderr: 0,
-      timestamps: $scope.state.displayTimestampsOut,
-      tail: $scope.tailLines
-    }, function (data, status, headers, config) {
-      // Replace carriage returns with newlines to clean up output
-      data = data.replace(/[\r]/g, '\n');
-      // Strip 8 byte header from each line of output
-      data = data.substring(8);
-      data = data.replace(/\n(.{8})/g, '\n');
-      $scope.stdout = data;
-    });
-  }
-
-  // initial call
-  getLogs();
-  var logIntervalId = window.setInterval(getLogs, 5000);
-
-  $scope.$on('$destroy', function () {
-    // clearing interval when view changes
-    clearInterval(logIntervalId);
-  });
-
-  $scope.toggleTimestampsOut = function () {
-    getLogsStdout();
-  };
-
-  $scope.toggleTimestampsErr = function () {
-    getLogsStderr();
-  };
-}]);

app/components/containerLogs/containerlogs.html

@@ -1,56 +0,0 @@
-<rd-header>
-  <rd-header-title title="Container logs">
-      <i id="loadingViewSpinner" class="fa fa-cog fa-spin"></i>
-  </rd-header-title>
-  <rd-header-content>
-    <a ui-sref="containers">Containers</a> &gt; <a ui-sref="container({id: container.Id})">{{ container.Name|trimcontainername }}</a> &gt; Logs
-  </rd-header-content>
-</rd-header>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-body>
-        <div class="widget-icon grey pull-left">
-          <i class="fa fa-server"></i>
-        </div>
-        <div class="title">{{ container.Name|trimcontainername }}</div>
-        <div class="comment">Name</div>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-info-circle" title="Stdout logs"></rd-widget-header>
-      <rd-widget-taskbar>
-        <input type="checkbox" ng-model="state.displayTimestampsOut" id="displayAllTsOut" ng-change="toggleTimestampsOut()"/>
-        <label for="displayAllTsOut">Display timestamps</label>
-      </rd-widget-taskbar>
-      <rd-widget-body classes="no-padding">
-        <div class="panel-body">
-          <pre id="stdoutLog" class="pre-scrollable pre-x-scrollable">{{stdout}}</pre>
-        </div>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>
-
-<div class="row">
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <rd-widget>
-      <rd-widget-header icon="fa-exclamation-triangle" title="Stderr logs"></rd-widget-header>
-      <rd-widget-taskbar>
-        <input type="checkbox" ng-model="state.displayTimestampsErr" id="displayAllTsErr" ng-change="toggleTimestampsErr()"/>
-        <label for="displayAllTsErr">Display timestamps</label>
-      </rd-widget-taskbar>
-      <rd-widget-body classes="no-padding">
-        <div class="panel-body">
-          <pre id="stderrLog" class="pre-scrollable pre-x-scrollable">{{stderr}}</pre>
-        </div>
-      </rd-widget-body>
-    </rd-widget>
-  </div>
-</div>

app/components/containers/containers.html

@@ -1,141 +0,0 @@
-<rd-header>
-  <rd-header-title title="Container list">
-    <a data-toggle="tooltip" title="Refresh" ui-sref="containers" ui-sref-opts="{reload: true}">
-      <i class="fa fa-refresh" aria-hidden="true"></i>
-    </a>
-    <i id="loadContainersSpinner" class="fa fa-cog fa-spin" style="margin-left: 5px;"></i>
-  </rd-header-title>
-  <rd-header-content>Containers</rd-header-content>
-</rd-header>
-
-<div class="col-lg-12">
-  <rd-widget>
-    <rd-widget-header icon="fa-server" title="Containers">
-      <div class="pull-right">
-        Items per page:
-        <select ng-model="state.pagination_count" ng-change="changePaginationCount()">
-          <option value="0">All</option>
-          <option value="10">10</option>
-          <option value="25">25</option>
-          <option value="50">50</option>
-          <option value="100">100</option>
-        </select>
-      </div>
-    </rd-widget-header>
-    <rd-widget-taskbar classes="col-lg-12">
-      <div class="pull-left">
-        <div class="btn-group" role="group" aria-label="...">
-          <button type="button" class="btn btn-success btn-responsive" ng-click="startAction()" ng-disabled="!state.selectedItemCount || state.noStoppedItemsSelected"><i class="fa fa-play space-right" aria-hidden="true"></i>Start</button>
-          <button type="button" class="btn btn-danger btn-responsive" ng-click="stopAction()" ng-disabled="!state.selectedItemCount || state.noRunningItemsSelected"><i class="fa fa-stop space-right" aria-hidden="true"></i>Stop</button>
-          <button type="button" class="btn btn-danger btn-responsive" ng-click="killAction()" ng-disabled="!state.selectedItemCount"><i class="fa fa-bomb space-right" aria-hidden="true"></i>Kill</button>
-          <button type="button" class="btn btn-primary btn-responsive" ng-click="restartAction()" ng-disabled="!state.selectedItemCount"><i class="fa fa-refresh space-right" aria-hidden="true"></i>Restart</button>
-          <button type="button" class="btn btn-primary btn-responsive" ng-click="pauseAction()" ng-disabled="!state.selectedItemCount || state.noRunningItemsSelected"><i class="fa fa-pause space-right" aria-hidden="true"></i>Pause</button>
-          <button type="button" class="btn btn-primary btn-responsive" ng-click="unpauseAction()" ng-disabled="!state.selectedItemCount || state.noPausedItemsSelected"><i class="fa fa-play space-right" aria-hidden="true"></i>Resume</button>
-          <button type="button" class="btn btn-danger btn-responsive" ng-click="confirmRemoveAction()" ng-disabled="!state.selectedItemCount"><i class="fa fa-trash space-right" aria-hidden="true"></i>Remove</button>
-        </div>
-        <a class="btn btn-primary" type="button" ui-sref="actions.create.container"><i class="fa fa-plus space-right" aria-hidden="true"></i>Add container</a>
-      </div>
-      <div class="pull-right">
-        <input type="checkbox" ng-model="state.displayAll" id="displayAll" ng-change="toggleGetAll()" style="margin-top: -2px; margin-right: 5px;"/><label for="displayAll">Show all containers</label>
-        <input type="text" id="filter" ng-model="state.filter" placeholder="Filter..." class="form-control input-sm" />
-      </div>
-    </rd-widget-taskbar>
-    <rd-widget-body classes="no-padding">
-      <div class="table-responsive">
-        <table class="table table-hover">
-          <thead>
-            <tr>
-              <th>
-                <input type="checkbox" ng-model="allSelected" ng-change="selectItems(allSelected)" />
-              </th>
-              <th>
-                <a ui-sref="containers" ng-click="order('Status')">
-                  State
-                  <span ng-show="sortType == 'Status' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'Status' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th>
-                <a ui-sref="containers" ng-click="order('Names')">
-                  Name
-                  <span ng-show="sortType == 'Names' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'Names' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th>
-                <a ui-sref="containers" ng-click="order('Image')">
-                  Image
-                  <span ng-show="sortType == 'Image' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'Image' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th ng-if="state.displayIP">
-                <a ui-sref="containers" ng-click="order('IP')">
-                  IP Address
-                  <span ng-show="sortType == 'IP' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'IP' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th ng-if="applicationState.endpoint.mode.provider === 'DOCKER_SWARM'">
-                <a ui-sref="containers" ng-click="order('Host')">
-                  Host IP
-                  <span ng-show="sortType == 'Host' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'Host' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th>
-                <a ui-sref="containers" ng-click="order('Ports')">
-                  Published Ports
-                  <span ng-show="sortType == 'Ports' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'Ports' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-              <th ng-if="applicationState.application.authentication">
-                <a ui-sref="containers" ng-click="order('ResourceControl.Ownership')">
-                  Ownership
-                  <span ng-show="sortType == 'ResourceControl.Ownership' && !sortReverse" class="glyphicon glyphicon-chevron-down"></span>
-                  <span ng-show="sortType == 'ResourceControl.Ownership' && sortReverse" class="glyphicon glyphicon-chevron-up"></span>
-                </a>
-              </th>
-            </tr>
-          </thead>
-          <tbody>
-            <tr dir-paginate="container in (state.filteredContainers = ( containers | filter:state.filter | orderBy:sortType:sortReverse | itemsPerPage: state.pagination_count))">
-              <td><input type="checkbox" ng-model="container.Checked" ng-change="selectItem(container)"/></td>
-              <td>
-                <span ng-if="['starting','healthy','unhealthy'].indexOf(container.Status) !== -1" class="label label-{{ container.Status|containerstatusbadge }} interactive" uib-tooltip="This container has a health check">{{ container.Status }}</span>
-                <span ng-if="['starting','healthy','unhealthy'].indexOf(container.Status) === -1" class="label label-{{ container.Status|containerstatusbadge }}">{{ container.Status }}</span>
-              </td>
-              <td ng-if="applicationState.endpoint.mode.provider === 'DOCKER_SWARM'"><a ui-sref="container({id: container.Id})">{{ container|swarmcontainername|truncate: 40}}</a></td>
-              <td ng-if="applicationState.endpoint.mode.provider !== 'DOCKER_SWARM'"><a ui-sref="container({id: container.Id})">{{ container|containername|truncate: 40}}</a></td>
-              <td><a ui-sref="image({id: container.Image})">{{ container.Image | hideshasum }}</a></td>
-              <td ng-if="state.displayIP">{{ container.IP ? container.IP : '-' }}</td>
-              <td ng-if="applicationState.endpoint.mode.provider === 'DOCKER_SWARM'">{{ container.hostIP }}</td>
-              <td>
-                <a ng-if="container.Ports.length > 0" ng-repeat="p in container.Ports" class="image-tag" ng-href="http://{{ PublicURL || p.host }}:{{p.public}}" target="_blank">
-                  <i class="fa fa-external-link" aria-hidden="true"></i> {{p.public}}:{{ p.private }}
-                </a>
-                <span ng-if="container.Ports.length == 0" >-</span>
-              </td>
-              <td ng-if="applicationState.application.authentication">
-                <span>
-                  <i ng-class="container.ResourceControl.Ownership | ownershipicon" aria-hidden="true"></i>
-                  {{ container.ResourceControl.Ownership ? container.ResourceControl.Ownership : container.ResourceControl.Ownership = 'public' }}
-                </span>
-              </td>
-            </tr>
-            <tr ng-if="!containers">
-              <td colspan="9" class="text-center text-muted">Loading...</td>
-            </tr>
-            <tr ng-if="containers.length == 0">
-              <td colspan="9" class="text-center text-muted">No containers available.</td>
-            </tr>
-          </tbody>
-        </table>
-        <div ng-if="containers" class="pull-left pagination-controls">
-          <dir-pagination-controls></dir-pagination-controls>
-        </div>
-      </div>
-    </rd-widget-body>
-  </rd-widget>
-</div>

app/components/containers/containersController.js

@@ -1,247 +0,0 @@
-angular.module('containers', [])
-  .controller('ContainersController', ['$q', '$scope', '$filter', 'Container', 'ContainerService', 'ContainerHelper', 'SystemService', 'Notifications', 'Pagination', 'EntityListService', 'ModalService', 'ResourceControlService', 'EndpointProvider',
-  function ($q, $scope, $filter, Container, ContainerService, ContainerHelper, SystemService, Notifications, Pagination, EntityListService, ModalService, ResourceControlService, EndpointProvider) {
-  $scope.state = {};
-  $scope.state.pagination_count = Pagination.getPaginationCount('containers');
-  $scope.state.displayAll = true;
-  $scope.state.displayIP = false;
-  $scope.sortType = 'State';
-  $scope.sortReverse = false;
-  $scope.state.selectedItemCount = 0;
-  $scope.order = function (sortType) {
-    $scope.sortReverse = ($scope.sortType === sortType) ? !$scope.sortReverse : false;
-    $scope.sortType = sortType;
-  };
-  $scope.PublicURL = EndpointProvider.endpointPublicURL();
-
-  $scope.changePaginationCount = function() {
-    Pagination.setPaginationCount('containers', $scope.state.pagination_count);
-  };
-
-  $scope.cleanAssociatedVolumes = false;
-
-  var update = function (data) {
-    $('#loadContainersSpinner').show();
-    $scope.state.selectedItemCount = 0;
-    Container.query(data, function (d) {
-      var containers = d;
-      $scope.containers = containers.map(function (container) {
-        var model = new ContainerViewModel(container);
-        model.Status = $filter('containerstatus')(model.Status);
-
-        EntityListService.rememberPreviousSelection($scope.containers, model, function onSelect(model){
-          $scope.selectItem(model);
-        });
-
-        if (model.IP) {
-          $scope.state.displayIP = true;
-        }
-        if ($scope.applicationState.endpoint.mode.provider === 'DOCKER_SWARM') {
-          model.hostIP = $scope.swarm_hosts[_.split(container.Names[0], '/')[1]];
-        }
-        return model;
-      });
-      updateSelectionFlags();
-      $('#loadContainersSpinner').hide();
-    }, function (e) {
-      $('#loadContainersSpinner').hide();
-      Notifications.error('Failure', e, 'Unable to retrieve containers');
-      $scope.containers = [];
-    });
-  };
-
-  var batch = function (items, action, msg) {
-    $('#loadContainersSpinner').show();
-    var counter = 0;
-    var complete = function () {
-      counter = counter - 1;
-      if (counter === 0) {
-        $('#loadContainersSpinner').hide();
-        update({all: $scope.state.displayAll ? 1 : 0});
-      }
-    };
-    angular.forEach(items, function (c) {
-      if (c.Checked) {
-        counter = counter + 1;
-        if (action === Container.start) {
-          action({id: c.Id}, {}, function (d) {
-            Notifications.success('Container ' + msg, c.Id);
-            complete();
-          }, function (e) {
-            Notifications.error('Failure', e, 'Unable to start container');
-            complete();
-          });
-        }
-        else if (action === Container.remove) {
-          ContainerService.remove(c, $scope.cleanAssociatedVolumes)
-          .then(function success() {
-            Notifications.success('Container successfully removed');
-          })
-          .catch(function error(err) {
-            Notifications.error('Failure', err, 'Unable to remove container');
-          })
-          .finally(function final() {
-            complete();
-          });
-        }
-        else if (action === Container.pause) {
-          action({id: c.Id}, function (d) {
-            if (d.message) {
-              Notifications.success('Container is already paused', c.Id);
-            } else {
-              Notifications.success('Container ' + msg, c.Id);
-            }
-            complete();
-          }, function (e) {
-            Notifications.error('Failure', e, 'Unable to pause container');
-            complete();
-          });
-        }
-        else {
-          action({id: c.Id}, function (d) {
-            Notifications.success('Container ' + msg, c.Id);
-            complete();
-          }, function (e) {
-            Notifications.error('Failure', e, 'An error occured');
-            complete();
-          });
-
-        }
-      }
-    });
-    if (counter === 0) {
-      $('#loadContainersSpinner').hide();
-    }
-  };
-
-  $scope.selectItems = function (allSelected) {
-    angular.forEach($scope.state.filteredContainers, function (container) {
-      if (container.Checked !== allSelected) {
-        container.Checked = allSelected;
-        toggleItemSelection(container);
-      }
-    });
-    updateSelectionFlags();
-  };
-
-  $scope.selectItem = function (item) {
-    toggleItemSelection(item);
-    updateSelectionFlags();
-  };
-
-  $scope.toggleGetAll = function () {
-    update({all: $scope.state.displayAll ? 1 : 0});
-  };
-
-  $scope.startAction = function () {
-    batch($scope.containers, Container.start, 'Started');
-  };
-
-  $scope.stopAction = function () {
-    batch($scope.containers, Container.stop, 'Stopped');
-  };
-
-  $scope.restartAction = function () {
-    batch($scope.containers, Container.restart, 'Restarted');
-  };
-
-  $scope.killAction = function () {
-    batch($scope.containers, Container.kill, 'Killed');
-  };
-
-  $scope.pauseAction = function () {
-    batch($scope.containers, Container.pause, 'Paused');
-  };
-
-  $scope.unpauseAction = function () {
-    batch($scope.containers, Container.unpause, 'Unpaused');
-  };
-
-  $scope.removeAction = function () {
-    batch($scope.containers, Container.remove, 'Removed');
-  };
-
-  $scope.confirmRemoveAction = function () {
-    var isOneContainerRunning = false;
-    angular.forEach($scope.containers, function (c) {
-      if (c.Checked && c.State === 'running') {
-        isOneContainerRunning = true;
-        return;
-      }
-    });
-    var title = 'You are about to remove one or more container.';
-    if (isOneContainerRunning) {
-      title = 'You are about to remove one or more running containers.';
-    }
-    ModalService.confirmContainerDeletion(
-      title,
-      function (result) {
-        if(!result) { return; }
-        $scope.cleanAssociatedVolumes = false;
-        if (result[0]) {
-          $scope.cleanAssociatedVolumes = true;
-        }
-        $scope.removeAction();
-      }
-    );
-  };
-
-  function toggleItemSelection(item) {
-    if (item.Checked) {
-      $scope.state.selectedItemCount++;
-    } else {
-      $scope.state.selectedItemCount--;
-    }
-  }
-
-  function updateSelectionFlags() {
-    $scope.state.noStoppedItemsSelected = true;
-    $scope.state.noRunningItemsSelected = true;
-    $scope.state.noPausedItemsSelected = true;
-    $scope.containers.forEach(function(container) {
-      if(!container.Checked) {
-        return;
-      }
-
-      if(container.Status === 'paused') {
-        $scope.state.noPausedItemsSelected = false;
-      } else if(container.Status === 'stopped' || 
-                container.Status === 'created') {
-        $scope.state.noStoppedItemsSelected = false;
-      } else if(container.Status === 'running') {
-        $scope.state.noRunningItemsSelected = false;
-      }
-    } );
-  }
-
-  function retrieveSwarmHostsInfo(data) {
-    var swarm_hosts = {};
-    var systemStatus = data.SystemStatus;
-    var node_count = parseInt(systemStatus[3][1], 10);
-    var node_offset = 4;
-    for (i = 0; i < node_count; i++) {
-      var host = {};
-      host.name = _.trim(systemStatus[node_offset][0]);
-      host.ip = _.split(systemStatus[node_offset][1], ':')[0];
-      swarm_hosts[host.name] = host.ip;
-      node_offset += 9;
-    }
-    return swarm_hosts;
-  }
-
-  function initView() {
-    var provider = $scope.applicationState.endpoint.mode.provider;
-    $q.when(provider !== 'DOCKER_SWARM' || SystemService.info())
-    .then(function success(data) {
-      if (provider === 'DOCKER_SWARM') {
-        $scope.swarm_hosts = retrieveSwarmHostsInfo(data);
-      }
-      update({all: $scope.state.displayAll ? 1 : 0});
-    })
-    .catch(function error(err) {
-      Notifications.error('Failure', err, 'Unable to retrieve cluster information');
-    });
-  }
-
-  initView();
-}]);

app/components/createNetwork/createNetworkController.js

@@ -1,92 +0,0 @@
-angular.module('createNetwork', [])
-.controller('CreateNetworkController', ['$scope', '$state', 'Notifications', 'Network', 'LabelHelper',
-function ($scope, $state, Notifications, Network, LabelHelper) {
-  $scope.formValues = {
-    DriverOptions: [],
-    Subnet: '',
-    Gateway: '',
-    Labels: []
-  };
-
-  $scope.config = {
-    Driver: 'bridge',
-    CheckDuplicate: true,
-    Internal: false,
-    // Force IPAM Driver to 'default', should not be required.
-    // See: https://github.com/docker/docker/issues/25735
-    IPAM: {
-      Driver: 'default',
-      Config: []
-    },
-    Labels: {}
-  };
-
-  $scope.addDriverOption = function() {
-    $scope.formValues.DriverOptions.push({ name: '', value: '' });
-  };
-
-  $scope.removeDriverOption = function(index) {
-    $scope.formValues.DriverOptions.splice(index, 1);
-  };
-
-  $scope.addLabel = function() {
-    $scope.formValues.Labels.push({ key: '', value: ''});
-  };
-
-  $scope.removeLabel = function(index) {
-    $scope.formValues.Labels.splice(index, 1);
-  };
-
-  function createNetwork(config) {
-    $('#createNetworkSpinner').show();
-    Network.create(config, function (d) {
-      if (d.message) {
-        $('#createNetworkSpinner').hide();
-        Notifications.error('Unable to create network', {}, d.message);
-      } else {
-        Notifications.success('Network created', d.Id);
-        $('#createNetworkSpinner').hide();
-        $state.go('networks', {}, {reload: true});
-      }
-    }, function (e) {
-      $('#createNetworkSpinner').hide();
-      Notifications.error('Failure', e, 'Unable to create network');
-    });
-  }
-
-  function prepareIPAMConfiguration(config) {
-    if ($scope.formValues.Subnet) {
-      var ipamConfig = {};
-      ipamConfig.Subnet = $scope.formValues.Subnet;
-      if ($scope.formValues.Gateway) {
-        ipamConfig.Gateway = $scope.formValues.Gateway  ;
-      }
-      config.IPAM.Config.push(ipamConfig);
-    }
-  }
-
-  function prepareDriverOptions(config) {
-    var options = {};
-    $scope.formValues.DriverOptions.forEach(function (option) {
-      options[option.name] = option.value;
-    });
-    config.Options = options;
-  }
-
-  function prepareLabelsConfig(config) {
-    config.Labels = LabelHelper.fromKeyValueToLabelHash($scope.formValues.Labels);
-  }
-
-  function prepareConfiguration() {
-    var config = angular.copy($scope.config);
-    prepareIPAMConfiguration(config);
-    prepareDriverOptions(config);
-    prepareLabelsConfig(config);
-    return config;
-  }
-
-  $scope.create = function () {
-    var config = prepareConfiguration();
-    createNetwork(config);
-  };
-}]);

app/components/createSecret/createSecretController.js

@@ -1,58 +0,0 @@
-angular.module('createSecret', [])
-.controller('CreateSecretController', ['$scope', '$state', 'Notifications', 'SecretService', 'LabelHelper',
-function ($scope, $state, Notifications, SecretService, LabelHelper) {
-  $scope.formValues = {
-    Name: '',
-    Data: '',
-    Labels: [],
-    encodeSecret: true
-  };
-
-  $scope.addLabel = function() {
-    $scope.formValues.Labels.push({ key: '', value: ''});
-  };
-
-  $scope.removeLabel = function(index) {
-    $scope.formValues.Labels.splice(index, 1);
-  };
-
-  function prepareLabelsConfig(config) {
-    config.Labels = LabelHelper.fromKeyValueToLabelHash($scope.formValues.Labels);
-  }
-
-  function prepareSecretData(config) {
-    if ($scope.formValues.encodeSecret) {
-      config.Data = btoa(unescape(encodeURIComponent($scope.formValues.Data)));
-    } else {
-      config.Data = $scope.formValues.Data;
-    }
-  }
-
-  function prepareConfiguration() {
-    var config = {};
-    config.Name = $scope.formValues.Name;
-    prepareSecretData(config);
-    prepareLabelsConfig(config);
-    return config;
-  }
-
-  function createSecret(config) {
-    $('#createSecretSpinner').show();
-    SecretService.create(config)
-    .then(function success(data) {
-      Notifications.success('Secret successfully created');
-      $state.go('secrets', {}, {reload: true});
-    })
-    .catch(function error(err) {
-      Notifications.error('Failure', err, 'Unable to create secret');
-    })
-    .finally(function final() {
-      $('#createSecretSpinner').hide();
-    });
-  }
-
-  $scope.create = function () {
-    var config = prepareConfiguration();
-    createSecret(config);
-  };
-}]);

app/components/createService/includes/placement.html

@@ -1,57 +0,0 @@
-<form class="form-horizontal" style="margin-top: 15px;">
-  <div class="form-group">
-    <div class="col-sm-12" style="margin-top: 5px;">
-      <label class="control-label text-left">Placement constraints</label>
-      <span class="label label-default interactive" style="margin-left: 10px;" ng-click="addPlacementConstraint()">
-        <i class="fa fa-plus-circle" aria-hidden="true"></i> placement constraint
-      </span>
-    </div>
-    <div class="col-sm-12 form-inline" style="margin-top: 10px;">
-      <div ng-repeat="constraint in formValues.PlacementConstraints" style="margin-top: 2px;">
-        <div class="input-group col-sm-4 input-group-sm">
-          <span class="input-group-addon">name</span>
-          <input type="text" class="form-control" ng-model="constraint.key" placeholder="e.g. node.role">
-        </div>
-        <div class="input-group col-sm-1 input-group-sm">
-          <select name="constraintOperator" class="form-control" ng-model="constraint.operator">
-            <option value="==">==</option>
-            <option value="!=">!=</option>
-          </select>
-        </div>
-        <div class="input-group col-sm-5 input-group-sm">
-          <span class="input-group-addon">value</span>
-          <input type="text" class="form-control" ng-model="constraint.value" placeholder="e.g. manager">
-        </div>
-        <button class="btn btn-sm btn-danger" type="button" ng-click="removePlacementConstraint($index)">
-          <i class="fa fa-trash" aria-hidden="true"></i>
-        </button>
-      </div>
-    </div>
-  </div>
-</form>
-
-<form class="form-horizontal" style="margin-top: 15px;" ng-if="applicationState.endpoint.apiVersion >= 1.30">
-  <div class="form-group">
-    <div class="col-sm-12" style="margin-top: 5px;">
-      <label class="control-label text-left">Placement preferences</label>
-      <span class="label label-default interactive" style="margin-left: 10px;" ng-click="addPlacementPreference()">
-        <i class="fa fa-plus-circle" aria-hidden="true"></i> placement preference
-      </span>
-    </div>
-    <div class="col-sm-12 form-inline" style="margin-top: 10px;">
-      <div ng-repeat="preference in formValues.PlacementPreferences" style="margin-top: 2px;">
-        <div class="input-group col-sm-4 input-group-sm">
-          <span class="input-group-addon">strategy</span>
-          <input type="text" class="form-control" ng-model="preference.strategy" placeholder="e.g. spread">
-        </div>
-        <div class="input-group col-sm-5 input-group-sm">
-          <span class="input-group-addon">value</span>
-          <input type="text" class="form-control" ng-model="preference.value" placeholder="e.g. node.labels.datacenter">
-        </div>
-        <button class="btn btn-sm btn-danger" type="button" ng-click="removePlacementPreference($index)">
-          <i class="fa fa-trash" aria-hidden="true"></i>
-        </button>
-      </div>
-    </div>
-  </div>
-</form>