feat(stacks): use runtime endpoint ID

* feat(api): introduce new datastore interface

* refactor(api): refactor http and main layers

* refactor(api): refactor http and bolt layers

.babelrc

@@ -0,0 +1,12 @@
+{
+  "plugins": ["lodash", "angularjs-annotate"],
+  "presets": [
+    [
+      "@babel/preset-env",
+      {
+        "modules": false,
+        "useBuiltIns": "entry"
+      }
+    ]
+  ]
+}

.codeclimate.yml

@@ -1,5 +1,42 @@
----
-engines:
+version: "2"
+checks:
+  argument-count:
+    enabled: true
+    config:
+      threshold: 4
+  complex-logic:
+    enabled: true
+    config:
+      threshold: 4
+  file-lines:
+    enabled: true
+    config:
+      threshold: 300
+  method-complexity:
+    enabled: false
+  method-count:
+    enabled: true
+    config:
+      threshold: 20
+  method-lines:
+    enabled: true
+    config:
+      threshold: 50
+  nested-control-flow:
+    enabled: true
+    config:
+      threshold: 4
+  return-statements:
+    enabled: false
+  similar-code:
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
+  identical-code:
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
+plugins:
   gofmt:
     enabled: true
   golint:
@@ -16,14 +53,10 @@ engines:
           mass_threshold: 80
   eslint:
     enabled: true
+    channel: "eslint-5"
     config:
       config: .eslintrc.yml
   fixme:
     enabled: true
-ratings:
-  paths:
-  - "**.css"
-  - "**.js"
-  - "**.go"
-exclude_paths:
+exclude_patterns:
 - test/

.codefresh/codefresh_branch.yml

@@ -1,46 +0,0 @@
-version: '1.0'
-steps:
-
-  build_backend:
-    image: portainer/golang-builder:ci
-    working_directory: ${{main_clone}}
-    commands:
-      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
-      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
-      - /build.sh api/cmd/portainer
-
-  build_frontend:
-    image: portainer/angular-builder:latest
-    working_directory: ${{build_backend}}
-    commands:
-      - yarn
-      - yarn grunt build-webapp
-      - mv api/cmd/portainer/portainer dist/
-
-  get_docker_version:
-    image: alpine:3.7
-    working_directory: ${{build_frontend}}
-    commands:
-      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
-
-  download_docker_binary:
-    image: busybox
-    working_directory: ${{build_frontend}}
-    commands:
-      - echo ${{DOCKER_VERSION}}
-      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
-      - tar -xf /tmp/docker-binaries.tgz -C /tmp
-      - mv /tmp/docker/docker dist/
-
-  build_image:
-    type: build
-    working_directory: ${{download_docker_binary}}
-    dockerfile: ./build/linux/Dockerfile
-    image_name: portainer/portainer
-    tag: ${{CF_BRANCH}}
-
-  push_image:
-    type: push
-    candidate: '${{build_image}}'
-    tag: '${{CF_BRANCH}}'
-    registry: dockerhub

.codefresh/codefresh_pullrequest.yml

@@ -1,46 +0,0 @@
-version: '1.0'
-steps:
-
-  build_backend:
-    image: portainer/golang-builder:ci
-    working_directory: ${{main_clone}}
-    commands:
-      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
-      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
-      - /build.sh api/cmd/portainer
-
-  build_frontend:
-    image: portainer/angular-builder:latest
-    working_directory: ${{build_backend}}
-    commands:
-      - yarn
-      - yarn grunt build-webapp
-      - mv api/cmd/portainer/portainer dist/
-
-  get_docker_version:
-    image: alpine:3.7
-    working_directory: ${{build_frontend}}
-    commands:
-      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
-
-  download_docker_binary:
-    image: busybox
-    working_directory: ${{build_frontend}}
-    commands:
-      - echo ${{DOCKER_VERSION}}
-      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
-      - tar -xf /tmp/docker-binaries.tgz -C /tmp
-      - mv /tmp/docker/docker dist/
-
-  build_image:
-    type: build
-    working_directory: ${{download_docker_binary}}
-    dockerfile: ./build/linux/Dockerfile
-    image_name: portainer/portainer
-    tag: ${{CF_BRANCH}}
-
-  push_image:
-    type: push
-    candidate: '${{build_image}}'
-    tag: 'pr${{CF_PULL_REQUEST_NUMBER}}'
-    registry: dockerhub

.eslintignore

@@ -0,0 +1,3 @@
+node_modules/
+dist/
+test/

.eslintrc.yml

@@ -1,284 +1,29 @@
 env:
   browser: true
   jquery: true
+  node: true
+  es6: true
+
+globals:
+  angular: true
+  __CONFIG_GA_ID: true
 
-# globals:
-#   angular: true
-#   $: true
-#   _: true
-#   moment: true
-#   filesize: true
-#   splitargs: true
 extends:
   - 'eslint:recommended'
+  - prettier
+
+plugins:
+  - import
+
+parserOptions:
+  ecmaVersion: 2018
+  sourceType: module
+  ecmaFeatures:
+    modules: true
 
-# http://eslint.org/docs/rules/
 rules:
-  # Possible Errors
-  no-await-in-loop: off
-  no-cond-assign: error
-  no-console: off
-  no-constant-condition: error
-  no-control-regex: error
-  no-debugger: error
-  no-dupe-args: error
-  no-dupe-keys: error
-  no-duplicate-case: error
-  no-empty-character-class: error
-  no-empty: error
-  no-ex-assign: error
-  no-extra-boolean-cast: error
-  no-extra-parens: off
-  no-extra-semi: error
-  no-func-assign: error
-  no-inner-declarations:
-    - error
-    - functions
-  no-invalid-regexp: error
-  no-irregular-whitespace: error
-  no-negated-in-lhs: error
-  no-obj-calls: error
-  no-prototype-builtins: off
-  no-regex-spaces: error
-  no-sparse-arrays: error
-  no-template-curly-in-string: off
-  no-unexpected-multiline: error
-  no-unreachable: error
-  no-unsafe-finally: off
-  no-unsafe-negation: off
-  use-isnan: error
-  valid-jsdoc: off
-  valid-typeof: error
-
-  # Best Practices
-  accessor-pairs: error
-  array-callback-return: off
-  block-scoped-var: off
-  class-methods-use-this: off
-  complexity:
-    - error
-    - 6
-  consistent-return: off
-  curly: off
-  default-case: off
-  dot-location: off
-  dot-notation: off
-  eqeqeq: error
-  guard-for-in: error
-  no-alert: error
-  no-caller: error
-  no-case-declarations: error
-  no-div-regex: error
-  no-else-return: off
-  no-empty-function: off
-  no-empty-pattern: error
-  no-eq-null: error
-  no-eval: error
-  no-extend-native: error
-  no-extra-bind: error
-  no-extra-label: off
-  no-fallthrough: error
-  no-floating-decimal: off
-  no-global-assign: off
-  no-implicit-coercion: off
-  no-implied-eval: error
-  no-invalid-this: off
-  no-iterator: error
-  no-labels:
-    - error
-    - allowLoop: true
-      allowSwitch: true
-  no-lone-blocks: error
-  no-loop-func: error
-  no-magic-number: off
-  no-multi-spaces: off
-  no-multi-str: off
-  no-native-reassign: error
-  no-new-func: error
-  no-new-wrappers: error
-  no-new: error
-  no-octal-escape: error
-  no-octal: error
-  no-param-reassign: off
-  no-proto: error
-  no-redeclare: error
-  no-restricted-properties: off
-  no-return-assign: error
-  no-return-await: off
-  no-script-url: error
-  no-self-assign: off
-  no-self-compare: error
-  no-sequences: off
-  no-throw-literal: off
-  no-unmodified-loop-condition: off
-  no-unused-expressions: error
-  no-unused-labels: off
-  no-useless-call: error
-  no-useless-concat: error
+  no-control-regex: off
+  no-empty: warn
+  no-empty-function: warn
   no-useless-escape: off
-  no-useless-return: off
-  no-void: error
-  no-warning-comments: off
-  no-with: error
-  prefer-promise-reject-errors: off
-  radix: error
-  require-await: off
-  vars-on-top: off
-  wrap-iife: error
-  yoda: off
-
-  # Strict
-  strict: off
-
-  # Variables
-  init-declarations: off
-  no-catch-shadow: error
-  no-delete-var: error
-  no-label-var: error
-  no-restricted-globals: off
-  no-shadow-restricted-names: error
-  no-shadow: off
-  no-undef-init: error
-  no-undef: off
-  no-undefined: off
-  no-unused-vars: off
-  no-use-before-define: off
-
-  # Node.js and CommonJS
-  callback-return: error
-  global-require: error
-  handle-callback-err: error
-  no-mixed-requires: off
-  no-new-require: off
-  no-path-concat: error
-  no-process-env: off
-  no-process-exit: error
-  no-restricted-modules: off
-  no-sync: off
-
-  # Stylistic Issues
-  array-bracket-spacing: off
-  block-spacing: off
-  brace-style: off
-  camelcase: off
-  capitalized-comments: off
-  comma-dangle:
-    - error
-    - never
-  comma-spacing: off
-  comma-style: off
-  computed-property-spacing: off
-  consistent-this: off
-  eol-last: off
-  func-call-spacing: off
-  func-name-matching: off
-  func-names: off
-  func-style: off
-  id-length: off
-  id-match: off
-  indent: off
-  jsx-quotes: off
-  key-spacing: off
-  keyword-spacing: off
-  line-comment-position: off
-  linebreak-style:
-    - error
-    - unix
-  lines-around-comment: off
-  lines-around-directive: off
-  max-depth: off
-  max-len: off
-  max-nested-callbacks: off
-  max-params: off
-  max-statements-per-line: off
-  max-statements:
-    - error
-    - 30
-  multiline-ternary: off
-  new-cap: off
-  new-parens: off
-  newline-after-var: off
-  newline-before-return: off
-  newline-per-chained-call: off
-  no-array-constructor: off
-  no-bitwise: off
-  no-continue: off
-  no-inline-comments: off
-  no-lonely-if: off
-  no-mixed-operators: off
-  no-mixed-spaces-and-tabs: off
-  no-multi-assign: off
-  no-multiple-empty-lines: off
-  no-negated-condition: off
-  no-nested-ternary: off
-  no-new-object: off
-  no-plusplus: off
-  no-restricted-syntax: off
-  no-spaced-func: off
-  no-tabs: off
-  no-ternary: off
-  no-trailing-spaces: off
-  no-underscore-dangle: off
-  no-unneeded-ternary: off
-  object-curly-newline: off
-  object-curly-spacing: off
-  object-property-newline: off
-  one-var-declaration-per-line: off
-  one-var: off
-  operator-assignment: off
-  operator-linebreak: off
-  padded-blocks: off
-  quote-props: off
-  quotes:
-    - error
-    - single
-  require-jsdoc: off
-  semi-spacing: off
-  semi:
-    - error
-    - always
-  sort-keys: off
-  sort-vars: off
-  space-before-blocks: off
-  space-before-function-paren: off
-  space-in-parens: off
-  space-infix-ops: off
-  space-unary-ops: off
-  spaced-comment: off
-  template-tag-spacing: off
-  unicode-bom: off
-  wrap-regex: off
-
-  # ECMAScript 6
-  arrow-body-style: off
-  arrow-parens: off
-  arrow-spacing: off
-  constructor-super: off
-  generator-star-spacing: off
-  no-class-assign: off
-  no-confusing-arrow: off
-  no-const-assign: off
-  no-dupe-class-members: off
-  no-duplicate-imports: off
-  no-new-symbol: off
-  no-restricted-imports: off
-  no-this-before-super: off
-  no-useless-computed-key: off
-  no-useless-constructor: off
-  no-useless-rename: off
-  no-var: off
-  object-shorthand: off
-  prefer-arrow-callback: off
-  prefer-const: off
-  prefer-destructuring: off
-  prefer-numeric-literals: off
-  prefer-rest-params: off
-  prefer-reflect: off
-  prefer-spread: off
-  prefer-template: off
-  require-yield: off
-  rest-spread-spacing: off
-  sort-imports: off
-  symbol-description: off
-  template-curly-spacing: off
-  yield-star-spacing: off
+  import/order: error

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -8,7 +8,9 @@ about: Create a bug report
 
 Thanks for reporting a bug for Portainer !
 
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/.
 
 Before opening a new issue, make sure that we do not have any duplicates
 already open. You can ensure this by searching the issue list for this
@@ -19,24 +21,22 @@ Also, be sure to check our FAQ and documentation first: https://portainer.readth
 -->
 
 **Bug description**
-
 A clear and concise description of what the bug is.
 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 
-Briefly describe what you were expecting.
+**Portainer Logs**
+Provide the logs of your Portainer container or Service.
+You can see how [here](https://portainer.readthedocs.io/en/stable/faq.html#how-do-i-get-the-logs-from-portainer)
 
 **Steps to reproduce the issue:**
-
-Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 
 **Technical details:**
-
 * Portainer version:
 * Docker version (managed by Portainer):
 * Platform (windows/linux):

.github/ISSUE_TEMPLATE/Custom.md

@@ -6,7 +6,9 @@ about: Ask us a question about Portainer usage or deployment
 
 <!--
 
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/
 
 Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
 -->

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -8,7 +8,7 @@ about: Suggest a feature/enhancement that should be added in Portainer
 
 Thanks for opening a feature request for Portainer !
 
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/
 
 Before opening a new issue, make sure that we do not have any duplicates
 already open. You can ensure this by searching the issue list for this

.github/stale.yml

@@ -0,0 +1,55 @@
+# Config for Stalebot, limited to only `issues`
+only: issues
+
+# Issues config
+issues:
+  daysUntilStale: 60
+  daysUntilClose: 7
+
+  # Limit the number of actions per hour, from 1-30. Default is 30
+  limitPerRun: 30
+
+  # Issues with these labels will never be considered stale
+  exemptLabels:
+    - kind/enhancement
+    - kind/feature
+    - kind/question
+    - kind/style
+    - kind/workaround
+    - bug/need-confirmation
+    - bug/confirmed
+    - status/discuss
+  
+  # Only issues with all of these labels are checked if stale. Defaults to `[]` (disabled)
+  onlyLabels: []
+
+  # Set to true to ignore issues in a project (defaults to false)
+  exemptProjects: true
+  # Set to true to ignore issues in a milestone (defaults to false)
+  exemptMilestones: true
+  # Set to true to ignore issues with an assignee (defaults to false)
+  exemptAssignees: true
+
+  # Label to use when marking an issue as stale
+  staleLabel: status/stale
+
+  # Comment to post when marking an issue as stale. Set to `false` to disable
+  markComment: >
+    This issue has been marked as stale as it has not had recent activity, 
+    it will be closed if no further activity occurs in the next 7 days.
+    If you believe that it has been incorrectly labelled as stale, 
+    leave a comment and the label will be removed.
+
+  # Comment to post when removing the stale label.
+  # unmarkComment: >
+  #   Your comment here.
+
+  # Comment to post when closing a stale issue. Set to `false` to disable
+  closeComment: >
+    Since no further activity has appeared on this issue it will be closed.
+    If you believe that it has been incorrectly closed, leave a comment
+    and mention @itsconquest. One of our staff will then review the issue.
+    
+    Note - If it is an old bug report, make sure that it is reproduceable in the
+    latest version of Portainer as it may have already been fixed.
+    

.gitignore

@@ -4,3 +4,5 @@ dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
 .tmp
+.vscode
+.eslintcache

.prettierrc

@@ -0,0 +1,13 @@
+{
+  "printWidth": 180,
+  "singleQuote": true,
+  "htmlWhitespaceSensitivity": "strict",
+  "overrides": [
+    {
+      "files": ["*.html"],
+      "options": {
+        "parser": "angular"
+      }
+    }
+  ]
+}

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 Some basic conventions for contributing to this project.
 
-### General
+## General
 
 Please make sure that there aren't existing pull requests attempting to address the issue mentioned. Likewise, please check for issues related to update, as someone else may be working on the issue in a branch or fork.
 
@@ -13,25 +13,11 @@ When creating a new branch, prefix it with the *type* of the change (see section
 
 For example, if you work on a bugfix for the issue #361, you could name the branch `fix361-template-selection`.
 
-### Issues open to contribution
+## Issues open to contribution
 
-Want to contribute but don't know where to start?
+Want to contribute but don't know where to start? Have a look at the issues labeled with the `good first issue` label: https://github.com/portainer/portainer/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
 
-Some of the open issues are labeled with prefix `exp/`, this is used to mark them as available for contributors to work on. All of these have an attributed difficulty level:
-
-* **beginner**: a task that should be accessible with users not familiar with the codebase
-* **intermediate**: a task that require some understanding of the project codebase or some experience in
-either AngularJS or Golang
-* **advanced**: a task that require a deep understanding of the project codebase
-
-You can have a use Github filters to list these issues:
-
-* beginner labeled issues: https://github.com/portainer/portainer/labels/exp%2Fbeginner
-* intermediate labeled issues: https://github.com/portainer/portainer/labels/exp%2Fintermediate
-* advanced labeled issues: https://github.com/portainer/portainer/labels/exp%2Fadvanced
-
-
-### Commit Message Format
+## Commit Message Format
 
 Each commit message should include a **type**, a **scope** and a **subject**:
 
@@ -47,7 +33,7 @@ Lines should not exceed 100 characters. This allows the message to be easier to
  #269 style(dashboard): update dashboard with new layout
 ```
 
-#### Type
+### Type
 
 Must be one of the following:
 
@@ -61,16 +47,30 @@ Must be one of the following:
 * **chore**: Changes to the build process or auxiliary tools and libraries such as documentation
   generation
 
-#### Scope
+### Scope
 
 The scope could be anything specifying place of the commit change. For example `networks`,
 `containers`, `images` etc...
 You can use the **area** label tag associated on the issue here (for `area/containers` use `containers` as a scope...)
 
-#### Subject
+### Subject
 
 The subject contains succinct description of the change:
 
 * use the imperative, present tense: "change" not "changed" nor "changes"
 * don't capitalize first letter
 * no dot (.) at the end
+
+## Contribution process
+
+Our contribution process is described below. Some of the steps can be visualized inside Github via specific `status/` labels, such as `status/1-functional-review` or `status/2-technical-review`.
+
+### Bug report
+
+![portainer_bugreport_workflow](https://user-images.githubusercontent.com/5485061/45727219-50190a00-bbf5-11e8-9fe8-3a563bb8d5d7.png)
+
+### Feature request
+
+The feature request process is similar to the bug report process but has an extra functional validation before the technical validation as well as a documentation validation before the testing phase.
+
+![portainer_featurerequest_workflow](https://user-images.githubusercontent.com/5485061/45727229-5ad39f00-bbf5-11e8-9550-16ba66c50615.png)

README.md

@@ -1,27 +1,19 @@
-
 <p align="center">
-  <img title="portainer" src='https://portainer.io/images/logo_alt.png' />
+  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/assets/images/logo_alt.png?raw=true' />
 </p>
 
 [![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
-[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer "Image size")
-[![Documentation Status](https://readthedocs.org/projects/portainer/badge/?version=stable)](http://portainer.readthedocs.io/en/stable/?badge=stable)
-[![Codefresh build status]( https://g.codefresh.io/api/badges/build?repoOwner=portainer&repoName=portainer&branch=develop&pipelineName=portainer-ci&accountName=deviantony&type=cf-1)]( https://g.codefresh.io/repositories/portainer/portainer/builds?filter=trigger:build;branch:develop;service:5922a08a3a1aab000116fcc6~portainer-ci)
+[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer 'Image size')
+[![Build Status](https://portainer.visualstudio.com/Portainer%20CI/_apis/build/status/Portainer%20CI?branchName=develop)](https://portainer.visualstudio.com/Portainer%20CI/_build/latest?definitionId=3&branchName=develop)
 [![Code Climate](https://codeclimate.com/github/portainer/portainer/badges/gpa.svg)](https://codeclimate.com/github/portainer/portainer)
-[![Slack](https://portainer.io/slack/badge.svg)](https://portainer.io/slack/)
-[![Gitter](https://badges.gitter.im/portainer/Lobby.svg)](https://gitter.im/portainer/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YHXZJQNJQ36H6)
 
 **_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
-
-**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container).
-
-**_Portainer_** allows you to manage your Docker containers, images, volumes, networks and more ! It is compatible with the *standalone Docker* engine and with *Docker Swarm mode*.
+**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container, supports other platforms too).
+**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.
 
 ## Demo
 
-<img src="https://portainer.io/images/screenshots/portainer.gif" width="77%"/>
-
 You can try out the public demo instance: http://demo.portainer.io/ (login with the username **admin** and the password **tryportainer**).
 
 Please note that the public demo cluster is **reset every 15min**.
@@ -36,31 +28,31 @@ Unlike the public demo, the playground sessions are deleted after 4 hours. Apart
 
 ## Getting started
 
-* [Deploy Portainer](https://portainer.readthedocs.io/en/latest/deployment.html)
-* [Documentation](https://portainer.readthedocs.io)
+- [Deploy Portainer](https://www.portainer.io/installation/)
+- [Documentation](https://www.portainer.io/documentation/)
 
 ## Getting help
 
-* Issues: https://github.com/portainer/portainer/issues
-* FAQ: https://portainer.readthedocs.io/en/latest/faq.html
-* Slack (chat): https://portainer.io/slack/
-* Gitter (chat): https://gitter.im/portainer/Lobby
+For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products-services/portainer-business-support/
+
+For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+
+- Issues: https://github.com/portainer/portainer/issues
+- FAQ: https://www.portainer.io/documentation/faqs/
+- Slack (chat): https://portainer.io/slack/
 
 ## Reporting bugs and contributing
 
-* Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
-* Want to help us build **_portainer_**? Follow our [contribution guidelines](https://portainer.readthedocs.io/en/latest/contribute.html) to build it  locally and make a pull request. We need all the help we can get!
+- Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
+- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://www.portainer.io/documentation/how-to-contribute/) to build it locally and make a pull request. We need all the help we can get!
+
+## Security
+
+- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
 
 ## Limitations
 
-**_Portainer_** has full support for the following Docker versions:
-
-* Docker 1.10 to the latest version
-* Standalone Docker Swarm >= 1.2.3 _(**NOTE:** Use of Standalone Docker Swarm is being discouraged since the introduction of built-in Swarm Mode in Docker. While older versions of Portainer had support for Standalone Docker Swarm, Portainer 1.17.0 and newer **do not** support it. However, the built-in Swarm Mode of Docker is fully supported.)_
-
-Partial support for the following Docker versions (some features may not be available):
-
-* Docker 1.9
+Portainer supports "Current - 2 docker versions only. Prior versions may operate, however these are not supported.
 
 ## Licensing
 
@@ -70,4 +62,4 @@ Portainer also contains the following code, which is licensed under the [MIT lic
 
 UI For Docker: Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com), Anthony Lapenna (portainer.io)
 
-rdash-angular: Copyright (c) [2014] [Elliot Hesp]
+rdash-angular: Copyright (c) [2014][elliot hesp]

api/access_control.go

@@ -0,0 +1,154 @@
+package portainer
+
+// NewPrivateResourceControl will create a new private resource control associated to the resource specified by the
+// identifier and type parameters. It automatically assigns it to the user specified by the userID parameter.
+func NewPrivateResourceControl(resourceIdentifier string, resourceType ResourceControlType, userID UserID) *ResourceControl {
+	return &ResourceControl{
+		Type:           resourceType,
+		ResourceID:     resourceIdentifier,
+		SubResourceIDs: []string{},
+		UserAccesses: []UserResourceAccess{
+			{
+				UserID:      userID,
+				AccessLevel: ReadWriteAccessLevel,
+			},
+		},
+		TeamAccesses:       []TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             false,
+		System:             false,
+	}
+}
+
+// NewSystemResourceControl will create a new public resource control with the System flag set to true.
+// These kind of resource control are not persisted and are created on the fly by the Portainer API.
+func NewSystemResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
+	return &ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       []UserResourceAccess{},
+		TeamAccesses:       []TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             true,
+		System:             true,
+	}
+}
+
+// NewPublicResourceControl will create a new public resource control.
+func NewPublicResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
+	return &ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       []UserResourceAccess{},
+		TeamAccesses:       []TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             true,
+		System:             false,
+	}
+}
+
+// NewRestrictedResourceControl will create a new resource control with user and team accesses restrictions.
+func NewRestrictedResourceControl(resourceIdentifier string, resourceType ResourceControlType, userIDs []UserID, teamIDs []TeamID) *ResourceControl {
+	userAccesses := make([]UserResourceAccess, 0)
+	teamAccesses := make([]TeamResourceAccess, 0)
+
+	for _, id := range userIDs {
+		access := UserResourceAccess{
+			UserID:      id,
+			AccessLevel: ReadWriteAccessLevel,
+		}
+
+		userAccesses = append(userAccesses, access)
+	}
+
+	for _, id := range teamIDs {
+		access := TeamResourceAccess{
+			TeamID:      id,
+			AccessLevel: ReadWriteAccessLevel,
+		}
+
+		teamAccesses = append(teamAccesses, access)
+	}
+
+	return &ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       userAccesses,
+		TeamAccesses:       teamAccesses,
+		AdministratorsOnly: false,
+		Public:             false,
+		System:             false,
+	}
+}
+
+// DecorateStacks will iterate through a list of stacks, check for an associated resource control for each
+// stack and decorate the stack element if a resource control is found.
+func DecorateStacks(stacks []Stack, resourceControls []ResourceControl) []Stack {
+	for idx, stack := range stacks {
+
+		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, StackResourceControl, resourceControls)
+		if resourceControl != nil {
+			stacks[idx].ResourceControl = resourceControl
+		}
+	}
+
+	return stacks
+}
+
+// FilterAuthorizedStacks returns a list of decorated stacks filtered through resource control access checks.
+func FilterAuthorizedStacks(stacks []Stack, user *User, userTeamIDs []TeamID, rbacEnabled bool) []Stack {
+	authorizedStacks := make([]Stack, 0)
+
+	for _, stack := range stacks {
+		_, ok := user.EndpointAuthorizations[stack.EndpointID][EndpointResourcesAccess]
+		if rbacEnabled && ok {
+			authorizedStacks = append(authorizedStacks, stack)
+			continue
+		}
+
+		if stack.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, stack.ResourceControl) {
+			authorizedStacks = append(authorizedStacks, stack)
+		}
+	}
+
+	return authorizedStacks
+}
+
+// UserCanAccessResource will valide that a user has permissions defined in the specified resource control
+// based on its identifier and the team(s) he is part of.
+func UserCanAccessResource(userID UserID, userTeamIDs []TeamID, resourceControl *ResourceControl) bool {
+	for _, authorizedUserAccess := range resourceControl.UserAccesses {
+		if userID == authorizedUserAccess.UserID {
+			return true
+		}
+	}
+
+	for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
+		for _, userTeamID := range userTeamIDs {
+			if userTeamID == authorizedTeamAccess.TeamID {
+				return true
+			}
+		}
+	}
+
+	return resourceControl.Public
+}
+
+// GetResourceControlByResourceIDAndType retrieves the first matching resource control in a set of resource controls
+// based on the specified id and resource type parameters.
+func GetResourceControlByResourceIDAndType(resourceID string, resourceType ResourceControlType, resourceControls []ResourceControl) *ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID && resourceType == resourceControl.Type {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}

api/archive/tar.go

@@ -7,13 +7,13 @@ import (
 
 // TarFileInBuffer will create a tar archive containing a single file named via fileName and using the content
 // specified in fileContent. Returns the archive as a byte array.
-func TarFileInBuffer(fileContent []byte, fileName string) ([]byte, error) {
+func TarFileInBuffer(fileContent []byte, fileName string, mode int64) ([]byte, error) {
 	var buffer bytes.Buffer
 	tarWriter := tar.NewWriter(&buffer)
 
 	header := &tar.Header{
 		Name: fileName,
-		Mode: 0600,
+		Mode: mode,
 		Size: int64(len(fileContent)),
 	}
 

api/archive/zip.go

@@ -0,0 +1,54 @@
+package archive
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
+func UnzipArchive(archiveData []byte, dest string) error {
+	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
+	if err != nil {
+		return err
+	}
+
+	for _, zipFile := range zipReader.File {
+		err := extractFileFromArchive(zipFile, dest)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func extractFileFromArchive(file *zip.File, dest string) error {
+	f, err := file.Open()
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	data, err := ioutil.ReadAll(f)
+	if err != nil {
+		return err
+	}
+
+	fpath := filepath.Join(dest, file.Name)
+
+	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
+	if err != nil {
+		return err
+	}
+
+	_, err = io.Copy(outFile, bytes.NewReader(data))
+	if err != nil {
+		return err
+	}
+
+	return outFile.Close()
+}

api/authorizations.go

@@ -0,0 +1,774 @@
+package portainer
+
+// AuthorizationService represents a service used to
+// update authorizations associated to a user or team.
+type AuthorizationService struct {
+	dataStore DataStore
+}
+
+// NewAuthorizationService returns a point to a new AuthorizationService instance.
+func NewAuthorizationService(dataStore DataStore) *AuthorizationService {
+	return &AuthorizationService{
+		dataStore: dataStore,
+	}
+}
+
+// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
+// associated to the endpoint administrator role.
+func DefaultEndpointAuthorizationsForEndpointAdministratorRole() Authorizations {
+	return map[Authorization]bool{
+		OperationDockerContainerArchiveInfo:         true,
+		OperationDockerContainerList:                true,
+		OperationDockerContainerExport:              true,
+		OperationDockerContainerChanges:             true,
+		OperationDockerContainerInspect:             true,
+		OperationDockerContainerTop:                 true,
+		OperationDockerContainerLogs:                true,
+		OperationDockerContainerStats:               true,
+		OperationDockerContainerAttachWebsocket:     true,
+		OperationDockerContainerArchive:             true,
+		OperationDockerContainerCreate:              true,
+		OperationDockerContainerPrune:               true,
+		OperationDockerContainerKill:                true,
+		OperationDockerContainerPause:               true,
+		OperationDockerContainerUnpause:             true,
+		OperationDockerContainerRestart:             true,
+		OperationDockerContainerStart:               true,
+		OperationDockerContainerStop:                true,
+		OperationDockerContainerWait:                true,
+		OperationDockerContainerResize:              true,
+		OperationDockerContainerAttach:              true,
+		OperationDockerContainerExec:                true,
+		OperationDockerContainerRename:              true,
+		OperationDockerContainerUpdate:              true,
+		OperationDockerContainerPutContainerArchive: true,
+		OperationDockerContainerDelete:              true,
+		OperationDockerImageList:                    true,
+		OperationDockerImageSearch:                  true,
+		OperationDockerImageGetAll:                  true,
+		OperationDockerImageGet:                     true,
+		OperationDockerImageHistory:                 true,
+		OperationDockerImageInspect:                 true,
+		OperationDockerImageLoad:                    true,
+		OperationDockerImageCreate:                  true,
+		OperationDockerImagePrune:                   true,
+		OperationDockerImagePush:                    true,
+		OperationDockerImageTag:                     true,
+		OperationDockerImageDelete:                  true,
+		OperationDockerImageCommit:                  true,
+		OperationDockerImageBuild:                   true,
+		OperationDockerNetworkList:                  true,
+		OperationDockerNetworkInspect:               true,
+		OperationDockerNetworkCreate:                true,
+		OperationDockerNetworkConnect:               true,
+		OperationDockerNetworkDisconnect:            true,
+		OperationDockerNetworkPrune:                 true,
+		OperationDockerNetworkDelete:                true,
+		OperationDockerVolumeList:                   true,
+		OperationDockerVolumeInspect:                true,
+		OperationDockerVolumeCreate:                 true,
+		OperationDockerVolumePrune:                  true,
+		OperationDockerVolumeDelete:                 true,
+		OperationDockerExecInspect:                  true,
+		OperationDockerExecStart:                    true,
+		OperationDockerExecResize:                   true,
+		OperationDockerSwarmInspect:                 true,
+		OperationDockerSwarmUnlockKey:               true,
+		OperationDockerSwarmInit:                    true,
+		OperationDockerSwarmJoin:                    true,
+		OperationDockerSwarmLeave:                   true,
+		OperationDockerSwarmUpdate:                  true,
+		OperationDockerSwarmUnlock:                  true,
+		OperationDockerNodeList:                     true,
+		OperationDockerNodeInspect:                  true,
+		OperationDockerNodeUpdate:                   true,
+		OperationDockerNodeDelete:                   true,
+		OperationDockerServiceList:                  true,
+		OperationDockerServiceInspect:               true,
+		OperationDockerServiceLogs:                  true,
+		OperationDockerServiceCreate:                true,
+		OperationDockerServiceUpdate:                true,
+		OperationDockerServiceDelete:                true,
+		OperationDockerSecretList:                   true,
+		OperationDockerSecretInspect:                true,
+		OperationDockerSecretCreate:                 true,
+		OperationDockerSecretUpdate:                 true,
+		OperationDockerSecretDelete:                 true,
+		OperationDockerConfigList:                   true,
+		OperationDockerConfigInspect:                true,
+		OperationDockerConfigCreate:                 true,
+		OperationDockerConfigUpdate:                 true,
+		OperationDockerConfigDelete:                 true,
+		OperationDockerTaskList:                     true,
+		OperationDockerTaskInspect:                  true,
+		OperationDockerTaskLogs:                     true,
+		OperationDockerPluginList:                   true,
+		OperationDockerPluginPrivileges:             true,
+		OperationDockerPluginInspect:                true,
+		OperationDockerPluginPull:                   true,
+		OperationDockerPluginCreate:                 true,
+		OperationDockerPluginEnable:                 true,
+		OperationDockerPluginDisable:                true,
+		OperationDockerPluginPush:                   true,
+		OperationDockerPluginUpgrade:                true,
+		OperationDockerPluginSet:                    true,
+		OperationDockerPluginDelete:                 true,
+		OperationDockerSessionStart:                 true,
+		OperationDockerDistributionInspect:          true,
+		OperationDockerBuildPrune:                   true,
+		OperationDockerBuildCancel:                  true,
+		OperationDockerPing:                         true,
+		OperationDockerInfo:                         true,
+		OperationDockerVersion:                      true,
+		OperationDockerEvents:                       true,
+		OperationDockerSystem:                       true,
+		OperationDockerUndefined:                    true,
+		OperationDockerAgentPing:                    true,
+		OperationDockerAgentList:                    true,
+		OperationDockerAgentHostInfo:                true,
+		OperationDockerAgentBrowseDelete:            true,
+		OperationDockerAgentBrowseGet:               true,
+		OperationDockerAgentBrowseList:              true,
+		OperationDockerAgentBrowsePut:               true,
+		OperationDockerAgentBrowseRename:            true,
+		OperationDockerAgentUndefined:               true,
+		OperationPortainerResourceControlCreate:     true,
+		OperationPortainerResourceControlUpdate:     true,
+		OperationPortainerStackList:                 true,
+		OperationPortainerStackInspect:              true,
+		OperationPortainerStackFile:                 true,
+		OperationPortainerStackCreate:               true,
+		OperationPortainerStackMigrate:              true,
+		OperationPortainerStackUpdate:               true,
+		OperationPortainerStackDelete:               true,
+		OperationPortainerWebsocketExec:             true,
+		OperationPortainerWebhookList:               true,
+		OperationPortainerWebhookCreate:             true,
+		OperationPortainerWebhookDelete:             true,
+		OperationIntegrationStoridgeAdmin:           true,
+		EndpointResourcesAccess:                     true,
+	}
+}
+
+// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
+// associated to the helpdesk role.
+func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo: true,
+		OperationDockerContainerList:        true,
+		OperationDockerContainerChanges:     true,
+		OperationDockerContainerInspect:     true,
+		OperationDockerContainerTop:         true,
+		OperationDockerContainerLogs:        true,
+		OperationDockerContainerStats:       true,
+		OperationDockerImageList:            true,
+		OperationDockerImageSearch:          true,
+		OperationDockerImageGetAll:          true,
+		OperationDockerImageGet:             true,
+		OperationDockerImageHistory:         true,
+		OperationDockerImageInspect:         true,
+		OperationDockerNetworkList:          true,
+		OperationDockerNetworkInspect:       true,
+		OperationDockerVolumeList:           true,
+		OperationDockerVolumeInspect:        true,
+		OperationDockerSwarmInspect:         true,
+		OperationDockerNodeList:             true,
+		OperationDockerNodeInspect:          true,
+		OperationDockerServiceList:          true,
+		OperationDockerServiceInspect:       true,
+		OperationDockerServiceLogs:          true,
+		OperationDockerSecretList:           true,
+		OperationDockerSecretInspect:        true,
+		OperationDockerConfigList:           true,
+		OperationDockerConfigInspect:        true,
+		OperationDockerTaskList:             true,
+		OperationDockerTaskInspect:          true,
+		OperationDockerTaskLogs:             true,
+		OperationDockerPluginList:           true,
+		OperationDockerDistributionInspect:  true,
+		OperationDockerPing:                 true,
+		OperationDockerInfo:                 true,
+		OperationDockerVersion:              true,
+		OperationDockerEvents:               true,
+		OperationDockerSystem:               true,
+		OperationDockerAgentPing:            true,
+		OperationDockerAgentList:            true,
+		OperationDockerAgentHostInfo:        true,
+		OperationPortainerStackList:         true,
+		OperationPortainerStackInspect:      true,
+		OperationPortainerStackFile:         true,
+		OperationPortainerWebhookList:       true,
+		EndpointResourcesAccess:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
+// associated to the standard user role.
+func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo:         true,
+		OperationDockerContainerList:                true,
+		OperationDockerContainerExport:              true,
+		OperationDockerContainerChanges:             true,
+		OperationDockerContainerInspect:             true,
+		OperationDockerContainerTop:                 true,
+		OperationDockerContainerLogs:                true,
+		OperationDockerContainerStats:               true,
+		OperationDockerContainerAttachWebsocket:     true,
+		OperationDockerContainerArchive:             true,
+		OperationDockerContainerCreate:              true,
+		OperationDockerContainerKill:                true,
+		OperationDockerContainerPause:               true,
+		OperationDockerContainerUnpause:             true,
+		OperationDockerContainerRestart:             true,
+		OperationDockerContainerStart:               true,
+		OperationDockerContainerStop:                true,
+		OperationDockerContainerWait:                true,
+		OperationDockerContainerResize:              true,
+		OperationDockerContainerAttach:              true,
+		OperationDockerContainerExec:                true,
+		OperationDockerContainerRename:              true,
+		OperationDockerContainerUpdate:              true,
+		OperationDockerContainerPutContainerArchive: true,
+		OperationDockerContainerDelete:              true,
+		OperationDockerImageList:                    true,
+		OperationDockerImageSearch:                  true,
+		OperationDockerImageGetAll:                  true,
+		OperationDockerImageGet:                     true,
+		OperationDockerImageHistory:                 true,
+		OperationDockerImageInspect:                 true,
+		OperationDockerImageLoad:                    true,
+		OperationDockerImageCreate:                  true,
+		OperationDockerImagePush:                    true,
+		OperationDockerImageTag:                     true,
+		OperationDockerImageDelete:                  true,
+		OperationDockerImageCommit:                  true,
+		OperationDockerImageBuild:                   true,
+		OperationDockerNetworkList:                  true,
+		OperationDockerNetworkInspect:               true,
+		OperationDockerNetworkCreate:                true,
+		OperationDockerNetworkConnect:               true,
+		OperationDockerNetworkDisconnect:            true,
+		OperationDockerNetworkDelete:                true,
+		OperationDockerVolumeList:                   true,
+		OperationDockerVolumeInspect:                true,
+		OperationDockerVolumeCreate:                 true,
+		OperationDockerVolumeDelete:                 true,
+		OperationDockerExecInspect:                  true,
+		OperationDockerExecStart:                    true,
+		OperationDockerExecResize:                   true,
+		OperationDockerSwarmInspect:                 true,
+		OperationDockerSwarmUnlockKey:               true,
+		OperationDockerSwarmInit:                    true,
+		OperationDockerSwarmJoin:                    true,
+		OperationDockerSwarmLeave:                   true,
+		OperationDockerSwarmUpdate:                  true,
+		OperationDockerSwarmUnlock:                  true,
+		OperationDockerNodeList:                     true,
+		OperationDockerNodeInspect:                  true,
+		OperationDockerNodeUpdate:                   true,
+		OperationDockerNodeDelete:                   true,
+		OperationDockerServiceList:                  true,
+		OperationDockerServiceInspect:               true,
+		OperationDockerServiceLogs:                  true,
+		OperationDockerServiceCreate:                true,
+		OperationDockerServiceUpdate:                true,
+		OperationDockerServiceDelete:                true,
+		OperationDockerSecretList:                   true,
+		OperationDockerSecretInspect:                true,
+		OperationDockerSecretCreate:                 true,
+		OperationDockerSecretUpdate:                 true,
+		OperationDockerSecretDelete:                 true,
+		OperationDockerConfigList:                   true,
+		OperationDockerConfigInspect:                true,
+		OperationDockerConfigCreate:                 true,
+		OperationDockerConfigUpdate:                 true,
+		OperationDockerConfigDelete:                 true,
+		OperationDockerTaskList:                     true,
+		OperationDockerTaskInspect:                  true,
+		OperationDockerTaskLogs:                     true,
+		OperationDockerPluginList:                   true,
+		OperationDockerPluginPrivileges:             true,
+		OperationDockerPluginInspect:                true,
+		OperationDockerPluginPull:                   true,
+		OperationDockerPluginCreate:                 true,
+		OperationDockerPluginEnable:                 true,
+		OperationDockerPluginDisable:                true,
+		OperationDockerPluginPush:                   true,
+		OperationDockerPluginUpgrade:                true,
+		OperationDockerPluginSet:                    true,
+		OperationDockerPluginDelete:                 true,
+		OperationDockerSessionStart:                 true,
+		OperationDockerDistributionInspect:          true,
+		OperationDockerBuildPrune:                   true,
+		OperationDockerBuildCancel:                  true,
+		OperationDockerPing:                         true,
+		OperationDockerInfo:                         true,
+		OperationDockerVersion:                      true,
+		OperationDockerEvents:                       true,
+		OperationDockerSystem:                       true,
+		OperationDockerUndefined:                    true,
+		OperationDockerAgentPing:                    true,
+		OperationDockerAgentList:                    true,
+		OperationDockerAgentHostInfo:                true,
+		OperationDockerAgentUndefined:               true,
+		OperationPortainerResourceControlUpdate:     true,
+		OperationPortainerStackList:                 true,
+		OperationPortainerStackInspect:              true,
+		OperationPortainerStackFile:                 true,
+		OperationPortainerStackCreate:               true,
+		OperationPortainerStackMigrate:              true,
+		OperationPortainerStackUpdate:               true,
+		OperationPortainerStackDelete:               true,
+		OperationPortainerWebsocketExec:             true,
+		OperationPortainerWebhookList:               true,
+		OperationPortainerWebhookCreate:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+		authorizations[OperationDockerAgentBrowseDelete] = true
+		authorizations[OperationDockerAgentBrowsePut] = true
+		authorizations[OperationDockerAgentBrowseRename] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
+// associated to the readonly user role.
+func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo: true,
+		OperationDockerContainerList:        true,
+		OperationDockerContainerChanges:     true,
+		OperationDockerContainerInspect:     true,
+		OperationDockerContainerTop:         true,
+		OperationDockerContainerLogs:        true,
+		OperationDockerContainerStats:       true,
+		OperationDockerImageList:            true,
+		OperationDockerImageSearch:          true,
+		OperationDockerImageGetAll:          true,
+		OperationDockerImageGet:             true,
+		OperationDockerImageHistory:         true,
+		OperationDockerImageInspect:         true,
+		OperationDockerNetworkList:          true,
+		OperationDockerNetworkInspect:       true,
+		OperationDockerVolumeList:           true,
+		OperationDockerVolumeInspect:        true,
+		OperationDockerSwarmInspect:         true,
+		OperationDockerNodeList:             true,
+		OperationDockerNodeInspect:          true,
+		OperationDockerServiceList:          true,
+		OperationDockerServiceInspect:       true,
+		OperationDockerServiceLogs:          true,
+		OperationDockerSecretList:           true,
+		OperationDockerSecretInspect:        true,
+		OperationDockerConfigList:           true,
+		OperationDockerConfigInspect:        true,
+		OperationDockerTaskList:             true,
+		OperationDockerTaskInspect:          true,
+		OperationDockerTaskLogs:             true,
+		OperationDockerPluginList:           true,
+		OperationDockerDistributionInspect:  true,
+		OperationDockerPing:                 true,
+		OperationDockerInfo:                 true,
+		OperationDockerVersion:              true,
+		OperationDockerEvents:               true,
+		OperationDockerSystem:               true,
+		OperationDockerAgentPing:            true,
+		OperationDockerAgentList:            true,
+		OperationDockerAgentHostInfo:        true,
+		OperationPortainerStackList:         true,
+		OperationPortainerStackInspect:      true,
+		OperationPortainerStackFile:         true,
+		OperationPortainerWebhookList:       true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
+func DefaultPortainerAuthorizations() Authorizations {
+	return map[Authorization]bool{
+		OperationPortainerDockerHubInspect:        true,
+		OperationPortainerEndpointGroupList:       true,
+		OperationPortainerEndpointList:            true,
+		OperationPortainerEndpointInspect:         true,
+		OperationPortainerEndpointExtensionAdd:    true,
+		OperationPortainerEndpointExtensionRemove: true,
+		OperationPortainerExtensionList:           true,
+		OperationPortainerMOTD:                    true,
+		OperationPortainerRegistryList:            true,
+		OperationPortainerRegistryInspect:         true,
+		OperationPortainerTeamList:                true,
+		OperationPortainerTemplateList:            true,
+		OperationPortainerTemplateInspect:         true,
+		OperationPortainerUserList:                true,
+		OperationPortainerUserInspect:             true,
+		OperationPortainerUserMemberships:         true,
+	}
+}
+
+// UpdateVolumeBrowsingAuthorizations will update all the volume browsing authorizations for each role (except endpoint administrator)
+// based on the specified removeAuthorizations parameter. If removeAuthorizations is set to true, all
+// the authorizations will be dropped for the each role. If removeAuthorizations is set to false, the authorizations
+// will be reset based for each role.
+func (service AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bool) error {
+	roles, err := service.dataStore.Role().Roles()
+	if err != nil {
+		return err
+	}
+
+	for _, role := range roles {
+		// all roles except endpoint administrator
+		if role.ID != RoleID(1) {
+			updateRoleVolumeBrowsingAuthorizations(&role, remove)
+
+			err := service.dataStore.Role().UpdateRole(role.ID, &role)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func updateRoleVolumeBrowsingAuthorizations(role *Role, removeAuthorizations bool) {
+	if !removeAuthorizations {
+		delete(role.Authorizations, OperationDockerAgentBrowseDelete)
+		delete(role.Authorizations, OperationDockerAgentBrowseGet)
+		delete(role.Authorizations, OperationDockerAgentBrowseList)
+		delete(role.Authorizations, OperationDockerAgentBrowsePut)
+		delete(role.Authorizations, OperationDockerAgentBrowseRename)
+		return
+	}
+
+	role.Authorizations[OperationDockerAgentBrowseGet] = true
+	role.Authorizations[OperationDockerAgentBrowseList] = true
+
+	// Standard-user
+	if role.ID == RoleID(3) {
+		role.Authorizations[OperationDockerAgentBrowseDelete] = true
+		role.Authorizations[OperationDockerAgentBrowsePut] = true
+		role.Authorizations[OperationDockerAgentBrowseRename] = true
+	}
+}
+
+// RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
+func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) error {
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyTeamID := range endpoint.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpoint.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyTeamID := range endpointGroup.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpointGroup.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.dataStore.Registry().Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyTeamID := range registry.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(registry.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return service.UpdateUsersAuthorizations()
+}
+
+// RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
+func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) error {
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyUserID := range endpoint.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpoint.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyUserID := range endpointGroup.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpointGroup.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.dataStore.Registry().Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyUserID := range registry.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(registry.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
+func (service *AuthorizationService) UpdateUsersAuthorizations() error {
+	users, err := service.dataStore.User().Users()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		err := service.updateUserAuthorizations(user.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (service *AuthorizationService) updateUserAuthorizations(userID UserID) error {
+	user, err := service.dataStore.User().User(userID)
+	if err != nil {
+		return err
+	}
+
+	endpointAuthorizations, err := service.getAuthorizations(user)
+	if err != nil {
+		return err
+	}
+
+	user.EndpointAuthorizations = endpointAuthorizations
+
+	return service.dataStore.User().UpdateUser(userID, user)
+}
+
+func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuthorizations, error) {
+	endpointAuthorizations := EndpointAuthorizations{}
+	if user.Role == AdministratorRole {
+		return endpointAuthorizations, nil
+	}
+
+	userMemberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	roles, err := service.dataStore.Role().Roles()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointAuthorizations = getUserEndpointAuthorizations(user, endpoints, endpointGroups, roles, userMemberships)
+
+	return endpointAuthorizations, nil
+}
+
+func getUserEndpointAuthorizations(user *User, endpoints []Endpoint, endpointGroups []EndpointGroup, roles []Role, userMemberships []TeamMembership) EndpointAuthorizations {
+	endpointAuthorizations := make(EndpointAuthorizations)
+
+	groupUserAccessPolicies := map[EndpointGroupID]UserAccessPolicies{}
+	groupTeamAccessPolicies := map[EndpointGroupID]TeamAccessPolicies{}
+	for _, endpointGroup := range endpointGroups {
+		groupUserAccessPolicies[endpointGroup.ID] = endpointGroup.UserAccessPolicies
+		groupTeamAccessPolicies[endpointGroup.ID] = endpointGroup.TeamAccessPolicies
+	}
+
+	for _, endpoint := range endpoints {
+		authorizations := getAuthorizationsFromUserEndpointPolicy(user, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromUserEndpointGroupPolicy(user, &endpoint, roles, groupUserAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointPolicies(userMemberships, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, &endpoint, roles, groupTeamAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+		}
+	}
+
+	return endpointAuthorizations
+}
+
+func getAuthorizationsFromUserEndpointPolicy(user *User, endpoint *Endpoint, roles []Role) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	policy, ok := endpoint.UserAccessPolicies[user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromUserEndpointGroupPolicy(user *User, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]UserAccessPolicies) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	policy, ok := groupAccessPolicies[endpoint.GroupID][user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := endpoint.TeamAccessPolicies[membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]TeamAccessPolicies) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := groupAccessPolicies[endpoint.GroupID][membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
+	var associatedRoles []Role
+
+	for _, id := range roleIdentifiers {
+		for _, role := range roles {
+			if role.ID == id {
+				associatedRoles = append(associatedRoles, role)
+				break
+			}
+		}
+	}
+
+	var authorizations Authorizations
+	highestPriority := 0
+	for _, role := range associatedRoles {
+		if role.Priority > highestPriority {
+			highestPriority = role.Priority
+			authorizations = role.Authorizations
+		}
+	}
+
+	return authorizations
+}

api/bolt/datastore.go

@@ -6,21 +6,28 @@ import (
 	"time"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/dockerhub"
-	"github.com/portainer/portainer/bolt/endpoint"
-	"github.com/portainer/portainer/bolt/endpointgroup"
-	"github.com/portainer/portainer/bolt/migrator"
-	"github.com/portainer/portainer/bolt/registry"
-	"github.com/portainer/portainer/bolt/resourcecontrol"
-	"github.com/portainer/portainer/bolt/settings"
-	"github.com/portainer/portainer/bolt/stack"
-	"github.com/portainer/portainer/bolt/tag"
-	"github.com/portainer/portainer/bolt/team"
-	"github.com/portainer/portainer/bolt/teammembership"
-	"github.com/portainer/portainer/bolt/template"
-	"github.com/portainer/portainer/bolt/user"
-	"github.com/portainer/portainer/bolt/version"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/dockerhub"
+	"github.com/portainer/portainer/api/bolt/edgegroup"
+	"github.com/portainer/portainer/api/bolt/edgestack"
+	"github.com/portainer/portainer/api/bolt/endpoint"
+	"github.com/portainer/portainer/api/bolt/endpointgroup"
+	"github.com/portainer/portainer/api/bolt/endpointrelation"
+	"github.com/portainer/portainer/api/bolt/extension"
+	"github.com/portainer/portainer/api/bolt/migrator"
+	"github.com/portainer/portainer/api/bolt/registry"
+	"github.com/portainer/portainer/api/bolt/resourcecontrol"
+	"github.com/portainer/portainer/api/bolt/role"
+	"github.com/portainer/portainer/api/bolt/schedule"
+	"github.com/portainer/portainer/api/bolt/settings"
+	"github.com/portainer/portainer/api/bolt/stack"
+	"github.com/portainer/portainer/api/bolt/tag"
+	"github.com/portainer/portainer/api/bolt/team"
+	"github.com/portainer/portainer/api/bolt/teammembership"
+	"github.com/portainer/portainer/api/bolt/tunnelserver"
+	"github.com/portainer/portainer/api/bolt/user"
+	"github.com/portainer/portainer/api/bolt/version"
+	"github.com/portainer/portainer/api/bolt/webhook"
 )
 
 const (
@@ -30,23 +37,30 @@ const (
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
-	path                   string
-	db                     *bolt.DB
-	checkForDataMigration  bool
-	fileService            portainer.FileService
-	DockerHubService       *dockerhub.Service
-	EndpointGroupService   *endpointgroup.Service
-	EndpointService        *endpoint.Service
-	RegistryService        *registry.Service
-	ResourceControlService *resourcecontrol.Service
-	SettingsService        *settings.Service
-	StackService           *stack.Service
-	TagService             *tag.Service
-	TeamMembershipService  *teammembership.Service
-	TeamService            *team.Service
-	TemplateService        *template.Service
-	UserService            *user.Service
-	VersionService         *version.Service
+	path                    string
+	db                      *bolt.DB
+	isNew                   bool
+	fileService             portainer.FileService
+	DockerHubService        *dockerhub.Service
+	EdgeGroupService        *edgegroup.Service
+	EdgeStackService        *edgestack.Service
+	EndpointGroupService    *endpointgroup.Service
+	EndpointService         *endpoint.Service
+	EndpointRelationService *endpointrelation.Service
+	ExtensionService        *extension.Service
+	RegistryService         *registry.Service
+	ResourceControlService  *resourcecontrol.Service
+	RoleService             *role.Service
+	ScheduleService         *schedule.Service
+	SettingsService         *settings.Service
+	StackService            *stack.Service
+	TagService              *tag.Service
+	TeamMembershipService   *teammembership.Service
+	TeamService             *team.Service
+	TunnelServerService     *tunnelserver.Service
+	UserService             *user.Service
+	VersionService          *version.Service
+	WebhookService          *webhook.Service
 }
 
 // NewStore initializes a new Store and the associated services
@@ -54,6 +68,7 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 	store := &Store{
 		path:        storePath,
 		fileService: fileService,
+		isNew:       true,
 	}
 
 	databasePath := path.Join(storePath, databaseFileName)
@@ -62,10 +77,8 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 		return nil, err
 	}
 
-	if !databaseFileExists {
-		store.checkForDataMigration = false
-	} else {
-		store.checkForDataMigration = true
+	if databaseFileExists {
+		store.isNew = false
 	}
 
 	return store, nil
@@ -83,29 +96,6 @@ func (store *Store) Open() error {
 	return store.initServices()
 }
 
-// Init creates the default data set.
-func (store *Store) Init() error {
-	groups, err := store.EndpointGroupService.EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	if len(groups) == 0 {
-		unassignedGroup := &portainer.EndpointGroup{
-			Name:            "Unassigned",
-			Description:     "Unassigned endpoints",
-			Labels:          []portainer.Pair{},
-			AuthorizedUsers: []portainer.UserID{},
-			AuthorizedTeams: []portainer.TeamID{},
-			Tags:            []string{},
-		}
-
-		return store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
-	}
-
-	return nil
-}
-
 // Close closes the BoltDB database.
 func (store *Store) Close() error {
 	if store.db != nil {
@@ -114,9 +104,16 @@ func (store *Store) Close() error {
 	return nil
 }
 
+// IsNew returns true if the database was just created and false if it is re-using
+// existing data.
+func (store *Store) IsNew() bool {
+	return store.isNew
+}
+
 // MigrateData automatically migrate the data based on the DBVersion.
+// This process is only triggered on an existing database, not if the database was just created.
 func (store *Store) MigrateData() error {
-	if !store.checkForDataMigration {
+	if store.isNew {
 		return store.VersionService.StoreDBVersion(portainer.DBVersion)
 	}
 
@@ -129,16 +126,24 @@ func (store *Store) MigrateData() error {
 
 	if version < portainer.DBVersion {
 		migratorParams := &migrator.Parameters{
-			DB:                     store.db,
-			DatabaseVersion:        version,
-			EndpointGroupService:   store.EndpointGroupService,
-			EndpointService:        store.EndpointService,
-			ResourceControlService: store.ResourceControlService,
-			SettingsService:        store.SettingsService,
-			StackService:           store.StackService,
-			UserService:            store.UserService,
-			VersionService:         store.VersionService,
-			FileService:            store.fileService,
+			DB:                      store.db,
+			DatabaseVersion:         version,
+			EndpointGroupService:    store.EndpointGroupService,
+			EndpointService:         store.EndpointService,
+			EndpointRelationService: store.EndpointRelationService,
+			ExtensionService:        store.ExtensionService,
+			RegistryService:         store.RegistryService,
+			ResourceControlService:  store.ResourceControlService,
+			RoleService:             store.RoleService,
+			ScheduleService:         store.ScheduleService,
+			SettingsService:         store.SettingsService,
+			StackService:            store.StackService,
+			TagService:              store.TagService,
+			TeamMembershipService:   store.TeamMembershipService,
+			UserService:             store.UserService,
+			VersionService:          store.VersionService,
+			FileService:             store.fileService,
+			AuthorizationService:    portainer.NewAuthorizationService(store),
 		}
 		migrator := migrator.NewMigrator(migratorParams)
 
@@ -154,12 +159,30 @@ func (store *Store) MigrateData() error {
 }
 
 func (store *Store) initServices() error {
+	authorizationsetService, err := role.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.RoleService = authorizationsetService
+
 	dockerhubService, err := dockerhub.NewService(store.db)
 	if err != nil {
 		return err
 	}
 	store.DockerHubService = dockerhubService
 
+	edgeStackService, err := edgestack.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.EdgeStackService = edgeStackService
+
+	edgeGroupService, err := edgegroup.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.EdgeGroupService = edgeGroupService
+
 	endpointgroupService, err := endpointgroup.NewService(store.db)
 	if err != nil {
 		return err
@@ -172,6 +195,18 @@ func (store *Store) initServices() error {
 	}
 	store.EndpointService = endpointService
 
+	endpointRelationService, err := endpointrelation.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.EndpointRelationService = endpointRelationService
+
+	extensionService, err := extension.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.ExtensionService = extensionService
+
 	registryService, err := registry.NewService(store.db)
 	if err != nil {
 		return err
@@ -214,11 +249,11 @@ func (store *Store) initServices() error {
 	}
 	store.TeamService = teamService
 
-	templateService, err := template.NewService(store.db)
+	tunnelServerService, err := tunnelserver.NewService(store.db)
 	if err != nil {
 		return err
 	}
-	store.TemplateService = templateService
+	store.TunnelServerService = tunnelServerService
 
 	userService, err := user.NewService(store.db)
 	if err != nil {
@@ -232,5 +267,117 @@ func (store *Store) initServices() error {
 	}
 	store.VersionService = versionService
 
+	webhookService, err := webhook.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.WebhookService = webhookService
+
+	scheduleService, err := schedule.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.ScheduleService = scheduleService
+
 	return nil
 }
+
+// DockerHub gives access to the DockerHub data management layer
+func (store *Store) DockerHub() portainer.DockerHubService {
+	return store.DockerHubService
+}
+
+// EdgeGroup gives access to the EdgeGroup data management layer
+func (store *Store) EdgeGroup() portainer.EdgeGroupService {
+	return store.EdgeGroupService
+}
+
+// EdgeStack gives access to the EdgeStack data management layer
+func (store *Store) EdgeStack() portainer.EdgeStackService {
+	return store.EdgeStackService
+}
+
+// Endpoint gives access to the Endpoint data management layer
+func (store *Store) Endpoint() portainer.EndpointService {
+	return store.EndpointService
+}
+
+// EndpointGroup gives access to the EndpointGroup data management layer
+func (store *Store) EndpointGroup() portainer.EndpointGroupService {
+	return store.EndpointGroupService
+}
+
+// EndpointRelation gives access to the EndpointRelation data management layer
+func (store *Store) EndpointRelation() portainer.EndpointRelationService {
+	return store.EndpointRelationService
+}
+
+// Extension gives access to the Extension data management layer
+func (store *Store) Extension() portainer.ExtensionService {
+	return store.ExtensionService
+}
+
+// Registry gives access to the Registry data management layer
+func (store *Store) Registry() portainer.RegistryService {
+	return store.RegistryService
+}
+
+// ResourceControl gives access to the ResourceControl data management layer
+func (store *Store) ResourceControl() portainer.ResourceControlService {
+	return store.ResourceControlService
+}
+
+// Role gives access to the Role data management layer
+func (store *Store) Role() portainer.RoleService {
+	return store.RoleService
+}
+
+// Schedule gives access to the Schedule data management layer
+func (store *Store) Schedule() portainer.ScheduleService {
+	return store.ScheduleService
+}
+
+// Settings gives access to the Settings data management layer
+func (store *Store) Settings() portainer.SettingsService {
+	return store.SettingsService
+}
+
+// Stack gives access to the Stack data management layer
+func (store *Store) Stack() portainer.StackService {
+	return store.StackService
+}
+
+// Tag gives access to the Tag data management layer
+func (store *Store) Tag() portainer.TagService {
+	return store.TagService
+}
+
+// TeamMembership gives access to the TeamMembership data management layer
+func (store *Store) TeamMembership() portainer.TeamMembershipService {
+	return store.TeamMembershipService
+}
+
+// Team gives access to the Team data management layer
+func (store *Store) Team() portainer.TeamService {
+	return store.TeamService
+}
+
+// TunnelServer gives access to the TunnelServer data management layer
+func (store *Store) TunnelServer() portainer.TunnelServerService {
+	return store.TunnelServerService
+}
+
+// User gives access to the User data management layer
+func (store *Store) User() portainer.UserService {
+	return store.UserService
+}
+
+// Version gives access to the Version data management layer
+func (store *Store) Version() portainer.VersionService {
+	return store.VersionService
+}
+
+// Webhook gives access to the Webhook data management layer
+func (store *Store) Webhook() portainer.WebhookService {
+	return store.WebhookService
+}

api/bolt/dockerhub/dockerhub.go

@@ -1,8 +1,8 @@
 package dockerhub
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/edgegroup/edgegroup.go

@@ -0,0 +1,94 @@
+package edgegroup
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "edgegroups"
+)
+
+// Service represents a service for managing Edge group data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// EdgeGroups return an array containing all the Edge groups.
+func (service *Service) EdgeGroups() ([]portainer.EdgeGroup, error) {
+	var groups = make([]portainer.EdgeGroup, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var group portainer.EdgeGroup
+			err := internal.UnmarshalObjectWithJsoniter(v, &group)
+			if err != nil {
+				return err
+			}
+			groups = append(groups, group)
+		}
+
+		return nil
+	})
+
+	return groups, err
+}
+
+// EdgeGroup returns an Edge group by ID.
+func (service *Service) EdgeGroup(ID portainer.EdgeGroupID) (*portainer.EdgeGroup, error) {
+	var group portainer.EdgeGroup
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &group)
+	if err != nil {
+		return nil, err
+	}
+
+	return &group, nil
+}
+
+// UpdateEdgeGroup updates an Edge group.
+func (service *Service) UpdateEdgeGroup(ID portainer.EdgeGroupID, group *portainer.EdgeGroup) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, group)
+}
+
+// DeleteEdgeGroup deletes an Edge group.
+func (service *Service) DeleteEdgeGroup(ID portainer.EdgeGroupID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// CreateEdgeGroup assign an ID to a new Edge group and saves it.
+func (service *Service) CreateEdgeGroup(group *portainer.EdgeGroup) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		group.ID = portainer.EdgeGroupID(id)
+
+		data, err := internal.MarshalObject(group)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(group.ID)), data)
+	})
+}

api/bolt/edgestack/edgestack.go

@@ -0,0 +1,101 @@
+package edgestack
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "edge_stack"
+)
+
+// Service represents a service for managing Edge stack data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// EdgeStacks returns an array containing all edge stacks
+func (service *Service) EdgeStacks() ([]portainer.EdgeStack, error) {
+	var stacks = make([]portainer.EdgeStack, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.EdgeStack
+			err := internal.UnmarshalObject(v, &stack)
+			if err != nil {
+				return err
+			}
+			stacks = append(stacks, stack)
+		}
+
+		return nil
+	})
+
+	return stacks, err
+}
+
+// EdgeStack returns an Edge stack by ID.
+func (service *Service) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStack, error) {
+	var stack portainer.EdgeStack
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &stack)
+	if err != nil {
+		return nil, err
+	}
+
+	return &stack, nil
+}
+
+// CreateEdgeStack assign an ID to a new Edge stack and saves it.
+func (service *Service) CreateEdgeStack(edgeStack *portainer.EdgeStack) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		if edgeStack.ID == 0 {
+			id, _ := bucket.NextSequence()
+			edgeStack.ID = portainer.EdgeStackID(id)
+		}
+
+		data, err := internal.MarshalObject(edgeStack)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(edgeStack.ID)), data)
+	})
+}
+
+// UpdateEdgeStack updates an Edge stack.
+func (service *Service) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, edgeStack)
+}
+
+// DeleteEdgeStack deletes an Edge stack.
+func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// GetNextIdentifier returns the next identifier for an endpoint.
+func (service *Service) GetNextIdentifier() int {
+	return internal.GetNextIdentifier(service.db, BucketName)
+}

api/bolt/endpoint/endpoint.go

@@ -1,10 +1,9 @@
 package endpoint
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
-
 	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 )
 
 const (
@@ -64,7 +63,7 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
 			var endpoint portainer.Endpoint
-			err := internal.UnmarshalObject(v, &endpoint)
+			err := internal.UnmarshalObjectWithJsoniter(v, &endpoint)
 			if err != nil {
 				return err
 			}

api/bolt/endpointgroup/endpointgroup.go

@@ -1,8 +1,8 @@
 package endpointgroup
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/endpointrelation/endpointrelation.go

@@ -0,0 +1,68 @@
+package endpointrelation
+
+import (
+	"github.com/boltdb/bolt"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "endpoint_relations"
+)
+
+// Service represents a service for managing endpoint relation data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// EndpointRelation returns a Endpoint relation object by EndpointID
+func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*portainer.EndpointRelation, error) {
+	var endpointRelation portainer.EndpointRelation
+	identifier := internal.Itob(int(endpointID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &endpointRelation)
+	if err != nil {
+		return nil, err
+	}
+
+	return &endpointRelation, nil
+}
+
+// CreateEndpointRelation saves endpointRelation
+func (service *Service) CreateEndpointRelation(endpointRelation *portainer.EndpointRelation) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data, err := internal.MarshalObject(endpointRelation)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(endpointRelation.EndpointID)), data)
+	})
+}
+
+// UpdateEndpointRelation updates an Endpoint relation object
+func (service *Service) UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error {
+	identifier := internal.Itob(int(EndpointID))
+	return internal.UpdateObject(service.db, BucketName, identifier, endpointRelation)
+}
+
+// DeleteEndpointRelation deletes an Endpoint relation object
+func (service *Service) DeleteEndpointRelation(EndpointID portainer.EndpointID) error {
+	identifier := internal.Itob(int(EndpointID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/extension/extension.go

@@ -0,0 +1,86 @@
+package extension
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "extension"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Extension returns a extension by ID
+func (service *Service) Extension(ID portainer.ExtensionID) (*portainer.Extension, error) {
+	var extension portainer.Extension
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &extension)
+	if err != nil {
+		return nil, err
+	}
+
+	return &extension, nil
+}
+
+// Extensions return an array containing all the extensions.
+func (service *Service) Extensions() ([]portainer.Extension, error) {
+	var extensions = make([]portainer.Extension, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var extension portainer.Extension
+			err := internal.UnmarshalObject(v, &extension)
+			if err != nil {
+				return err
+			}
+			extensions = append(extensions, extension)
+		}
+
+		return nil
+	})
+
+	return extensions, err
+}
+
+// Persist persists a extension inside the database.
+func (service *Service) Persist(extension *portainer.Extension) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data, err := internal.MarshalObject(extension)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(extension.ID)), data)
+	})
+}
+
+// DeleteExtension deletes a Extension.
+func (service *Service) DeleteExtension(ID portainer.ExtensionID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/init.go

@@ -0,0 +1,133 @@
+package bolt
+
+import portainer "github.com/portainer/portainer/api"
+
+// Init creates the default data set.
+func (store *Store) Init() error {
+	_, err := store.SettingsService.Settings()
+	if err == portainer.ErrObjectNotFound {
+		defaultSettings := &portainer.Settings{
+			AuthenticationMethod: portainer.AuthenticationInternal,
+			BlackListedLabels:    make([]portainer.Pair, 0),
+			LDAPSettings: portainer.LDAPSettings{
+				AnonymousMode:   true,
+				AutoCreateUsers: true,
+				TLSConfig:       portainer.TLSConfiguration{},
+				SearchSettings: []portainer.LDAPSearchSettings{
+					portainer.LDAPSearchSettings{},
+				},
+				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
+					portainer.LDAPGroupSearchSettings{},
+				},
+			},
+			OAuthSettings:                      portainer.OAuthSettings{},
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
+			AllowVolumeBrowserForRegularUsers:  false,
+			EnableHostManagementFeatures:       false,
+			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+			TemplatesURL:                       portainer.DefaultTemplatesURL,
+		}
+
+		err = store.SettingsService.UpdateSettings(defaultSettings)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	_, err = store.DockerHubService.DockerHub()
+	if err == portainer.ErrObjectNotFound {
+		defaultDockerHub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
+		}
+
+		err := store.DockerHubService.UpdateDockerHub(defaultDockerHub)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	groups, err := store.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	if len(groups) == 0 {
+		unassignedGroup := &portainer.EndpointGroup{
+			Name:               "Unassigned",
+			Description:        "Unassigned endpoints",
+			Labels:             []portainer.Pair{},
+			UserAccessPolicies: portainer.UserAccessPolicies{},
+			TeamAccessPolicies: portainer.TeamAccessPolicies{},
+			TagIDs:             []portainer.TagID{},
+		}
+
+		err = store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
+		if err != nil {
+			return err
+		}
+	}
+
+	roles, err := store.RoleService.Roles()
+	if err != nil {
+		return err
+	}
+
+	if len(roles) == 0 {
+		environmentAdministratorRole := &portainer.Role{
+			Name:           "Endpoint administrator",
+			Description:    "Full control of all resources in an endpoint",
+			Priority:       1,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
+		}
+
+		err = store.RoleService.CreateRole(environmentAdministratorRole)
+		if err != nil {
+			return err
+		}
+
+		environmentReadOnlyUserRole := &portainer.Role{
+			Name:           "Helpdesk",
+			Description:    "Read-only access of all resources in an endpoint",
+			Priority:       2,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
+		}
+
+		err = store.RoleService.CreateRole(environmentReadOnlyUserRole)
+		if err != nil {
+			return err
+		}
+
+		standardUserRole := &portainer.Role{
+			Name:           "Standard user",
+			Description:    "Full control of assigned resources in an endpoint",
+			Priority:       3,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
+		}
+
+		err = store.RoleService.CreateRole(standardUserRole)
+		if err != nil {
+			return err
+		}
+
+		readOnlyUserRole := &portainer.Role{
+			Name:           "Read-only user",
+			Description:    "Read-only access of assigned resources in an endpoint",
+			Priority:       4,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
+		}
+
+		err = store.RoleService.CreateRole(readOnlyUserRole)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/internal/db.go

@@ -4,7 +4,7 @@ import (
 	"encoding/binary"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 )
 
 // Itob returns an 8-byte big endian representation of v.
@@ -82,13 +82,15 @@ func DeleteObject(db *bolt.DB, bucketName string, key []byte) error {
 func GetNextIdentifier(db *bolt.DB, bucketName string) int {
 	var identifier int
 
-	db.View(func(tx *bolt.Tx) error {
+	db.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-		id := bucket.Sequence()
+		id, err := bucket.NextSequence()
+		if err != nil {
+			return err
+		}
 		identifier = int(id)
 		return nil
 	})
 
-	identifier++
 	return identifier
 }

api/bolt/internal/json.go

@@ -2,6 +2,8 @@ package internal
 
 import (
 	"encoding/json"
+
+	jsoniter "github.com/json-iterator/go"
 )
 
 // MarshalObject encodes an object to binary format
@@ -13,3 +15,11 @@ func MarshalObject(object interface{}) ([]byte, error) {
 func UnmarshalObject(data []byte, object interface{}) error {
 	return json.Unmarshal(data, object)
 }
+
+// UnmarshalObjectWithJsoniter decodes an object from binary data
+// using the jsoniter library. It is mainly used to accelerate endpoint
+// decoding at the moment.
+func UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
+	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
+	return jsoni.Unmarshal(data, &object)
+}

api/bolt/migrator/migrate_dbversion0.go

@@ -2,8 +2,8 @@ package migrator
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/user"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/user"
 )
 
 func (m *Migrator) updateAdminUserToDBVersion1() error {

api/bolt/migrator/migrate_dbversion1.go

@@ -2,8 +2,8 @@ package migrator
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 )
 
 func (m *Migrator) updateResourceControlsToDBVersion2() error {

api/bolt/migrator/migrate_dbversion10.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateEndpointsToVersion11() error {
 	legacyEndpoints, err := m.endpointService.Endpoints()

api/bolt/migrator/migrate_dbversion11.go

@@ -5,9 +5,9 @@ import (
 	"strings"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
-	"github.com/portainer/portainer/bolt/stack"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+	"github.com/portainer/portainer/api/bolt/stack"
 )
 
 func (m *Migrator) updateEndpointsToVersion12() error {

api/bolt/migrator/migrate_dbversion12.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateSettingsToVersion13() error {
 	legacySettings, err := m.settingsService.Settings()

api/bolt/migrator/migrate_dbversion13.go

@@ -0,0 +1,19 @@
+package migrator
+
+func (m *Migrator) updateResourceControlsToDBVersion14() error {
+	resourceControls, err := m.resourceControlService.ResourceControls()
+	if err != nil {
+		return err
+	}
+
+	for _, resourceControl := range resourceControls {
+		if resourceControl.AdministratorsOnly == true {
+			err = m.resourceControlService.DeleteResourceControl(resourceControl.ID)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion14.go

@@ -0,0 +1,16 @@
+package migrator
+
+func (m *Migrator) updateSettingsToDBVersion15() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.EnableHostManagementFeatures = false
+	return m.settingsService.UpdateSettings(legacySettings)
+}
+
+func (m *Migrator) updateTemplatesToVersion15() error {
+	// Removed with the entire template management layer, part of https://github.com/portainer/portainer/issues/3707
+	return nil
+}

api/bolt/migrator/migrate_dbversion15.go

@@ -0,0 +1,14 @@
+package migrator
+
+func (m *Migrator) updateSettingsToDBVersion16() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	if legacySettings.SnapshotInterval == "" {
+		legacySettings.SnapshotInterval = "5m"
+	}
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion16.go

@@ -0,0 +1,19 @@
+package migrator
+
+func (m *Migrator) updateExtensionsToDBVersion17() error {
+	legacyExtensions, err := m.extensionService.Extensions()
+	if err != nil {
+		return err
+	}
+
+	for _, extension := range legacyExtensions {
+		extension.License.Valid = true
+
+		err = m.extensionService.Persist(&extension)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion17.go

@@ -0,0 +1,125 @@
+package migrator
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+func (m *Migrator) updateUsersToDBVersion18() error {
+	legacyUsers, err := m.userService.Users()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range legacyUsers {
+		user.PortainerAuthorizations = map[portainer.Authorization]bool{
+			portainer.OperationPortainerDockerHubInspect:        true,
+			portainer.OperationPortainerEndpointGroupList:       true,
+			portainer.OperationPortainerEndpointList:            true,
+			portainer.OperationPortainerEndpointInspect:         true,
+			portainer.OperationPortainerEndpointExtensionAdd:    true,
+			portainer.OperationPortainerEndpointExtensionRemove: true,
+			portainer.OperationPortainerExtensionList:           true,
+			portainer.OperationPortainerMOTD:                    true,
+			portainer.OperationPortainerRegistryList:            true,
+			portainer.OperationPortainerRegistryInspect:         true,
+			portainer.OperationPortainerTeamList:                true,
+			portainer.OperationPortainerTemplateList:            true,
+			portainer.OperationPortainerTemplateInspect:         true,
+			portainer.OperationPortainerUserList:                true,
+			portainer.OperationPortainerUserMemberships:         true,
+		}
+
+		err = m.userService.UpdateUser(user.ID, &user)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateEndpointsToDBVersion18() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.UserAccessPolicies = make(portainer.UserAccessPolicies)
+		for _, userID := range endpoint.AuthorizedUsers {
+			endpoint.UserAccessPolicies[userID] = portainer.AccessPolicy{
+				RoleID: 4,
+			}
+		}
+
+		endpoint.TeamAccessPolicies = make(portainer.TeamAccessPolicies)
+		for _, teamID := range endpoint.AuthorizedTeams {
+			endpoint.TeamAccessPolicies[teamID] = portainer.AccessPolicy{
+				RoleID: 4,
+			}
+		}
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateEndpointGroupsToDBVersion18() error {
+	legacyEndpointGroups, err := m.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range legacyEndpointGroups {
+		endpointGroup.UserAccessPolicies = make(portainer.UserAccessPolicies)
+		for _, userID := range endpointGroup.AuthorizedUsers {
+			endpointGroup.UserAccessPolicies[userID] = portainer.AccessPolicy{
+				RoleID: 4,
+			}
+		}
+
+		endpointGroup.TeamAccessPolicies = make(portainer.TeamAccessPolicies)
+		for _, teamID := range endpointGroup.AuthorizedTeams {
+			endpointGroup.TeamAccessPolicies[teamID] = portainer.AccessPolicy{
+				RoleID: 4,
+			}
+		}
+
+		err = m.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateRegistriesToDBVersion18() error {
+	legacyRegistries, err := m.registryService.Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range legacyRegistries {
+		registry.UserAccessPolicies = make(portainer.UserAccessPolicies)
+		for _, userID := range registry.AuthorizedUsers {
+			registry.UserAccessPolicies[userID] = portainer.AccessPolicy{}
+		}
+
+		registry.TeamAccessPolicies = make(portainer.TeamAccessPolicies)
+		for _, teamID := range registry.AuthorizedTeams {
+			registry.TeamAccessPolicies[teamID] = portainer.AccessPolicy{}
+		}
+
+		err = m.registryService.UpdateRegistry(registry.ID, &registry)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion18.go

@@ -0,0 +1,16 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateSettingsToDBVersion19() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	if legacySettings.EdgeAgentCheckinInterval == 0 {
+		legacySettings.EdgeAgentCheckinInterval = portainer.DefaultEdgeAgentCheckinIntervalInSeconds
+	}
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion19.go

@@ -0,0 +1,57 @@
+package migrator
+
+import (
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+func (m *Migrator) updateUsersToDBVersion20() error {
+	return m.authorizationService.UpdateUsersAuthorizations()
+}
+
+func (m *Migrator) updateSettingsToDBVersion20() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowVolumeBrowserForRegularUsers = false
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}
+
+func (m *Migrator) updateSchedulesToDBVersion20() error {
+	legacySchedules, err := m.scheduleService.Schedules()
+	if err != nil {
+		return err
+	}
+
+	for _, schedule := range legacySchedules {
+		if schedule.JobType == portainer.ScriptExecutionJobType {
+			if schedule.CronExpression == "0 0 * * *" {
+				schedule.CronExpression = "0 * * * *"
+			} else if schedule.CronExpression == "0 0 0/2 * *" {
+				schedule.CronExpression = "0 */2 * * *"
+			} else if schedule.CronExpression == "0 0 0 * *" {
+				schedule.CronExpression = "0 0 * * *"
+			} else {
+				revisedCronExpression := strings.Split(schedule.CronExpression, " ")
+				if len(revisedCronExpression) == 5 {
+					continue
+				}
+
+				revisedCronExpression = revisedCronExpression[1:]
+				schedule.CronExpression = strings.Join(revisedCronExpression, " ")
+			}
+
+			err := m.scheduleService.UpdateSchedule(schedule.ID, &schedule)
+			if err != nil {
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion2.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateSettingsToDBVersion3() error {
 	legacySettings, err := m.settingsService.Settings()

api/bolt/migrator/migrate_dbversion20.go

@@ -0,0 +1,82 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateResourceControlsToDBVersion22() error {
+	legacyResourceControls, err := m.resourceControlService.ResourceControls()
+	if err != nil {
+		return err
+	}
+
+	for _, resourceControl := range legacyResourceControls {
+		resourceControl.AdministratorsOnly = false
+
+		err := m.resourceControlService.UpdateResourceControl(resourceControl.ID, &resourceControl)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
+	legacyUsers, err := m.userService.Users()
+	if err != nil {
+		return err
+	}
+
+	settings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range legacyUsers {
+		user.PortainerAuthorizations = portainer.DefaultPortainerAuthorizations()
+		err = m.userService.UpdateUser(user.ID, &user)
+		if err != nil {
+			return err
+		}
+	}
+
+	endpointAdministratorRole, err := m.roleService.Role(portainer.RoleID(1))
+	if err != nil {
+		return err
+	}
+	endpointAdministratorRole.Priority = 1
+	endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
+
+	err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
+
+	helpDeskRole, err := m.roleService.Role(portainer.RoleID(2))
+	if err != nil {
+		return err
+	}
+	helpDeskRole.Priority = 2
+	helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
+
+	err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
+
+	standardUserRole, err := m.roleService.Role(portainer.RoleID(3))
+	if err != nil {
+		return err
+	}
+	standardUserRole.Priority = 3
+	standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
+
+	err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
+
+	readOnlyUserRole, err := m.roleService.Role(portainer.RoleID(4))
+	if err != nil {
+		return err
+	}
+	readOnlyUserRole.Priority = 4
+	readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
+
+	err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
+	if err != nil {
+		return err
+	}
+
+	return m.authorizationService.UpdateUsersAuthorizations()
+}

api/bolt/migrator/migrate_dbversion22.go

@@ -0,0 +1,92 @@
+package migrator
+
+import "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateTagsToDBVersion23() error {
+	tags, err := m.tagService.Tags()
+	if err != nil {
+		return err
+	}
+
+	for _, tag := range tags {
+		tag.EndpointGroups = make(map[portainer.EndpointGroupID]bool)
+		tag.Endpoints = make(map[portainer.EndpointID]bool)
+		err = m.tagService.UpdateTag(tag.ID, &tag)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (m *Migrator) updateEndpointsAndEndpointGroupsToDBVersion23() error {
+	tags, err := m.tagService.Tags()
+	if err != nil {
+		return err
+	}
+
+	tagsNameMap := make(map[string]portainer.Tag)
+	for _, tag := range tags {
+		tagsNameMap[tag.Name] = tag
+	}
+
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		endpointTags := make([]portainer.TagID, 0)
+		for _, tagName := range endpoint.Tags {
+			tag, ok := tagsNameMap[tagName]
+			if ok {
+				endpointTags = append(endpointTags, tag.ID)
+				tag.Endpoints[endpoint.ID] = true
+			}
+		}
+		endpoint.TagIDs = endpointTags
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+
+		relation := &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		}
+
+		err = m.endpointRelationService.CreateEndpointRelation(relation)
+		if err != nil {
+			return err
+		}
+	}
+
+	endpointGroups, err := m.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		endpointGroupTags := make([]portainer.TagID, 0)
+		for _, tagName := range endpointGroup.Tags {
+			tag, ok := tagsNameMap[tagName]
+			if ok {
+				endpointGroupTags = append(endpointGroupTags, tag.ID)
+				tag.EndpointGroups[endpointGroup.ID] = true
+			}
+		}
+		endpointGroup.TagIDs = endpointGroupTags
+		err = m.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, tag := range tagsNameMap {
+		err = m.tagService.UpdateTag(tag.ID, &tag)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

api/bolt/migrator/migrate_dbversion23.go

@@ -0,0 +1,18 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) updateSettingsToDB24() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	if legacySettings.TemplatesURL == "" {
+		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
+
+		return m.settingsService.UpdateSettings(legacySettings)
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion3.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateEndpointsToDBVersion4() error {
 	legacyEndpoints, err := m.endpointService.Endpoints()

api/bolt/migrator/migrate_dbversion7.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateEndpointsToVersion8() error {
 	legacyEndpoints, err := m.endpointService.Endpoints()

api/bolt/migrator/migrate_dbversion8.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateEndpointsToVersion9() error {
 	legacyEndpoints, err := m.endpointService.Endpoints()

api/bolt/migrator/migrate_dbversion9.go

@@ -1,6 +1,6 @@
 package migrator
 
-import "github.com/portainer/portainer"
+import "github.com/portainer/portainer/api"
 
 func (m *Migrator) updateEndpointsToVersion10() error {
 	legacyEndpoints, err := m.endpointService.Endpoints()

api/bolt/migrator/migrator.go

@@ -2,65 +2,95 @@ package migrator
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/endpoint"
-	"github.com/portainer/portainer/bolt/endpointgroup"
-	"github.com/portainer/portainer/bolt/resourcecontrol"
-	"github.com/portainer/portainer/bolt/settings"
-	"github.com/portainer/portainer/bolt/stack"
-	"github.com/portainer/portainer/bolt/user"
-	"github.com/portainer/portainer/bolt/version"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/endpoint"
+	"github.com/portainer/portainer/api/bolt/endpointgroup"
+	"github.com/portainer/portainer/api/bolt/endpointrelation"
+	"github.com/portainer/portainer/api/bolt/extension"
+	"github.com/portainer/portainer/api/bolt/registry"
+	"github.com/portainer/portainer/api/bolt/resourcecontrol"
+	"github.com/portainer/portainer/api/bolt/role"
+	"github.com/portainer/portainer/api/bolt/schedule"
+	"github.com/portainer/portainer/api/bolt/settings"
+	"github.com/portainer/portainer/api/bolt/stack"
+	"github.com/portainer/portainer/api/bolt/tag"
+	"github.com/portainer/portainer/api/bolt/teammembership"
+	"github.com/portainer/portainer/api/bolt/user"
+	"github.com/portainer/portainer/api/bolt/version"
 )
 
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
-		currentDBVersion       int
-		db                     *bolt.DB
-		endpointGroupService   *endpointgroup.Service
-		endpointService        *endpoint.Service
-		resourceControlService *resourcecontrol.Service
-		settingsService        *settings.Service
-		stackService           *stack.Service
-		userService            *user.Service
-		versionService         *version.Service
-		fileService            portainer.FileService
+		currentDBVersion        int
+		db                      *bolt.DB
+		endpointGroupService    *endpointgroup.Service
+		endpointService         *endpoint.Service
+		endpointRelationService *endpointrelation.Service
+		extensionService        *extension.Service
+		registryService         *registry.Service
+		resourceControlService  *resourcecontrol.Service
+		roleService             *role.Service
+		scheduleService         *schedule.Service
+		settingsService         *settings.Service
+		stackService            *stack.Service
+		tagService              *tag.Service
+		teamMembershipService   *teammembership.Service
+		userService             *user.Service
+		versionService          *version.Service
+		fileService             portainer.FileService
+		authorizationService    *portainer.AuthorizationService
 	}
 
 	// Parameters represents the required parameters to create a new Migrator instance.
 	Parameters struct {
-		DB                     *bolt.DB
-		DatabaseVersion        int
-		EndpointGroupService   *endpointgroup.Service
-		EndpointService        *endpoint.Service
-		ResourceControlService *resourcecontrol.Service
-		SettingsService        *settings.Service
-		StackService           *stack.Service
-		UserService            *user.Service
-		VersionService         *version.Service
-		FileService            portainer.FileService
+		DB                      *bolt.DB
+		DatabaseVersion         int
+		EndpointGroupService    *endpointgroup.Service
+		EndpointService         *endpoint.Service
+		EndpointRelationService *endpointrelation.Service
+		ExtensionService        *extension.Service
+		RegistryService         *registry.Service
+		ResourceControlService  *resourcecontrol.Service
+		RoleService             *role.Service
+		ScheduleService         *schedule.Service
+		SettingsService         *settings.Service
+		StackService            *stack.Service
+		TagService              *tag.Service
+		TeamMembershipService   *teammembership.Service
+		UserService             *user.Service
+		VersionService          *version.Service
+		FileService             portainer.FileService
+		AuthorizationService    *portainer.AuthorizationService
 	}
 )
 
 // NewMigrator creates a new Migrator.
 func NewMigrator(parameters *Parameters) *Migrator {
 	return &Migrator{
-		db:                     parameters.DB,
-		currentDBVersion:       parameters.DatabaseVersion,
-		endpointGroupService:   parameters.EndpointGroupService,
-		endpointService:        parameters.EndpointService,
-		resourceControlService: parameters.ResourceControlService,
-		settingsService:        parameters.SettingsService,
-		stackService:           parameters.StackService,
-		userService:            parameters.UserService,
-		versionService:         parameters.VersionService,
-		fileService:            parameters.FileService,
+		db:                      parameters.DB,
+		currentDBVersion:        parameters.DatabaseVersion,
+		endpointGroupService:    parameters.EndpointGroupService,
+		endpointService:         parameters.EndpointService,
+		endpointRelationService: parameters.EndpointRelationService,
+		extensionService:        parameters.ExtensionService,
+		registryService:         parameters.RegistryService,
+		resourceControlService:  parameters.ResourceControlService,
+		roleService:             parameters.RoleService,
+		scheduleService:         parameters.ScheduleService,
+		settingsService:         parameters.SettingsService,
+		tagService:              parameters.TagService,
+		teamMembershipService:   parameters.TeamMembershipService,
+		stackService:            parameters.StackService,
+		userService:             parameters.UserService,
+		versionService:          parameters.VersionService,
+		fileService:             parameters.FileService,
+		authorizationService:    parameters.AuthorizationService,
 	}
 }
 
 // Migrate checks the database version and migrate the existing data to the most recent data model.
 func (m *Migrator) Migrate() error {
-
 	// Portainer < 1.12
 	if m.currentDBVersion < 1 {
 		err := m.updateAdminUserToDBVersion1()
@@ -178,5 +208,125 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// Portainer 1.19.2
+	if m.currentDBVersion < 14 {
+		err := m.updateResourceControlsToDBVersion14()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.20.0
+	if m.currentDBVersion < 15 {
+		err := m.updateSettingsToDBVersion15()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateTemplatesToVersion15()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.currentDBVersion < 16 {
+		err := m.updateSettingsToDBVersion16()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.20.1
+	if m.currentDBVersion < 17 {
+		err := m.updateExtensionsToDBVersion17()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.21.0
+	if m.currentDBVersion < 18 {
+		err := m.updateUsersToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointsToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointGroupsToDBVersion18()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateRegistriesToDBVersion18()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.22.0
+	if m.currentDBVersion < 19 {
+		err := m.updateSettingsToDBVersion19()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.22.1
+	if m.currentDBVersion < 20 {
+		err := m.updateUsersToDBVersion20()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateSettingsToDBVersion20()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateSchedulesToDBVersion20()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.23.0
+	// DBVersion 21 is missing as it was shipped as via hotfix 1.22.2
+	if m.currentDBVersion < 22 {
+		err := m.updateResourceControlsToDBVersion22()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateUsersAndRolesToDBVersion22()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.24.0
+	if m.currentDBVersion < 23 {
+		err := m.updateTagsToDBVersion23()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointsAndEndpointGroupsToDBVersion23()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.0
+	if m.currentDBVersion < 24 {
+		err := m.updateSettingsToDB24()
+		if err != nil {
+			return err
+		}
+	}
+
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }

api/bolt/registry/registry.go

@@ -1,8 +1,8 @@
 package registry
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/resourcecontrol/resourcecontrol.go

@@ -1,8 +1,8 @@
 package resourcecontrol
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )
@@ -42,9 +42,10 @@ func (service *Service) ResourceControl(ID portainer.ResourceControlID) (*portai
 	return &resourceControl, nil
 }
 
-// ResourceControlByResourceID returns a ResourceControl object by checking if the resourceID is equal
-// to the main ResourceID or in SubResourceIDs
-func (service *Service) ResourceControlByResourceID(resourceID string) (*portainer.ResourceControl, error) {
+// ResourceControlByResourceIDAndType returns a ResourceControl object by checking if the resourceID is equal
+// to the main ResourceID or in SubResourceIDs. It also performs a check on the resource type. Return nil
+// if no ResourceControl was found.
+func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
 
 	err := service.db.View(func(tx *bolt.Tx) error {
@@ -58,7 +59,7 @@ func (service *Service) ResourceControlByResourceID(resourceID string) (*portain
 				return err
 			}
 
-			if rc.ResourceID == resourceID {
+			if rc.ResourceID == resourceID && rc.Type == resourceType {
 				resourceControl = &rc
 				break
 			}
@@ -71,10 +72,6 @@ func (service *Service) ResourceControlByResourceID(resourceID string) (*portain
 			}
 		}
 
-		if resourceControl == nil {
-			return portainer.ErrObjectNotFound
-		}
-
 		return nil
 	})
 

api/bolt/role/role.go

@@ -0,0 +1,89 @@
+package role
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "roles"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Role returns a Role by ID
+func (service *Service) Role(ID portainer.RoleID) (*portainer.Role, error) {
+	var set portainer.Role
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &set)
+	if err != nil {
+		return nil, err
+	}
+
+	return &set, nil
+}
+
+// Roles return an array containing all the sets.
+func (service *Service) Roles() ([]portainer.Role, error) {
+	var sets = make([]portainer.Role, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var set portainer.Role
+			err := internal.UnmarshalObject(v, &set)
+			if err != nil {
+				return err
+			}
+			sets = append(sets, set)
+		}
+
+		return nil
+	})
+
+	return sets, err
+}
+
+// CreateRole creates a new Role.
+func (service *Service) CreateRole(role *portainer.Role) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		role.ID = portainer.RoleID(id)
+
+		data, err := internal.MarshalObject(role)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(role.ID)), data)
+	})
+}
+
+// UpdateRole updates a role.
+func (service *Service) UpdateRole(ID portainer.RoleID, role *portainer.Role) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, role)
+}

api/bolt/schedule/schedule.go

@@ -0,0 +1,129 @@
+package schedule
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "schedules"
+)
+
+// Service represents a service for managing schedule data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Schedule returns a schedule by ID.
+func (service *Service) Schedule(ID portainer.ScheduleID) (*portainer.Schedule, error) {
+	var schedule portainer.Schedule
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &schedule)
+	if err != nil {
+		return nil, err
+	}
+
+	return &schedule, nil
+}
+
+// UpdateSchedule updates a schedule.
+func (service *Service) UpdateSchedule(ID portainer.ScheduleID, schedule *portainer.Schedule) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, schedule)
+}
+
+// DeleteSchedule deletes a schedule.
+func (service *Service) DeleteSchedule(ID portainer.ScheduleID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// Schedules return a array containing all the schedules.
+func (service *Service) Schedules() ([]portainer.Schedule, error) {
+	var schedules = make([]portainer.Schedule, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var schedule portainer.Schedule
+			err := internal.UnmarshalObject(v, &schedule)
+			if err != nil {
+				return err
+			}
+			schedules = append(schedules, schedule)
+		}
+
+		return nil
+	})
+
+	return schedules, err
+}
+
+// SchedulesByJobType return a array containing all the schedules
+// with the specified JobType.
+func (service *Service) SchedulesByJobType(jobType portainer.JobType) ([]portainer.Schedule, error) {
+	var schedules = make([]portainer.Schedule, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var schedule portainer.Schedule
+			err := internal.UnmarshalObject(v, &schedule)
+			if err != nil {
+				return err
+			}
+			if schedule.JobType == jobType {
+				schedules = append(schedules, schedule)
+			}
+		}
+
+		return nil
+	})
+
+	return schedules, err
+}
+
+// CreateSchedule assign an ID to a new schedule and saves it.
+func (service *Service) CreateSchedule(schedule *portainer.Schedule) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		// We manually manage sequences for schedules
+		err := bucket.SetSequence(uint64(schedule.ID))
+		if err != nil {
+			return err
+		}
+
+		data, err := internal.MarshalObject(schedule)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(schedule.ID)), data)
+	})
+}
+
+// GetNextIdentifier returns the next identifier for a schedule.
+func (service *Service) GetNextIdentifier() int {
+	return internal.GetNextIdentifier(service.db, BucketName)
+}

api/bolt/settings/settings.go

@@ -1,8 +1,8 @@
 package settings
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/stack/stack.go

@@ -1,8 +1,8 @@
 package stack
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/tag/tag.go

@@ -1,8 +1,8 @@
 package tag
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )
@@ -52,6 +52,19 @@ func (service *Service) Tags() ([]portainer.Tag, error) {
 	return tags, err
 }
 
+// Tag returns a tag by ID.
+func (service *Service) Tag(ID portainer.TagID) (*portainer.Tag, error) {
+	var tag portainer.Tag
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &tag)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tag, nil
+}
+
 // CreateTag creates a new tag.
 func (service *Service) CreateTag(tag *portainer.Tag) error {
 	return service.db.Update(func(tx *bolt.Tx) error {
@@ -69,6 +82,12 @@ func (service *Service) CreateTag(tag *portainer.Tag) error {
 	})
 }
 
+// UpdateTag updates a tag.
+func (service *Service) UpdateTag(ID portainer.TagID, tag *portainer.Tag) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, tag)
+}
+
 // DeleteTag deletes a tag.
 func (service *Service) DeleteTag(ID portainer.TagID) error {
 	identifier := internal.Itob(int(ID))

api/bolt/team/team.go

@@ -1,8 +1,8 @@
 package team
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/teammembership/teammembership.go

@@ -1,8 +1,8 @@
 package teammembership
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/template/template.go

@@ -1,95 +0,0 @@
-package template
-
-import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
-
-	"github.com/boltdb/bolt"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "templates"
-)
-
-// Service represents a service for managing endpoint data.
-type Service struct {
-	db *bolt.DB
-}
-
-// NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		db: db,
-	}, nil
-}
-
-// Templates return an array containing all the templates.
-func (service *Service) Templates() ([]portainer.Template, error) {
-	var templates = make([]portainer.Template, 0)
-
-	err := service.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var template portainer.Template
-			err := internal.UnmarshalObject(v, &template)
-			if err != nil {
-				return err
-			}
-			templates = append(templates, template)
-		}
-
-		return nil
-	})
-
-	return templates, err
-}
-
-// Template returns a template by ID.
-func (service *Service) Template(ID portainer.TemplateID) (*portainer.Template, error) {
-	var template portainer.Template
-	identifier := internal.Itob(int(ID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &template)
-	if err != nil {
-		return nil, err
-	}
-
-	return &template, nil
-}
-
-// CreateTemplate creates a new template.
-func (service *Service) CreateTemplate(template *portainer.Template) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		id, _ := bucket.NextSequence()
-		template.ID = portainer.TemplateID(id)
-
-		data, err := internal.MarshalObject(template)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(template.ID)), data)
-	})
-}
-
-// UpdateTemplate saves a template.
-func (service *Service) UpdateTemplate(ID portainer.TemplateID, template *portainer.Template) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, template)
-}
-
-// DeleteTemplate deletes a template.
-func (service *Service) DeleteTemplate(ID portainer.TemplateID) error {
-	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}

api/bolt/tunnelserver/tunnelserver.go

@@ -0,0 +1,48 @@
+package tunnelserver
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "tunnel_server"
+	infoKey    = "INFO"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Info retrieve the TunnelServerInfo object.
+func (service *Service) Info() (*portainer.TunnelServerInfo, error) {
+	var info portainer.TunnelServerInfo
+
+	err := internal.GetObject(service.db, BucketName, []byte(infoKey), &info)
+	if err != nil {
+		return nil, err
+	}
+
+	return &info, nil
+}
+
+// UpdateInfo persists a TunnelServerInfo object.
+func (service *Service) UpdateInfo(settings *portainer.TunnelServerInfo) error {
+	return internal.UpdateObject(service.db, BucketName, []byte(infoKey), settings)
+}

api/bolt/user/user.go

@@ -1,8 +1,8 @@
 package user
 
 import (
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
 )

api/bolt/version/version.go

@@ -4,8 +4,8 @@ import (
 	"strconv"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
 )
 
 const (

api/bolt/webhook/webhook.go

@@ -0,0 +1,151 @@
+package webhook
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "webhooks"
+)
+
+// Service represents a service for managing webhook data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+//Webhooks returns an array of all webhooks
+func (service *Service) Webhooks() ([]portainer.Webhook, error) {
+	var webhooks = make([]portainer.Webhook, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var webhook portainer.Webhook
+			err := internal.UnmarshalObject(v, &webhook)
+			if err != nil {
+				return err
+			}
+			webhooks = append(webhooks, webhook)
+		}
+
+		return nil
+	})
+
+	return webhooks, err
+}
+
+// Webhook returns a webhook by ID.
+func (service *Service) Webhook(ID portainer.WebhookID) (*portainer.Webhook, error) {
+	var webhook portainer.Webhook
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &webhook)
+	if err != nil {
+		return nil, err
+	}
+
+	return &webhook, nil
+}
+
+// WebhookByResourceID returns a webhook by the ResourceID it is associated with.
+func (service *Service) WebhookByResourceID(ID string) (*portainer.Webhook, error) {
+	var webhook *portainer.Webhook
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var w portainer.Webhook
+			err := internal.UnmarshalObject(v, &w)
+			if err != nil {
+				return err
+			}
+
+			if w.ResourceID == ID {
+				webhook = &w
+				break
+			}
+		}
+
+		if webhook == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		return nil
+	})
+
+	return webhook, err
+}
+
+// WebhookByToken returns a webhook by the random token it is associated with.
+func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error) {
+	var webhook *portainer.Webhook
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var w portainer.Webhook
+			err := internal.UnmarshalObject(v, &w)
+			if err != nil {
+				return err
+			}
+
+			if w.Token == token {
+				webhook = &w
+				break
+			}
+		}
+
+		if webhook == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		return nil
+	})
+
+	return webhook, err
+}
+
+// DeleteWebhook deletes a webhook.
+func (service *Service) DeleteWebhook(ID portainer.WebhookID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// CreateWebhook assign an ID to a new webhook and saves it.
+func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		webhook.ID = portainer.WebhookID(id)
+
+		data, err := internal.MarshalObject(webhook)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(webhook.ID)), data)
+	})
+}

api/chisel/key.go

@@ -0,0 +1,24 @@
+package chisel
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// GenerateEdgeKey will generate a key that can be used by an Edge agent to register with a Portainer instance.
+// The key represents the following data in this particular format:
+// portainer_instance_url|tunnel_server_addr|tunnel_server_fingerprint|endpoint_ID
+// The key returned by this function is a base64 encoded version of the data.
+func (service *Service) GenerateEdgeKey(url, host string, endpointIdentifier int) string {
+	keyInformation := []string{
+		url,
+		fmt.Sprintf("%s:%s", host, service.serverPort),
+		service.serverFingerprint,
+		strconv.Itoa(endpointIdentifier),
+	}
+
+	key := strings.Join(keyInformation, "|")
+	return base64.RawStdEncoding.EncodeToString([]byte(key))
+}

api/chisel/schedules.go

@@ -0,0 +1,47 @@
+package chisel
+
+import (
+	"strconv"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+// AddSchedule register a schedule inside the tunnel details associated to an endpoint.
+func (service *Service) AddSchedule(endpointID portainer.EndpointID, schedule *portainer.EdgeSchedule) {
+	tunnel := service.GetTunnelDetails(endpointID)
+
+	existingScheduleIndex := -1
+	for idx, existingSchedule := range tunnel.Schedules {
+		if existingSchedule.ID == schedule.ID {
+			existingScheduleIndex = idx
+			break
+		}
+	}
+
+	if existingScheduleIndex == -1 {
+		tunnel.Schedules = append(tunnel.Schedules, *schedule)
+	} else {
+		tunnel.Schedules[existingScheduleIndex] = *schedule
+	}
+
+	key := strconv.Itoa(int(endpointID))
+	service.tunnelDetailsMap.Set(key, tunnel)
+}
+
+// RemoveSchedule will remove the specified schedule from each tunnel it was registered with.
+func (service *Service) RemoveSchedule(scheduleID portainer.ScheduleID) {
+	for item := range service.tunnelDetailsMap.IterBuffered() {
+		tunnelDetails := item.Val.(*portainer.TunnelDetails)
+
+		updatedSchedules := make([]portainer.EdgeSchedule, 0)
+		for _, schedule := range tunnelDetails.Schedules {
+			if schedule.ID == scheduleID {
+				continue
+			}
+			updatedSchedules = append(updatedSchedules, schedule)
+		}
+
+		tunnelDetails.Schedules = updatedSchedules
+		service.tunnelDetailsMap.Set(item.Key, tunnelDetails)
+	}
+}

api/chisel/service.go

@@ -0,0 +1,189 @@
+package chisel
+
+import (
+	"fmt"
+	"log"
+	"strconv"
+	"time"
+
+	"github.com/dchest/uniuri"
+
+	cmap "github.com/orcaman/concurrent-map"
+
+	chserver "github.com/jpillora/chisel/server"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	tunnelCleanupInterval = 10 * time.Second
+	requiredTimeout       = 15 * time.Second
+	activeTimeout         = 4*time.Minute + 30*time.Second
+)
+
+// Service represents a service to manage the state of multiple reverse tunnels.
+// It is used to start a reverse tunnel server and to manage the connection status of each tunnel
+// connected to the tunnel server.
+type Service struct {
+	serverFingerprint string
+	serverPort        string
+	tunnelDetailsMap  cmap.ConcurrentMap
+	dataStore         portainer.DataStore
+	snapshotter       portainer.Snapshotter
+	chiselServer      *chserver.Server
+}
+
+// NewService returns a pointer to a new instance of Service
+func NewService(dataStore portainer.DataStore) *Service {
+	return &Service{
+		tunnelDetailsMap: cmap.New(),
+		dataStore:        dataStore,
+	}
+}
+
+// StartTunnelServer starts a tunnel server on the specified addr and port.
+// It uses a seed to generate a new private/public key pair. If the seed cannot
+// be found inside the database, it will generate a new one randomly and persist it.
+// It starts the tunnel status verification process in the background.
+// The snapshotter is used in the tunnel status verification process.
+func (service *Service) StartTunnelServer(addr, port string, snapshotter portainer.Snapshotter) error {
+	keySeed, err := service.retrievePrivateKeySeed()
+	if err != nil {
+		return err
+	}
+
+	config := &chserver.Config{
+		Reverse: true,
+		KeySeed: keySeed,
+	}
+
+	chiselServer, err := chserver.NewServer(config)
+	if err != nil {
+		return err
+	}
+
+	service.serverFingerprint = chiselServer.GetFingerprint()
+	service.serverPort = port
+
+	err = chiselServer.Start(addr, port)
+	if err != nil {
+		return err
+	}
+	service.chiselServer = chiselServer
+
+	// TODO: work-around Chisel default behavior.
+	// By default, Chisel will allow anyone to connect if no user exists.
+	username, password := generateRandomCredentials()
+	err = service.chiselServer.AddUser(username, password, "127.0.0.1")
+	if err != nil {
+		return err
+	}
+
+	service.snapshotter = snapshotter
+	go service.startTunnelVerificationLoop()
+
+	return nil
+}
+
+func (service *Service) retrievePrivateKeySeed() (string, error) {
+	var serverInfo *portainer.TunnelServerInfo
+
+	serverInfo, err := service.dataStore.TunnelServer().Info()
+	if err == portainer.ErrObjectNotFound {
+		keySeed := uniuri.NewLen(16)
+
+		serverInfo = &portainer.TunnelServerInfo{
+			PrivateKeySeed: keySeed,
+		}
+
+		err := service.dataStore.TunnelServer().UpdateInfo(serverInfo)
+		if err != nil {
+			return "", err
+		}
+	} else if err != nil {
+		return "", err
+	}
+
+	return serverInfo.PrivateKeySeed, nil
+}
+
+func (service *Service) startTunnelVerificationLoop() {
+	log.Printf("[DEBUG] [chisel, monitoring] [check_interval_seconds: %f] [message: starting tunnel management process]", tunnelCleanupInterval.Seconds())
+	ticker := time.NewTicker(tunnelCleanupInterval)
+	stopSignal := make(chan struct{})
+
+	for {
+		select {
+		case <-ticker.C:
+			service.checkTunnels()
+		case <-stopSignal:
+			ticker.Stop()
+			return
+		}
+	}
+}
+
+func (service *Service) checkTunnels() {
+	for item := range service.tunnelDetailsMap.IterBuffered() {
+		tunnel := item.Val.(*portainer.TunnelDetails)
+
+		if tunnel.LastActivity.IsZero() || tunnel.Status == portainer.EdgeAgentIdle {
+			continue
+		}
+
+		elapsed := time.Since(tunnel.LastActivity)
+		log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [message: endpoint tunnel monitoring]", item.Key, tunnel.Status, elapsed.Seconds())
+
+		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed.Seconds() < requiredTimeout.Seconds() {
+			continue
+		} else if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed.Seconds() > requiredTimeout.Seconds() {
+			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: REQUIRED state timeout exceeded]", item.Key, tunnel.Status, elapsed.Seconds(), requiredTimeout.Seconds())
+		}
+
+		if tunnel.Status == portainer.EdgeAgentActive && elapsed.Seconds() < activeTimeout.Seconds() {
+			continue
+		} else if tunnel.Status == portainer.EdgeAgentActive && elapsed.Seconds() > activeTimeout.Seconds() {
+			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: ACTIVE state timeout exceeded]", item.Key, tunnel.Status, elapsed.Seconds(), activeTimeout.Seconds())
+
+			endpointID, err := strconv.Atoi(item.Key)
+			if err != nil {
+				log.Printf("[ERROR] [chisel,snapshot,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
+			}
+
+			err = service.snapshotEnvironment(portainer.EndpointID(endpointID), tunnel.Port)
+			if err != nil {
+				log.Printf("[ERROR] [snapshot] Unable to snapshot Edge endpoint (id: %s): %s", item.Key, err)
+			}
+		}
+
+		if len(tunnel.Schedules) > 0 {
+			endpointID, err := strconv.Atoi(item.Key)
+			if err != nil {
+				log.Printf("[ERROR] [chisel,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
+				continue
+			}
+
+			service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
+		} else {
+			service.tunnelDetailsMap.Remove(item.Key)
+		}
+
+	}
+}
+
+func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tunnelPort int) error {
+	endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+	if err != nil {
+		return err
+	}
+
+	endpointURL := endpoint.URL
+	endpoint.URL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnelPort)
+	snapshot, err := service.snapshotter.CreateSnapshot(endpoint)
+	if err != nil {
+		return err
+	}
+
+	endpoint.Snapshots = []portainer.Snapshot{*snapshot}
+	endpoint.URL = endpointURL
+	return service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+}

api/chisel/tunnel.go

@@ -0,0 +1,144 @@
+package chisel
+
+import (
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/portainer/libcrypto"
+
+	"github.com/dchest/uniuri"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	minAvailablePort = 49152
+	maxAvailablePort = 65535
+)
+
+// getUnusedPort is used to generate an unused random port in the dynamic port range.
+// Dynamic ports (also called private ports) are 49152 to 65535.
+func (service *Service) getUnusedPort() int {
+	port := randomInt(minAvailablePort, maxAvailablePort)
+
+	for item := range service.tunnelDetailsMap.IterBuffered() {
+		tunnel := item.Val.(*portainer.TunnelDetails)
+		if tunnel.Port == port {
+			return service.getUnusedPort()
+		}
+	}
+
+	return port
+}
+
+func randomInt(min, max int) int {
+	return min + rand.Intn(max-min)
+}
+
+// GetTunnelDetails returns information about the tunnel associated to an endpoint.
+func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *portainer.TunnelDetails {
+	key := strconv.Itoa(int(endpointID))
+
+	if item, ok := service.tunnelDetailsMap.Get(key); ok {
+		tunnelDetails := item.(*portainer.TunnelDetails)
+		return tunnelDetails
+	}
+
+	schedules := make([]portainer.EdgeSchedule, 0)
+	return &portainer.TunnelDetails{
+		Status:      portainer.EdgeAgentIdle,
+		Port:        0,
+		Schedules:   schedules,
+		Credentials: "",
+	}
+}
+
+// SetTunnelStatusToActive update the status of the tunnel associated to the specified endpoint.
+// It sets the status to ACTIVE.
+func (service *Service) SetTunnelStatusToActive(endpointID portainer.EndpointID) {
+	tunnel := service.GetTunnelDetails(endpointID)
+	tunnel.Status = portainer.EdgeAgentActive
+	tunnel.Credentials = ""
+	tunnel.LastActivity = time.Now()
+
+	key := strconv.Itoa(int(endpointID))
+	service.tunnelDetailsMap.Set(key, tunnel)
+}
+
+// SetTunnelStatusToIdle update the status of the tunnel associated to the specified endpoint.
+// It sets the status to IDLE.
+// It removes any existing credentials associated to the tunnel.
+func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
+	tunnel := service.GetTunnelDetails(endpointID)
+
+	tunnel.Status = portainer.EdgeAgentIdle
+	tunnel.Port = 0
+	tunnel.LastActivity = time.Now()
+
+	credentials := tunnel.Credentials
+	if credentials != "" {
+		tunnel.Credentials = ""
+		service.chiselServer.DeleteUser(strings.Split(credentials, ":")[0])
+	}
+
+	key := strconv.Itoa(int(endpointID))
+	service.tunnelDetailsMap.Set(key, tunnel)
+}
+
+// SetTunnelStatusToRequired update the status of the tunnel associated to the specified endpoint.
+// It sets the status to REQUIRED.
+// If no port is currently associated to the tunnel, it will associate a random unused port to the tunnel
+// and generate temporary credentials that can be used to establish a reverse tunnel on that port.
+// Credentials are encrypted using the Edge ID associated to the endpoint.
+func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointID) error {
+	tunnel := service.GetTunnelDetails(endpointID)
+
+	if tunnel.Port == 0 {
+		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+		if err != nil {
+			return err
+		}
+
+		tunnel.Status = portainer.EdgeAgentManagementRequired
+		tunnel.Port = service.getUnusedPort()
+		tunnel.LastActivity = time.Now()
+
+		username, password := generateRandomCredentials()
+		authorizedRemote := fmt.Sprintf("^R:0.0.0.0:%d$", tunnel.Port)
+		err = service.chiselServer.AddUser(username, password, authorizedRemote)
+		if err != nil {
+			return err
+		}
+
+		credentials, err := encryptCredentials(username, password, endpoint.EdgeID)
+		if err != nil {
+			return err
+		}
+		tunnel.Credentials = credentials
+
+		key := strconv.Itoa(int(endpointID))
+		service.tunnelDetailsMap.Set(key, tunnel)
+	}
+
+	return nil
+}
+
+func generateRandomCredentials() (string, string) {
+	username := uniuri.NewLen(8)
+	password := uniuri.NewLen(8)
+	return username, password
+}
+
+func encryptCredentials(username, password, key string) (string, error) {
+	credentials := fmt.Sprintf("%s:%s", username, password)
+
+	encryptedCredentials, err := libcrypto.Encrypt([]byte(credentials), []byte(key))
+	if err != nil {
+		return "", err
+	}
+
+	return base64.RawStdEncoding.EncodeToString(encryptedCredentials), nil
+}

api/cli/cli.go

@@ -1,9 +1,10 @@
 package cli
 
 import (
+	"log"
 	"time"
 
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 
 	"os"
 	"path/filepath"
@@ -18,11 +19,7 @@ type Service struct{}
 const (
 	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
 	errSocketOrNamedPipeNotFound     = portainer.Error("Unable to locate Unix socket or named pipe")
-	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
-	errTemplateFileNotFound          = portainer.Error("Unable to locate template file on disk")
-	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
 	errInvalidSnapshotInterval       = portainer.Error("Invalid snapshot interval")
-	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
 	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
 	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )
@@ -33,11 +30,12 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 
 	flags := &portainer.CLIFlags{
 		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
+		TunnelAddr:        kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
+		TunnelPort:        kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
 		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
-		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
-		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
+		NoAuth:            kingpin.Flag("no-auth", "Disable authentication (deprecated)").Default(defaultNoAuth).Bool(),
 		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
 		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
 		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
@@ -47,15 +45,12 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
 		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
 		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
-		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
-		Snapshot:          kingpin.Flag("snapshot", "Start a background job to create endpoint snapshots").Default(defaultSnapshot).Bool(),
 		SnapshotInterval:  kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
 		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
 		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:         kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
-		TemplateFile:      kingpin.Flag("template-file", "Path to the templates (app) definitions on the filesystem").Default(defaultTemplateFile).String(),
 	}
 
 	kingpin.Parse()
@@ -74,26 +69,9 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 // ValidateFlags validates the values of the flags.
 func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 
-	if *flags.EndpointURL != "" && *flags.ExternalEndpoints != "" {
-		return errEndpointExcludeExternal
-	}
+	displayDeprecationWarnings(flags)
 
-	err := validateTemplateFile(*flags.TemplateFile)
-	if err != nil {
-		return err
-	}
-
-	err = validateEndpointURL(*flags.EndpointURL)
-	if err != nil {
-		return err
-	}
-
-	err = validateExternalEndpoints(*flags.ExternalEndpoints)
-	if err != nil {
-		return err
-	}
-
-	err = validateSyncInterval(*flags.SyncInterval)
+	err := validateEndpointURL(*flags.EndpointURL)
 	if err != nil {
 		return err
 	}
@@ -114,6 +92,12 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 	return nil
 }
 
+func displayDeprecationWarnings(flags *portainer.CLIFlags) {
+	if *flags.NoAuth {
+		log.Println("Warning: the --no-auth flag is deprecated and will likely be removed in a future version of Portainer.")
+	}
+}
+
 func validateEndpointURL(endpointURL string) error {
 	if endpointURL != "" {
 		if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") && !strings.HasPrefix(endpointURL, "npipe://") {
@@ -134,38 +118,6 @@ func validateEndpointURL(endpointURL string) error {
 	return nil
 }
 
-func validateExternalEndpoints(externalEndpoints string) error {
-	if externalEndpoints != "" {
-		if _, err := os.Stat(externalEndpoints); err != nil {
-			if os.IsNotExist(err) {
-				return errEndpointsFileNotFound
-			}
-			return err
-		}
-	}
-	return nil
-}
-
-func validateTemplateFile(templateFile string) error {
-	if _, err := os.Stat(templateFile); err != nil {
-		if os.IsNotExist(err) {
-			return errTemplateFileNotFound
-		}
-		return err
-	}
-	return nil
-}
-
-func validateSyncInterval(syncInterval string) error {
-	if syncInterval != defaultSyncInterval {
-		_, err := time.ParseDuration(syncInterval)
-		if err != nil {
-			return errInvalidSyncInterval
-		}
-	}
-	return nil
-}
-
 func validateSnapshotInterval(snapshotInterval string) error {
 	if snapshotInterval != defaultSnapshotInterval {
 		_, err := time.ParseDuration(snapshotInterval)

api/cli/defaults.go

@@ -3,21 +3,20 @@
 package cli
 
 const (
-	defaultBindAddress      = ":9000"
-	defaultDataDirectory    = "/data"
-	defaultAssetsDirectory  = "./"
-	defaultNoAuth           = "false"
-	defaultNoAnalytics      = "false"
-	defaultTLS              = "false"
-	defaultTLSSkipVerify    = "false"
-	defaultTLSCACertPath    = "/certs/ca.pem"
-	defaultTLSCertPath      = "/certs/cert.pem"
-	defaultTLSKeyPath       = "/certs/key.pem"
-	defaultSSL              = "false"
-	defaultSSLCertPath      = "/certs/portainer.crt"
-	defaultSSLKeyPath       = "/certs/portainer.key"
-	defaultSyncInterval     = "60s"
-	defaultSnapshot         = "true"
-	defaultSnapshotInterval = "5m"
-	defaultTemplateFile     = "/templates.json"
+	defaultBindAddress         = ":9000"
+	defaultTunnelServerAddress = "0.0.0.0"
+	defaultTunnelServerPort    = "8000"
+	defaultDataDirectory       = "/data"
+	defaultAssetsDirectory     = "./"
+	defaultNoAuth              = "false"
+	defaultNoAnalytics         = "false"
+	defaultTLS                 = "false"
+	defaultTLSSkipVerify       = "false"
+	defaultTLSCACertPath       = "/certs/ca.pem"
+	defaultTLSCertPath         = "/certs/cert.pem"
+	defaultTLSKeyPath          = "/certs/key.pem"
+	defaultSSL                 = "false"
+	defaultSSLCertPath         = "/certs/portainer.crt"
+	defaultSSLKeyPath          = "/certs/portainer.key"
+	defaultSnapshotInterval    = "5m"
 )

api/cli/defaults_windows.go

@@ -1,21 +1,20 @@
 package cli
 
 const (
-	defaultBindAddress      = ":9000"
-	defaultDataDirectory    = "C:\\data"
-	defaultAssetsDirectory  = "./"
-	defaultNoAuth           = "false"
-	defaultNoAnalytics      = "false"
-	defaultTLS              = "false"
-	defaultTLSSkipVerify    = "false"
-	defaultTLSCACertPath    = "C:\\certs\\ca.pem"
-	defaultTLSCertPath      = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath       = "C:\\certs\\key.pem"
-	defaultSSL              = "false"
-	defaultSSLCertPath      = "C:\\certs\\portainer.crt"
-	defaultSSLKeyPath       = "C:\\certs\\portainer.key"
-	defaultSyncInterval     = "60s"
-	defaultSnapshot         = "true"
-	defaultSnapshotInterval = "5m"
-	defaultTemplateFile     = "/templates.json"
+	defaultBindAddress         = ":9000"
+	defaultTunnelServerAddress = "0.0.0.0"
+	defaultTunnelServerPort    = "8000"
+	defaultDataDirectory       = "C:\\data"
+	defaultAssetsDirectory     = "./"
+	defaultNoAuth              = "false"
+	defaultNoAnalytics         = "false"
+	defaultTLS                 = "false"
+	defaultTLSSkipVerify       = "false"
+	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
+	defaultTLSCertPath         = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath          = "C:\\certs\\key.pem"
+	defaultSSL                 = "false"
+	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
+	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
+	defaultSnapshotInterval    = "5m"
 )

api/cli/pairlist.go

@@ -1,7 +1,7 @@
 package cli
 
 import (
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 
 	"fmt"
 	"gopkg.in/alecthomas/kingpin.v2"

api/cmd/portainer/main.go

@@ -1,35 +1,37 @@
-package main // import "github.com/portainer/portainer"
+package main
 
 import (
-	"encoding/json"
-	"strings"
-
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/bolt"
-	"github.com/portainer/portainer/cli"
-	"github.com/portainer/portainer/cron"
-	"github.com/portainer/portainer/crypto"
-	"github.com/portainer/portainer/docker"
-	"github.com/portainer/portainer/exec"
-	"github.com/portainer/portainer/filesystem"
-	"github.com/portainer/portainer/git"
-	"github.com/portainer/portainer/http"
-	"github.com/portainer/portainer/http/client"
-	"github.com/portainer/portainer/jwt"
-	"github.com/portainer/portainer/ldap"
-	"github.com/portainer/portainer/libcompose"
-
 	"log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer/api/chisel"
+
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt"
+	"github.com/portainer/portainer/api/cli"
+	"github.com/portainer/portainer/api/cron"
+	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/docker"
+	"github.com/portainer/portainer/api/exec"
+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/portainer/portainer/api/git"
+	"github.com/portainer/portainer/api/http"
+	"github.com/portainer/portainer/api/http/client"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/libcompose"
 )
 
 func initCLI() *portainer.CLIFlags {
-	var cli portainer.CLIService = &cli.Service{}
-	flags, err := cli.ParseFlags(portainer.APIVersion)
+	var cliService portainer.CLIService = &cli.Service{}
+	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	err = cli.ValidateFlags(flags)
+	err = cliService.ValidateFlags(flags)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -44,7 +46,7 @@ func initFileService(dataStorePath string) portainer.FileService {
 	return fileService
 }
 
-func initStore(dataStorePath string, fileService portainer.FileService) *bolt.Store {
+func initDataStore(dataStorePath string, fileService portainer.FileService) portainer.DataStore {
 	store, err := bolt.NewStore(dataStorePath, fileService)
 	if err != nil {
 		log.Fatal(err)
@@ -67,12 +69,12 @@ func initStore(dataStorePath string, fileService portainer.FileService) *bolt.St
 	return store
 }
 
-func initComposeStackManager(dataStorePath string) portainer.ComposeStackManager {
-	return libcompose.NewComposeStackManager(dataStorePath)
+func initComposeStackManager(dataStorePath string, reverseTunnelService portainer.ReverseTunnelService) portainer.ComposeStackManager {
+	return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
 }
 
-func initSwarmStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService)
+func initSwarmStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (portainer.SwarmStackManager, error) {
+	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService, reverseTunnelService)
 }
 
 func initJWTService(authenticationEnabled bool) portainer.JWTService {
@@ -87,7 +89,7 @@ func initJWTService(authenticationEnabled bool) portainer.JWTService {
 }
 
 func initDigitalSignatureService() portainer.DigitalSignatureService {
-	return &crypto.ECDSAService{}
+	return crypto.NewECDSAService(os.Getenv("AGENT_SECRET"))
 }
 
 func initCryptoService() portainer.CryptoService {
@@ -99,157 +101,117 @@ func initLDAPService() portainer.LDAPService {
 }
 
 func initGitService() portainer.GitService {
-	return &git.Service{}
+	return git.NewService()
 }
 
-func initClientFactory(signatureService portainer.DigitalSignatureService) *docker.ClientFactory {
-	return docker.NewClientFactory(signatureService)
+func initClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
+	return docker.NewClientFactory(signatureService, reverseTunnelService)
 }
 
 func initSnapshotter(clientFactory *docker.ClientFactory) portainer.Snapshotter {
 	return docker.NewSnapshotter(clientFactory)
 }
 
-func initJobScheduler(endpointService portainer.EndpointService, snapshotter portainer.Snapshotter, flags *portainer.CLIFlags) (portainer.JobScheduler, error) {
-	jobScheduler := cron.NewJobScheduler(endpointService, snapshotter)
-
-	if *flags.ExternalEndpoints != "" {
-		log.Println("Using external endpoint definition. Endpoint management via the API will be disabled.")
-		err := jobScheduler.ScheduleEndpointSyncJob(*flags.ExternalEndpoints, *flags.SyncInterval)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if *flags.Snapshot {
-		err := jobScheduler.ScheduleSnapshotJob(*flags.SnapshotInterval)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return jobScheduler, nil
+func initJobScheduler() portainer.JobScheduler {
+	return cron.NewJobScheduler()
 }
 
-func initStatus(endpointManagement, snapshot bool, flags *portainer.CLIFlags) *portainer.Status {
+func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter portainer.Snapshotter, dataStore portainer.DataStore) error {
+	settings, err := dataStore.Settings().Settings()
+	if err != nil {
+		return err
+	}
+
+	schedules, err := dataStore.Schedule().SchedulesByJobType(portainer.SnapshotJobType)
+	if err != nil {
+		return err
+	}
+
+	var snapshotSchedule *portainer.Schedule
+	if len(schedules) == 0 {
+		snapshotJob := &portainer.SnapshotJob{}
+		snapshotSchedule = &portainer.Schedule{
+			ID:             portainer.ScheduleID(dataStore.Schedule().GetNextIdentifier()),
+			Name:           "system_snapshot",
+			CronExpression: "@every " + settings.SnapshotInterval,
+			Recurring:      true,
+			JobType:        portainer.SnapshotJobType,
+			SnapshotJob:    snapshotJob,
+			Created:        time.Now().Unix(),
+		}
+	} else {
+		snapshotSchedule = &schedules[0]
+	}
+
+	snapshotJobContext := cron.NewSnapshotJobContext(dataStore, snapshotter)
+	snapshotJobRunner := cron.NewSnapshotJobRunner(snapshotSchedule, snapshotJobContext)
+
+	err = jobScheduler.ScheduleJob(snapshotJobRunner)
+	if err != nil {
+		return err
+	}
+
+	if len(schedules) == 0 {
+		return dataStore.Schedule().CreateSchedule(snapshotSchedule)
+	}
+	return nil
+}
+
+func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) error {
+	schedules, err := dataStore.Schedule().Schedules()
+	if err != nil {
+		return err
+	}
+
+	for _, schedule := range schedules {
+
+		if schedule.JobType == portainer.ScriptExecutionJobType {
+			jobContext := cron.NewScriptExecutionJobContext(jobService, dataStore, fileService)
+			jobRunner := cron.NewScriptExecutionJobRunner(&schedule, jobContext)
+
+			err = jobScheduler.ScheduleJob(jobRunner)
+			if err != nil {
+				return err
+			}
+		}
+
+		if schedule.EdgeSchedule != nil {
+			for _, endpointID := range schedule.EdgeSchedule.Endpoints {
+				reverseTunnelService.AddSchedule(endpointID, schedule.EdgeSchedule)
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func initStatus(flags *portainer.CLIFlags) *portainer.Status {
 	return &portainer.Status{
-		Analytics:          !*flags.NoAnalytics,
-		Authentication:     !*flags.NoAuth,
-		EndpointManagement: endpointManagement,
-		Snapshot:           snapshot,
-		Version:            portainer.APIVersion,
+		Analytics:      !*flags.NoAnalytics,
+		Authentication: !*flags.NoAuth,
+		Version:        portainer.APIVersion,
 	}
 }
 
-func initDockerHub(dockerHubService portainer.DockerHubService) error {
-	_, err := dockerHubService.DockerHub()
-	if err == portainer.ErrObjectNotFound {
-		dockerhub := &portainer.DockerHub{
-			Authentication: false,
-			Username:       "",
-			Password:       "",
-		}
-		return dockerHubService.UpdateDockerHub(dockerhub)
-	} else if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func initSettings(settingsService portainer.SettingsService, flags *portainer.CLIFlags) error {
-	_, err := settingsService.Settings()
-	if err == portainer.ErrObjectNotFound {
-		settings := &portainer.Settings{
-			LogoURL:              *flags.Logo,
-			AuthenticationMethod: portainer.AuthenticationInternal,
-			LDAPSettings: portainer.LDAPSettings{
-				AutoCreateUsers: true,
-				TLSConfig:       portainer.TLSConfiguration{},
-				SearchSettings: []portainer.LDAPSearchSettings{
-					portainer.LDAPSearchSettings{},
-				},
-				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
-					portainer.LDAPGroupSearchSettings{},
-				},
-			},
-			AllowBindMountsForRegularUsers:     true,
-			AllowPrivilegedModeForRegularUsers: true,
-			SnapshotInterval:                   *flags.SnapshotInterval,
-		}
-
-		if *flags.Labels != nil {
-			settings.BlackListedLabels = *flags.Labels
-		} else {
-			settings.BlackListedLabels = make([]portainer.Pair, 0)
-		}
-
-		return settingsService.UpdateSettings(settings)
-	} else if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func initTemplates(templateService portainer.TemplateService, fileService portainer.FileService, templateURL, templateFile string) error {
-
-	existingTemplates, err := templateService.Templates()
+func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLIFlags) error {
+	settings, err := dataStore.Settings().Settings()
 	if err != nil {
 		return err
 	}
 
-	if len(existingTemplates) != 0 {
-		log.Printf("Templates already registered inside the database. Skipping template import.")
-		return nil
+	settings.LogoURL = *flags.Logo
+	settings.SnapshotInterval = *flags.SnapshotInterval
+
+	if *flags.Templates != "" {
+		settings.TemplatesURL = *flags.Templates
 	}
 
-	var templatesJSON []byte
-	if templateURL == "" {
-		return loadTemplatesFromFile(fileService, templateService, templateFile)
+	if *flags.Labels != nil {
+		settings.BlackListedLabels = *flags.Labels
 	}
 
-	templatesJSON, err = client.Get(templateURL)
-	if err != nil {
-		log.Println("Unable to retrieve templates via HTTP")
-		return err
-	}
-
-	return unmarshalAndPersistTemplates(templateService, templatesJSON)
-}
-
-func loadTemplatesFromFile(fileService portainer.FileService, templateService portainer.TemplateService, templateFile string) error {
-	templatesJSON, err := fileService.GetFileContent(templateFile)
-	if err != nil {
-		log.Println("Unable to retrieve template via filesystem")
-		return err
-	}
-	return unmarshalAndPersistTemplates(templateService, templatesJSON)
-}
-
-func unmarshalAndPersistTemplates(templateService portainer.TemplateService, templateData []byte) error {
-	var templates []portainer.Template
-	err := json.Unmarshal(templateData, &templates)
-	if err != nil {
-		log.Println("Unable to parse templates file. Please review your template definition file.")
-		return err
-	}
-
-	for _, template := range templates {
-		err := templateService.CreateTemplate(&template)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService) *portainer.Endpoint {
-	endpoints, err := endpointService.Endpoints()
-	if err != nil {
-		log.Fatal(err)
-	}
-	return &endpoints[0]
+	return dataStore.Settings().UpdateSettings(settings)
 }
 
 func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
@@ -281,7 +243,7 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	return generateAndStoreKeyPair(fileService, signatureService)
 }
 
-func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
 	tlsConfiguration := portainer.TLSConfiguration{
 		TLS:           *flags.TLS,
 		TLSSkipVerify: *flags.TLSSkipVerify,
@@ -295,20 +257,20 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portain
 		tlsConfiguration.TLS = true
 	}
 
-	endpointID := endpointService.GetNextIdentifier()
+	endpointID := dataStore.Endpoint().GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
-		ID:              portainer.EndpointID(endpointID),
-		Name:            "primary",
-		URL:             *flags.EndpointURL,
-		GroupID:         portainer.EndpointGroupID(1),
-		Type:            portainer.DockerEnvironment,
-		TLSConfig:       tlsConfiguration,
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-		Extensions:      []portainer.EndpointExtension{},
-		Tags:            []string{},
-		Status:          portainer.EndpointStatusUp,
-		Snapshots:       []portainer.Snapshot{},
+		ID:                 portainer.EndpointID(endpointID),
+		Name:               "primary",
+		URL:                *flags.EndpointURL,
+		GroupID:            portainer.EndpointGroupID(1),
+		Type:               portainer.DockerEnvironment,
+		TLSConfig:          tlsConfiguration,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		TagIDs:             []portainer.TagID{},
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
 	}
 
 	if strings.HasPrefix(endpoint.URL, "tcp://") {
@@ -327,10 +289,10 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portain
 		}
 	}
 
-	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
+	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
 }
 
-func createUnsecuredEndpoint(endpointURL string, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
+func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
 		_, err := client.ExecutePingOperation(endpointURL, nil)
 		if err != nil {
@@ -338,26 +300,26 @@ func createUnsecuredEndpoint(endpointURL string, endpointService portainer.Endpo
 		}
 	}
 
-	endpointID := endpointService.GetNextIdentifier()
+	endpointID := dataStore.Endpoint().GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
-		ID:              portainer.EndpointID(endpointID),
-		Name:            "primary",
-		URL:             endpointURL,
-		GroupID:         portainer.EndpointGroupID(1),
-		Type:            portainer.DockerEnvironment,
-		TLSConfig:       portainer.TLSConfiguration{},
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-		Extensions:      []portainer.EndpointExtension{},
-		Tags:            []string{},
-		Status:          portainer.EndpointStatusUp,
-		Snapshots:       []portainer.Snapshot{},
+		ID:                 portainer.EndpointID(endpointID),
+		Name:               "primary",
+		URL:                endpointURL,
+		GroupID:            portainer.EndpointGroupID(1),
+		Type:               portainer.DockerEnvironment,
+		TLSConfig:          portainer.TLSConfiguration{},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		TagIDs:             []portainer.TagID{},
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
 	}
 
-	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
+	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
 }
 
-func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
+func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
 	snapshot, err := snapshotter.CreateSnapshot(endpoint)
 	endpoint.Status = portainer.EndpointStatusUp
 	if err != nil {
@@ -368,15 +330,15 @@ func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, endpointService po
 		endpoint.Snapshots = []portainer.Snapshot{*snapshot}
 	}
 
-	return endpointService.CreateEndpoint(endpoint)
+	return dataStore.Endpoint().CreateEndpoint(endpoint)
 }
 
-func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
+func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
 	if *flags.EndpointURL == "" {
 		return nil
 	}
 
-	endpoints, err := endpointService.Endpoints()
+	endpoints, err := dataStore.Endpoint().Endpoints()
 	if err != nil {
 		return err
 	}
@@ -387,9 +349,39 @@ func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointS
 	}
 
 	if *flags.TLS || *flags.TLSSkipVerify {
-		return createTLSSecuredEndpoint(flags, endpointService, snapshotter)
+		return createTLSSecuredEndpoint(flags, dataStore, snapshotter)
+	}
+	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotter)
+}
+
+func initJobService(dockerClientFactory *docker.ClientFactory) portainer.JobService {
+	return docker.NewJobService(dockerClientFactory)
+}
+
+func initExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) (portainer.ExtensionManager, error) {
+	extensionManager := exec.NewExtensionManager(fileService, dataStore)
+
+	err := extensionManager.StartExtensions()
+	if err != nil {
+		return nil, err
+	}
+
+	return extensionManager, nil
+}
+
+func terminateIfNoAdminCreated(dataStore portainer.DataStore) {
+	timer1 := time.NewTimer(5 * time.Minute)
+	<-timer1.C
+
+	users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if len(users) == 0 {
+		log.Fatal("No administrator account was created after 5 min. Shutting down the Portainer instance for security reasons.")
+		return
 	}
-	return createUnsecuredEndpoint(*flags.EndpointURL, endpointService, snapshotter)
 }
 
 func main() {
@@ -397,8 +389,8 @@ func main() {
 
 	fileService := initFileService(*flags.Data)
 
-	store := initStore(*flags.Data, fileService)
-	defer store.Close()
+	dataStore := initDataStore(*flags.Data, fileService)
+	defer dataStore.Close()
 
 	jwtService := initJWTService(!*flags.NoAuth)
 
@@ -415,47 +407,50 @@ func main() {
 		log.Fatal(err)
 	}
 
-	clientFactory := initClientFactory(digitalSignatureService)
+	extensionManager, err := initExtensionManager(fileService, dataStore)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	reverseTunnelService := chisel.NewService(dataStore)
+
+	clientFactory := initClientFactory(digitalSignatureService, reverseTunnelService)
+
+	jobService := initJobService(clientFactory)
 
 	snapshotter := initSnapshotter(clientFactory)
 
-	jobScheduler, err := initJobScheduler(store.EndpointService, snapshotter, flags)
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	composeStackManager := initComposeStackManager(*flags.Data, reverseTunnelService)
+
+	if dataStore.IsNew() {
+		err = updateSettingsFromFlags(dataStore, flags)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
+	jobScheduler := initJobScheduler()
+
+	err = loadSchedulesFromDatabase(jobScheduler, jobService, dataStore, fileService, reverseTunnelService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = loadSnapshotSystemSchedule(jobScheduler, snapshotter, dataStore)
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	jobScheduler.Start()
 
-	endpointManagement := true
-	if *flags.ExternalEndpoints != "" {
-		endpointManagement = false
-	}
+	applicationStatus := initStatus(flags)
 
-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	composeStackManager := initComposeStackManager(*flags.Data)
-
-	err = initTemplates(store.TemplateService, fileService, *flags.Templates, *flags.TemplateFile)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = initSettings(store.SettingsService, flags)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = initDockerHub(store.DockerHubService)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	applicationStatus := initStatus(endpointManagement, *flags.Snapshot, flags)
-
-	err = initEndpoint(flags, store.EndpointService, snapshotter)
+	err = initEndpoint(flags, dataStore, snapshotter)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -466,7 +461,7 @@ func main() {
 		if err != nil {
 			log.Fatal(err)
 		}
-		adminPasswordHash, err = cryptoService.Hash(string(content))
+		adminPasswordHash, err = cryptoService.Hash(strings.TrimSuffix(string(content), "\n"))
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -475,19 +470,20 @@ func main() {
 	}
 
 	if adminPasswordHash != "" {
-		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
+		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
 		if err != nil {
 			log.Fatal(err)
 		}
 
 		if len(users) == 0 {
-			log.Printf("Creating admin user with password hash %s", adminPasswordHash)
+			log.Println("Created admin user with the given password.")
 			user := &portainer.User{
-				Username: "admin",
-				Role:     portainer.AdministratorRole,
-				Password: adminPasswordHash,
+				Username:                "admin",
+				Role:                    portainer.AdministratorRole,
+				Password:                adminPasswordHash,
+				PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 			}
-			err := store.UserService.CreateUser(user)
+			err := dataStore.User().CreateUser(user)
 			if err != nil {
 				log.Fatal(err)
 			}
@@ -496,37 +492,38 @@ func main() {
 		}
 	}
 
+	if !*flags.NoAuth {
+		go terminateIfNoAdminCreated(dataStore)
+	}
+
+	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotter)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	var server portainer.Server = &http.Server{
-		Status:                 applicationStatus,
-		BindAddress:            *flags.Addr,
-		AssetsPath:             *flags.Assets,
-		AuthDisabled:           *flags.NoAuth,
-		EndpointManagement:     endpointManagement,
-		UserService:            store.UserService,
-		TeamService:            store.TeamService,
-		TeamMembershipService:  store.TeamMembershipService,
-		EndpointService:        store.EndpointService,
-		EndpointGroupService:   store.EndpointGroupService,
-		ResourceControlService: store.ResourceControlService,
-		SettingsService:        store.SettingsService,
-		RegistryService:        store.RegistryService,
-		DockerHubService:       store.DockerHubService,
-		StackService:           store.StackService,
-		TagService:             store.TagService,
-		TemplateService:        store.TemplateService,
-		SwarmStackManager:      swarmStackManager,
-		ComposeStackManager:    composeStackManager,
-		CryptoService:          cryptoService,
-		JWTService:             jwtService,
-		FileService:            fileService,
-		LDAPService:            ldapService,
-		GitService:             gitService,
-		SignatureService:       digitalSignatureService,
-		JobScheduler:           jobScheduler,
-		Snapshotter:            snapshotter,
-		SSL:                    *flags.SSL,
-		SSLCert:                *flags.SSLCert,
-		SSLKey:                 *flags.SSLKey,
+		ReverseTunnelService: reverseTunnelService,
+		Status:               applicationStatus,
+		BindAddress:          *flags.Addr,
+		AssetsPath:           *flags.Assets,
+		AuthDisabled:         *flags.NoAuth,
+		DataStore:            dataStore,
+		SwarmStackManager:    swarmStackManager,
+		ComposeStackManager:  composeStackManager,
+		ExtensionManager:     extensionManager,
+		CryptoService:        cryptoService,
+		JWTService:           jwtService,
+		FileService:          fileService,
+		LDAPService:          ldapService,
+		GitService:           gitService,
+		SignatureService:     digitalSignatureService,
+		JobScheduler:         jobScheduler,
+		Snapshotter:          snapshotter,
+		SSL:                  *flags.SSL,
+		SSLCert:              *flags.SSLCert,
+		SSLKey:               *flags.SSLKey,
+		DockerClientFactory:  clientFactory,
+		JobService:           jobService,
 	}
 
 	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)

api/cron/job_endpoint_snapshot.go

@@ -1,60 +0,0 @@
-package cron
-
-import (
-	"log"
-
-	"github.com/portainer/portainer"
-)
-
-type (
-	endpointSnapshotJob struct {
-		endpointService portainer.EndpointService
-		snapshotter     portainer.Snapshotter
-	}
-)
-
-func newEndpointSnapshotJob(endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) endpointSnapshotJob {
-	return endpointSnapshotJob{
-		endpointService: endpointService,
-		snapshotter:     snapshotter,
-	}
-}
-
-func (job endpointSnapshotJob) Snapshot() error {
-
-	endpoints, err := job.endpointService.Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		if endpoint.Type == portainer.AzureEnvironment {
-			continue
-		}
-
-		snapshot, err := job.snapshotter.CreateSnapshot(&endpoint)
-		endpoint.Status = portainer.EndpointStatusUp
-		if err != nil {
-			log.Printf("cron error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
-			endpoint.Status = portainer.EndpointStatusDown
-		}
-
-		if snapshot != nil {
-			endpoint.Snapshots = []portainer.Snapshot{*snapshot}
-		}
-
-		err = job.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (job endpointSnapshotJob) Run() {
-	err := job.Snapshot()
-	if err != nil {
-		log.Printf("cron error: snapshot job error (err=%s)\n", err)
-	}
-}

api/cron/job_endpoint_sync.go

@@ -1,206 +0,0 @@
-package cron
-
-import (
-	"encoding/json"
-	"io/ioutil"
-	"log"
-	"strings"
-
-	"github.com/portainer/portainer"
-)
-
-type (
-	endpointSyncJob struct {
-		endpointService  portainer.EndpointService
-		endpointFilePath string
-	}
-
-	synchronization struct {
-		endpointsToCreate []*portainer.Endpoint
-		endpointsToUpdate []*portainer.Endpoint
-		endpointsToDelete []*portainer.Endpoint
-	}
-
-	fileEndpoint struct {
-		Name          string `json:"Name"`
-		URL           string `json:"URL"`
-		TLS           bool   `json:"TLS,omitempty"`
-		TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
-		TLSCACert     string `json:"TLSCACert,omitempty"`
-		TLSCert       string `json:"TLSCert,omitempty"`
-		TLSKey        string `json:"TLSKey,omitempty"`
-	}
-)
-
-const (
-	// ErrEmptyEndpointArray is an error raised when the external endpoint source array is empty.
-	ErrEmptyEndpointArray = portainer.Error("External endpoint source is empty")
-)
-
-func newEndpointSyncJob(endpointFilePath string, endpointService portainer.EndpointService) endpointSyncJob {
-	return endpointSyncJob{
-		endpointService:  endpointService,
-		endpointFilePath: endpointFilePath,
-	}
-}
-
-func endpointSyncError(err error) bool {
-	if err != nil {
-		log.Printf("cron error: synchronization job error (err=%s)\n", err)
-		return true
-	}
-	return false
-}
-
-func isValidEndpoint(endpoint *portainer.Endpoint) bool {
-	if endpoint.Name != "" && endpoint.URL != "" {
-		if !strings.HasPrefix(endpoint.URL, "unix://") && !strings.HasPrefix(endpoint.URL, "tcp://") {
-			return false
-		}
-		return true
-	}
-	return false
-}
-
-func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
-	convertedEndpoints := make([]portainer.Endpoint, 0)
-
-	for _, e := range fileEndpoints {
-		endpoint := portainer.Endpoint{
-			Name:      e.Name,
-			URL:       e.URL,
-			TLSConfig: portainer.TLSConfiguration{},
-		}
-		if e.TLS {
-			endpoint.TLSConfig.TLS = true
-			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
-			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
-			endpoint.TLSConfig.TLSCertPath = e.TLSCert
-			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
-		}
-		convertedEndpoints = append(convertedEndpoints, endpoint)
-	}
-
-	return convertedEndpoints
-}
-
-func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
-	for idx, v := range endpoints {
-		if endpoint.Name == v.Name && isValidEndpoint(&v) {
-			return idx
-		}
-	}
-	return -1
-}
-
-func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
-	var endpoint *portainer.Endpoint
-	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
-		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
-		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
-		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
-		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
-		endpoint = original
-		endpoint.URL = updated.URL
-		if updated.TLSConfig.TLS {
-			endpoint.TLSConfig.TLS = true
-			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
-			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
-			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
-			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
-		} else {
-			endpoint.TLSConfig.TLS = false
-			endpoint.TLSConfig.TLSSkipVerify = false
-			endpoint.TLSConfig.TLSCACertPath = ""
-			endpoint.TLSConfig.TLSCertPath = ""
-			endpoint.TLSConfig.TLSKeyPath = ""
-		}
-	}
-	return endpoint
-}
-
-func (sync synchronization) requireSync() bool {
-	if len(sync.endpointsToCreate) != 0 || len(sync.endpointsToUpdate) != 0 || len(sync.endpointsToDelete) != 0 {
-		return true
-	}
-	return false
-}
-
-// TMP: endpointSyncJob method to access logger, should be generic
-func (job endpointSyncJob) prepareSyncData(storedEndpoints, fileEndpoints []portainer.Endpoint) *synchronization {
-	endpointsToCreate := make([]*portainer.Endpoint, 0)
-	endpointsToUpdate := make([]*portainer.Endpoint, 0)
-	endpointsToDelete := make([]*portainer.Endpoint, 0)
-
-	for idx := range storedEndpoints {
-		fidx := endpointExists(&storedEndpoints[idx], fileEndpoints)
-		if fidx != -1 {
-			endpoint := mergeEndpointIfRequired(&storedEndpoints[idx], &fileEndpoints[fidx])
-			if endpoint != nil {
-				log.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
-				endpointsToUpdate = append(endpointsToUpdate, endpoint)
-			}
-		} else {
-			log.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
-			endpointsToDelete = append(endpointsToDelete, &storedEndpoints[idx])
-		}
-	}
-
-	for idx, endpoint := range fileEndpoints {
-		if !isValidEndpoint(&endpoint) {
-			log.Printf("Invalid file endpoint definition, skipping. [name: %v] [url: %v]", endpoint.Name, endpoint.URL)
-			continue
-		}
-		sidx := endpointExists(&fileEndpoints[idx], storedEndpoints)
-		if sidx == -1 {
-			log.Printf("File endpoint not found in database, adding to database. [name: %v] [url: %v]", fileEndpoints[idx].Name, fileEndpoints[idx].URL)
-			endpointsToCreate = append(endpointsToCreate, &fileEndpoints[idx])
-		}
-	}
-
-	return &synchronization{
-		endpointsToCreate: endpointsToCreate,
-		endpointsToUpdate: endpointsToUpdate,
-		endpointsToDelete: endpointsToDelete,
-	}
-}
-
-func (job endpointSyncJob) Sync() error {
-	data, err := ioutil.ReadFile(job.endpointFilePath)
-	if endpointSyncError(err) {
-		return err
-	}
-
-	var fileEndpoints []fileEndpoint
-	err = json.Unmarshal(data, &fileEndpoints)
-	if endpointSyncError(err) {
-		return err
-	}
-
-	if len(fileEndpoints) == 0 {
-		return ErrEmptyEndpointArray
-	}
-
-	storedEndpoints, err := job.endpointService.Endpoints()
-	if endpointSyncError(err) {
-		return err
-	}
-
-	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
-
-	sync := job.prepareSyncData(storedEndpoints, convertedFileEndpoints)
-	if sync.requireSync() {
-		err = job.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
-		if endpointSyncError(err) {
-			return err
-		}
-		log.Printf("Endpoint synchronization ended. [created: %v] [updated: %v] [deleted: %v]", len(sync.endpointsToCreate), len(sync.endpointsToUpdate), len(sync.endpointsToDelete))
-	}
-	return nil
-}
-
-func (job endpointSyncJob) Run() {
-	log.Println("cron: synchronization job started")
-	err := job.Sync()
-	endpointSyncError(err)
-}

api/cron/job_script_execution.go

@@ -0,0 +1,96 @@
+package cron
+
+import (
+	"log"
+	"time"
+
+	"github.com/portainer/portainer/api"
+)
+
+// ScriptExecutionJobRunner is used to run a ScriptExecutionJob
+type ScriptExecutionJobRunner struct {
+	schedule     *portainer.Schedule
+	context      *ScriptExecutionJobContext
+	executedOnce bool
+}
+
+// ScriptExecutionJobContext represents the context of execution of a ScriptExecutionJob
+type ScriptExecutionJobContext struct {
+	dataStore   portainer.DataStore
+	jobService  portainer.JobService
+	fileService portainer.FileService
+}
+
+// NewScriptExecutionJobContext returns a new context that can be used to execute a ScriptExecutionJob
+func NewScriptExecutionJobContext(jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService) *ScriptExecutionJobContext {
+	return &ScriptExecutionJobContext{
+		jobService:  jobService,
+		dataStore:   dataStore,
+		fileService: fileService,
+	}
+}
+
+// NewScriptExecutionJobRunner returns a new runner that can be scheduled
+func NewScriptExecutionJobRunner(schedule *portainer.Schedule, context *ScriptExecutionJobContext) *ScriptExecutionJobRunner {
+	return &ScriptExecutionJobRunner{
+		schedule:     schedule,
+		context:      context,
+		executedOnce: false,
+	}
+}
+
+// Run triggers the execution of the job.
+// It will iterate through all the endpoints specified in the context to
+// execute the script associated to the job.
+func (runner *ScriptExecutionJobRunner) Run() {
+	if !runner.schedule.Recurring && runner.executedOnce {
+		return
+	}
+	runner.executedOnce = true
+
+	scriptFile, err := runner.context.fileService.GetFileContent(runner.schedule.ScriptExecutionJob.ScriptPath)
+	if err != nil {
+		log.Printf("scheduled job error (script execution). Unable to retrieve script file (err=%s)\n", err)
+		return
+	}
+
+	targets := make([]*portainer.Endpoint, 0)
+	for _, endpointID := range runner.schedule.ScriptExecutionJob.Endpoints {
+		endpoint, err := runner.context.dataStore.Endpoint().Endpoint(endpointID)
+		if err != nil {
+			log.Printf("scheduled job error (script execution). Unable to retrieve information about endpoint (id=%d) (err=%s)\n", endpointID, err)
+			return
+		}
+
+		targets = append(targets, endpoint)
+	}
+
+	runner.executeAndRetry(targets, scriptFile, 0)
+}
+
+func (runner *ScriptExecutionJobRunner) executeAndRetry(endpoints []*portainer.Endpoint, script []byte, retryCount int) {
+	retryTargets := make([]*portainer.Endpoint, 0)
+
+	for _, endpoint := range endpoints {
+		err := runner.context.jobService.ExecuteScript(endpoint, "", runner.schedule.ScriptExecutionJob.Image, script, runner.schedule)
+		if err == portainer.ErrUnableToPingEndpoint {
+			retryTargets = append(retryTargets, endpoint)
+		} else if err != nil {
+			log.Printf("scheduled job error (script execution). Unable to execute script (endpoint=%s) (err=%s)\n", endpoint.Name, err)
+		}
+	}
+
+	retryCount++
+	if retryCount >= runner.schedule.ScriptExecutionJob.RetryCount {
+		return
+	}
+
+	time.Sleep(time.Duration(runner.schedule.ScriptExecutionJob.RetryInterval) * time.Second)
+
+	runner.executeAndRetry(retryTargets, script, retryCount)
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *ScriptExecutionJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}

api/cron/job_snapshot.go

@@ -0,0 +1,85 @@
+package cron
+
+import (
+	"log"
+
+	"github.com/portainer/portainer/api"
+)
+
+// SnapshotJobRunner is used to run a SnapshotJob
+type SnapshotJobRunner struct {
+	schedule *portainer.Schedule
+	context  *SnapshotJobContext
+}
+
+// SnapshotJobContext represents the context of execution of a SnapshotJob
+type SnapshotJobContext struct {
+	dataStore   portainer.DataStore
+	snapshotter portainer.Snapshotter
+}
+
+// NewSnapshotJobContext returns a new context that can be used to execute a SnapshotJob
+func NewSnapshotJobContext(dataStore portainer.DataStore, snapshotter portainer.Snapshotter) *SnapshotJobContext {
+	return &SnapshotJobContext{
+		dataStore:   dataStore,
+		snapshotter: snapshotter,
+	}
+}
+
+// NewSnapshotJobRunner returns a new runner that can be scheduled
+func NewSnapshotJobRunner(schedule *portainer.Schedule, context *SnapshotJobContext) *SnapshotJobRunner {
+	return &SnapshotJobRunner{
+		schedule: schedule,
+		context:  context,
+	}
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *SnapshotJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}
+
+// Run triggers the execution of the schedule.
+// It will iterate through all the endpoints available in the database to
+// create a snapshot of each one of them.
+// As a snapshot can be a long process, to avoid any concurrency issue we
+// retrieve the latest version of the endpoint right after a snapshot.
+func (runner *SnapshotJobRunner) Run() {
+	go func() {
+		endpoints, err := runner.context.dataStore.Endpoint().Endpoints()
+		if err != nil {
+			log.Printf("background schedule error (endpoint snapshot). Unable to retrieve endpoint list (err=%s)\n", err)
+			return
+		}
+
+		for _, endpoint := range endpoints {
+			if endpoint.Type == portainer.EdgeAgentEnvironment {
+				continue
+			}
+
+			snapshot, snapshotError := runner.context.snapshotter.CreateSnapshot(&endpoint)
+
+			latestEndpointReference, err := runner.context.dataStore.Endpoint().Endpoint(endpoint.ID)
+			if latestEndpointReference == nil {
+				log.Printf("background schedule error (endpoint snapshot). Endpoint not found inside the database anymore (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+				continue
+			}
+
+			latestEndpointReference.Status = portainer.EndpointStatusUp
+			if snapshotError != nil {
+				log.Printf("background schedule error (endpoint snapshot). Unable to create snapshot (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, snapshotError)
+				latestEndpointReference.Status = portainer.EndpointStatusDown
+			}
+
+			if snapshot != nil {
+				latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
+			}
+
+			err = runner.context.dataStore.Endpoint().UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
+			if err != nil {
+				log.Printf("background schedule error (endpoint snapshot). Unable to update endpoint (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+				return
+			}
+		}
+	}()
+}

api/cron/scheduler.go

@@ -1,80 +1,110 @@
 package cron
 
 import (
-	"log"
-
-	"github.com/portainer/portainer"
-	"github.com/robfig/cron"
+	"github.com/portainer/portainer/api"
+	"github.com/robfig/cron/v3"
 )
 
-// JobScheduler represents a service for managing crons.
+// JobScheduler represents a service for managing crons
 type JobScheduler struct {
-	cron            *cron.Cron
-	endpointService portainer.EndpointService
-	snapshotter     portainer.Snapshotter
-
-	endpointFilePath     string
-	endpointSyncInterval string
+	cron *cron.Cron
 }
 
-// NewJobScheduler initializes a new service.
-func NewJobScheduler(endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) *JobScheduler {
+// NewJobScheduler initializes a new service
+func NewJobScheduler() *JobScheduler {
 	return &JobScheduler{
-		cron:            cron.New(),
-		endpointService: endpointService,
-		snapshotter:     snapshotter,
+		cron: cron.New(),
 	}
 }
 
-// ScheduleEndpointSyncJob schedules a cron job to synchronize the endpoints from a file
-func (scheduler *JobScheduler) ScheduleEndpointSyncJob(endpointFilePath string, interval string) error {
-
-	scheduler.endpointFilePath = endpointFilePath
-	scheduler.endpointSyncInterval = interval
-
-	job := newEndpointSyncJob(endpointFilePath, scheduler.endpointService)
-
-	err := job.Sync()
-	if err != nil {
-		return err
-	}
-
-	return scheduler.cron.AddJob("@every "+interval, job)
+// ScheduleJob schedules the execution of a job via a runner
+func (scheduler *JobScheduler) ScheduleJob(runner portainer.JobRunner) error {
+	_, err := scheduler.cron.AddJob(runner.GetSchedule().CronExpression, runner)
+	return err
 }
 
-// ScheduleSnapshotJob schedules a cron job to create endpoint snapshots
-func (scheduler *JobScheduler) ScheduleSnapshotJob(interval string) error {
-	job := newEndpointSnapshotJob(scheduler.endpointService, scheduler.snapshotter)
+// UpdateSystemJobSchedule updates the first occurence of the specified
+// scheduled job based on the specified job type.
+// It does so by re-creating a new cron
+// and adding all the existing jobs. It will then re-schedule the new job
+// with the update cron expression passed in parameter.
+// NOTE: the cron library do not support updating schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UpdateSystemJobSchedule(jobType portainer.JobType, newCronExpression string) error {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
 
-	err := job.Snapshot()
-	if err != nil {
-		return err
-	}
-
-	return scheduler.cron.AddJob("@every "+interval, job)
-}
-
-// UpdateSnapshotJob will update the schedules to match the new snapshot interval
-func (scheduler *JobScheduler) UpdateSnapshotJob(interval string) {
-	// TODO: the cron library do not support removing/updating schedules.
-	// As a work-around we need to re-create the cron and reschedule the jobs.
-	// We should update the library.
-	jobs := scheduler.cron.Entries()
-	scheduler.cron.Stop()
-
-	scheduler.cron = cron.New()
-
-	for _, job := range jobs {
-		switch job.Job.(type) {
-		case endpointSnapshotJob:
-			scheduler.ScheduleSnapshotJob(interval)
-		case endpointSyncJob:
-			scheduler.ScheduleEndpointSyncJob(scheduler.endpointFilePath, scheduler.endpointSyncInterval)
-		default:
-			log.Println("Unsupported job")
+	for _, entry := range cronEntries {
+		if entry.Job.(portainer.JobRunner).GetSchedule().JobType == jobType {
+			_, err := newCron.AddJob(newCronExpression, entry.Job)
+			if err != nil {
+				return err
+			}
+			continue
 		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
 	}
 
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
+	scheduler.cron.Start()
+	return nil
+}
+
+// UpdateJobSchedule updates a specific scheduled job by re-creating a new cron
+// and adding all the existing jobs. It will then re-schedule the new job
+// via the specified JobRunner parameter.
+// NOTE: the cron library do not support updating schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UpdateJobSchedule(runner portainer.JobRunner) error {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
+
+	for _, entry := range cronEntries {
+
+		if entry.Job.(portainer.JobRunner).GetSchedule().ID == runner.GetSchedule().ID {
+
+			var jobRunner cron.Job = runner
+			if entry.Job.(portainer.JobRunner).GetSchedule().JobType == portainer.SnapshotJobType {
+				jobRunner = entry.Job
+			}
+
+			_, err := newCron.AddJob(runner.GetSchedule().CronExpression, jobRunner)
+			if err != nil {
+				return err
+			}
+			continue
+		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
+	}
+
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
+	scheduler.cron.Start()
+	return nil
+}
+
+// UnscheduleJob remove a scheduled job by re-creating a new cron
+// and adding all the existing jobs except for the one specified via scheduleID.
+// NOTE: the cron library do not support removing schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UnscheduleJob(scheduleID portainer.ScheduleID) {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
+
+	for _, entry := range cronEntries {
+
+		if entry.Job.(portainer.JobRunner).GetSchedule().ID == scheduleID {
+			continue
+		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
+	}
+
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
 	scheduler.cron.Start()
 }
 

api/crypto/ecdsa.go

@@ -3,12 +3,13 @@ package crypto
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/md5"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"math/big"
+
+	"github.com/portainer/libcrypto"
 )
 
 const (
@@ -27,6 +28,15 @@ type ECDSAService struct {
 	privateKey    *ecdsa.PrivateKey
 	publicKey     *ecdsa.PublicKey
 	encodedPubKey string
+	secret        string
+}
+
+// NewECDSAService returns a pointer to a ECDSAService.
+// An optional secret can be specified
+func NewECDSAService(secret string) *ECDSAService {
+	return &ECDSAService{
+		secret: secret,
+	}
 }
 
 // EncodedPublicKey returns the encoded version of the public that can be used
@@ -92,14 +102,18 @@ func (service *ECDSAService) GenerateKeyPair() ([]byte, []byte, error) {
 	return private, public, nil
 }
 
-// Sign creates a signature from a message.
-// It automatically hash the message using MD5 and creates a signature from
+// CreateSignature creates a digital signature.
+// It automatically hash a specific message using MD5 and creates a signature from
 // that hash.
+// If a secret is associated to the service, it will be used instead of the specified
+// message.
 // It then encodes the generated signature in base64.
-func (service *ECDSAService) Sign(message string) (string, error) {
-	digest := md5.New()
-	digest.Write([]byte(message))
-	hash := digest.Sum(nil)
+func (service *ECDSAService) CreateSignature(message string) (string, error) {
+	if service.secret != "" {
+		message = service.secret
+	}
+
+	hash := libcrypto.HashFromBytes([]byte(message))
 
 	r := big.NewInt(0)
 	s := big.NewInt(0)

api/docker/client.go

@@ -1,38 +1,44 @@
 package docker
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/docker/docker/client"
-	"github.com/portainer/portainer"
-	"github.com/portainer/portainer/crypto"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 )
 
 const (
-	unsupportedEnvironmentType = portainer.Error("Environment not supported")
+	unsupportedEnvironmentType  = portainer.Error("Environment not supported")
+	defaultDockerRequestTimeout = 60
+	dockerClientVersion         = "1.37"
 )
 
 // ClientFactory is used to create Docker clients
 type ClientFactory struct {
-	signatureService portainer.DigitalSignatureService
+	signatureService     portainer.DigitalSignatureService
+	reverseTunnelService portainer.ReverseTunnelService
 }
 
 // NewClientFactory returns a new instance of a ClientFactory
-func NewClientFactory(signatureService portainer.DigitalSignatureService) *ClientFactory {
+func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *ClientFactory {
 	return &ClientFactory{
-		signatureService: signatureService,
+		signatureService:     signatureService,
+		reverseTunnelService: reverseTunnelService,
 	}
 }
 
 // CreateClient is a generic function to create a Docker client based on
-// a specific endpoint configuration
-func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint) (*client.Client, error) {
-	if endpoint.Type == portainer.AzureEnvironment {
-		return nil, unsupportedEnvironmentType
-	} else if endpoint.Type == portainer.AgentOnDockerEnvironment {
-		return createAgentClient(endpoint, factory.signatureService)
+// a specific endpoint configuration. The nodeName parameter can be used
+// with an agent enabled endpoint to target a specific node in an agent cluster.
+func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string) (*client.Client, error) {
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		return createAgentClient(endpoint, factory.signatureService, nodeName)
+	} else if endpoint.Type == portainer.EdgeAgentEnvironment {
+		return createEdgeClient(endpoint, factory.reverseTunnelService, nodeName)
 	}
 
 	if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
@@ -44,7 +50,7 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint) (*clien
 func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(portainer.SupportedDockerAPIVersion),
+		client.WithVersion(dockerClientVersion),
 	)
 }
 
@@ -56,18 +62,40 @@ func createTCPClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(portainer.SupportedDockerAPIVersion),
+		client.WithVersion(dockerClientVersion),
 		client.WithHTTPClient(httpCli),
 	)
 }
 
-func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService) (*client.Client, error) {
+func createEdgeClient(endpoint *portainer.Endpoint, reverseTunnelService portainer.ReverseTunnelService, nodeName string) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint)
 	if err != nil {
 		return nil, err
 	}
 
-	signature, err := signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	headers := map[string]string{}
+	if nodeName != "" {
+		headers[portainer.PortainerAgentTargetHeader] = nodeName
+	}
+
+	tunnel := reverseTunnelService.GetTunnelDetails(endpoint.ID)
+	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+
+	return client.NewClientWithOpts(
+		client.WithHost(endpointURL),
+		client.WithVersion(dockerClientVersion),
+		client.WithHTTPClient(httpCli),
+		client.WithHTTPHeaders(headers),
+	)
+}
+
+func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string) (*client.Client, error) {
+	httpCli, err := httpClient(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
 	if err != nil {
 		return nil, err
 	}
@@ -77,9 +105,13 @@ func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.
 		portainer.PortainerAgentSignatureHeader: signature,
 	}
 
+	if nodeName != "" {
+		headers[portainer.PortainerAgentTargetHeader] = nodeName
+	}
+
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(portainer.SupportedDockerAPIVersion),
+		client.WithVersion(dockerClientVersion),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
 	)
@@ -97,7 +129,7 @@ func httpClient(endpoint *portainer.Endpoint) (*http.Client, error) {
 	}
 
 	return &http.Client{
-		Timeout:   time.Second * 10,
 		Transport: transport,
+		Timeout:   defaultDockerRequestTimeout * time.Second,
 	}, nil
 }

api/docker/job.go

@@ -0,0 +1,115 @@
+package docker
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"io/ioutil"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/client"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"
+)
+
+// JobService represents a service that handles the execution of jobs
+type JobService struct {
+	dockerClientFactory *ClientFactory
+}
+
+// NewJobService returns a pointer to a new job service
+func NewJobService(dockerClientFactory *ClientFactory) *JobService {
+	return &JobService{
+		dockerClientFactory: dockerClientFactory,
+	}
+}
+
+// ExecuteScript will leverage a privileged container to execute a script against the specified endpoint/nodename.
+// It will copy the script content specified as a parameter inside a container based on the specified image and execute it.
+func (service *JobService) ExecuteScript(endpoint *portainer.Endpoint, nodeName, image string, script []byte, schedule *portainer.Schedule) error {
+	buffer, err := archive.TarFileInBuffer(script, "script.sh", 0700)
+	if err != nil {
+		return err
+	}
+
+	cli, err := service.dockerClientFactory.CreateClient(endpoint, nodeName)
+	if err != nil {
+		return err
+	}
+	defer cli.Close()
+
+	_, err = cli.Ping(context.Background())
+	if err != nil {
+		return portainer.ErrUnableToPingEndpoint
+	}
+
+	err = pullImage(cli, image)
+	if err != nil {
+		return err
+	}
+
+	containerConfig := &container.Config{
+		AttachStdin:  true,
+		AttachStdout: true,
+		AttachStderr: true,
+		Tty:          true,
+		WorkingDir:   "/tmp",
+		Image:        image,
+		Labels: map[string]string{
+			"io.portainer.job.endpoint": strconv.Itoa(int(endpoint.ID)),
+		},
+		Cmd: strslice.StrSlice([]string{"sh", "/tmp/script.sh"}),
+	}
+
+	if schedule != nil {
+		containerConfig.Labels["io.portainer.schedule.id"] = strconv.Itoa(int(schedule.ID))
+	}
+
+	hostConfig := &container.HostConfig{
+		Binds:       []string{"/:/host", "/etc:/etc:ro", "/usr:/usr:ro", "/run:/run:ro", "/sbin:/sbin:ro", "/var:/var:ro"},
+		NetworkMode: "host",
+		Privileged:  true,
+	}
+
+	networkConfig := &network.NetworkingConfig{}
+
+	body, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, networkConfig, "")
+	if err != nil {
+		return err
+	}
+
+	if schedule != nil {
+		err = cli.ContainerRename(context.Background(), body.ID, schedule.Name+"_"+body.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	copyOptions := types.CopyToContainerOptions{}
+	err = cli.CopyToContainer(context.Background(), body.ID, "/tmp", bytes.NewReader(buffer), copyOptions)
+	if err != nil {
+		return err
+	}
+
+	startOptions := types.ContainerStartOptions{}
+	return cli.ContainerStart(context.Background(), body.ID, startOptions)
+}
+
+func pullImage(cli *client.Client, image string) error {
+	imageReadCloser, err := cli.ImagePull(context.Background(), image, types.ImagePullOptions{})
+	if err != nil {
+		return err
+	}
+	defer imageReadCloser.Close()
+
+	_, err = io.Copy(ioutil.Discard, imageReadCloser)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/docker/snapshot.go

@@ -2,15 +2,17 @@ package docker
 
 import (
 	"context"
+	"log"
+	"strings"
 	"time"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 )
 
-func snapshot(cli *client.Client) (*portainer.Snapshot, error) {
+func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
 	_, err := cli.Ping(context.Background())
 	if err != nil {
 		return nil, err
@@ -22,29 +24,44 @@ func snapshot(cli *client.Client) (*portainer.Snapshot, error) {
 
 	err = snapshotInfo(snapshot, cli)
 	if err != nil {
-		return nil, err
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot engine information] [endpoint: %s] [err: %s]", endpoint.Name, err)
 	}
 
 	if snapshot.Swarm {
 		err = snapshotSwarmServices(snapshot, cli)
 		if err != nil {
-			return nil, err
+			log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot Swarm services] [endpoint: %s] [err: %s]", endpoint.Name, err)
+		}
+
+		err = snapshotNodes(snapshot, cli)
+		if err != nil {
+			log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot Swarm nodes] [endpoint: %s] [err: %s]", endpoint.Name, err)
 		}
 	}
 
 	err = snapshotContainers(snapshot, cli)
 	if err != nil {
-		return nil, err
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot containers] [endpoint: %s] [err: %s]", endpoint.Name, err)
 	}
 
 	err = snapshotImages(snapshot, cli)
 	if err != nil {
-		return nil, err
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: %s] [err: %s]", endpoint.Name, err)
 	}
 
 	err = snapshotVolumes(snapshot, cli)
 	if err != nil {
-		return nil, err
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: %s] [err: %s]", endpoint.Name, err)
+	}
+
+	err = snapshotNetworks(snapshot, cli)
+	if err != nil {
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot networks] [endpoint: %s] [err: %s]", endpoint.Name, err)
+	}
+
+	err = snapshotVersion(snapshot, cli)
+	if err != nil {
+		log.Printf("[WARN] [docker,snapshot] [message: unable to snapshot engine version] [endpoint: %s] [err: %s]", endpoint.Name, err)
 	}
 
 	snapshot.Time = time.Now().Unix()
@@ -61,6 +78,23 @@ func snapshotInfo(snapshot *portainer.Snapshot, cli *client.Client) error {
 	snapshot.DockerVersion = info.ServerVersion
 	snapshot.TotalCPU = info.NCPU
 	snapshot.TotalMemory = info.MemTotal
+	snapshot.SnapshotRaw.Info = info
+	return nil
+}
+
+func snapshotNodes(snapshot *portainer.Snapshot, cli *client.Client) error {
+	nodes, err := cli.NodeList(context.Background(), types.NodeListOptions{})
+	if err != nil {
+		return err
+	}
+	var nanoCpus int64
+	var totalMem int64
+	for _, node := range nodes {
+		nanoCpus += node.Description.Resources.NanoCPUs
+		totalMem += node.Description.Resources.MemoryBytes
+	}
+	snapshot.TotalCPU = int(nanoCpus / 1e9)
+	snapshot.TotalMemory = totalMem
 	return nil
 }
 
@@ -93,6 +127,8 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error
 
 	runningContainers := 0
 	stoppedContainers := 0
+	healthyContainers := 0
+	unhealthyContainers := 0
 	stacks := make(map[string]struct{})
 	for _, container := range containers {
 		if container.State == "exited" {
@@ -101,6 +137,12 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error
 			runningContainers++
 		}
 
+		if strings.Contains(container.Status, "(healthy)") {
+			healthyContainers++
+		} else if strings.Contains(container.Status, "(unhealthy)") {
+			unhealthyContainers++
+		}
+
 		for k, v := range container.Labels {
 			if k == "com.docker.compose.project" {
 				stacks[v] = struct{}{}
@@ -110,7 +152,10 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error
 
 	snapshot.RunningContainerCount = runningContainers
 	snapshot.StoppedContainerCount = stoppedContainers
+	snapshot.HealthyContainerCount = healthyContainers
+	snapshot.UnhealthyContainerCount = unhealthyContainers
 	snapshot.StackCount += len(stacks)
+	snapshot.SnapshotRaw.Containers = containers
 	return nil
 }
 
@@ -121,6 +166,7 @@ func snapshotImages(snapshot *portainer.Snapshot, cli *client.Client) error {
 	}
 
 	snapshot.ImageCount = len(images)
+	snapshot.SnapshotRaw.Images = images
 	return nil
 }
 
@@ -131,5 +177,24 @@ func snapshotVolumes(snapshot *portainer.Snapshot, cli *client.Client) error {
 	}
 
 	snapshot.VolumeCount = len(volumes.Volumes)
+	snapshot.SnapshotRaw.Volumes = volumes
+	return nil
+}
+
+func snapshotNetworks(snapshot *portainer.Snapshot, cli *client.Client) error {
+	networks, err := cli.NetworkList(context.Background(), types.NetworkListOptions{})
+	if err != nil {
+		return err
+	}
+	snapshot.SnapshotRaw.Networks = networks
+	return nil
+}
+
+func snapshotVersion(snapshot *portainer.Snapshot, cli *client.Client) error {
+	version, err := cli.ServerVersion(context.Background())
+	if err != nil {
+		return err
+	}
+	snapshot.SnapshotRaw.Version = version
 	return nil
 }

api/docker/snapshotter.go

@@ -1,7 +1,7 @@
 package docker
 
 import (
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 )
 
 // Snapshotter represents a service used to create endpoint snapshots
@@ -18,10 +18,11 @@ func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {
 
 // CreateSnapshot creates a snapshot of a specific endpoint
 func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
-	cli, err := snapshotter.clientFactory.CreateClient(endpoint)
+	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
 	if err != nil {
 		return nil, err
 	}
+	defer cli.Close()
 
-	return snapshot(cli)
+	return snapshot(cli, endpoint)
 }

api/edgegroup.go

@@ -0,0 +1,54 @@
+package portainer
+
+// EdgeGroupRelatedEndpoints returns a list of endpoints related to this Edge group
+func EdgeGroupRelatedEndpoints(edgeGroup *EdgeGroup, endpoints []Endpoint, endpointGroups []EndpointGroup) []EndpointID {
+	if !edgeGroup.Dynamic {
+		return edgeGroup.Endpoints
+	}
+
+	endpointIDs := []EndpointID{}
+	for _, endpoint := range endpoints {
+		if endpoint.Type != EdgeAgentEnvironment {
+			continue
+		}
+
+		var endpointGroup EndpointGroup
+		for _, group := range endpointGroups {
+			if endpoint.GroupID == group.ID {
+				endpointGroup = group
+				break
+			}
+		}
+
+		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
+			endpointIDs = append(endpointIDs, endpoint.ID)
+		}
+	}
+
+	return endpointIDs
+}
+
+// edgeGroupRelatedToEndpoint returns true is edgeGroup is associated with endpoint
+func edgeGroupRelatedToEndpoint(edgeGroup *EdgeGroup, endpoint *Endpoint, endpointGroup *EndpointGroup) bool {
+	if !edgeGroup.Dynamic {
+		for _, endpointID := range edgeGroup.Endpoints {
+			if endpoint.ID == endpointID {
+				return true
+			}
+		}
+		return false
+	}
+
+	endpointTags := TagSet(endpoint.TagIDs)
+	if endpointGroup.TagIDs != nil {
+		endpointTags = TagUnion(endpointTags, TagSet(endpointGroup.TagIDs))
+	}
+	edgeGroupTags := TagSet(edgeGroup.TagIDs)
+
+	if edgeGroup.PartialMatch {
+		intersection := TagIntersection(endpointTags, edgeGroupTags)
+		return len(intersection) != 0
+	}
+
+	return TagContains(edgeGroupTags, endpointTags)
+}

api/edgestack.go

@@ -0,0 +1,27 @@
+package portainer
+
+import "errors"
+
+// EdgeStackRelatedEndpoints returns a list of endpoints related to this Edge stack
+func EdgeStackRelatedEndpoints(edgeGroupIDs []EdgeGroupID, endpoints []Endpoint, endpointGroups []EndpointGroup, edgeGroups []EdgeGroup) ([]EndpointID, error) {
+	edgeStackEndpoints := []EndpointID{}
+
+	for _, edgeGroupID := range edgeGroupIDs {
+		var edgeGroup *EdgeGroup
+
+		for _, group := range edgeGroups {
+			if group.ID == edgeGroupID {
+				edgeGroup = &group
+				break
+			}
+		}
+
+		if edgeGroup == nil {
+			return nil, errors.New("Edge group was not found")
+		}
+
+		edgeStackEndpoints = append(edgeStackEndpoints, EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)...)
+	}
+
+	return edgeStackEndpoints, nil
+}

api/endpoint.go

@@ -0,0 +1,25 @@
+package portainer
+
+// EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Endpoint
+func EndpointRelatedEdgeStacks(endpoint *Endpoint, endpointGroup *EndpointGroup, edgeGroups []EdgeGroup, edgeStacks []EdgeStack) []EdgeStackID {
+	relatedEdgeGroupsSet := map[EdgeGroupID]bool{}
+
+	for _, edgeGroup := range edgeGroups {
+		if edgeGroupRelatedToEndpoint(&edgeGroup, endpoint, endpointGroup) {
+			relatedEdgeGroupsSet[edgeGroup.ID] = true
+		}
+	}
+
+	relatedEdgeStacks := []EdgeStackID{}
+	for _, edgeStack := range edgeStacks {
+		for _, edgeGroupID := range edgeStack.EdgeGroups {
+			if relatedEdgeGroupsSet[edgeGroupID] {
+				relatedEdgeStacks = append(relatedEdgeStacks, edgeStack.ID)
+				break
+			}
+		}
+	}
+
+	return relatedEdgeStacks
+
+}

api/errors.go

@@ -4,6 +4,7 @@ package portainer
 const (
 	ErrUnauthorized           = Error("Unauthorized")
 	ErrResourceAccessDenied   = Error("Access denied to resource")
+	ErrAuthorizationRequired  = Error("Authorization required for this operation")
 	ErrObjectNotFound         = Error("Object not found inside the database")
 	ErrMissingSecurityContext = Error("Unable to find security details in request context")
 )
@@ -38,11 +39,6 @@ const (
 	ErrEndpointAccessDenied = Error("Access denied to endpoint")
 )
 
-// Azure environment errors
-const (
-	ErrAzureInvalidCredentials = Error("Invalid Azure credentials")
-)
-
 // Endpoint group errors.
 const (
 	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
@@ -88,8 +84,29 @@ const (
 	ErrUndefinedTLSFileType = Error("Undefined TLS file type")
 )
 
+// Extension errors.
+const (
+	ErrExtensionAlreadyEnabled = Error("This extension is already enabled")
+)
+
+// Docker errors.
+const (
+	ErrUnableToPingEndpoint = Error("Unable to communicate with the endpoint")
+)
+
+// Schedule errors.
+const (
+	ErrHostManagementFeaturesDisabled = Error("Host management features are disabled")
+)
+
 // Error represents an application error.
 type Error string
 
 // Error returns the error message.
 func (e Error) Error() string { return string(e) }
+
+// Webhook errors
+const (
+	ErrWebhookAlreadyExists   = Error("A webhook for this resource already exists")
+	ErrUnsupportedWebhookType = Error("Webhooks for this resource are not currently supported")
+)

api/exec/extension.go

@@ -0,0 +1,313 @@
+package exec
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-semver/semver"
+
+	"github.com/orcaman/concurrent-map"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/client"
+)
+
+var extensionDownloadBaseURL = portainer.AssetsServerURL + "/extensions/"
+var extensionVersionRegexp = regexp.MustCompile(`\d+(\.\d+)+`)
+
+var extensionBinaryMap = map[portainer.ExtensionID]string{
+	portainer.RegistryManagementExtension:  "extension-registry-management",
+	portainer.OAuthAuthenticationExtension: "extension-oauth-authentication",
+	portainer.RBACExtension:                "extension-rbac",
+}
+
+// ExtensionManager represents a service used to
+// manage extension processes.
+type ExtensionManager struct {
+	processes   cmap.ConcurrentMap
+	fileService portainer.FileService
+	dataStore   portainer.DataStore
+}
+
+// NewExtensionManager returns a pointer to an ExtensionManager
+func NewExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) *ExtensionManager {
+	return &ExtensionManager{
+		processes:   cmap.New(),
+		fileService: fileService,
+		dataStore:   dataStore,
+	}
+}
+
+func processKey(ID portainer.ExtensionID) string {
+	return strconv.Itoa(int(ID))
+}
+
+func buildExtensionURL(extension *portainer.Extension) string {
+	return fmt.Sprintf("%s%s-%s-%s-%s.zip", extensionDownloadBaseURL, extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+}
+
+func buildExtensionPath(binaryPath string, extension *portainer.Extension) string {
+	extensionFilename := fmt.Sprintf("%s-%s-%s-%s", extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+	if runtime.GOOS == "windows" {
+		extensionFilename += ".exe"
+	}
+
+	extensionPath := path.Join(
+		binaryPath,
+		extensionFilename)
+
+	return extensionPath
+}
+
+// FetchExtensionDefinitions will fetch the list of available
+// extension definitions from the official Portainer assets server.
+// If it cannot retrieve the data from the Internet it will fallback to the locally cached
+// manifest file.
+func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extension, error) {
+	var extensionData []byte
+
+	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 5)
+	if err != nil {
+		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extensions manifest via Internet. Extensions will be retrieved from local cache and might not be up to date] [err: %s]", err)
+
+		extensionData, err = manager.fileService.GetFileContent(portainer.LocalExtensionManifestFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var extensions []portainer.Extension
+	err = json.Unmarshal(extensionData, &extensions)
+	if err != nil {
+		return nil, err
+	}
+
+	return extensions, nil
+}
+
+// InstallExtension will install the extension from an archive. It will extract the extension version number from
+// the archive file name first and return an error if the file name is not valid (cannot find extension version).
+// It will then extract the archive and execute the EnableExtension function to enable the extension.
+// Since we're missing information about this extension (stored on Portainer.io server) we need to assume
+// default information based on the extension ID.
+func (manager *ExtensionManager) InstallExtension(extension *portainer.Extension, licenseKey string, archiveFileName string, extensionArchive []byte) error {
+	extensionVersion := extensionVersionRegexp.FindString(archiveFileName)
+	if extensionVersion == "" {
+		return errors.New("invalid extension archive filename: unable to retrieve extension version")
+	}
+
+	err := manager.fileService.ExtractExtensionArchive(extensionArchive)
+	if err != nil {
+		return err
+	}
+
+	switch extension.ID {
+	case portainer.RegistryManagementExtension:
+		extension.Name = "Registry Manager"
+	case portainer.OAuthAuthenticationExtension:
+		extension.Name = "External Authentication"
+	case portainer.RBACExtension:
+		extension.Name = "Role-Based Access Control"
+	}
+	extension.ShortDescription = "Extension enabled offline"
+	extension.Version = extensionVersion
+	extension.Available = true
+
+	return manager.EnableExtension(extension, licenseKey)
+}
+
+// EnableExtension will check for the existence of the extension binary on the filesystem
+// first. If it does not exist, it will download it from the official Portainer assets server.
+// After installing the binary on the filesystem, it will execute the binary in license check
+// mode to validate the extension license. If the license is valid, it will then start
+// the extension process and register it in the processes map.
+func (manager *ExtensionManager) EnableExtension(extension *portainer.Extension, licenseKey string) error {
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	extensionBinaryExists, err := manager.fileService.FileExists(extensionBinaryPath)
+	if err != nil {
+		return err
+	}
+
+	if !extensionBinaryExists {
+		err := manager.downloadExtension(extension)
+		if err != nil {
+			return err
+		}
+	}
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, licenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.License = portainer.LicenseInformation{
+		LicenseKey: licenseKey,
+		Company:    licenseDetails[0],
+		Expiration: licenseDetails[1],
+		Valid:      true,
+	}
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+// DisableExtension will retrieve the process associated to the extension
+// from the processes map and kill the process. It will then remove the process
+// from the processes map and remove the binary associated to the extension
+// from the filesystem
+func (manager *ExtensionManager) DisableExtension(extension *portainer.Extension) error {
+	process, ok := manager.processes.Get(processKey(extension.ID))
+	if !ok {
+		return nil
+	}
+
+	err := process.(*exec.Cmd).Process.Kill()
+	if err != nil {
+		return err
+	}
+
+	manager.processes.Remove(processKey(extension.ID))
+
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	return manager.fileService.RemoveDirectory(extensionBinaryPath)
+}
+
+// StartExtensions will retrieve the extensions definitions from the Internet and check if a new version of each
+// extension is available. If so, it will automatically install the new version of the extension. If no update is
+// available it will simply start the extension.
+// The purpose of this function is to be ran at startup, as such most of the error handling won't block the program execution
+// and will log warning messages instead.
+func (manager *ExtensionManager) StartExtensions() error {
+	extensions, err := manager.dataStore.Extension().Extensions()
+	if err != nil {
+		return err
+	}
+
+	definitions, err := manager.FetchExtensionDefinitions()
+	if err != nil {
+		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extension information from Internet. Skipping extensions update check.] [err: %s]", err)
+		return nil
+	}
+
+	return manager.updateAndStartExtensions(extensions, definitions)
+}
+
+func (manager *ExtensionManager) updateAndStartExtensions(extensions []portainer.Extension, definitions []portainer.Extension) error {
+	for _, definition := range definitions {
+		for _, extension := range extensions {
+			if extension.ID == definition.ID {
+				definitionVersion := semver.New(definition.Version)
+				extensionVersion := semver.New(extension.Version)
+
+				if extensionVersion.LessThan(*definitionVersion) {
+					log.Printf("[INFO] [exec,extensions] [message: new version detected, updating extension] [extension: %s] [current_version: %s] [available_version: %s]", extension.Name, extension.Version, definition.Version)
+					err := manager.UpdateExtension(&extension, definition.Version)
+					if err != nil {
+						log.Printf("[WARN] [exec,extensions] [message: unable to update extension automatically] [extension: %s] [current_version: %s] [available_version: %s] [err: %s]", extension.Name, extension.Version, definition.Version, err)
+					}
+				} else {
+					err := manager.EnableExtension(&extension, extension.License.LicenseKey)
+					if err != nil {
+						log.Printf("[WARN] [exec,extensions] [message: unable to start extension] [extension: %s] [err: %s]", extension.Name, err)
+						extension.Enabled = false
+						extension.License.Valid = false
+					}
+				}
+
+				err := manager.dataStore.Extension().Persist(&extension)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateExtension will download the new extension binary from the official Portainer assets
+// server, disable the previous extension via DisableExtension, trigger a license check
+// and then start the extension process and add it to the processes map
+func (manager *ExtensionManager) UpdateExtension(extension *portainer.Extension, version string) error {
+	oldVersion := extension.Version
+
+	extension.Version = version
+	err := manager.downloadExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = oldVersion
+	err = manager.DisableExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = version
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, extension.License.LicenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+func (manager *ExtensionManager) downloadExtension(extension *portainer.Extension) error {
+	extensionURL := buildExtensionURL(extension)
+
+	data, err := client.Get(extensionURL, 30)
+	if err != nil {
+		return err
+	}
+
+	return manager.fileService.ExtractExtensionArchive(data)
+}
+
+func validateLicense(binaryPath, licenseKey string) ([]string, error) {
+	licenseCheckProcess := exec.Command(binaryPath, "-license", licenseKey, "-check")
+	cmdOutput := &bytes.Buffer{}
+	licenseCheckProcess.Stdout = cmdOutput
+
+	err := licenseCheckProcess.Run()
+	if err != nil {
+		log.Printf("[DEBUG] [exec,extension] [message: unable to run extension process] [err: %s]", err)
+		return nil, errors.New("invalid extension license key")
+	}
+
+	output := string(cmdOutput.Bytes())
+
+	return strings.Split(output, "|"), nil
+}
+
+func (manager *ExtensionManager) startExtensionProcess(extension *portainer.Extension, binaryPath string) error {
+	extensionProcess := exec.Command(binaryPath, "-license", extension.License.LicenseKey)
+	extensionProcess.Stdout = os.Stdout
+	extensionProcess.Stderr = os.Stderr
+
+	err := extensionProcess.Start()
+	if err != nil {
+		log.Printf("[DEBUG] [exec,extension] [message: unable to start extension process] [err: %s]", err)
+		return err
+	}
+
+	time.Sleep(3 * time.Second)
+
+	manager.processes.Set(processKey(extension.ID), extensionProcess)
+	return nil
+}

api/exec/swarm_stack.go

@@ -3,30 +3,33 @@ package exec
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"os"
 	"os/exec"
 	"path"
 	"runtime"
 
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 )
 
 // SwarmStackManager represents a service for managing stacks.
 type SwarmStackManager struct {
-	binaryPath       string
-	dataPath         string
-	signatureService portainer.DigitalSignatureService
-	fileService      portainer.FileService
+	binaryPath           string
+	dataPath             string
+	signatureService     portainer.DigitalSignatureService
+	fileService          portainer.FileService
+	reverseTunnelService portainer.ReverseTunnelService
 }
 
 // NewSwarmStackManager initializes a new SwarmStackManager service.
 // It also updates the configuration of the Docker CLI binary.
-func NewSwarmStackManager(binaryPath, dataPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (*SwarmStackManager, error) {
+func NewSwarmStackManager(binaryPath, dataPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (*SwarmStackManager, error) {
 	manager := &SwarmStackManager{
-		binaryPath:       binaryPath,
-		dataPath:         dataPath,
-		signatureService: signatureService,
-		fileService:      fileService,
+		binaryPath:           binaryPath,
+		dataPath:             dataPath,
+		signatureService:     signatureService,
+		fileService:          fileService,
+		reverseTunnelService: reverseTunnelService,
 	}
 
 	err := manager.updateDockerCLIConfiguration(dataPath)
@@ -39,7 +42,7 @@ func NewSwarmStackManager(binaryPath, dataPath string, signatureService portaine
 
 // Login executes the docker login command against a list of registries (including DockerHub).
 func (manager *SwarmStackManager) Login(dockerhub *portainer.DockerHub, registries []portainer.Registry, endpoint *portainer.Endpoint) {
-	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
 	for _, registry := range registries {
 		if registry.Authentication {
 			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
@@ -55,7 +58,7 @@ func (manager *SwarmStackManager) Login(dockerhub *portainer.DockerHub, registri
 
 // Logout executes the docker logout command.
 func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
-	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
 	args = append(args, "logout")
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }
@@ -63,7 +66,7 @@ func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
 // Deploy executes the docker stack deploy command.
 func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
 	stackFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
-	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
 
 	if prune {
 		args = append(args, "stack", "deploy", "--prune", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
@@ -82,7 +85,7 @@ func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, end
 
 // Remove executes the docker stack rm command.
 func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
-	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
 	args = append(args, "stack", "rm", stack.Name)
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }
@@ -106,7 +109,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 	return nil
 }
 
-func prepareDockerCommandAndArgs(binaryPath, dataPath string, endpoint *portainer.Endpoint) (string, []string) {
+func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPath string, endpoint *portainer.Endpoint) (string, []string) {
 	// Assume Linux as a default
 	command := path.Join(binaryPath, "docker")
 
@@ -116,7 +119,14 @@ func prepareDockerCommandAndArgs(binaryPath, dataPath string, endpoint *portaine
 
 	args := make([]string, 0)
 	args = append(args, "--config", dataPath)
-	args = append(args, "-H", endpoint.URL)
+
+	endpointURL := endpoint.URL
+	if endpoint.Type == portainer.EdgeAgentEnvironment {
+		tunnel := manager.reverseTunnelService.GetTunnelDetails(endpoint.ID)
+		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
+	}
+
+	args = append(args, "-H", endpointURL)
 
 	if endpoint.TLSConfig.TLS {
 		args = append(args, "--tls")
@@ -140,7 +150,7 @@ func (manager *SwarmStackManager) updateDockerCLIConfiguration(dataPath string)
 		return err
 	}
 
-	signature, err := manager.signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	signature, err := manager.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
 	if err != nil {
 		return err
 	}

api/filesystem/filesystem.go

@@ -6,7 +6,8 @@ import (
 	"encoding/pem"
 	"io/ioutil"
 
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"
 
 	"io"
 	"os"
@@ -28,10 +29,19 @@ const (
 	ComposeStorePath = "compose"
 	// ComposeFileDefaultName represents the default name of a compose file.
 	ComposeFileDefaultName = "docker-compose.yml"
+	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
+	EdgeStackStorePath = "edge_stacks"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
 	PublicKeyFile = "portainer.pub"
+	// BinaryStorePath represents the subfolder where binaries are stored in the file store folder.
+	BinaryStorePath = "bin"
+	// ScheduleStorePath represents the subfolder where schedule files are stored.
+	ScheduleStorePath = "schedules"
+	// ExtensionRegistryManagementStorePath represents the subfolder where files related to the
+	// registry management extension are stored.
+	ExtensionRegistryManagementStorePath = "extensions"
 )
 
 // Service represents a service for managing files and directories.
@@ -63,9 +73,25 @@ func NewService(dataStorePath, fileStorePath string) (*Service, error) {
 		return nil, err
 	}
 
+	err = service.createDirectoryInStore(BinaryStorePath)
+	if err != nil {
+		return nil, err
+	}
+
 	return service, nil
 }
 
+// GetBinaryFolder returns the full path to the binary store on the filesystem
+func (service *Service) GetBinaryFolder() string {
+	return path.Join(service.fileStorePath, BinaryStorePath)
+}
+
+// ExtractExtensionArchive extracts the content of an extension archive
+// specified as raw data into the binary store on the filesystem
+func (service *Service) ExtractExtensionArchive(data []byte) error {
+	return archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
+}
+
 // RemoveDirectory removes a directory on the filesystem.
 func (service *Service) RemoveDirectory(directoryPath string) error {
 	return os.RemoveAll(directoryPath)
@@ -97,6 +123,53 @@ func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string
 	return path.Join(service.fileStorePath, stackStorePath), nil
 }
 
+// GetEdgeStackProjectPath returns the absolute path on the FS for a edge stack based
+// on its identifier.
+func (service *Service) GetEdgeStackProjectPath(edgeStackIdentifier string) string {
+	return path.Join(service.fileStorePath, EdgeStackStorePath, edgeStackIdentifier)
+}
+
+// StoreEdgeStackFileFromBytes creates a subfolder in the EdgeStackStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreEdgeStackFileFromBytes(edgeStackIdentifier, fileName string, data []byte) (string, error) {
+	stackStorePath := path.Join(EdgeStackStorePath, edgeStackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreRegistryManagementFileFromBytes creates a subfolder in the
+// ExtensionRegistryManagementStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreRegistryManagementFileFromBytes(folder, fileName string, data []byte) (string, error) {
+	extensionStorePath := path.Join(ExtensionRegistryManagementStorePath, folder)
+	err := service.createDirectoryInStore(extensionStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	file := path.Join(extensionStorePath, fileName)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(file, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, file), nil
+}
+
 // StoreTLSFileFromBytes creates a folder in the TLSStorePath and stores a new file from bytes.
 // It returns the path to the newly created file.
 func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.TLSFileType, data []byte) (string, error) {
@@ -318,3 +391,32 @@ func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
 	block, _ := pem.Decode(fileContent)
 	return block.Bytes, nil
 }
+
+// GetScheduleFolder returns the absolute path on the filesystem for a schedule based
+// on its identifier.
+func (service *Service) GetScheduleFolder(identifier string) string {
+	return path.Join(service.fileStorePath, ScheduleStorePath, identifier)
+}
+
+// StoreScheduledJobFileFromBytes creates a subfolder in the ScheduleStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreScheduledJobFileFromBytes(identifier string, data []byte) (string, error) {
+	scheduleStorePath := path.Join(ScheduleStorePath, identifier)
+	err := service.createDirectoryInStore(scheduleStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	filePath := path.Join(scheduleStorePath, createScheduledJobFileName(identifier))
+	r := bytes.NewReader(data)
+	err = service.createFileInStore(filePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, filePath), nil
+}
+
+func createScheduledJobFileName(identifier string) string {
+	return "job_" + identifier + ".sh"
+}

api/git/git.go

@@ -1,21 +1,37 @@
 package git
 
 import (
+	"crypto/tls"
+	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"gopkg.in/src-d/go-git.v4"
 	"gopkg.in/src-d/go-git.v4/plumbing"
+	"gopkg.in/src-d/go-git.v4/plumbing/transport/client"
+	githttp "gopkg.in/src-d/go-git.v4/plumbing/transport/http"
 )
 
 // Service represents a service for managing Git.
-type Service struct{}
+type Service struct {
+	httpsCli *http.Client
+}
 
 // NewService initializes a new service.
-func NewService(dataStorePath string) (*Service, error) {
-	service := &Service{}
+func NewService() *Service {
+	httpsCli := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+		Timeout: 300 * time.Second,
+	}
 
-	return service, nil
+	client.InstallProtocol("https", githttp.NewClient(httpsCli))
+
+	return &Service{
+		httpsCli: httpsCli,
+	}
 }
 
 // ClonePublicRepository clones a public git repository using the specified URL in the specified
@@ -32,7 +48,7 @@ func (service *Service) ClonePrivateRepositoryWithBasicAuth(repositoryURL, refer
 	return cloneRepository(repositoryURL, referenceName, destination)
 }
 
-func cloneRepository(repositoryURL, referenceName string, destination string) error {
+func cloneRepository(repositoryURL, referenceName, destination string) error {
 	options := &git.CloneOptions{
 		URL: repositoryURL,
 	}

api/go.mod

@@ -0,0 +1,37 @@
+module github.com/portainer/portainer/api
+
+go 1.13
+
+require (
+	github.com/Microsoft/go-winio v0.4.14
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
+	github.com/boltdb/bolt v1.3.1
+	github.com/containerd/containerd v1.3.1 // indirect
+	github.com/coreos/go-semver v0.3.0
+	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/docker/cli v0.0.0-20191126203649-54d085b857e9
+	github.com/docker/docker v0.0.0-00010101000000-000000000000
+	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
+	github.com/go-ldap/ldap/v3 v3.1.8
+	github.com/gofrs/uuid v3.2.0+incompatible
+	github.com/gorilla/mux v1.7.3
+	github.com/gorilla/securecookie v1.1.1
+	github.com/gorilla/websocket v1.4.1
+	github.com/imdario/mergo v0.3.8 // indirect
+	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
+	github.com/json-iterator/go v1.1.8
+	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
+	github.com/mattn/go-shellwords v1.0.6 // indirect
+	github.com/mitchellh/mapstructure v1.1.2 // indirect
+	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
+	github.com/portainer/libcompose v0.5.3
+	github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
+	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
+	github.com/robfig/cron/v3 v3.0.0
+	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
+	gopkg.in/alecthomas/kingpin.v2 v2.2.6
+	gopkg.in/src-d/go-git.v4 v4.13.1
+)
+
+replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203

api/go.sum

@@ -0,0 +1,279 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Microsoft/go-winio v0.3.8 h1:dvxbxtpTIjdAbx2OtL26p4eq0iEvys/U5yrsTJb3NZI=
+github.com/Microsoft/go-winio v0.3.8/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
+github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZOs7ygH5BgQp4N+aYrZ2DNpWZ1KG3VOSOM=
+github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
+github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/containerd/containerd v1.3.1 h1:LdbWxLhkAIxGO7h3mATHkyav06WuDs/yTWxIljJOTks=
+github.com/containerd/containerd v1.3.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 h1:74lLNRzvsdIlkTgfDSMuaPjBr4cf6k7pwQQANm/yLKU=
+github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/docker/cli v0.0.0-20190711175710-5b38d82aa076/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v0.0.0-20191126203649-54d085b857e9 h1:Q6D6b2iRKhvtL3Wj9p0SyPOvUDJ1ht62mbiBoNJ3Aus=
+github.com/docker/cli v0.0.0-20191126203649-54d085b857e9/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
+github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
+github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203 h1:QeBh8wW8pIZKlXxlMOQ8hSCMdJA+2Z/bD/iDyCAS8XU=
+github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
+github.com/docker/go-connections v0.3.0 h1:3lOnM9cSzgGwx8VfK/NGOW5fLQ0GjIlCkaktF+n1M6o=
+github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zFu83v/M79DuBn84IL/Syx1SY6Y5ZEMA=
+github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
+github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
+github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
+github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
+github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
+github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
+github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-ldap/ldap/v3 v3.1.8 h1:5vU/2jOh9HqprwXp8aF915s9p6Z8wmbSEVF7/gdTFhM=
+github.com/go-ldap/ldap/v3 v3.1.8/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
+github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v0.0.0-20160317213430-0eeaf8392f5b/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
+github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
+github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669 h1:l5rH/CnVVu+HPxjtxjM90nHrm4nov3j3RF9/62UjgLs=
+github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669/go.mod h1:kOeLNvjNBGSV3uYtFjvb72+fnZCMFJF1XDvRIjdom0g=
+github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
+github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389 h1:K3JsoRqX6C4gmTvY4jqtFGCfK8uToj9DMahciJaoWwE=
+github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389/go.mod h1:wHQUFFnFySoqdAOzjHkTvb4DsVM1h/73PS9l2vnioRM=
+github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82 h1:7ufdyC3aMxFcCv+ABZy/dmIVGKFoGNBCqOgLYPIckD8=
+github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82/go.mod h1:w8buj+yNfmLEP0ENlbG/FRnK6bVmuhqXnukYCs9sDvY=
+github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9 h1:0c9jcgBtHRtDU//jTrcCgWG6UHjMZytiq/3WhraNgUM=
+github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9/go.mod h1:1ffp+CRe0eAwwRb0/BownUAjMBsmTLwgAvRbfj9dRwE=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
+github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G+j5fuFxCsJqjFU/sZe0mj8H0sSoSwbaikw=
+github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c/go.mod h1:Nn5wlyECw3iJrzi0AhIWg+AJUb4PlRQVW4/3XHH1LZA=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v0.0.0-20150511174710-5cf931ef8f76/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
+github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8dQu6DMTwH4oIuGN8GJDAlqDdVE=
+github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420 h1:Yu3681ykYHDfLoI6XVjL4JWmkE+3TX9yfIWwRCh1kFM=
+github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449 h1:Aq8iG72akPb/kszE7ksZ5ldV+JYPYii/KZOxlpJF07s=
+github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c h1:iOMba/KmaXgSX5PFKu1u6s+DZXiq+EzPayawa76w6aA=
+github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
+github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
+github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/portainer/libcompose v0.5.3 h1:tE4WcPuGvo+NKeDkDWpwNavNLZ5GHIJ4RvuZXsI9uI8=
+github.com/portainer/libcompose v0.5.3/go.mod h1:7SKd/ho69rRKHDFSDUwkbMcol2TMKU5OslDsajr8Ro8=
+github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2 h1:0PfgGLys9yHr4rtnirg0W0Cjvv6/DzxBIZk5sV59208=
+github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2/go.mod h1:/wIeGwJOMYc1JplE/OvYMO5korce39HddIfI8VKGyAM=
+github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33 h1:H8HR2dHdBf8HANSkUyVw4o8+4tegGcd+zyKZ3e599II=
+github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33/go.mod h1:Y2TfgviWI4rT2qaOTHr+hq6MdKIE5YjgQAu7qwptTV0=
+github.com/portainer/portainer v0.10.1 h1:I8K345CjGWfUGsVA8c8/gqamwLCC6CIAjxZXSklAFq0=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.1.0 h1:BQ53HtBmfOitExawJ6LokA4x8ov/z0SYYb0+HxJfRI8=
+github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.6.0 h1:kRhiuYSXR3+uv2IbVbZhUxK5zVD/2pp3Gd2PpvPkpEo=
+github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.3 h1:CTwfnzjQ+8dS6MhHHu4YswVAD99sL2wjPqP+VkURmKE=
+github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/robfig/cron/v3 v3.0.0 h1:kQ6Cb7aHOHTSzNVNEhmp8EcWKLb4CbiMW9h9VyIhO4E=
+github.com/robfig/cron/v3 v3.0.0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
+github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
+github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
+github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
+github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
+github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
+github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1 h1:anGSYQpPhQwXlwsu5wmfq0nWkCNaMEMUwAv13Y92hd8=
+golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181019160139-8e24a49d80f8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 h1:4y9KwBHBgBNwDbtu44R5o1fdOCQUEXhbk/P4A9WmJq0=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
+google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
+gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
+gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
+gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
+gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
+gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

api/http/client/client.go

@@ -2,71 +2,31 @@ package client
 
 import (
 	"crypto/tls"
-	"encoding/json"
-	"fmt"
 	"io/ioutil"
+	"log"
 	"net/http"
-	"net/url"
 	"strings"
 	"time"
 
-	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/api"
 )
 
-// HTTPClient represents a client to send HTTP requests.
-type HTTPClient struct {
-	*http.Client
-}
-
-// NewHTTPClient is used to build a new HTTPClient.
-func NewHTTPClient() *HTTPClient {
-	return &HTTPClient{
-		&http.Client{
-			Timeout: time.Second * 5,
-		},
-	}
-}
-
-// AzureAuthenticationResponse represents an Azure API authentication response.
-type AzureAuthenticationResponse struct {
-	AccessToken string `json:"access_token"`
-	ExpiresOn   string `json:"expires_on"`
-}
-
-// ExecuteAzureAuthenticationRequest is used to execute an authentication request
-// against the Azure API. It re-uses the same http.Client.
-func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
-	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
-	params := url.Values{
-		"grant_type":    {"client_credentials"},
-		"client_id":     {credentials.ApplicationID},
-		"client_secret": {credentials.AuthenticationKey},
-		"resource":      {"https://management.azure.com/"},
-	}
-
-	response, err := client.PostForm(loginURL, params)
-	if err != nil {
-		return nil, err
-	}
-
-	if response.StatusCode != http.StatusOK {
-		return nil, portainer.ErrAzureInvalidCredentials
-	}
-
-	var token AzureAuthenticationResponse
-	err = json.NewDecoder(response.Body).Decode(&token)
-	if err != nil {
-		return nil, err
-	}
-
-	return &token, nil
-}
+const (
+	errInvalidResponseStatus = portainer.Error("Invalid response status (expecting 200)")
+	defaultHTTPTimeout       = 5
+)
 
 // Get executes a simple HTTP GET to the specified URL and returns
-// the content of the response body.
-func Get(url string) ([]byte, error) {
+// the content of the response body. Timeout can be specified via the timeout parameter,
+// will default to defaultHTTPTimeout if set to 0.
+func Get(url string, timeout int) ([]byte, error) {
+
+	if timeout == 0 {
+		timeout = defaultHTTPTimeout
+	}
+
 	client := &http.Client{
-		Timeout: time.Second * 3,
+		Timeout: time.Second * time.Duration(timeout),
 	}
 
 	response, err := client.Get(url)
@@ -75,6 +35,11 @@ func Get(url string) ([]byte, error) {
 	}
 	defer response.Body.Close()
 
+	if response.StatusCode != http.StatusOK {
+		log.Printf("[ERROR] [http,client] [message: unexpected status code] [status_code: %d]", response.StatusCode)
+		return nil, errInvalidResponseStatus
+	}
+
 	body, err := ioutil.ReadAll(response.Body)
 	if err != nil {
 		return nil, err

api/http/error/error.go

@@ -1,41 +0,0 @@
-package error
-
-import (
-	"encoding/json"
-	"log"
-	"net/http"
-)
-
-type (
-	// LoggerHandler defines a HTTP handler that includes a HandlerError return pointer
-	LoggerHandler func(http.ResponseWriter, *http.Request) *HandlerError
-	// HandlerError represents an error raised inside a HTTP handler
-	HandlerError struct {
-		StatusCode int
-		Message    string
-		Err        error
-	}
-	errorResponse struct {
-		Err string `json:"err,omitempty"`
-	}
-)
-
-func (handler LoggerHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
-	err := handler(rw, r)
-	if err != nil {
-		writeErrorResponse(rw, err)
-	}
-}
-
-func writeErrorResponse(rw http.ResponseWriter, err *HandlerError) {
-	log.Printf("http error: %s (err=%s) (code=%d)\n", err.Message, err.Err, err.StatusCode)
-	rw.Header().Set("Content-Type", "application/json")
-	rw.WriteHeader(err.StatusCode)
-	json.NewEncoder(rw).Encode(&errorResponse{Err: err.Message})
-}
-
-// WriteError is a convenience function that creates a new HandlerError before calling writeErrorResponse.
-// For use outside of the standard http handlers.
-func WriteError(rw http.ResponseWriter, code int, message string, err error) {
-	writeErrorResponse(rw, &HandlerError{code, message, err})
-}

api/http/handler/auth/authenticate.go

@@ -6,10 +6,10 @@ import (
 	"strings"
 
 	"github.com/asaskevich/govalidator"
-	"github.com/portainer/portainer"
-	httperror "github.com/portainer/portainer/http/error"
-	"github.com/portainer/portainer/http/request"
-	"github.com/portainer/portainer/http/response"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer/api"
 )
 
 type authenticatePayload struct {
@@ -42,17 +42,17 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}
 
-	settings, err := handler.SettingsService.Settings()
+	settings, err := handler.DataStore.Settings().Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}
 
-	u, err := handler.UserService.UserByUsername(payload.Username)
+	u, err := handler.DataStore.User().UserByUsername(payload.Username)
 	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
 
-	if err == portainer.ErrObjectNotFound && settings.AuthenticationMethod == portainer.AuthenticationInternal {
+	if err == portainer.ErrObjectNotFound && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
 		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
 	}
 
@@ -79,6 +79,11 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}
 
+	err = handler.AuthorizationService.UpdateUsersAuthorizations()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+	}
+
 	return handler.writeToken(w, user)
 }
 
@@ -98,11 +103,12 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 	}
 
 	user := &portainer.User{
-		Username: username,
-		Role:     portainer.StandardUserRole,
+		Username:                username,
+		Role:                    portainer.StandardUserRole,
+		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 	}
 
-	err = handler.UserService.CreateUser(user)
+	err = handler.DataStore.User().CreateUser(user)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 	}
@@ -112,6 +118,11 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}
 
+	err = handler.AuthorizationService.UpdateUsersAuthorizations()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+	}
+
 	return handler.writeToken(w, user)
 }
 
@@ -122,6 +133,10 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User)
 		Role:     user.Role,
 	}
 
+	return handler.persistAndWriteToken(w, tokenData)
+}
+
+func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
 	token, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to generate JWT token", err}
@@ -131,7 +146,7 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User)
 }
 
 func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portainer.LDAPSettings) error {
-	teams, err := handler.TeamService.Teams()
+	teams, err := handler.DataStore.Team().Teams()
 	if err != nil {
 		return err
 	}
@@ -141,7 +156,7 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 		return err
 	}
 
-	userMemberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(user.ID)
+	userMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return err
 	}
@@ -159,12 +174,13 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 				Role:   portainer.TeamMember,
 			}
 
-			err := handler.TeamMembershipService.CreateTeamMembership(membership)
+			err := handler.DataStore.TeamMembership().CreateTeamMembership(membership)
 			if err != nil {
 				return err
 			}
 		}
 	}
+
 	return nil
 }
 

api/http/handler/auth/authenticate_oauth.go

@@ -0,0 +1,144 @@
+package auth
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/portainer/api"
+)
+
+type oauthPayload struct {
+	Code string
+}
+
+func (payload *oauthPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Code) {
+		return portainer.Error("Invalid OAuth authorization code")
+	}
+	return nil
+}
+
+func (handler *Handler) authenticateThroughExtension(code, licenseKey string, settings *portainer.OAuthSettings) (string, error) {
+	extensionURL := handler.ProxyManager.GetExtensionURL(portainer.OAuthAuthenticationExtension)
+
+	encodedConfiguration, err := json.Marshal(settings)
+	if err != nil {
+		return "", nil
+	}
+
+	req, err := http.NewRequest("GET", extensionURL+"/validate", nil)
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	req.Header.Set("X-OAuth-Config", string(encodedConfiguration))
+	req.Header.Set("X-OAuth-Code", code)
+	req.Header.Set("X-PortainerExtension-License", licenseKey)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	type extensionResponse struct {
+		Username string `json:"Username,omitempty"`
+		Err      string `json:"err,omitempty"`
+		Details  string `json:"details,omitempty"`
+	}
+
+	var extResp extensionResponse
+	err = json.Unmarshal(body, &extResp)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", portainer.Error(extResp.Err + ":" + extResp.Details)
+	}
+
+	return extResp.Username, nil
+}
+
+func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload oauthPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod != 3 {
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", portainer.Error("OAuth authentication is not enabled")}
+	}
+
+	extension, err := handler.DataStore.Extension().Extension(portainer.OAuthAuthenticationExtension)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
+	if err != nil {
+		log.Printf("[DEBUG] - OAuth authentication error: %s", err)
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
+	}
+
+	user, err := handler.DataStore.User().UserByUsername(username)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	}
+
+	if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
+		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", portainer.ErrUnauthorized}
+	}
+
+	if user == nil {
+		user = &portainer.User{
+			Username:                username,
+			Role:                    portainer.StandardUserRole,
+			PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
+		}
+
+		err = handler.DataStore.User().CreateUser(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
+
+		if settings.OAuthSettings.DefaultTeamID != 0 {
+			membership := &portainer.TeamMembership{
+				UserID: user.ID,
+				TeamID: settings.OAuthSettings.DefaultTeamID,
+				Role:   portainer.TeamMember,
+			}
+
+			err = handler.DataStore.TeamMembership().CreateTeamMembership(membership)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team membership inside the database", err}
+			}
+		}
+
+		err = handler.AuthorizationService.UpdateUsersAuthorizations()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+		}
+	}
+
+	return handler.writeToken(w, user)
+}

api/http/handler/auth/handler.go

@@ -4,14 +4,13 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
-	"github.com/portainer/portainer"
-	httperror "github.com/portainer/portainer/http/error"
-	"github.com/portainer/portainer/http/security"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy"
+	"github.com/portainer/portainer/api/http/security"
 )
 
 const (
-	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
-	ErrInvalidCredentials = portainer.Error("Invalid credentials")
 	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
 	// when the server has been started with the --no-auth flag
 	ErrAuthDisabled = portainer.Error("Authentication is disabled")
@@ -20,14 +19,13 @@ const (
 // Handler is the HTTP handler used to handle authentication operations.
 type Handler struct {
 	*mux.Router
-	authDisabled          bool
-	UserService           portainer.UserService
-	CryptoService         portainer.CryptoService
-	JWTService            portainer.JWTService
-	LDAPService           portainer.LDAPService
-	SettingsService       portainer.SettingsService
-	TeamService           portainer.TeamService
-	TeamMembershipService portainer.TeamMembershipService
+	authDisabled         bool
+	DataStore            portainer.DataStore
+	CryptoService        portainer.CryptoService
+	JWTService           portainer.JWTService
+	LDAPService          portainer.LDAPService
+	ProxyManager         *proxy.Manager
+	AuthorizationService *portainer.AuthorizationService
 }
 
 // NewHandler creates a handler to manage authentication operations.
@@ -36,6 +34,9 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 		Router:       mux.NewRouter(),
 		authDisabled: authDisabled,
 	}
+
+	h.Handle("/auth/oauth/validate",
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
 

api/http/handler/dockerhub/dockerhub_inspect.go

@@ -3,13 +3,13 @@ package dockerhub
 import (
 	"net/http"
 
-	httperror "github.com/portainer/portainer/http/error"
-	"github.com/portainer/portainer/http/response"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/response"
 )
 
 // GET request on /api/dockerhub
 func (handler *Handler) dockerhubInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	dockerhub, err := handler.DockerHubService.DockerHub()
+	dockerhub, err := handler.DataStore.DockerHub().DockerHub()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve DockerHub details from the database", err}
 	}