fix(doclinks): fix help link paths [EE-6861] (#11417)

* fix(auth): make createAccessToken api backward compatible [EE-6818]

* fix(api): api error message [EE-6818]

* fix messages

.eslintrc.yml

@@ -10,6 +10,7 @@ globals:
 extends:
   - 'eslint:recommended'
   - 'plugin:storybook/recommended'
+  - 'plugin:import/typescript'
   - prettier
 
 plugins:
@@ -23,10 +24,13 @@ parserOptions:
     modules: true
 
 rules:
+  no-console: error
+  no-alert: error
   no-control-regex: 'off'
   no-empty: warn
   no-empty-function: warn
   no-useless-escape: 'off'
+  import/named: error
   import/order:
     [
       'error',
@@ -41,6 +45,12 @@ rules:
         pathGroupsExcludedImportTypes: ['internal'],
       },
     ]
+  no-restricted-imports:
+    - error
+    - patterns:
+        - group:
+            - '@/react/test-utils/*'
+          message: 'These utils are just for test files'
 
 settings:
   'import/resolver':
@@ -49,6 +59,8 @@ settings:
         - ['@@', './app/react/components']
         - ['@', './app']
       extensions: ['.js', '.ts', '.tsx']
+    typescript: true
+    node: true
 
 overrides:
   - files:
@@ -73,6 +85,7 @@ overrides:
     settings:
       react:
         version: 'detect'
+
     rules:
       import/order:
         [
@@ -86,8 +99,8 @@ overrides:
       no-plusplus: off
       func-style: [error, 'declaration']
       import/prefer-default-export: off
-      no-use-before-define: "off"
-      '@typescript-eslint/no-use-before-define': ['error', { functions: false, "allowNamedExports": true }]
+      no-use-before-define: 'off'
+      '@typescript-eslint/no-use-before-define': ['error', { functions: false, 'allowNamedExports': true }]
       no-shadow: 'off'
       '@typescript-eslint/no-shadow': off
       jsx-a11y/no-autofocus: warn
@@ -106,6 +119,12 @@ overrides:
       'no-await-in-loop': 'off'
       'react/jsx-no-useless-fragment': ['error', { allowExpressions: true }]
       'regex/invalid': ['error', [{ 'regex': '<Icon icon="(.*)"', 'message': 'Please directly import the `lucide-react` icon instead of using the string' }]]
+      '@typescript-eslint/no-restricted-imports':
+        - error
+        - patterns:
+            - group:
+                - '@/react/test-utils/*'
+              message: 'These utils are just for test files'
     overrides: # allow props spreading for hoc files
       - files:
           - app/**/with*.ts{,x}
@@ -114,13 +133,16 @@ overrides:
   - files:
       - app/**/*.test.*
     extends:
-      - 'plugin:jest/recommended'
-      - 'plugin:jest/style'
+      - 'plugin:vitest/recommended'
     env:
-      'jest/globals': true
+      'vitest/env': true
     rules:
       'react/jsx-no-constructed-context-values': off
+      '@typescript-eslint/no-restricted-imports': off
+      no-restricted-imports: off
   - files:
       - app/**/*.stories.*
     rules:
       'no-alert': off
+      '@typescript-eslint/no-restricted-imports': off
+      no-restricted-imports: off

.github/DISCUSSION_TEMPLATE/help.yaml

@@ -0,0 +1,11 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before asking a question, make sure it hasn't been already asked and answered. You can search our [discussions](https://github.com/orgs/portainer/discussions) and [bug reports](https://github.com/portainer/portainer/issues) in GitHub.  Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io/) first.
+
+  - type: textarea
+    attributes:
+      label: Ask a Question!
+    validations:
+      required: true

.github/DISCUSSION_TEMPLATE/ideas.yaml

@@ -0,0 +1,38 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        # Welcome!
+        
+        Thanks for suggesting an idea for Portainer!
+
+        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion cagetory](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.
+
+        Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io) as they may point you toward a solution.
+        
+        **DO NOT FILE DUPLICATE REQUESTS.**
+
+  - type: textarea
+    attributes:
+      label: Is your feature request related to a problem? Please describe
+      description: Short list of what the feature request aims to address.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,54 +0,0 @@
----
-name: Bug report
-about: Create a bug report
-title: ''
-labels: bug/need-confirmation, kind/bug
-assignees: ''
----
-
-<!--
-
-Thanks for reporting a bug for Portainer !
-
-You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
-
-Do you need help or have a question? Come chat with us on Slack https://portainer.io/slack/
-
-Before opening a new issue, make sure that we do not have any duplicates
-already open. You can ensure this by searching the issue list for this
-repository. If there is a duplicate, please close your issue and add a comment
-to the existing issue instead.
-
-Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
--->
-
-**Bug description**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Portainer Logs**
-Provide the logs of your Portainer container or Service.
-You can see how [here](https://documentation.portainer.io/r/portainer-logs)
-
-**Steps to reproduce the issue:**
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Technical details:**
-
-- Portainer version:
-- Docker version (managed by Portainer):
-- Kubernetes version (managed by Portainer):
-- Platform (windows/linux):
-- Command used to start Portainer (`docker run -p 9443:9443 portainer/portainer`):
-- Browser:
-- Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commercial setup.
-- Have you reviewed our technical documentation and knowledge base? Yes/No
-
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,167 @@
+name: Bug Report
+description: Create a report to help us improve.
+labels: kind/bug,bug/need-confirmation
+body:
+
+  - type: markdown
+    attributes:
+      value: |
+        # Welcome!
+        
+        The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
+        
+        You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
+        
+        **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Before you start please confirm the following.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/portainer/portainer/issues).
+          required: true
+        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io) or [knowledge base](https://portal.portainer.io/knowledge).
+          required: true
+
+  - type: markdown
+    attributes:
+      value: |
+        # About your issue
+
+        Tell us a bit about the issue you're having.
+
+        How to write a good bug report:
+
+        - Respect the issue template as much as possible.
+        - Summarize the issue so that we understand what is going wrong.
+        - Describe what you would have expected to have happened, and what actually happened instead.
+        - Provide easy to follow steps to reproduce the issue. 
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown).
+
+  - type: textarea
+    attributes:
+      label: Problem Description
+      description: A clear and concise description of what the bug is. 
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual Behavior
+      description: A clear and concise description of what actually happens.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Steps to Reproduce
+      description: Please be as detailed as possible when providing steps to reproduce.
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error   
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Portainer logs or screenshots
+      description: Provide Portainer container logs or any screenshots related to the issue.
+    validations:
+      required: false
+
+  - type: markdown
+    attributes:
+      value: |
+        # About your environment
+
+        Tell us a bit about your Portainer environment.
+
+  - type: dropdown
+    attributes:
+      label: Portainer version
+      description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      multiple: false
+      options:
+        - '2.19.4'
+        - '2.19.3'
+        - '2.19.2'
+        - '2.19.1'
+        - '2.19.0'
+        - '2.18.4'
+        - '2.18.3'
+        - '2.18.2'
+        - '2.18.1'
+        - '2.17.1'
+        - '2.17.0'
+        - '2.16.2'
+        - '2.16.1'
+        - '2.16.0'
+    validations:
+      required: true
+
+  - type: dropdown
+    attributes:
+      label: Portainer Edition
+      multiple: false
+      options:
+        - 'Business Edition (BE/EE) with 5NF / 3NF license'
+        - 'Business Edition (BE/EE) with Home & Student license'
+        - 'Business Edition (BE/EE) with Starter license'
+        - 'Business Edition (BE/EE) with Professional or Enterprise license'
+        - 'Community Edition (CE)'
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Platform and Version
+      description: |
+        Enter your container management platform (Docker | Swarm | Kubernetes) along with the version. 
+        Example: Docker 24.0.3 | Docker Swarm 24.0.3 | Kubernetes 1.26
+        You can find our supported platforms [in our documentation](https://docs.portainer.io/start/requirements-and-prerequisites).
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: OS and Architecture
+      description: |
+        Enter your Operating System, Version and Architecture. Example: Ubuntu 22.04, AMD64 | Raspbian OS, ARM64
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Browser
+      description: | 
+        Enter your browser and version. Example: Google Chrome 114.0
+    validations:
+      required: false
+
+  - type: textarea
+    attributes:
+      label: What command did you use to deploy Portainer?
+      description: |
+        Example: `docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest`
+        If you deployed Portainer using a compose file or manifest you can provide this here as well.
+      render: bash
+    validations:
+      required: false
+
+  - type: textarea
+    attributes:
+      label: Additional Information
+      description: Any additional information about your environment, the bug, or anything else you think might be helpful.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,11 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Portainer Business Edition - Get 3 nodes free
-    url: https://www.portainer.io/take-3 
+  - name: Question
+    url: https://github.com/orgs/portainer/discussions/new?category=help
+    about: Ask us a question about Portainer usage or deployment.
+  - name: Idea or Feature Request
+    url: https://github.com/orgs/portainer/discussions/new?category=ideas
+    about: Suggest an idea or feature/enhancement that should be added in Portainer.
+  - name: Portainer Business Edition - Get 3 Nodes Free
+    url: https://www.portainer.io/take-3
     about: Portainer Business Edition has more features, more support and you can now get 3 nodes free for as long as you want.

.github/workflows/ci.yaml

@@ -0,0 +1,176 @@
+name: ci
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'develop'
+      - 'release/*'
+  pull_request:
+    branches:
+      - 'develop'
+      - 'release/*'
+      - 'feat/*'
+      - 'fix/*'
+      - 'refactor/*'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  DOCKER_HUB_REPO: portainerci/portainer-ce
+  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
+jobs:
+  build_images:
+    strategy:
+      matrix:
+        config:
+          - { platform: linux, arch: amd64, version: "" }
+          - { platform: linux, arch: arm64, version: "" }
+          - { platform: linux, arch: arm, version: "" }
+          - { platform: linux, arch: ppc64le, version: "" }
+          - { platform: linux, arch: s390x, version: "" }
+          - { platform: windows, arch: amd64, version: 1809 }
+          - { platform: windows, arch: amd64, version: ltsc2022 }
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: '[preparation] checkout the current branch'
+        uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.inputs.branch }}
+      - name: '[preparation] set up golang'
+        uses: actions/setup-go@v5.0.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: '[preparation] set up node.js'
+        uses: actions/setup-node@v4.0.1
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'yarn'
+      - name: '[preparation] set up qemu'
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: '[preparation] set up docker context for buildx'
+        run: docker context create builders
+      - name: '[preparation] set up docker buildx'
+        uses: docker/setup-buildx-action@v3.0.0
+        with:
+          endpoint: builders
+      - name: '[preparation] docker login'
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+      - name: '[preparation] set the container image tag'
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            # use the release branch name as the tag for release branches
+            # for instance, release/2.19 becomes 2.19
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
+          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+            # use pr${{ github.event.number }} as the tag for pull requests
+            # for instance, pr123
+            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
+          else
+            # replace / with - in the branch name
+            # for instance, feature/1.0.0 -> feature-1.0.0
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
+          fi
+          
+          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
+      - name: '[execution] build linux & windows portainer binaries'
+        run: |
+          export YARN_VERSION=$(yarn --version)
+          export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
+          export BUILDNUMBER=${GITHUB_RUN_NUMBER}
+          GIT_COMMIT_HASH_LONG=${{ github.sha }}
+          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
+          
+          NODE_ENV="testing"
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            NODE_ENV="production"
+          fi
+          
+          make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
+        env:
+          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
+      - name: '[execution] build and push docker images'
+        run: |
+          if [ "${{ matrix.config.platform }}" == "windows" ]; then
+            mv dist/portainer dist/portainer.exe
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+          else 
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+            docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
+            
+            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
+              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
+            fi
+          fi
+        env:
+          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
+  build_manifests:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    needs: [build_images]
+    steps:
+      - name: '[preparation] docker login'
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+      - name: '[preparation] set up docker context for buildx'
+        run: docker version && docker context create builders
+      - name: '[preparation] set up docker buildx'
+        uses: docker/setup-buildx-action@v3.0.0
+        with:
+          endpoint: builders
+      - name: '[execution] build and push manifests'
+        run: |
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            # use the release branch name as the tag for release branches
+            # for instance, release/2.19 becomes 2.19
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
+          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+            # use pr${{ github.event.number }} as the tag for pull requests
+            # for instance, pr123
+            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
+          else
+            # replace / with - in the branch name
+            # for instance, feature/1.0.0 -> feature-1.0.0
+            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
+          fi
+
+          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
+          
+          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
+            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
+            
+          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
+            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x"
+            
+            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
+              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
+          fi

.github/workflows/lint.yml

@@ -11,21 +11,31 @@ on:
       - master
       - develop
       - release/*
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
 
 jobs:
   run-linters:
     name: Run linters
     runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
 
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
       - uses: actions/setup-go@v4
         with:
-          go-version: 1.19.5
+          go-version: ${{ env.GO_VERSION }}
       - run: yarn --frozen-lockfile
       - name: Run linters
         uses: wearerequired/lint-action@v1
@@ -41,6 +51,5 @@ jobs:
       - name: GolangCI-Lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.52.2
-          working-directory: api
+          version: v1.55.2
           args: --timeout=10m -c .golangci.yaml

.github/workflows/nightly-security-scan.yml

@@ -5,6 +5,9 @@ on:
     - cron: '0 20 * * *'
   workflow_dispatch:
 
+env:
+  GO_VERSION: 1.21.6
+
 jobs:
   client-dependencies:
     name: Client Dependency Check
@@ -25,7 +28,7 @@ jobs:
         with:
           json: true
 
-      - name: upload scan result as develop artifact 
+      - name: upload scan result as develop artifact
         uses: actions/upload-artifact@v3
         with:
           name: js-security-scan-develop-result
@@ -41,7 +44,7 @@ jobs:
           name: html-js-result-${{github.run_id}}
           path: js-result.html
 
-      - name: analyse vulnerabilities 
+      - name: analyse vulnerabilities
         id: set-matrix
         run: |
           result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
@@ -58,10 +61,10 @@ jobs:
       - name: checkout repository
         uses: actions/checkout@master
 
-      - name: install Go 
+      - name: install Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}
 
       - name: download Go modules
         run: cd ./api && go get -t -v -d ./...
@@ -72,9 +75,9 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run: |
           yarn global add snyk
-          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
+          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
 
-      - name: upload scan result as develop artifact 
+      - name: upload scan result as develop artifact
         uses: actions/upload-artifact@v3
         with:
           name: go-security-scan-develop-result
@@ -102,35 +105,68 @@ jobs:
     if: >-
       github.ref == 'refs/heads/develop'
     outputs:
-      image: ${{ steps.set-matrix.outputs.image_result }}
+      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
+      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
     steps:
-      - name: scan vulnerabilities by Trivy 
+      - name: scan vulnerabilities by Trivy
         uses: docker://docker.io/aquasec/trivy:latest
         continue-on-error: true
         with:
           args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop
 
-      - name: upload image security scan result as artifact
+      - name: upload Trivy image security scan result as artifact
         uses: actions/upload-artifact@v3
         with:
           name: image-security-scan-develop-result
           path: image-trivy.json
 
-      - name: develop scan report export to html
+      - name: develop Trivy scan report export to html
         run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
 
-      - name: upload html file as artifact
+      - name: upload html file as Trivy artifact
         uses: actions/upload-artifact@v3
         with:
           name: html-image-result-${{github.run_id}}
-          path: image-result.html
+          path: image-trivy-result.html
 
-      - name: analyse vulnerabilities
-        id: set-matrix
+      - name: analyse vulnerabilities from Trivy
+        id: set-trivy-matrix
         run: |
           result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
+
+      - name: scan vulnerabilities by Docker Scout
+        uses: docker/scout-action@v1
+        continue-on-error: true
+        with:
+          command: cves
+          image: portainerci/portainer:develop
+          sarif-file: image-docker-scout.json
+          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: upload Docker Scout image security scan result as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: image-security-scan-develop-result
+          path: image-docker-scout.json
+
+      - name: develop Docker Scout scan report export to html
+        run: |
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
+
+      - name: upload html file as Docker Scout artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: html-image-result-${{github.run_id}}
+          path: image-docker-scout-result.html
+
+      - name: analyse vulnerabilities from Docker Scout
+        id: set-docker-scout-matrix
+        run: |
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
+          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
 
   result-analysis:
     name: Analyse Scan Results
@@ -142,22 +178,26 @@ jobs:
       matrix:
         js: ${{fromJson(needs.client-dependencies.outputs.js)}}
         go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image: ${{fromJson(needs.image-vulnerability.outputs.image)}}
+        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
+        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
     steps:
       - name: display the results of js, Go, and image scan
         run: |
           echo "${{ matrix.js.status }}"
           echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image.status }}"
+          echo "${{ matrix.image-trivy.status }}"
+          echo "${{ matrix.image-docker-scout.status }}"
           echo "${{ matrix.js.summary }}"
           echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image.summary }}"
+          echo "${{ matrix.image-trivy.summary }}"
+          echo "${{ matrix.image-docker-scout.summary }}"
 
-      - name: send message to Slack 
-        if: >- 
+      - name: send message to Slack
+        if: >-
           matrix.js.status == 'failure' ||
           matrix.go.status == 'failure' || 
-          matrix.image.status == 'failure'
+          matrix.image-trivy.status == 'failure' || 
+          matrix.image-docker-scout.status == 'failure'
         uses: slackapi/slack-github-action@v1.23.0
         with:
           payload: |
@@ -193,7 +233,14 @@ jobs:
                       "type": "section",
                       "text": {
                         "type": "mrkdwn",
-                        "text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n"
+                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
                       }
                     }
                   ]

.github/workflows/pr-security.yml

@@ -7,20 +7,24 @@ on:
       - edited
     paths:
       - 'package.json'
-      - 'api/go.mod'
-      - 'gruntfile.js'
+      - 'go.mod'
       - 'build/linux/Dockerfile'
       - 'build/linux/alpine.Dockerfile'
       - 'build/windows/Dockerfile'
       - '.github/workflows/pr-security.yml'
 
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
 jobs:
   client-dependencies:
     name: Client Dependency Check
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
     outputs:
       jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
     steps:
@@ -74,7 +78,8 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
     outputs:
       godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
     steps:
@@ -84,7 +89,7 @@ jobs:
       - name: install Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}
 
       - name: download Go modules
         run: cd ./api && go get -t -v -d ./...
@@ -95,7 +100,7 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run: |
           yarn global add snyk
-          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
+          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
 
       - name: upload scan result as pull-request artifact
         uses: actions/upload-artifact@v3
@@ -136,22 +141,24 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
     outputs:
-      imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }}
+      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
+      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
     steps:
       - name: checkout code
         uses: actions/checkout@master
 
-      - name: install Go 1.19.5
+      - name: install Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19.5'
+          go-version: ${{ env.GO_VERSION }}
 
-      - name: install Node.js 18.x
+      - name: install Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18.x
+          node-version: ${{ env.NODE_VERSION }}
 
       - name: Install packages
         run: yarn --frozen-lockfile
@@ -167,26 +174,26 @@ jobs:
         with:
           context: .
           file: build/linux/Dockerfile
-          tags: trivy-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/trivy-portainer-image.tar
+          tags: local-portainer:${{ github.sha }}
+          outputs: type=docker,dest=/tmp/local-portainer-image.tar
 
       - name: load docker image
         run: |
-          docker load --input /tmp/trivy-portainer-image.tar
+          docker load --input /tmp/local-portainer-image.tar
 
       - name: scan vulnerabilities by Trivy
         uses: docker://docker.io/aquasec/trivy:latest
         continue-on-error: true
         with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }}
+          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
 
-      - name: upload image security scan result as artifact
+      - name: upload Trivy image security scan result as artifact
         uses: actions/upload-artifact@v3
         with:
           name: image-security-scan-feature-result
           path: image-trivy.json
 
-      - name: download artifacts from develop branch built by nightly scan
+      - name: download Trivy artifacts from develop branch built by nightly scan
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -198,21 +205,65 @@ jobs:
             echo "null" > ./image-trivy-develop.json
           fi
 
-      - name: pr vs develop scan report comparison export to html
+      - name: pr vs develop Trivy scan report comparison export to html
         run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
 
-      - name: upload html file as artifact
+      - name: upload html file as Trivy artifact
         uses: actions/upload-artifact@v3
         with:
           name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-result.html
+          path: image-trivy-result.html
 
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
+      - name: analyse different vulnerabilities against develop branch by Trivy
+        id: set-diff-trivy-matrix
         run: |
           result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
+
+      - name: scan vulnerabilities by Docker Scout
+        uses: docker/scout-action@v1
+        continue-on-error: true
+        with:
+          command: cves
+          image: local-portainer:${{ github.sha }}
+          sarif-file: image-docker-scout.json
+          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: upload Docker Scout image security scan result as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: image-security-scan-feature-result
+          path: image-docker-scout.json
+
+      - name: download Docker Scout artifacts from develop branch built by nightly scan
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mv ./image-docker-scout.json ./image-docker-scout-feature.json
+          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
+          if [[ -e ./image-docker-scout.json ]]; then
+            mv ./image-docker-scout.json ./image-docker-scout-develop.json
+          else
+            echo "null" > ./image-docker-scout-develop.json
+          fi
+
+      - name: pr vs develop Docker Scout scan report comparison export to html
+        run: |
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
+
+      - name: upload html file as Docker Scout artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: html-image-result-compare-to-develop-${{github.run_id}}
+          path: image-docker-scout-result.html
+
+      - name: analyse different vulnerabilities against develop branch by Docker Scout
+        id: set-diff-docker-scout-matrix
+        run: |
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
+          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
 
   result-analysis:
     name: Analyse Scan Result Against develop Branch
@@ -220,23 +271,28 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan'
+      github.event.review.body == '/scan' &&
+      github.event.pull_request.draft == false
     strategy:
       matrix:
         jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
         godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}}
+        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
+        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
     steps:
       - name: check job status of diff result
         if: >-
           matrix.jsdiff.status == 'failure' ||
           matrix.godiff.status == 'failure' ||
-          matrix.imagediff.status == 'failure'
+          matrix.imagediff-trivy.status == 'failure' ||
+          matrix.imagediff-docker-scout.status == 'failure'
         run: |
           echo "${{ matrix.jsdiff.status }}"
           echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff.status }}"
+          echo "${{ matrix.imagediff-trivy.status }}"
+          echo "${{ matrix.imagediff-docker-scout.status }}"
           echo "${{ matrix.jsdiff.summary }}"
           echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff.summary }}"
+          echo "${{ matrix.imagediff-trivy.summary }}"
+          echo "${{ matrix.imagediff-docker-scout.summary }}"
           exit 1

.github/workflows/stale.yml

@@ -1,7 +1,8 @@
 name: Close Stale Issues
 on:
   schedule:
-  - cron: '0 12 * * *'
+    - cron: '0 12 * * *'
+  workflow_dispatch:
 jobs:
   stale:
     runs-on: ubuntu-latest
@@ -9,7 +10,7 @@ jobs:
       issues: write
 
     steps:
-    - uses: actions/stale@v4.0.0
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/test.yaml

@@ -1,25 +1,56 @@
 name: Test
-on: push
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
+
+on:
+  pull_request:
+    branches:
+      - master
+      - develop
+      - release/*
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  push:
+    branches:
+      - master
+      - develop
+      - release/*
+
 jobs:
   test-client:
     runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
 
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
       - run: yarn --frozen-lockfile
 
       - name: Run tests
-        run: yarn jest --maxWorkers=2
+        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
   test-server:
+    strategy:
+      matrix:
+        config:
+          - { platform: linux, arch: amd64 }
+          - { platform: linux, arch: arm64 }
+          - { platform: windows, arch: amd64, version: 1809 }
+          - { platform: windows, arch: amd64, version: ltsc2022 }
     runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.19.5
+          go-version: ${{ env.GO_VERSION }}
       - name: Run tests
         run: make test-server

.github/workflows/validate-openapi-spec.yaml

@@ -6,22 +6,32 @@ on:
       - master
       - develop
       - 'release/*'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+env:
+  GO_VERSION: 1.21.6
+  NODE_VERSION: 18.x
 
 jobs:
   openapi-spec:
     runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
     steps:
       - uses: actions/checkout@v3
 
       - uses: actions/setup-go@v3
         with:
-          go-version: '1.18'
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Download golang modules
         run: cd ./api && go get -t -v -d ./...
       - uses: actions/setup-node@v3
         with:
-          node-version: '18'
+          node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
       - run: yarn --frozen-lockfile
 

.golangci.yaml

@@ -0,0 +1,40 @@
+linters:
+  # Disable all linters, the defaults don't pass on our code yet
+  disable-all: true
+
+  # Enable these for now
+  enable:
+    - unused
+    - depguard
+    - gosimple
+    - govet
+    - errorlint
+    - exportloopref
+
+linters-settings:
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: 'encoding/json'
+            desc: 'use github.com/segmentio/encoding/json'
+          - pkg: 'github.com/sirupsen/logrus'
+            desc: 'logging is allowed only by github.com/rs/zerolog'
+          - pkg: 'golang.org/x/exp'
+            desc: 'exp is not allowed'
+          - pkg: 'github.com/portainer/libcrypto'
+            desc: 'use github.com/portainer/portainer/pkg/libcrypto'
+          - pkg: 'github.com/portainer/libhttp'
+            desc: 'use github.com/portainer/portainer/pkg/libhttp'
+        files:
+          - '!**/*_test.go'
+          - '!**/base.go'
+          - '!**/base_tx.go'
+
+# errorlint is causing a typecheck error for some reason. The go compiler will report these
+# anyway, so ignore them from the linter
+issues:
+  exclude-rules:
+    - path: ./
+      linters:
+        - typecheck

.prettierrc

@@ -2,18 +2,24 @@
   "printWidth": 180,
   "singleQuote": true,
   "htmlWhitespaceSensitivity": "strict",
+  "trailingComma": "es5",
   "overrides": [
     {
-      "files": ["*.html"],
+      "files": [
+        "*.html"
+      ],
       "options": {
         "parser": "angular"
       }
     },
     {
-      "files": ["*.{j,t}sx", "*.ts"],
+      "files": [
+        "*.{j,t}sx",
+        "*.ts"
+      ],
       "options": {
         "printWidth": 80
       }
     }
   ]
-}
+}

.storybook/main.ts

@@ -3,6 +3,7 @@ import { StorybookConfig } from '@storybook/react-webpack5';
 import TsconfigPathsPlugin from 'tsconfig-paths-webpack-plugin';
 import { Configuration } from 'webpack';
 import postcss from 'postcss';
+
 const config: StorybookConfig = {
   stories: ['../app/**/*.stories.@(ts|tsx)'],
   addons: [
@@ -87,9 +88,6 @@ const config: StorybookConfig = {
     name: '@storybook/react-webpack5',
     options: {},
   },
-  docs: {
-    autodocs: true,
-  },
 };
 
 export default config;

.storybook/preview.tsx

@@ -1,23 +1,26 @@
 import '../app/assets/css';
-
+import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
-import { initialize as initMSW, mswDecorator } from 'msw-storybook-addon';
-import { handlers } from '@/setup-tests/server-handlers';
+import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
+import { handlers } from '../app/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from 'react-query';
 
-// Initialize MSW
-initMSW({
-  onUnhandledRequest: ({ method, url }) => {
-    if (url.pathname.startsWith('/api')) {
-      console.error(`Unhandled ${method} request to ${url}.
+initMSW(
+  {
+    onUnhandledRequest: ({ method, url }) => {
+      console.log(method, url);
+      if (url.startsWith('/api')) {
+        console.error(`Unhandled ${method} request to ${url}.
 
         This exception has been only logged in the console, however, it's strongly recommended to resolve this error as you don't want unmocked data in Storybook stories.
 
         If you wish to mock an error response, please refer to this guide: https://mswjs.io/docs/recipes/mocking-error-responses
       `);
-    }
+      }
+    },
   },
-});
+  handlers
+);
 
 export const parameters = {
   actions: { argTypesRegex: '^on[A-Z].*' },
@@ -44,5 +47,6 @@ export const decorators = [
       </UIRouter>
     </QueryClientProvider>
   ),
-  mswDecorator,
 ];
+
+export const loaders = [mswLoader];

.storybook/public/mockServiceWorker.js

@@ -2,22 +2,22 @@
 /* tslint:disable */
 
 /**
- * Mock Service Worker (0.36.3).
+ * Mock Service Worker (2.0.11).
  * @see https://github.com/mswjs/msw
  * - Please do NOT modify this file.
  * - Please do NOT serve this file on production.
  */
 
-const INTEGRITY_CHECKSUM = '02f4ad4a2797f85668baf196e553d929';
-const bypassHeaderName = 'x-msw-bypass';
+const INTEGRITY_CHECKSUM = 'c5f7f8e188b673ea4e677df7ea3c5a39';
+const IS_MOCKED_RESPONSE = Symbol('isMockedResponse');
 const activeClientIds = new Set();
 
 self.addEventListener('install', function () {
-  return self.skipWaiting();
+  self.skipWaiting();
 });
 
-self.addEventListener('activate', async function (event) {
-  return self.clients.claim();
+self.addEventListener('activate', function (event) {
+  event.waitUntil(self.clients.claim());
 });
 
 self.addEventListener('message', async function (event) {
@@ -33,7 +33,9 @@ self.addEventListener('message', async function (event) {
     return;
   }
 
-  const allClients = await self.clients.matchAll();
+  const allClients = await self.clients.matchAll({
+    type: 'window',
+  });
 
   switch (event.data) {
     case 'KEEPALIVE_REQUEST': {
@@ -83,165 +85,8 @@ self.addEventListener('message', async function (event) {
   }
 });
 
-// Resolve the "main" client for the given event.
-// Client that issues a request doesn't necessarily equal the client
-// that registered the worker. It's with the latter the worker should
-// communicate with during the response resolving phase.
-async function resolveMainClient(event) {
-  const client = await self.clients.get(event.clientId);
-
-  if (client.frameType === 'top-level') {
-    return client;
-  }
-
-  const allClients = await self.clients.matchAll();
-
-  return allClients
-    .filter((client) => {
-      // Get only those clients that are currently visible.
-      return client.visibilityState === 'visible';
-    })
-    .find((client) => {
-      // Find the client ID that's recorded in the
-      // set of clients that have registered the worker.
-      return activeClientIds.has(client.id);
-    });
-}
-
-async function handleRequest(event, requestId) {
-  const client = await resolveMainClient(event);
-  const response = await getResponse(event, client, requestId);
-
-  // Send back the response clone for the "response:*" life-cycle events.
-  // Ensure MSW is active and ready to handle the message, otherwise
-  // this message will pend indefinitely.
-  if (client && activeClientIds.has(client.id)) {
-    (async function () {
-      const clonedResponse = response.clone();
-      sendToClient(client, {
-        type: 'RESPONSE',
-        payload: {
-          requestId,
-          type: clonedResponse.type,
-          ok: clonedResponse.ok,
-          status: clonedResponse.status,
-          statusText: clonedResponse.statusText,
-          body: clonedResponse.body === null ? null : await clonedResponse.text(),
-          headers: serializeHeaders(clonedResponse.headers),
-          redirected: clonedResponse.redirected,
-        },
-      });
-    })();
-  }
-
-  return response;
-}
-
-async function getResponse(event, client, requestId) {
-  const { request } = event;
-  const requestClone = request.clone();
-  const getOriginalResponse = () => fetch(requestClone);
-
-  // Bypass mocking when the request client is not active.
-  if (!client) {
-    return getOriginalResponse();
-  }
-
-  // Bypass initial page load requests (i.e. static assets).
-  // The absence of the immediate/parent client in the map of the active clients
-  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
-  // and is not ready to handle requests.
-  if (!activeClientIds.has(client.id)) {
-    return await getOriginalResponse();
-  }
-
-  // Bypass requests with the explicit bypass header
-  if (requestClone.headers.get(bypassHeaderName) === 'true') {
-    const cleanRequestHeaders = serializeHeaders(requestClone.headers);
-
-    // Remove the bypass header to comply with the CORS preflight check.
-    delete cleanRequestHeaders[bypassHeaderName];
-
-    const originalRequest = new Request(requestClone, {
-      headers: new Headers(cleanRequestHeaders),
-    });
-
-    return fetch(originalRequest);
-  }
-
-  // Send the request to the client-side MSW.
-  const reqHeaders = serializeHeaders(request.headers);
-  const body = await request.text();
-
-  const clientMessage = await sendToClient(client, {
-    type: 'REQUEST',
-    payload: {
-      id: requestId,
-      url: request.url,
-      method: request.method,
-      headers: reqHeaders,
-      cache: request.cache,
-      mode: request.mode,
-      credentials: request.credentials,
-      destination: request.destination,
-      integrity: request.integrity,
-      redirect: request.redirect,
-      referrer: request.referrer,
-      referrerPolicy: request.referrerPolicy,
-      body,
-      bodyUsed: request.bodyUsed,
-      keepalive: request.keepalive,
-    },
-  });
-
-  switch (clientMessage.type) {
-    case 'MOCK_SUCCESS': {
-      return delayPromise(() => respondWithMock(clientMessage), clientMessage.payload.delay);
-    }
-
-    case 'MOCK_NOT_FOUND': {
-      return getOriginalResponse();
-    }
-
-    case 'NETWORK_ERROR': {
-      const { name, message } = clientMessage.payload;
-      const networkError = new Error(message);
-      networkError.name = name;
-
-      // Rejecting a request Promise emulates a network error.
-      throw networkError;
-    }
-
-    case 'INTERNAL_ERROR': {
-      const parsedBody = JSON.parse(clientMessage.payload.body);
-
-      console.error(
-        `\
-[MSW] Uncaught exception in the request handler for "%s %s":
-
-${parsedBody.location}
-
-This exception has been gracefully handled as a 500 response, however, it's strongly recommended to resolve this error, as it indicates a mistake in your code. If you wish to mock an error response, please see this guide: https://mswjs.io/docs/recipes/mocking-error-responses\
-`,
-        request.method,
-        request.url
-      );
-
-      return respondWithMock(clientMessage);
-    }
-  }
-
-  return getOriginalResponse();
-}
-
 self.addEventListener('fetch', function (event) {
   const { request } = event;
-  const accept = request.headers.get('accept') || '';
-
-  // Bypass server-sent events.
-  if (accept.includes('text/event-stream')) {
-    return;
-  }
 
   // Bypass navigation requests.
   if (request.mode === 'navigate') {
@@ -261,36 +106,149 @@ self.addEventListener('fetch', function (event) {
     return;
   }
 
-  const requestId = uuidv4();
-
-  return event.respondWith(
-    handleRequest(event, requestId).catch((error) => {
-      if (error.name === 'NetworkError') {
-        console.warn('[MSW] Successfully emulated a network error for the "%s %s" request.', request.method, request.url);
-        return;
-      }
-
-      // At this point, any exception indicates an issue with the original request/response.
-      console.error(
-        `\
-[MSW] Caught an exception from the "%s %s" request (%s). This is probably not a problem with Mock Service Worker. There is likely an additional logging output above.`,
-        request.method,
-        request.url,
-        `${error.name}: ${error.message}`
-      );
-    })
-  );
+  // Generate unique request ID.
+  const requestId = crypto.randomUUID();
+  event.respondWith(handleRequest(event, requestId));
 });
 
-function serializeHeaders(headers) {
-  const reqHeaders = {};
-  headers.forEach((value, name) => {
-    reqHeaders[name] = reqHeaders[name] ? [].concat(reqHeaders[name]).concat(value) : value;
-  });
-  return reqHeaders;
+async function handleRequest(event, requestId) {
+  const client = await resolveMainClient(event);
+  const response = await getResponse(event, client, requestId);
+
+  // Send back the response clone for the "response:*" life-cycle events.
+  // Ensure MSW is active and ready to handle the message, otherwise
+  // this message will pend indefinitely.
+  if (client && activeClientIds.has(client.id)) {
+    (async function () {
+      const responseClone = response.clone();
+
+      sendToClient(
+        client,
+        {
+          type: 'RESPONSE',
+          payload: {
+            requestId,
+            isMockedResponse: IS_MOCKED_RESPONSE in response,
+            type: responseClone.type,
+            status: responseClone.status,
+            statusText: responseClone.statusText,
+            body: responseClone.body,
+            headers: Object.fromEntries(responseClone.headers.entries()),
+          },
+        },
+        [responseClone.body]
+      );
+    })();
+  }
+
+  return response;
 }
 
-function sendToClient(client, message) {
+// Resolve the main client for the given event.
+// Client that issues a request doesn't necessarily equal the client
+// that registered the worker. It's with the latter the worker should
+// communicate with during the response resolving phase.
+async function resolveMainClient(event) {
+  const client = await self.clients.get(event.clientId);
+
+  if (client?.frameType === 'top-level') {
+    return client;
+  }
+
+  const allClients = await self.clients.matchAll({
+    type: 'window',
+  });
+
+  return allClients
+    .filter((client) => {
+      // Get only those clients that are currently visible.
+      return client.visibilityState === 'visible';
+    })
+    .find((client) => {
+      // Find the client ID that's recorded in the
+      // set of clients that have registered the worker.
+      return activeClientIds.has(client.id);
+    });
+}
+
+async function getResponse(event, client, requestId) {
+  const { request } = event;
+
+  // Clone the request because it might've been already used
+  // (i.e. its body has been read and sent to the client).
+  const requestClone = request.clone();
+
+  function passthrough() {
+    const headers = Object.fromEntries(requestClone.headers.entries());
+
+    // Remove internal MSW request header so the passthrough request
+    // complies with any potential CORS preflight checks on the server.
+    // Some servers forbid unknown request headers.
+    delete headers['x-msw-intention'];
+
+    return fetch(requestClone, { headers });
+  }
+
+  // Bypass mocking when the client is not active.
+  if (!client) {
+    return passthrough();
+  }
+
+  // Bypass initial page load requests (i.e. static assets).
+  // The absence of the immediate/parent client in the map of the active clients
+  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
+  // and is not ready to handle requests.
+  if (!activeClientIds.has(client.id)) {
+    return passthrough();
+  }
+
+  // Bypass requests with the explicit bypass header.
+  // Such requests can be issued by "ctx.fetch()".
+  const mswIntention = request.headers.get('x-msw-intention');
+  if (['bypass', 'passthrough'].includes(mswIntention)) {
+    return passthrough();
+  }
+
+  // Notify the client that a request has been intercepted.
+  const requestBuffer = await request.arrayBuffer();
+  const clientMessage = await sendToClient(
+    client,
+    {
+      type: 'REQUEST',
+      payload: {
+        id: requestId,
+        url: request.url,
+        mode: request.mode,
+        method: request.method,
+        headers: Object.fromEntries(request.headers.entries()),
+        cache: request.cache,
+        credentials: request.credentials,
+        destination: request.destination,
+        integrity: request.integrity,
+        redirect: request.redirect,
+        referrer: request.referrer,
+        referrerPolicy: request.referrerPolicy,
+        body: requestBuffer,
+        keepalive: request.keepalive,
+      },
+    },
+    [requestBuffer]
+  );
+
+  switch (clientMessage.type) {
+    case 'MOCK_RESPONSE': {
+      return respondWithMock(clientMessage.data);
+    }
+
+    case 'MOCK_NOT_FOUND': {
+      return passthrough();
+    }
+  }
+
+  return passthrough();
+}
+
+function sendToClient(client, message, transferrables = []) {
   return new Promise((resolve, reject) => {
     const channel = new MessageChannel();
 
@@ -302,27 +260,25 @@ function sendToClient(client, message) {
       resolve(event.data);
     };
 
-    client.postMessage(JSON.stringify(message), [channel.port2]);
+    client.postMessage(message, [channel.port2].concat(transferrables.filter(Boolean)));
   });
 }
 
-function delayPromise(cb, duration) {
-  return new Promise((resolve) => {
-    setTimeout(() => resolve(cb()), duration);
-  });
-}
+async function respondWithMock(response) {
+  // Setting response status code to 0 is a no-op.
+  // However, when responding with a "Response.error()", the produced Response
+  // instance will have status code set to 0. Since it's not possible to create
+  // a Response instance with status code 0, handle that use-case separately.
+  if (response.status === 0) {
+    return Response.error();
+  }
 
-function respondWithMock(clientMessage) {
-  return new Response(clientMessage.payload.body, {
-    ...clientMessage.payload,
-    headers: clientMessage.payload.headers,
-  });
-}
+  const mockedResponse = new Response(response.body, response);
 
-function uuidv4() {
-  return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
-    const r = (Math.random() * 16) | 0;
-    const v = c == 'x' ? r : (r & 0x3) | 0x8;
-    return v.toString(16);
+  Reflect.defineProperty(mockedResponse, IS_MOCKED_RESPONSE, {
+    value: true,
+    enumerable: true,
   });
+
+  return mockedResponse;
 }

Makefile

@@ -7,9 +7,9 @@ ARCH=$(shell go env GOARCH)
 # build target, can be one of "production", "testing", "development"
 ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
-TAG=latest
+TAG=local
 
-SWAG=go run github.com/swaggo/swag/cmd/swag@v1.8.11 
+SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2 
 GOTESTSUM=go run gotest.tools/gotestsum@latest
 
 # Don't change anything below this line unless you know what you're doing
@@ -65,10 +65,10 @@ clean: ## Remove all build and download artifacts
 test: test-server test-client ## Run all tests
 
 test-client: ## Run client tests
-	yarn test
+	yarn test $(ARGS)
 
 test-server:	## Run server tests
-	cd api && $(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
+	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
 
 ##@ Dev
 .PHONY: dev dev-client dev-server
@@ -92,7 +92,7 @@ format-client: ## Format client code
 	yarn format
 
 format-server: ## Format server code
-	cd api && go fmt ./...
+	go fmt ./...
 
 ##@ Lint
 .PHONY: lint lint-client lint-server
@@ -102,7 +102,7 @@ lint-client: ## Lint client code
 	yarn lint
 
 lint-server: ## Lint server code
-	cd api && go vet ./...
+	golangci-lint run --timeout=10m -c .golangci.yaml
 
 
 ##@ Extension
@@ -114,7 +114,7 @@ dev-extension: build-server build-client ## Run the extension in development mod
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
-	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 --markdownFiles ./
+	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./ 
 
 docs-validate: docs-build ## Validate docs
 	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml

api/.golangci.yaml

@@ -1,31 +0,0 @@
-linters:
-  # Disable all linters, the defaults don't pass on our code yet
-  disable-all: true
-
-  # Enable these for now
-  enable:
-    - depguard
-    - govet
-    - errorlint
-    - exportloopref
-linters-settings:
-  depguard:
-    list-type: denylist
-    include-go-root: true
-    packages:
-      - github.com/sirupsen/logrus
-      - golang.org/x/exp
-    packages-with-error-message:
-      - github.com/sirupsen/logrus: 'logging is allowed only by github.com/rs/zerolog'
-    ignore-file-rules:
-      - '**/*_test.go'
-      - '**/base.go'
-      - '**/base_tx.go'
-
-# errorlint is causing a typecheck error for some reason. The go compiler will report these
-# anyway, so ignore them from the linter
-issues:
-  exclude-rules:
-    - path: ./
-      linters:
-        - typecheck

api/adminmonitor/admin_monitor.go

@@ -7,9 +7,9 @@ import (
 	"sync"
 	"time"
 
-	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/rs/zerolog/log"
 )

api/apikey/apikey.go

@@ -1,30 +1,17 @@
 package apikey
 
 import (
-	"crypto/rand"
-	"io"
-
 	portainer "github.com/portainer/portainer/api"
 )
 
 // APIKeyService represents a service for managing API keys.
 type APIKeyService interface {
-	HashRaw(rawKey string) []byte
+	HashRaw(rawKey string) string
 	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
 	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
 	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
-	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
+	GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error)
 	UpdateAPIKey(apiKey *portainer.APIKey) error
 	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
 	InvalidateUserKeyCache(userId portainer.UserID) bool
 }
-
-// generateRandomKey generates a random key of specified length
-// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
-func generateRandomKey(length int) []byte {
-	k := make([]byte, length)
-	if _, err := io.ReadFull(rand.Reader, k); err != nil {
-		return nil
-	}
-	return k
-}

api/apikey/apikey_test.go

@@ -3,6 +3,7 @@ package apikey
 import (
 	"testing"
 
+	"github.com/portainer/portainer/api/internal/securecookie"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -33,7 +34,7 @@ func Test_generateRandomKey(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := generateRandomKey(tt.wantLenth)
+			got := securecookie.GenerateRandomKey(tt.wantLenth)
 			is.Equal(tt.wantLenth, len(got))
 		})
 	}
@@ -41,7 +42,7 @@ func Test_generateRandomKey(t *testing.T) {
 	t.Run("Generated keys are unique", func(t *testing.T) {
 		keys := make(map[string]bool)
 		for i := 0; i < 100; i++ {
-			key := generateRandomKey(8)
+			key := securecookie.GenerateRandomKey(8)
 			_, ok := keys[string(key)]
 			is.False(ok)
 			keys[string(key)] = true

api/apikey/cache.go

@@ -33,8 +33,8 @@ func NewAPIKeyCache(cacheSize int) *apiKeyCache {
 // Get returns the user/key associated to an api-key's digest
 // This is required because HTTP requests will contain the digest of the API key in header,
 // the digest value must be mapped to a portainer user.
-func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool) {
-	val, ok := c.cache.Get(string(digest))
+func (c *apiKeyCache) Get(digest string) (portainer.User, portainer.APIKey, bool) {
+	val, ok := c.cache.Get(digest)
 	if !ok {
 		return portainer.User{}, portainer.APIKey{}, false
 	}
@@ -44,23 +44,23 @@ func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool
 }
 
 // Set persists a user/key entry to the cache
-func (c *apiKeyCache) Set(digest []byte, user portainer.User, apiKey portainer.APIKey) {
-	c.cache.Add(string(digest), entry{
+func (c *apiKeyCache) Set(digest string, user portainer.User, apiKey portainer.APIKey) {
+	c.cache.Add(digest, entry{
 		user:   user,
 		apiKey: apiKey,
 	})
 }
 
 // Delete evicts a digest's user/key entry key from the cache
-func (c *apiKeyCache) Delete(digest []byte) {
-	c.cache.Remove(string(digest))
+func (c *apiKeyCache) Delete(digest string) {
+	c.cache.Remove(digest)
 }
 
 // InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
 func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
 	present := false
 	for _, k := range c.cache.Keys() {
-		user, _, _ := c.Get([]byte(k.(string)))
+		user, _, _ := c.Get(k.(string))
 		if user.ID == userId {
 			present = c.cache.Remove(k)
 		}

api/apikey/cache_test.go

@@ -17,19 +17,19 @@ func Test_apiKeyCacheGet(t *testing.T) {
 	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
 
 	tests := []struct {
-		digest []byte
+		digest string
 		found  bool
 	}{
 		{
-			digest: []byte("foo"),
+			digest: "foo",
 			found:  true,
 		},
 		{
-			digest: []byte(""),
+			digest: "",
 			found:  true,
 		},
 		{
-			digest: []byte("bar"),
+			digest: "bar",
 			found:  false,
 		},
 	}
@@ -48,11 +48,11 @@ func Test_apiKeyCacheSet(t *testing.T) {
 	keyCache := NewAPIKeyCache(10)
 
 	// pre-populate cache
-	keyCache.Set([]byte("bar"), portainer.User{ID: 2}, portainer.APIKey{})
-	keyCache.Set([]byte("foo"), portainer.User{ID: 1}, portainer.APIKey{})
+	keyCache.Set("bar", portainer.User{ID: 2}, portainer.APIKey{})
+	keyCache.Set("foo", portainer.User{ID: 1}, portainer.APIKey{})
 
 	// overwrite existing entry
-	keyCache.Set([]byte("foo"), portainer.User{ID: 3}, portainer.APIKey{})
+	keyCache.Set("foo", portainer.User{ID: 3}, portainer.APIKey{})
 
 	val, ok := keyCache.cache.Get(string("bar"))
 	is.True(ok)
@@ -74,14 +74,14 @@ func Test_apiKeyCacheDelete(t *testing.T) {
 
 	t.Run("Delete an existing entry", func(t *testing.T) {
 		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.Delete([]byte("foo"))
+		keyCache.Delete("foo")
 
 		_, ok := keyCache.cache.Get(string("foo"))
 		is.False(ok)
 	})
 
 	t.Run("Delete a non-existing entry", func(t *testing.T) {
-		nonPanicFunc := func() { keyCache.Delete([]byte("non-existent-key")) }
+		nonPanicFunc := func() { keyCache.Delete("non-existent-key") }
 		is.NotPanics(nonPanicFunc)
 	})
 }
@@ -131,16 +131,16 @@ func Test_apiKeyCacheLRU(t *testing.T) {
 			keyCache := NewAPIKeyCache(test.cacheLen)
 
 			for _, key := range test.key {
-				keyCache.Set([]byte(key), portainer.User{ID: 1}, portainer.APIKey{})
+				keyCache.Set(key, portainer.User{ID: 1}, portainer.APIKey{})
 			}
 
 			for _, key := range test.foundKeys {
-				_, _, found := keyCache.Get([]byte(key))
+				_, _, found := keyCache.Get(key)
 				is.True(found, "Key %s not found", key)
 			}
 
 			for _, key := range test.evictedKeys {
-				_, _, found := keyCache.Get([]byte(key))
+				_, _, found := keyCache.Get(key)
 				is.False(found, "key %s should have been evicted", key)
 			}
 		})

api/apikey/service.go

@@ -8,6 +8,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/internal/securecookie"
 
 	"github.com/pkg/errors"
 )
@@ -31,15 +32,15 @@ func NewAPIKeyService(apiKeyRepository dataservices.APIKeyRepository, userReposi
 }
 
 // HashRaw computes a hash digest of provided raw API key.
-func (a *apiKeyService) HashRaw(rawKey string) []byte {
+func (a *apiKeyService) HashRaw(rawKey string) string {
 	hashDigest := sha256.Sum256([]byte(rawKey))
-	return hashDigest[:]
+	return base64.StdEncoding.EncodeToString(hashDigest[:])
 }
 
 // GenerateApiKey generates a raw API key for a user (for one-time display).
 // The generated API key is stored in the cache and database.
 func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
-	randKey := generateRandomKey(32)
+	randKey := securecookie.GenerateRandomKey(32)
 	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
 	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
 
@@ -76,7 +77,7 @@ func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey,
 
 // GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
 // A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
-func (a *apiKeyService) GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error) {
+func (a *apiKeyService) GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error) {
 	// get api key from cache if possible
 	cachedUser, cachedKey, ok := a.cache.Get(digest)
 	if ok {

api/apikey/service_test.go

@@ -2,6 +2,7 @@ package apikey
 
 import (
 	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
 	"strings"
 	"testing"
@@ -68,7 +69,7 @@ func Test_GenerateApiKey(t *testing.T) {
 
 		generatedDigest := sha256.Sum256([]byte(rawKey))
 
-		is.Equal(apiKey.Digest, generatedDigest[:])
+		is.Equal(apiKey.Digest, base64.StdEncoding.EncodeToString(generatedDigest[:]))
 	})
 }
 

api/archive/targz.go

@@ -48,18 +48,6 @@ func TarGzDir(absolutePath string) (string, error) {
 }
 
 func addToArchive(tarWriter *tar.Writer, pathInArchive string, path string, info os.FileInfo) error {
-	header, err := tar.FileInfoHeader(info, info.Name())
-	if err != nil {
-		return err
-	}
-
-	header.Name = pathInArchive // use relative paths in archive
-
-	err = tarWriter.WriteHeader(header)
-	if err != nil {
-		return err
-	}
-
 	if info.IsDir() {
 		return nil
 	}
@@ -68,6 +56,26 @@ func addToArchive(tarWriter *tar.Writer, pathInArchive string, path string, info
 	if err != nil {
 		return err
 	}
+
+	stat, err := file.Stat()
+	if err != nil {
+		return err
+	}
+
+	header, err := tar.FileInfoHeader(stat, stat.Name())
+	if err != nil {
+		return err
+	}
+	header.Name = pathInArchive // use relative paths in archive
+
+	err = tarWriter.WriteHeader(header)
+	if err != nil {
+		return err
+	}
+	if stat.IsDir() {
+		return nil
+	}
+
 	_, err = io.Copy(tarWriter, file)
 	return err
 }
@@ -98,7 +106,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			// skip, dir will be created with a file
 		case tar.TypeReg:
 			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
-			if err := os.MkdirAll(filepath.Dir(p), 0744); err != nil {
+			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
 			outFile, err := os.Create(p)

api/backup/backup.go

@@ -17,7 +17,7 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-const rwxr__r__ os.FileMode = 0744
+const rwxr__r__ os.FileMode = 0o744
 
 var filesToBackup = []string{
 	"certs",
@@ -30,6 +30,7 @@ var filesToBackup = []string{
 	"portainer.key",
 	"portainer.pub",
 	"tls",
+	"chisel",
 }
 
 // Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
@@ -81,14 +82,8 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 }
 
 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
-	backupWriter, err := os.Create(filepath.Join(backupDirPath, "portainer.db"))
-	if err != nil {
-		return err
-	}
-	if err = datastore.BackupTo(backupWriter); err != nil {
-		return err
-	}
-	return backupWriter.Close()
+	_, err := datastore.Backup(filepath.Join(backupDirPath, "portainer.db"))
+	return err
 }
 
 func encrypt(path string, passphrase string) (string, error) {

api/build/variables.go

@@ -1,9 +1,12 @@
 package build
 
+import "runtime"
+
 // Variables to be set during the build time
 var BuildNumber string
 var ImageTag string
 var NodejsVersion string
 var YarnVersion string
 var WebpackVersion string
-var GoVersion string
+var GoVersion string = runtime.Version()
+var GitCommit string

api/chisel/service.go

@@ -21,6 +21,7 @@ const (
 	tunnelCleanupInterval = 10 * time.Second
 	requiredTimeout       = 15 * time.Second
 	activeTimeout         = 4*time.Minute + 30*time.Second
+	pingTimeout           = 3 * time.Second
 )
 
 // Service represents a service to manage the state of multiple reverse tunnels.
@@ -59,14 +60,18 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 	}
 
 	httpClient := &http.Client{
-		Timeout: 3 * time.Second,
+		Timeout: pingTimeout,
 	}
 
 	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+
 	io.Copy(io.Discard, resp.Body)
 	resp.Body.Close()
 
-	return err
+	return nil
 }
 
 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
@@ -75,10 +80,11 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 		log.Debug().
 			Int("endpoint_id", int(endpointID)).
 			Float64("max_alive_minutes", maxAlive.Minutes()).
-			Msg("start")
+			Msg("KeepTunnelAlive: start")
 
 		maxAliveTicker := time.NewTicker(maxAlive)
 		defer maxAliveTicker.Stop()
+
 		pingTicker := time.NewTicker(tunnelCleanupInterval)
 		defer pingTicker.Stop()
 
@@ -91,13 +97,13 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 					log.Debug().
 						Int("endpoint_id", int(endpointID)).
 						Err(err).
-						Msg("ping agent")
+						Msg("KeepTunnelAlive: ping agent")
 				}
 			case <-maxAliveTicker.C:
 				log.Debug().
 					Int("endpoint_id", int(endpointID)).
 					Float64("timeout_minutes", maxAlive.Minutes()).
-					Msg("tunnel keep alive timeout")
+					Msg("KeepTunnelAlive: tunnel keep alive timeout")
 
 				return
 			case <-ctx.Done():
@@ -105,7 +111,7 @@ func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx con
 				log.Debug().
 					Int("endpoint_id", int(endpointID)).
 					Err(err).
-					Msg("tunnel stop")
+					Msg("KeepTunnelAlive: tunnel stop")
 
 				return
 			}
@@ -126,8 +132,8 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotService por
 	}
 
 	config := &chserver.Config{
-		Reverse:        true,
-		PrivateKeyFile: privateKeyFile,
+		Reverse: true,
+		KeyFile: privateKeyFile,
 	}
 
 	chiselServer, err := chserver.NewServer(config)

api/chisel/service_test.go

@@ -0,0 +1,39 @@
+package chisel
+
+import (
+	"net"
+	"net/http"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestPingAgentPanic(t *testing.T) {
+	endpointID := portainer.EndpointID(1)
+
+	s := NewService(nil, nil, nil)
+
+	defer func() {
+		require.Nil(t, recover())
+	}()
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(pingTimeout + 1*time.Second)
+	})
+
+	ln, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+
+	go func() {
+		require.NoError(t, http.Serve(ln, mux))
+	}()
+
+	s.getTunnelDetails(endpointID)
+	s.tunnelDetailsMap[endpointID].Port = ln.Addr().(*net.TCPAddr).Port
+
+	require.Error(t, s.pingAgent(endpointID))
+}

api/chisel/tunnel.go

@@ -8,9 +8,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/portainer/libcrypto"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/internal/edge/cache"
+	"github.com/portainer/portainer/pkg/libcrypto"
 
 	"github.com/dchest/uniuri"
 )

api/cli/cli.go

@@ -49,7 +49,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL (deprecated)").Default(defaultSSL).Bool(),
 		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
 		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
-		Rollback:                  kingpin.Flag("rollback", "Rollback the database store to the previous version").Bool(),
+		Rollback:                  kingpin.Flag("rollback", "Rollback the database to the previous backup").Bool(),
 		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Set admin password with provided hash").String(),
 		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),

api/cli/confirm.go

@@ -9,7 +9,7 @@ import (
 
 // Confirm starts a rollback db cli application
 func Confirm(message string) (bool, error) {
-	fmt.Printf("%s [y/N]", message)
+	fmt.Printf("%s [y/N] ", message)
 
 	reader := bufio.NewReader(os.Stdin)
 

api/cmd/portainer/log.go

@@ -39,9 +39,9 @@ func setLoggingMode(mode string) {
 	case "PRETTY":
 		log.Logger = log.Output(zerolog.ConsoleWriter{
 			Out:           os.Stderr,
-			NoColor:       true,
 			TimeFormat:    "2006/01/02 03:04PM",
-			FormatMessage: formatMessage})
+			FormatMessage: formatMessage,
+		})
 	case "JSON":
 		log.Logger = log.Output(os.Stderr)
 	}
@@ -51,5 +51,6 @@ func formatMessage(i interface{}) string {
 	if i == nil {
 		return ""
 	}
+
 	return fmt.Sprintf("%s |", i)
 }

api/cmd/portainer/main.go

@@ -3,11 +3,9 @@ package main
 import (
 	"context"
 	"crypto/sha256"
-	"math/rand"
 	"os"
 	"path"
 	"strings"
-	"time"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/apikey"
@@ -20,6 +18,7 @@ import (
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/datastore/migrator"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
@@ -42,6 +41,7 @@ import (
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/oauth"
+	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
 	"github.com/portainer/portainer/pkg/featureflags"
@@ -119,11 +119,15 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}
 
+		migratorInstance := migrator.NewMigrator(&migrator.MigratorParameters{})
+		migratorCount := migratorInstance.GetMigratorCountOfCurrentAPIVersion()
+
 		// from MigrateData
 		v := models.Version{
 			SchemaVersion: portainer.APIVersion,
 			Edition:       int(portainer.PortainerCE),
 			InstanceID:    instanceId.String(),
+			MigratorCount: migratorCount,
 		}
 		store.VersionService.UpdateVersion(&v)
 
@@ -152,6 +156,16 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	return store
 }
 
+// checkDBSchemaServerVersionMatch checks if the server version matches the db scehma version
+func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersion string, serverEdition int) bool {
+	v, err := dbStore.Version().Version()
+	if err != nil {
+		return false
+	}
+
+	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
+}
+
 func initComposeStackManager(composeDeployer libstack.Deployer, proxyManager *proxy.Manager) portainer.ComposeStackManager {
 	composeWrapper, err := exec.NewComposeStackManager(composeDeployer, proxyManager)
 	if err != nil {
@@ -184,7 +198,7 @@ func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
 	return apikey.NewAPIKeyService(datastore.APIKeyRepository(), datastore.User())
 }
 
-func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore) (dataservices.JWTService, error) {
+func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore) (portainer.JWTService, error) {
 	if userSessionTimeout == "" {
 		userSessionTimeout = portainer.DefaultUserSessionTimeout
 	}
@@ -248,11 +262,12 @@ func initSnapshotService(
 	dockerClientFactory *dockerclient.ClientFactory,
 	kubernetesClientFactory *kubecli.ClientFactory,
 	shutdownCtx context.Context,
+	pendingActionsService *pendingactions.PendingActionsService,
 ) (portainer.SnapshotService, error) {
 	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
 	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)
 
-	snapshotService, err := snapshot.NewService(snapshotIntervalFromFlag, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
+	snapshotService, err := snapshot.NewService(snapshotIntervalFromFlag, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx, pendingActionsService)
 	if err != nil {
 		return nil, err
 	}
@@ -383,6 +398,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("")
 	}
 
+	// check if the db schema version matches with server version
+	if !checkDBSchemaServerVersionMatch(dataStore, portainer.APIVersion, int(portainer.Edition)) {
+		log.Fatal().Msg("The database schema version does not align with the server version. Please consider reverting to the previous server version or addressing the database migration issue.")
+	}
+
 	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed getting instance id")
@@ -434,15 +454,17 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
 	kubernetesClientFactory, err := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)
 
-	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
+	authorizationService := authorization.NewService(dataStore)
+	authorizationService.K8sClientFactory = kubernetesClientFactory
+
+	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory, authorizationService, shutdownCtx)
+
+	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx, pendingActionsService)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing snapshot service")
 	}
 	snapshotService.Start()
 
-	authorizationService := authorization.NewService(dataStore)
-	authorizationService.K8sClientFactory = kubernetesClientFactory
-
 	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()
 
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService(*flags.BaseURL, *flags.AddrHTTPS, sslSettings.CertPath)
@@ -602,12 +624,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		DemoService:                 demoService,
 		UpgradeService:              upgradeService,
 		AdminCreationDone:           adminCreationDone,
+		PendingActionsService:       pendingActionsService,
 	}
 }
 
 func main() {
-	rand.Seed(time.Now().UnixNano())
-
 	configureLogger()
 	setLoggingMode("PRETTY")
 

api/crypto/ecdsa.go

@@ -8,7 +8,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 
-	"github.com/portainer/libcrypto"
+	"github.com/portainer/portainer/pkg/libcrypto"
 )
 
 const (

api/database/boltdb/db.go

@@ -144,6 +144,8 @@ func (connection *DbConnection) Open() error {
 // Close closes the BoltDB database.
 // Safe to being called multiple times.
 func (connection *DbConnection) Close() error {
+	log.Info().Msg("closing PortainerDB")
+
 	if connection.DB != nil {
 		return connection.DB.Close()
 	}
@@ -255,7 +257,7 @@ func (connection *DbConnection) UpdateObjectFunc(bucketName string, key []byte,
 			return fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
 		}
 
-		err := connection.UnmarshalObjectWithJsoniter(data, object)
+		err := connection.UnmarshalObject(data, object)
 		if err != nil {
 			return err
 		}

api/database/boltdb/export.go

@@ -1,10 +1,10 @@
 package boltdb
 
 import (
-	"encoding/json"
 	"time"
 
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 	bolt "go.etcd.io/bbolt"
 )
 

api/database/boltdb/json.go

@@ -1,34 +1,41 @@
 package boltdb
 
 import (
+	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"encoding/json"
 	"fmt"
 	"io"
 
-	jsoniter "github.com/json-iterator/go"
 	"github.com/pkg/errors"
+	"github.com/segmentio/encoding/json"
 )
 
 var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")
 
 // MarshalObject encodes an object to binary format
-func (connection *DbConnection) MarshalObject(object interface{}) (data []byte, err error) {
+func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error) {
+	buf := &bytes.Buffer{}
+
 	// Special case for the VERSION bucket. Here we're not using json
 	if v, ok := object.(string); ok {
-		data = []byte(v)
+		buf.WriteString(v)
 	} else {
-		data, err = json.Marshal(object)
-		if err != nil {
-			return data, err
+		enc := json.NewEncoder(buf)
+		enc.SetSortMapKeys(false)
+		enc.SetAppendNewline(false)
+
+		if err := enc.Encode(object); err != nil {
+			return nil, err
 		}
 	}
+
 	if connection.getEncryptionKey() == nil {
-		return data, nil
+		return buf.Bytes(), nil
 	}
-	return encrypt(data, connection.getEncryptionKey())
+
+	return encrypt(buf.Bytes(), connection.getEncryptionKey())
 }
 
 // UnmarshalObject decodes an object from binary data
@@ -54,31 +61,6 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object interface{})
 	return err
 }
 
-// UnmarshalObjectWithJsoniter decodes an object from binary data
-// using the jsoniter library. It is mainly used to accelerate environment(endpoint)
-// decoding at the moment.
-func (connection *DbConnection) UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
-	if connection.getEncryptionKey() != nil {
-		var err error
-		data, err = decrypt(data, connection.getEncryptionKey())
-		if err != nil {
-			return err
-		}
-	}
-	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
-	err := jsoni.Unmarshal(data, &object)
-	if err != nil {
-		if s, ok := object.(*string); ok {
-			*s = string(data)
-			return nil
-		}
-
-		return err
-	}
-
-	return nil
-}
-
 // mmm, don't have a KMS .... aes GCM seems the most likely from
 // https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a#symmetric-encryption
 

api/database/boltdb/tx.go

@@ -28,7 +28,7 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object interfa
 		return fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
 	}
 
-	return tx.conn.UnmarshalObjectWithJsoniter(value, object)
+	return tx.conn.UnmarshalObject(value, object)
 }
 
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object interface{}) error {
@@ -134,7 +134,7 @@ func (tx *DbTransaction) GetAllWithJsoniter(bucketName string, obj interface{},
 	bucket := tx.tx.Bucket([]byte(bucketName))
 
 	return bucket.ForEach(func(k []byte, v []byte) error {
-		err := tx.conn.UnmarshalObjectWithJsoniter(v, obj)
+		err := tx.conn.UnmarshalObject(v, obj)
 		if err == nil {
 			obj, err = appendFn(obj)
 		}
@@ -147,7 +147,7 @@ func (tx *DbTransaction) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte
 	cursor := tx.tx.Bucket([]byte(bucketName)).Cursor()
 
 	for k, v := cursor.Seek(keyPrefix); k != nil && bytes.HasPrefix(k, keyPrefix); k, v = cursor.Next() {
-		err := tx.conn.UnmarshalObjectWithJsoniter(v, obj)
+		err := tx.conn.UnmarshalObject(v, obj)
 		if err != nil {
 			return err
 		}

api/dataservices/apikeyrepository/apikeyrepository.go

@@ -1,7 +1,6 @@
 package apikeyrepository
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 
@@ -37,7 +36,7 @@ func NewService(connection portainer.Connection) (*Service, error) {
 
 // GetAPIKeysByUserID returns a slice containing all the APIKeys a user has access to.
 func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error) {
-	var result = make([]portainer.APIKey, 0)
+	result := make([]portainer.APIKey, 0)
 
 	err := service.Connection.GetAll(
 		BucketName,
@@ -61,7 +60,7 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 
 // GetAPIKeyByDigest returns the API key for the associated digest.
 // Note: there is a 1-to-1 mapping of api-key and digest
-func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error) {
+func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, error) {
 	var k *portainer.APIKey
 	stop := fmt.Errorf("ok")
 	err := service.Connection.GetAll(
@@ -73,7 +72,7 @@ func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, err
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
 				return nil, fmt.Errorf("failed to convert to APIKey object: %s", obj)
 			}
-			if bytes.Equal(key.Digest, digest) {
+			if key.Digest == digest {
 				k = key
 				return nil, stop
 			}

api/dataservices/endpoint/endpoint.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -144,6 +145,23 @@ func (service *Service) Create(endpoint *portainer.Endpoint) error {
 	})
 }
 
+func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	return endpoints, service.connection.GetAll(
+		BucketName,
+		&portainer.Endpoint{},
+		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
+			for t := range e.TeamAccessPolicies {
+				if t == teamID {
+					return true
+				}
+			}
+			return false
+		}),
+	)
+}
+
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service *Service) GetNextIdentifier() int {
 	var identifier int

api/dataservices/endpoint/tx.go

@@ -122,6 +122,23 @@ func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
 	return nil
 }
 
+func (service ServiceTx) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	return endpoints, service.tx.GetAll(
+		BucketName,
+		&portainer.Endpoint{},
+		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
+			for t := range e.TeamAccessPolicies {
+				if t == teamID {
+					return true
+				}
+			}
+			return false
+		}),
+	)
+}
+
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service ServiceTx) GetNextIdentifier() int {
 	return service.tx.GetNextIdentifier(BucketName)

api/dataservices/endpointgroup/endpointgroup.go

@@ -5,10 +5,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 )
 
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "endpoint_groups"
-)
+const BucketName = "endpoint_groups"
 
 // Service represents a service for managing environment(endpoint) data.
 type Service struct {

api/dataservices/interface.go

@@ -1,9 +1,6 @@
 package dataservices
 
 import (
-	"io"
-	"time"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 )
@@ -35,6 +32,7 @@ type (
 		User() UserService
 		Version() VersionService
 		Webhook() WebhookService
+		PendingActions() PendingActionsService
 	}
 
 	DataStore interface {
@@ -46,7 +44,7 @@ type (
 		MigrateData() error
 		Rollback(force bool) error
 		CheckCurrentEdition() error
-		BackupTo(w io.Writer) error
+		Backup(path string) (string, error)
 		Export(filename string) (err error)
 
 		DataStoreTx
@@ -72,6 +70,11 @@ type (
 		GetNextIdentifier() int
 	}
 
+	PendingActionsService interface {
+		BaseCRUD[portainer.PendingActions, portainer.PendingActionsID]
+		GetNextIdentifier() int
+	}
+
 	// EdgeStackService represents a service to manage Edge stacks
 	EdgeStackService interface {
 		EdgeStacks() ([]portainer.EdgeStack, error)
@@ -89,6 +92,7 @@ type (
 	EndpointService interface {
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
+		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
 		Heartbeat(endpointID portainer.EndpointID) (int64, bool)
 		UpdateHeartbeat(endpointID portainer.EndpointID)
 		Endpoints() ([]portainer.Endpoint, error)
@@ -126,15 +130,6 @@ type (
 		HelmUserRepositoryByUserID(userID portainer.UserID) ([]portainer.HelmUserRepository, error)
 	}
 
-	// JWTService represents a service for managing JWT tokens
-	JWTService interface {
-		GenerateToken(data *portainer.TokenData) (string, error)
-		GenerateTokenForOAuth(data *portainer.TokenData, expiryTime *time.Time) (string, error)
-		GenerateTokenForKubeconfig(data *portainer.TokenData) (string, error)
-		ParseAndVerifyToken(token string) (*portainer.TokenData, error)
-		SetUserSessionDuration(userSessionDuration time.Duration)
-	}
-
 	// RegistryService represents a service for managing registry data
 	RegistryService interface {
 		BaseCRUD[portainer.Registry, portainer.RegistryID]
@@ -155,7 +150,7 @@ type (
 	APIKeyRepository interface {
 		BaseCRUD[portainer.APIKey, portainer.APIKeyID]
 		GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error)
-		GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error)
+		GetAPIKeyByDigest(digest string) (*portainer.APIKey, error)
 	}
 
 	// SettingsService represents a service for managing application settings

api/dataservices/pendingactions/pendingactions.go

@@ -0,0 +1,74 @@
+package pendingactions
+
+import (
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+const (
+	BucketName = "pending_actions"
+)
+
+type Service struct {
+	dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]
+}
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]
+}
+
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		BaseDataService: dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]{
+			Bucket:     BucketName,
+			Connection: connection,
+		},
+	}, nil
+}
+
+func (s Service) Create(config *portainer.PendingActions) error {
+	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Create(config)
+	})
+}
+
+func (s Service) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
+	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Update(ID, config)
+	})
+}
+
+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]{
+			Bucket:     BucketName,
+			Connection: service.Connection,
+			Tx:         tx,
+		},
+	}
+}
+
+func (s ServiceTx) Create(config *portainer.PendingActions) error {
+	return s.Tx.CreateObject(BucketName, func(id uint64) (int, interface{}) {
+		config.ID = portainer.PendingActionsID(id)
+		config.CreatedAt = time.Now().Unix()
+
+		return int(config.ID), config
+	})
+}
+
+func (s ServiceTx) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
+	return s.BaseDataServiceTx.Update(ID, config)
+}
+
+// GetNextIdentifier returns the next identifier for a custom template.
+func (service *Service) GetNextIdentifier() int {
+	return service.Connection.GetNextIdentifier(BucketName)
+}

api/dataservices/snapshot/snapshot.go

@@ -5,9 +5,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 )
 
-const (
-	BucketName = "snapshots"
-)
+const BucketName = "snapshots"
 
 type Service struct {
 	dataservices.BaseDataService[portainer.Snapshot, portainer.EndpointID]

api/dataservices/stack/stack.go

@@ -106,7 +106,6 @@ func (service *Service) StackByWebhookID(id string) (*portainer.Stack, error) {
 	}
 
 	return nil, err
-
 }
 
 // RefreshableStacks returns stacks that are configured for a periodic update

api/dataservices/tag/tag.go

@@ -5,10 +5,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 )
 
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "tags"
-)
+// BucketName represents the name of the bucket where this service stores data.
+const BucketName = "tags"
 
 // Service represents a service for managing environment(endpoint) data.
 type Service struct {

api/dataservices/tag/tx.go

@@ -22,7 +22,7 @@ func (service ServiceTx) Create(tag *portainer.Tag) error {
 	)
 }
 
-// UpdateTagFunc is a no-op inside a transaction
+// UpdateTagFunc is a no-op inside a transaction.
 func (service ServiceTx) UpdateTagFunc(ID portainer.TagID, updateFunc func(tag *portainer.Tag)) error {
 	return errors.New("cannot be called inside a transaction")
 }

api/dataservices/version/version.go

@@ -73,6 +73,10 @@ func (service *Service) IsUpdating() (bool, error) {
 
 // StoreIsUpdating store the database updating status.
 func (service *Service) StoreIsUpdating(isUpdating bool) error {
+	if isUpdating {
+		return service.connection.UpdateObject(BucketName, []byte(updatingKey), isUpdating)
+	}
+
 	return service.connection.DeleteObject(BucketName, []byte(updatingKey))
 }
 

api/datastore/backup.go

@@ -4,186 +4,89 @@ import (
 	"fmt"
 	"os"
 	"path"
-	"time"
 
-	"github.com/portainer/portainer/api/database/models"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/rs/zerolog/log"
 )
 
-var backupDefaults = struct {
-	backupDir string
-	commonDir string
-}{
-	"backups",
-	"common",
+// Backup takes an optional output path and creates a backup of the database.
+// The database connection is stopped before running the backup to avoid any
+// corruption and if a path is not given a default is used.
+// The path or an error are returned.
+func (store *Store) Backup(path string) (string, error) {
+	if err := store.createBackupPath(); err != nil {
+		return "", err
+	}
+
+	backupFilename := store.backupFilename()
+	if path != "" {
+		backupFilename = path
+	}
+	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
+
+	// Close the store before backing up
+	err := store.Close()
+	if err != nil {
+		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	}
+
+	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
+	if err != nil {
+		return "", fmt.Errorf("failed to create backup file: %w", err)
+	}
+
+	// reopen the store
+	_, err = store.Open()
+	if err != nil {
+		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
+	}
+
+	return backupFilename, nil
 }
 
-//
-// Backup Helpers
-//
+func (store *Store) Restore() error {
+	backupFilename := store.backupFilename()
+	return store.RestoreFromFile(backupFilename)
+}
 
-// createBackupFolders create initial folders for backups
-func (store *Store) createBackupFolders() {
-	// create common dir
-	commonDir := store.commonBackupDir()
-	if exists, _ := store.fileService.FileExists(commonDir); !exists {
-		if err := os.MkdirAll(commonDir, 0700); err != nil {
-			log.Error().Err(err).Msg("error while creating common backup folder")
+func (store *Store) RestoreFromFile(backupFilename string) error {
+	store.Close()
+	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
+		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
+	}
+
+	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")
+
+	_, err := store.Open()
+	if err != nil {
+		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
+	}
+
+	// determine the db version
+	version, err := store.VersionService.Version()
+	if err != nil {
+		return fmt.Errorf("unable to determine restored database version. err: %w", err)
+	}
+
+	editionLabel := portainer.SoftwareEdition(version.Edition).GetEditionLabel()
+	log.Info().Msgf("Restored database version: Portainer %s %s", editionLabel, version.SchemaVersion)
+	return nil
+}
+
+func (store *Store) createBackupPath() error {
+	backupDir := path.Join(store.connection.GetStorePath(), "backups")
+	if exists, _ := store.fileService.FileExists(backupDir); !exists {
+		if err := os.MkdirAll(backupDir, 0o700); err != nil {
+			return fmt.Errorf("unable to create backup folder: %w", err)
 		}
 	}
+	return nil
+}
+
+func (store *Store) backupFilename() string {
+	return path.Join(store.connection.GetStorePath(), "backups", store.connection.GetDatabaseFileName()+".bak")
 }
 
 func (store *Store) databasePath() string {
 	return store.connection.GetDatabaseFilePath()
 }
-
-func (store *Store) commonBackupDir() string {
-	return path.Join(store.connection.GetStorePath(), backupDefaults.backupDir, backupDefaults.commonDir)
-}
-
-func (store *Store) copyDBFile(from string, to string) error {
-	log.Info().Str("from", from).Str("to", to).Msg("copying DB file")
-
-	err := store.fileService.Copy(from, to, true)
-	if err != nil {
-		log.Error().Err(err).Msg("failed")
-	}
-
-	return err
-}
-
-// BackupOptions provide a helper to inject backup options
-type BackupOptions struct {
-	Version        string
-	BackupDir      string
-	BackupFileName string
-	BackupPath     string
-}
-
-// getBackupRestoreOptions returns options to store db at common backup dir location; used by:
-// - db backup prior to version upgrade
-// - db rollback
-func getBackupRestoreOptions(backupDir string) *BackupOptions {
-	return &BackupOptions{
-		BackupDir:      backupDir, //connection.commonBackupDir(),
-		BackupFileName: beforePortainerVersionUpgradeBackup,
-	}
-}
-
-// Backup current database with default options
-func (store *Store) Backup(version *models.Version) (string, error) {
-	if version == nil {
-		return store.backupWithOptions(nil)
-	}
-
-	return store.backupWithOptions(&BackupOptions{
-		Version: version.SchemaVersion,
-	})
-}
-
-func (store *Store) setupOptions(options *BackupOptions) *BackupOptions {
-	if options == nil {
-		options = &BackupOptions{}
-	}
-	if options.Version == "" {
-		v, err := store.VersionService.Version()
-		if err != nil {
-			options.Version = ""
-		}
-		options.Version = v.SchemaVersion
-	}
-	if options.BackupDir == "" {
-		options.BackupDir = store.commonBackupDir()
-	}
-	if options.BackupFileName == "" {
-		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFileName(), options.Version, time.Now().Format("20060102150405"))
-	}
-	if options.BackupPath == "" {
-		options.BackupPath = path.Join(options.BackupDir, options.BackupFileName)
-	}
-	return options
-}
-
-// BackupWithOptions backup current database with options
-func (store *Store) backupWithOptions(options *BackupOptions) (string, error) {
-	log.Info().Msg("creating DB backup")
-
-	store.createBackupFolders()
-
-	options = store.setupOptions(options)
-	dbPath := store.databasePath()
-
-	if err := store.Close(); err != nil {
-		return options.BackupPath, fmt.Errorf(
-			"error closing datastore before creating backup: %w",
-			err,
-		)
-	}
-
-	if err := store.copyDBFile(dbPath, options.BackupPath); err != nil {
-		return options.BackupPath, err
-	}
-
-	if _, err := store.Open(); err != nil {
-		return options.BackupPath, fmt.Errorf(
-			"error opening datastore after creating backup: %w",
-			err,
-		)
-	}
-
-	return options.BackupPath, nil
-}
-
-// RestoreWithOptions previously saved backup for the current Edition  with options
-// Restore strategies:
-// - default: restore latest from current edition
-// - restore a specific
-func (store *Store) restoreWithOptions(options *BackupOptions) error {
-	options = store.setupOptions(options)
-
-	// Check if backup file exist before restoring
-	_, err := os.Stat(options.BackupPath)
-	if os.IsNotExist(err) {
-		log.Error().Str("path", options.BackupPath).Err(err).Msg("backup file to restore does not exist %s")
-
-		return err
-	}
-
-	err = store.Close()
-	if err != nil {
-		log.Error().Err(err).Msg("error while closing store before restore")
-
-		return err
-	}
-
-	log.Info().Msg("restoring DB backup")
-	err = store.copyDBFile(options.BackupPath, store.databasePath())
-	if err != nil {
-		return err
-	}
-
-	_, err = store.Open()
-	return err
-}
-
-// RemoveWithOptions removes backup database based on supplied options
-func (store *Store) removeWithOptions(options *BackupOptions) error {
-	log.Info().Msg("removing DB backup")
-
-	options = store.setupOptions(options)
-	_, err := os.Stat(options.BackupPath)
-
-	if os.IsNotExist(err) {
-		log.Error().Str("path", options.BackupPath).Err(err).Msg("backup file to remove does not exist")
-		return err
-	}
-
-	log.Info().Str("path", options.BackupPath).Msg("removing DB file")
-	err = os.Remove(options.BackupPath)
-	if err != nil {
-		log.Error().Err(err).Msg("failed")
-		return err
-	}
-
-	return nil
-}

api/datastore/backup_test.go

@@ -2,106 +2,79 @@ package datastore
 
 import (
 	"fmt"
-	"os"
-	"path"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
+
+	"github.com/rs/zerolog/log"
 )
 
-func TestCreateBackupFolders(t *testing.T) {
-	_, store := MustNewTestStore(t, true, true)
-
-	connection := store.GetConnection()
-	backupPath := path.Join(connection.GetStorePath(), backupDefaults.backupDir)
-
-	if isFileExist(backupPath) {
-		t.Error("Expect backups folder to not exist")
-	}
-
-	store.createBackupFolders()
-	if !isFileExist(backupPath) {
-		t.Error("Expect backups folder to exist")
-	}
-}
-
 func TestStoreCreation(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
 	if store == nil {
-		t.Error("Expect to create a store")
+		t.Fatal("Expect to create a store")
 	}
 
-	if store.CheckCurrentEdition() != nil {
+	v, err := store.VersionService.Version()
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+
+	if portainer.SoftwareEdition(v.Edition) != portainer.PortainerCE {
 		t.Error("Expect to get CE Edition")
 	}
+
+	if v.SchemaVersion != portainer.APIVersion {
+		t.Error("Expect to get APIVersion")
+	}
 }
 
 func TestBackup(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
-	connection := store.GetConnection()
-
-	t.Run("Backup should create default db backup", func(t *testing.T) {
+	backupFileName := store.backupFilename()
+	t.Run(fmt.Sprintf("Backup should create %s", backupFileName), func(t *testing.T) {
 		v := models.Version{
+			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
 		store.VersionService.UpdateVersion(&v)
-		store.backupWithOptions(nil)
+		store.Backup("")
 
-		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.edb.%s.*", portainer.APIVersion))
-		if !isFileExist(backupFileName) {
-			t.Errorf("Expect backup file to be created %s", backupFileName)
-		}
-	})
-
-	t.Run("BackupWithOption should create a name specific backup at common path", func(t *testing.T) {
-		store.backupWithOptions(&BackupOptions{
-			BackupFileName: beforePortainerVersionUpgradeBackup,
-			BackupDir:      store.commonBackupDir(),
-		})
-		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", beforePortainerVersionUpgradeBackup)
 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
 		}
 	})
 }
 
-func TestRemoveWithOptions(t *testing.T) {
-	_, store := MustNewTestStore(t, true, true)
+func TestRestore(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
 
-	t.Run("successfully removes file if existent", func(t *testing.T) {
-		store.createBackupFolders()
-		options := &BackupOptions{
-			BackupDir:      store.commonBackupDir(),
-			BackupFileName: "test.txt",
-		}
+	t.Run("Basic Restore", func(t *testing.T) {
+		// override and set initial db version and edition
+		updateEdition(store, portainer.PortainerCE)
+		updateVersion(store, "2.4")
 
-		filePath := path.Join(options.BackupDir, options.BackupFileName)
-		f, err := os.Create(filePath)
-		if err != nil {
-			t.Fatalf("file should be created; err=%s", err)
-		}
-		f.Close()
+		store.Backup("")
+		updateVersion(store, "2.16")
+		testVersion(store, "2.16", t)
+		store.Restore()
 
-		err = store.removeWithOptions(options)
-		if err != nil {
-			t.Errorf("RemoveWithOptions should successfully remove file; err=%v", err)
-		}
-
-		if isFileExist(f.Name()) {
-			t.Errorf("RemoveWithOptions should successfully remove file; file=%s", f.Name())
-		}
+		// check if the restore is successful and the version is correct
+		testVersion(store, "2.4", t)
 	})
 
-	t.Run("fails to removes file if non-existent", func(t *testing.T) {
-		options := &BackupOptions{
-			BackupDir:      store.commonBackupDir(),
-			BackupFileName: "test.txt",
-		}
+	t.Run("Basic Restore After Multiple Backups", func(t *testing.T) {
+		// override and set initial db version and edition
+		updateEdition(store, portainer.PortainerCE)
+		updateVersion(store, "2.4")
+		store.Backup("")
+		updateVersion(store, "2.14")
+		updateVersion(store, "2.16")
+		testVersion(store, "2.16", t)
+		store.Restore()
 
-		err := store.removeWithOptions(options)
-		if err == nil {
-			t.Error("RemoveWithOptions should fail for non-existent file")
-		}
+		// check if the restore is successful and the version is correct
+		testVersion(store, "2.4", t)
 	})
 }

api/datastore/datastore.go

@@ -31,8 +31,14 @@ func (store *Store) Open() (newStore bool, err error) {
 	}
 
 	if encryptionReq {
+		backupFilename, err := store.Backup("")
+		if err != nil {
+			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
+		}
+
 		err = store.encryptDB()
 		if err != nil {
+			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
 			return false, err
 		}
 	}

api/datastore/helpers_test.go

@@ -0,0 +1,58 @@
+package datastore
+
+import (
+	"path/filepath"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/rs/zerolog/log"
+)
+
+// isFileExist is helper function to check for file existence
+func isFileExist(path string) bool {
+	matches, err := filepath.Glob(path)
+	if err != nil {
+		return false
+	}
+	return len(matches) > 0
+}
+
+func updateVersion(store *Store, v string) {
+	version, err := store.VersionService.Version()
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+
+	version.SchemaVersion = v
+
+	err = store.VersionService.UpdateVersion(version)
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+}
+
+func updateEdition(store *Store, edition portainer.SoftwareEdition) {
+	version, err := store.VersionService.Version()
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+
+	version.Edition = int(edition)
+
+	err = store.VersionService.UpdateVersion(version)
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+}
+
+// testVersion is a helper which tests current store version against wanted version
+func testVersion(store *Store, versionWant string, t *testing.T) {
+	v, err := store.VersionService.Version()
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	if v.SchemaVersion != versionWant {
+		t.Errorf("Expect store version to be %s but was %s", versionWant, v.SchemaVersion)
+	}
+}

api/datastore/init.go

@@ -53,7 +53,7 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 			},
 			SnapshotInterval:         portainer.DefaultSnapshotInterval,
 			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:             portainer.DefaultTemplatesURL,
+			TemplatesURL:             "",
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
 			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 			KubeconfigExpiry:         portainer.DefaultKubeconfigExpiry,

api/datastore/migrate_data.go

@@ -2,6 +2,7 @@ package datastore
 
 import (
 	"fmt"
+	"os"
 	"runtime/debug"
 
 	portainer "github.com/portainer/portainer/api"
@@ -15,8 +16,6 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-const beforePortainerVersionUpgradeBackup = "portainer.db.bak"
-
 func (store *Store) MigrateData() error {
 	updating, err := store.VersionService.IsUpdating()
 	if err != nil {
@@ -41,7 +40,7 @@ func (store *Store) MigrateData() error {
 	}
 
 	// before we alter anything in the DB, create a backup
-	backupPath, err := store.Backup(version)
+	_, err = store.Backup("")
 	if err != nil {
 		return errors.Wrap(err, "while backing up database")
 	}
@@ -50,10 +49,10 @@ func (store *Store) MigrateData() error {
 	if err != nil {
 		err = errors.Wrap(err, "failed to migrate database")
 
-		log.Warn().Msg("migration failed, restoring database to previous version")
-		err = store.restoreWithOptions(&BackupOptions{BackupPath: backupPath})
-		if err != nil {
-			return errors.Wrap(err, "failed to restore database")
+		log.Warn().Err(err).Msg("migration failed, restoring database to previous version")
+		restoreErr := store.Restore()
+		if restoreErr != nil {
+			return errors.Wrap(restoreErr, "failed to restore database")
 		}
 
 		log.Info().Msg("database restored to previous version")
@@ -117,6 +116,11 @@ func (store *Store) FailSafeMigrate(migrator *migrator.Migrator, version *models
 		return err
 	}
 
+	// Special test code to simulate a failure (used by migrate_data_test.go).  Do not remove...
+	if os.Getenv("PORTAINER_TEST_MIGRATE_FAIL") == "FAIL" {
+		panic("test migration failure")
+	}
+
 	err = store.VersionService.StoreIsUpdating(false)
 	if err != nil {
 		return errors.Wrap(err, "failed to update the store")
@@ -127,7 +131,6 @@ func (store *Store) FailSafeMigrate(migrator *migrator.Migrator, version *models
 
 // Rollback to a pre-upgrade backup copy/snapshot of portainer.db
 func (store *Store) connectionRollback(force bool) error {
-
 	if !force {
 		confirmed, err := cli.Confirm("Are you sure you want to rollback your database to the previous backup?")
 		if err != nil || !confirmed {
@@ -135,9 +138,7 @@ func (store *Store) connectionRollback(force bool) error {
 		}
 	}
 
-	options := getBackupRestoreOptions(store.commonBackupDir())
-
-	err := store.restoreWithOptions(options)
+	err := store.Restore()
 	if err != nil {
 		return err
 	}

api/datastore/migrate_data_test.go

@@ -7,29 +7,20 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
+	"github.com/Masterminds/semver"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/database/models"
+	"github.com/portainer/portainer/api/datastore/migrator"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/portainer/portainer/api/database/models"
 	"github.com/rs/zerolog/log"
 )
 
-// testVersion is a helper which tests current store version against wanted version
-func testVersion(store *Store, versionWant string, t *testing.T) {
-	v, err := store.VersionService.Version()
-	if err != nil {
-		t.Errorf("Expect store version to be %s but was %s with error: %s", versionWant, v.SchemaVersion, err)
-	}
-	if v.SchemaVersion != versionWant {
-		t.Errorf("Expect store version to be %s but was %s", versionWant, v.SchemaVersion)
-	}
-}
-
 func TestMigrateData(t *testing.T) {
-	snapshotTests := []struct {
+	tests := []struct {
 		testName           string
 		srcPath            string
 		wantPath           string
@@ -42,7 +33,7 @@ func TestMigrateData(t *testing.T) {
 			overrideInstanceId: true,
 		},
 	}
-	for _, test := range snapshotTests {
+	for _, test := range tests {
 		t.Run(test.testName, func(t *testing.T) {
 			err := migrateDBTestHelper(t, test.srcPath, test.wantPath, test.overrideInstanceId)
 			if err != nil {
@@ -55,147 +46,133 @@ func TestMigrateData(t *testing.T) {
 		})
 	}
 
-	// t.Run("MigrateData for New Store & Re-Open Check", func(t *testing.T) {
-	// 	newStore, store, teardown := MustNewTestStore(t, true, false)
-	// 	defer teardown()
+	t.Run("MigrateData for New Store & Re-Open Check", func(t *testing.T) {
+		newStore, store := MustNewTestStore(t, true, false)
+		if !newStore {
+			t.Error("Expect a new DB")
+		}
 
-	// 	if !newStore {
-	// 		t.Error("Expect a new DB")
-	// 	}
+		testVersion(store, portainer.APIVersion, t)
+		store.Close()
 
-	// 	testVersion(store, portainer.APIVersion, t)
-	// 	store.Close()
+		newStore, _ = store.Open()
+		if newStore {
+			t.Error("Expect store to NOT be new DB")
+		}
+	})
 
-	// 	newStore, _ = store.Open()
-	// 	if newStore {
-	// 		t.Error("Expect store to NOT be new DB")
-	// 	}
-	// })
+	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
+		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
+		store.MigrateData()
 
-	// tests := []struct {
-	// 	version         string
-	// 	expectedVersion string
-	// }{
-	// 	{version: "1.24.1", expectedVersion: portainer.APIVersion},
-	// 	{version: "2.0.0", expectedVersion: portainer.APIVersion},
-	// }
-	// for _, tc := range tests {
-	// 	_, store, teardown := MustNewTestStore(t, true, true)
-	// 	defer teardown()
+		backupfilename := store.backupFilename()
+		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
+			t.Errorf("Expect backup file to be created %s", backupfilename)
+		}
+	})
 
-	// 	// Setup data
-	// 	v := models.Version{SchemaVersion: tc.version}
-	// 	store.VersionService.UpdateVersion(&v)
+	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
+		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
 
-	// 	// Required roles by migrations 22.2
-	// 	store.RoleService.Create(&portainer.Role{ID: 1})
-	// 	store.RoleService.Create(&portainer.Role{ID: 2})
-	// 	store.RoleService.Create(&portainer.Role{ID: 3})
-	// 	store.RoleService.Create(&portainer.Role{ID: 4})
+		version := "2.15"
+		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
+		store.MigrateData()
 
-	// 	t.Run(fmt.Sprintf("MigrateData for version %s", tc.version), func(t *testing.T) {
-	// 		store.MigrateData()
-	// 		testVersion(store, tc.expectedVersion, t)
-	// 	})
+		store.Open()
+		testVersion(store, version, t)
+	})
 
-	// 	t.Run(fmt.Sprintf("Restoring DB after migrateData for version %s", tc.version), func(t *testing.T) {
-	// 		store.Rollback(true)
-	// 		store.Open()
-	// 		testVersion(store, tc.version, t)
-	// 	})
-	// }
+	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
+		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.StoreIsUpdating(true)
+		store.MigrateData()
 
-	// t.Run("Error in MigrateData should restore backup before MigrateData", func(t *testing.T) {
-	// 	_, store, teardown := MustNewTestStore(t, false, true)
-	// 	defer teardown()
+		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
+		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
+		// only create a backup when the version changes.
+		backupfilename := store.backupFilename()
+		if exists, _ := store.fileService.FileExists(backupfilename); exists {
+			t.Errorf("Backup file should not exist for dirty database")
+		}
+	})
 
-	// 	v := models.Version{SchemaVersion: "1.24.1"}
-	// 	store.VersionService.UpdateVersion(&v)
+	t.Run("MigrateData should not create backup on startup if portainer version matches db", func(t *testing.T) {
+		_, store := MustNewTestStore(t, true, false)
 
-	// 	store.MigrateData()
+		// Set migrator the count to match our migrations array (simulate no changes).
+		// Should not create a backup
+		v, err := store.VersionService.Version()
+		if err != nil {
+			t.Errorf("Unable to read version from db: %s", err)
+			t.FailNow()
+		}
 
-	// 	testVersion(store, v.SchemaVersion, t)
-	// })
+		migratorParams := store.newMigratorParameters(v)
+		m := migrator.NewMigrator(migratorParams)
+		latestMigrations := m.LatestMigrations()
 
-	// t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
-	// 	_, store, teardown := MustNewTestStore(t, false, true)
-	// 	defer teardown()
+		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
+			v.MigratorCount = len(latestMigrations.MigrationFuncs)
+			store.VersionService.UpdateVersion(v)
+		}
 
-	// 	v := models.Version{SchemaVersion: "0.0.0"}
-	// 	store.VersionService.UpdateVersion(&v)
+		store.MigrateData()
 
-	// 	store.MigrateData()
+		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
+		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
+		// only create a backup when the version changes.
+		backupfilename := store.backupFilename()
+		if exists, _ := store.fileService.FileExists(backupfilename); exists {
+			t.Errorf("Backup file should not exist for dirty database")
+		}
+	})
 
-	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
+	t.Run("MigrateData should create backup on startup if portainer version matches db and migrationFuncs counts differ", func(t *testing.T) {
+		_, store := MustNewTestStore(t, true, false)
 
-	// 	if !isFileExist(options.BackupPath) {
-	// 		t.Errorf("Backup file should exist; file=%s", options.BackupPath)
-	// 	}
-	// })
+		// Set migrator count very large to simulate changes
+		// Should not create a backup
+		v, err := store.VersionService.Version()
+		if err != nil {
+			t.Errorf("Unable to read version from db: %s", err)
+			t.FailNow()
+		}
 
-	// t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
-	// 	_, store, teardown := MustNewTestStore(t, false, true)
-	// 	defer teardown()
+		v.MigratorCount = 1000
+		store.VersionService.UpdateVersion(v)
+		store.MigrateData()
 
-	// 	store.VersionService.StoreIsUpdating(true)
-
-	// 	store.MigrateData()
-
-	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
-
-	// 	if isFileExist(options.BackupPath) {
-	// 		t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
-	// 	}
-	// })
-
-	// t.Run("MigrateData should not create backup on startup if portainer version matches db", func(t *testing.T) {
-	// 	_, store, teardown := MustNewTestStore(t, false, true)
-	// 	defer teardown()
-
-	// 	store.MigrateData()
-
-	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
-
-	// 	if isFileExist(options.BackupPath) {
-	// 		t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
-	// 	}
-	// })
-}
-
-func Test_getBackupRestoreOptions(t *testing.T) {
-	_, store := MustNewTestStore(t, false, true)
-
-	options := getBackupRestoreOptions(store.commonBackupDir())
-
-	wantDir := store.commonBackupDir()
-	if !strings.HasSuffix(options.BackupDir, wantDir) {
-		log.Fatal().Str("got", options.BackupDir).Str("want", wantDir).Msg("incorrect backup dir")
-	}
-
-	wantFilename := "portainer.db.bak"
-	if options.BackupFileName != wantFilename {
-		log.Fatal().Str("got", options.BackupFileName).Str("want", wantFilename).Msg("incorrect backup file")
-	}
+		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
+		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
+		// only create a backup when the version changes.
+		backupfilename := store.backupFilename()
+		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
+			t.Errorf("DB backup should exist and there should be no error")
+		}
+	})
 }
 
 func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
-		version := models.Version{SchemaVersion: "2.4.0"}
-		_, store := MustNewTestStore(t, true, false)
+		version := "2.11"
 
-		err := store.VersionService.UpdateVersion(&version)
-		if err != nil {
-			t.Errorf("Failed updating version: %v", err)
+		v := models.Version{
+			SchemaVersion: version,
 		}
 
-		_, err = store.backupWithOptions(getBackupRestoreOptions(store.commonBackupDir()))
+		_, store := MustNewTestStore(t, false, false)
+		store.VersionService.UpdateVersion(&v)
+
+		_, err := store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
 
-		// Change the current version
-		version2 := models.Version{SchemaVersion: "2.6.0"}
-		err = store.VersionService.UpdateVersion(&version2)
+		v.SchemaVersion = "2.14"
+		// Change the current edition
+		err = store.VersionService.UpdateVersion(&v)
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -207,26 +184,45 @@ func TestRollback(t *testing.T) {
 			return
 		}
 
-		_, err = store.Open()
+		store.Open()
+		testVersion(store, version, t)
+	})
+
+	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
+		version := "2.15"
+
+		v := models.Version{
+			SchemaVersion: version,
+			Edition:       int(portainer.PortainerCE),
+		}
+
+		_, store := MustNewTestStore(t, true, false)
+		store.VersionService.UpdateVersion(&v)
+
+		_, err := store.Backup("")
 		if err != nil {
-			t.Logf("Open failed: %s", err)
+			log.Fatal().Err(err).Msg("")
+		}
+
+		v.SchemaVersion = "2.14"
+		// Change the current edition
+		err = store.VersionService.UpdateVersion(&v)
+		if err != nil {
+			log.Fatal().Err(err).Msg("")
+		}
+
+		err = store.Rollback(true)
+		if err != nil {
+			t.Logf("Rollback failed: %s", err)
 			t.Fail()
 			return
 		}
 
-		testVersion(store, version.SchemaVersion, t)
+		store.Open()
+		testVersion(store, version, t)
 	})
 }
 
-// isFileExist is helper function to check for file existence
-func isFileExist(path string) bool {
-	matches, err := filepath.Glob(path)
-	if err != nil {
-		return false
-	}
-	return len(matches) > 0
-}
-
 // migrateDBTestHelper loads a json representation of a bolt database from srcPath,
 // parses it into a database, runs a migration on that database, and then
 // compares it with an expected output database.
@@ -309,7 +305,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		os.WriteFile(
 			gotPath,
 			gotJSON,
-			0600,
+			0o600,
 		)
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",

api/datastore/migrate_legacyversion.go

@@ -1,7 +1,7 @@
 package datastore
 
 import (
-	portaineree "github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices"
 )
@@ -72,7 +72,7 @@ func dbVersionToSemanticVersion(dbVersion int) string {
 func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {
 	// Very old versions of portainer did not have a version bucket, lets set some defaults
 	dbVersion := 24
-	edition := int(portaineree.PortainerCE)
+	edition := int(portainer.PortainerCE)
 	instanceId := ""
 
 	// If we already have a version key, we don't need to migrate

api/datastore/migrator/migrate_dbversion100.go

@@ -10,8 +10,8 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-func (m *Migrator) migrateDockerDesktopExtentionSetting() error {
-	log.Info().Msg("updating docker desktop extention flag in settings")
+func (m *Migrator) migrateDockerDesktopExtensionSetting() error {
+	log.Info().Msg("updating docker desktop extension flag in settings")
 
 	isDDExtension := false
 	if _, ok := os.LookupEnv("DOCKER_EXTENSION"); ok {
@@ -115,10 +115,16 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 			}
 
 			if environmentStatus.Details.Ok {
-				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
-					Type: portainer.EdgeStackStatusRunning,
-					Time: time.Now().Unix(),
-				})
+				statusArray = append(statusArray,
+					portainer.EdgeStackDeploymentStatus{
+						Type: portainer.EdgeStackStatusDeploymentReceived,
+						Time: time.Now().Unix(),
+					},
+					portainer.EdgeStackDeploymentStatus{
+						Type: portainer.EdgeStackStatusRunning,
+						Time: time.Now().Unix(),
+					},
+				)
 			}
 
 			if environmentStatus.Details.ImagesPulled {

api/datastore/migrator/migrate_dbversion110.go

@@ -0,0 +1,51 @@
+package migrator
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/rs/zerolog/log"
+)
+
+// updateAppTemplatesVersionForDB110 changes the templates URL to be empty if it was never changed
+// from the default value (version 2.0 URL)
+func (migrator *Migrator) updateAppTemplatesVersionForDB110() error {
+	log.Info().Msg("updating app templates url to v3.0")
+
+	version2URL := "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json"
+
+	settings, err := migrator.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	if settings.TemplatesURL == version2URL || settings.TemplatesURL == portainer.DefaultTemplatesURL {
+		settings.TemplatesURL = ""
+	}
+
+	return migrator.settingsService.UpdateSettings(settings)
+}
+
+// In PortainerCE the resource overcommit option should always be true across all endpoints
+func (migrator *Migrator) updateResourceOverCommitToDB110() error {
+	log.Info().Msg("updating resource overcommit setting to true")
+
+	endpoints, err := migrator.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.Type == portainer.KubernetesLocalEnvironment ||
+			endpoint.Type == portainer.AgentOnKubernetesEnvironment ||
+			endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+
+			endpoint.Kubernetes.Configuration.EnableResourceOverCommit = true
+
+			err = migrator.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

api/datastore/migrator/migrate_dbversion24.go

@@ -14,8 +14,10 @@ func (m *Migrator) updateSettingsToDB25() error {
 		return err
 	}
 
+	// to keep the same migration functionality as before 2.20.0, we need to set the templates URL to v2
+	version2URL := "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json"
 	if legacySettings.TemplatesURL == "" {
-		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
+		legacySettings.TemplatesURL = version2URL
 	}
 
 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout

api/datastore/migrator/migrate_dbversion31.go

@@ -245,7 +245,7 @@ func (m *Migrator) updateVolumeResourceControlToDB32() error {
 	return nil
 }
 
-func findResourcesToUpdateForDB32(dockerID string, volumesData volume.VolumeListOKBody, toUpdate map[portainer.ResourceControlID]string, volumeResourceControls map[string]*portainer.ResourceControl) {
+func findResourcesToUpdateForDB32(dockerID string, volumesData volume.ListResponse, toUpdate map[portainer.ResourceControlID]string, volumeResourceControls map[string]*portainer.ResourceControl) {
 	volumes := volumesData.Volumes
 	for _, volume := range volumes {
 		volumeName := volume.Name

api/datastore/migrator/migrator.go

@@ -148,6 +148,17 @@ func (m *Migrator) LatestMigrations() Migrations {
 	return m.migrations[len(m.migrations)-1]
 }
 
+func (m *Migrator) GetMigratorCountOfCurrentAPIVersion() int {
+	migratorCount := 0
+	latestMigrations := m.LatestMigrations()
+
+	if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
+		migratorCount = len(latestMigrations.MigrationFuncs)
+	}
+
+	return migratorCount
+}
+
 // !NOTE: Migration funtions should ideally be idempotent.
 // !      Which simply means the function can run over the same data many times but only transform it once.
 // !      In practice this really just means an extra check or two to ensure we're not destroying valid data.
@@ -214,9 +225,13 @@ func (m *Migrator) initMigrations() {
 	m.addMigrations("2.18", m.migrateDBVersionToDB90)
 	m.addMigrations("2.19",
 		m.convertSeedToPrivateKeyForDB100,
-		m.migrateDockerDesktopExtentionSetting,
+		m.migrateDockerDesktopExtensionSetting,
 		m.updateEdgeStackStatusForDB100,
 	)
+	m.addMigrations("2.20",
+		m.updateAppTemplatesVersionForDB110,
+		m.updateResourceOverCommitToDB110,
+	)
 
 	// Add new migrations below...
 	// One function per migration, each versions migration funcs in the same file.

api/datastore/services.go

@@ -1,7 +1,6 @@
 package datastore
 
 import (
-	"encoding/json"
 	"fmt"
 	"os"
 
@@ -20,6 +19,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/extension"
 	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/helmuserrepository"
+	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
 	"github.com/portainer/portainer/api/dataservices/role"
@@ -37,6 +37,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/webhook"
 
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
 // Store defines the implementation of portainer.DataStore using
@@ -72,6 +73,7 @@ type Store struct {
 	UserService               *user.Service
 	VersionService            *version.Service
 	WebhookService            *webhook.Service
+	PendingActionsService     *pendingactions.Service
 }
 
 func (store *Store) initServices() error {
@@ -238,9 +240,20 @@ func (store *Store) initServices() error {
 	}
 	store.ScheduleService = scheduleService
 
+	pendingActionsService, err := pendingactions.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.PendingActionsService = pendingActionsService
+
 	return nil
 }
 
+// PendingActions gives access to the PendingActions data management layer
+func (store *Store) PendingActions() dataservices.PendingActionsService {
+	return store.PendingActionsService
+}
+
 // CustomTemplate gives access to the CustomTemplate data management layer
 func (store *Store) CustomTemplate() dataservices.CustomTemplateService {
 	return store.CustomTemplateService

api/datastore/services_tx.go

@@ -16,6 +16,8 @@ func (tx *StoreTx) IsErrObjectNotFound(err error) bool {
 
 func (tx *StoreTx) CustomTemplate() dataservices.CustomTemplateService { return nil }
 
+func (tx *StoreTx) PendingActions() dataservices.PendingActionsService { return nil }
+
 func (tx *StoreTx) EdgeGroup() dataservices.EdgeGroupService {
 	return tx.store.EdgeGroupService.Tx(tx.tx)
 }

api/datastore/test_data/output_24_to_latest.json

@@ -46,12 +46,10 @@
       },
       "EdgeCheckinInterval": 0,
       "EdgeKey": "",
-      "EnableGPUManagement": false,
       "Gpus": [],
       "GroupId": 1,
       "Heartbeat": false,
       "Id": 1,
-      "IsEdgeDevice": false,
       "Kubernetes": {
         "Configuration": {
           "AllowNoneIngressClass": false,
@@ -101,8 +99,7 @@
       "TeamAccessPolicies": {},
       "Type": 1,
       "URL": "unix:///var/run/docker.sock",
-      "UserAccessPolicies": {},
-      "UserTrusted": false
+      "UserAccessPolicies": {}
     }
   ],
   "registries": [
@@ -124,8 +121,7 @@
       "Name": "canister.io",
       "Password": "MjWbx8A6YK7cw7",
       "Quay": {
-        "OrganisationName": "",
-        "UseOrganisation": false
+        "OrganisationName": ""
       },
       "RegistryAccesses": {
         "1": {
@@ -584,11 +580,8 @@
     "AllowHostNamespaceForRegularUsers": true,
     "AllowPrivilegedModeForRegularUsers": true,
     "AllowStackManagementForRegularUsers": true,
-    "AllowVolumeBrowserForRegularUsers": false,
     "AuthenticationMethod": 1,
     "BlackListedLabels": [],
-    "DisplayDonationHeader": false,
-    "DisplayExternalContributors": false,
     "Edge": {
       "AsyncMode": false,
       "CommandInterval": 0,
@@ -598,15 +591,16 @@
     "EdgeAgentCheckinInterval": 5,
     "EdgePortainerUrl": "",
     "EnableEdgeComputeFeatures": false,
-    "EnableHostManagementFeatures": false,
     "EnableTelemetry": true,
     "EnforceEdgeID": false,
     "FeatureFlagSettings": null,
+    "GlobalDeploymentOptions": {
+      "hideStacksFunctionality": false
+    },
     "HelmRepositoryURL": "https://charts.bitnami.com/bitnami",
     "InternalAuthSettings": {
       "RequiredPasswordLength": 12
     },
-    "IsDockerDesktopExtension": false,
     "KubeconfigExpiry": "0",
     "KubectlShellImage": "portainer/kubectl-shell",
     "LDAPSettings": {
@@ -651,7 +645,7 @@
     },
     "ShowKomposeBuildOption": false,
     "SnapshotInterval": "5m",
-    "TemplatesURL": "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json",
+    "TemplatesURL": "",
     "TrustOnFirstConnect": false,
     "UserSessionTimeout": "8h",
     "fdoConfiguration": {
@@ -675,6 +669,7 @@
   "snapshots": [
     {
       "Docker": {
+        "ContainerCount": 0,
         "DockerSnapshotRaw": {
           "Containers": null,
           "Images": null,
@@ -909,7 +904,7 @@
         "color": ""
       },
       "TokenIssueAt": 0,
-      "UserTheme": "",
+      "UseCache": false,
       "Username": "admin"
     },
     {
@@ -939,11 +934,11 @@
         "color": ""
       },
       "TokenIssueAt": 0,
-      "UserTheme": "",
+      "UseCache": false,
       "Username": "prabhat"
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.19.0\",\"MigratorCount\":3,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.20.0\",\"MigratorCount\":2,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   }
 }

api/docker/client/client.go

@@ -1,18 +1,24 @@
 package client
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
+	"io"
+	"maps"
 	"net/http"
 	"strings"
 	"time"
 
-	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/segmentio/encoding/json"
 )
 
-var errUnsupportedEnvironmentType = errors.New("Environment not supported")
+var errUnsupportedEnvironmentType = errors.New("environment not supported")
 
 const (
 	defaultDockerRequestTimeout = 60 * time.Second
@@ -42,9 +48,16 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 	case portainer.AzureEnvironment:
 		return nil, errUnsupportedEnvironmentType
 	case portainer.AgentOnDockerEnvironment:
-		return createAgentClient(endpoint, factory.signatureService, nodeName, timeout)
+		return createAgentClient(endpoint, endpoint.URL, factory.signatureService, nodeName, timeout)
 	case portainer.EdgeAgentOnDockerEnvironment:
-		return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName, timeout)
+		tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+
+		return createAgentClient(endpoint, endpointURL, factory.signatureService, nodeName, timeout)
 	}
 
 	if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
@@ -57,20 +70,20 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }
 
 func CreateClientFromEnv() (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.FromEnv,
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }
 
 func CreateSimpleClient() (*client.Client, error) {
 	return client.NewClientWithOpts(
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 	)
 }
 
@@ -82,12 +95,12 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 	)
 }
 
-func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
@@ -107,51 +120,73 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 		headers[portainer.PortainerAgentTargetHeader] = nodeName
 	}
 
-	tunnel, err := reverseTunnelService.GetActiveTunnel(endpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
-
-	return client.NewClientWithOpts(
+	opts := []client.Opt{
 		client.WithHost(endpointURL),
-		client.WithVersion(dockerClientVersion),
+		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
-	)
+	}
+
+	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
+		opts = append(opts, client.WithScheme("https"))
+	}
+
+	return client.NewClientWithOpts(opts...)
 }
 
-func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
-	httpCli, err := httpClient(endpoint, timeout)
+type NodeNameTransport struct {
+	*http.Transport
+	nodeNames map[string]string
+}
+
+func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := t.Transport.RoundTrip(req)
+	if err != nil ||
+		resp.StatusCode != http.StatusOK ||
+		resp.ContentLength == 0 ||
+		!strings.HasSuffix(req.URL.Path, "/images/json") {
+		return resp, err
+	}
+
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, err
+		resp.Body.Close()
+		return resp, err
 	}
 
-	signature, err := signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
-	if err != nil {
-		return nil, err
+	resp.Body.Close()
+
+	resp.Body = io.NopCloser(bytes.NewReader(body))
+
+	var rs []struct {
+		types.ImageSummary
+		Portainer struct {
+			Agent struct {
+				NodeName string
+			}
+		}
 	}
 
-	headers := map[string]string{
-		portainer.PortainerAgentPublicKeyHeader: signatureService.EncodedPublicKey(),
-		portainer.PortainerAgentSignatureHeader: signature,
+	if err = json.Unmarshal(body, &rs); err != nil {
+		return resp, nil
 	}
 
-	if nodeName != "" {
-		headers[portainer.PortainerAgentTargetHeader] = nodeName
+	t.nodeNames = make(map[string]string)
+	for _, r := range rs {
+		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
 	}
 
-	return client.NewClientWithOpts(
-		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
-		client.WithHTTPClient(httpCli),
-		client.WithHTTPHeaders(headers),
-	)
+	return resp, err
+}
+
+func (t *NodeNameTransport) NodeNames() map[string]string {
+	return maps.Clone(t.nodeNames)
 }
 
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
-	transport := &http.Transport{}
+	transport := &NodeNameTransport{
+		Transport: &http.Transport{},
+	}
 
 	if endpoint.TLSConfig.TLS {
 		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)

api/docker/images/status.go

@@ -2,6 +2,7 @@ package images
 
 import (
 	"context"
+	"slices"
 	"strings"
 	"time"
 
@@ -9,7 +10,6 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	portainer "github.com/portainer/portainer/api"
 	consts "github.com/portainer/portainer/api/docker/consts"
-	"github.com/portainer/portainer/api/internal/slices"
 
 	"github.com/opencontainers/go-digest"
 	"github.com/patrickmn/go-cache"

api/docker/snapshot.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/docker/docker/api/types"
 	_container "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
@@ -174,7 +174,12 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 				if !snapshot.Swarm {
 					return err
 				} else {
-					log.Info().Str("container", container.ID).Err(err).Msg("unable to inspect container in other Swarm nodes")
+					if !strings.Contains(err.Error(), "No such container") {
+						return err
+					}
+					// It is common to have containers running on different Swarm nodes,
+					// so we just log the error in the debug level
+					log.Debug().Str("container", container.ID).Err(err).Msg("unable to inspect container in other Swarm nodes")
 				}
 			} else {
 				var gpuOptions *_container.DeviceRequest = nil
@@ -196,9 +201,12 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 			}
 		}
 
-		if strings.Contains(container.Status, "(healthy)") {
+		if container.State == "healthy" {
+			runningContainers++
 			healthyContainers++
-		} else if strings.Contains(container.Status, "(unhealthy)") {
+		}
+
+		if container.State == "unhealthy" {
 			unhealthyContainers++
 		}
 
@@ -217,6 +225,7 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	snapshot.GpuUseAll = gpuUseAll
 	snapshot.GpuUseList = gpuUseList
 
+	snapshot.ContainerCount = len(containers)
 	snapshot.RunningContainerCount = runningContainers
 	snapshot.StoppedContainerCount = stoppedContainers
 	snapshot.HealthyContainerCount = healthyContainers
@@ -240,7 +249,7 @@ func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) erro
 }
 
 func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	volumes, err := cli.VolumeList(context.Background(), filters.Args{})
+	volumes, err := cli.VolumeList(context.Background(), volume.ListOptions{})
 	if err != nil {
 		return err
 	}

api/edge/edge.go

@@ -51,6 +51,10 @@ type (
 		// Used only for EE
 		// EnvVars is a list of environment variables to inject into the stack
 		EnvVars []portainer.Pair
+
+		// Used only for EE async edge agent
+		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
+		ReadyRePullImage bool
 	}
 
 	// RegistryCredentials holds the credentials for a Docker registry.

api/exec/common.go

@@ -3,48 +3,3 @@ package exec
 import "regexp"
 
 var stackNameNormalizeRegex = regexp.MustCompile("[^-_a-z0-9]+")
-
-type StringSet map[string]bool
-
-func NewStringSet() StringSet {
-	return make(StringSet)
-}
-
-func (s StringSet) Add(x string) {
-	s[x] = true
-}
-
-func (s StringSet) Remove(x string) {
-	if s.Contains(x) {
-		delete(s, x)
-	}
-}
-
-func (s StringSet) Contains(x string) bool {
-	_, ok := s[x]
-	return ok
-}
-
-func (s StringSet) Len() int {
-	return len(s)
-}
-
-func (s StringSet) List() []string {
-	list := make([]string, s.Len())
-
-	i := 0
-	for k := range s {
-		list[i] = k
-		i++
-	}
-
-	return list
-}
-
-func (s StringSet) Union(x StringSet) {
-	if x.Len() != 0 {
-		for k := range x {
-			s.Add(k)
-		}
-	}
-}

api/exec/compose_stack_integration_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/pkg/libstack/compose"
+	"github.com/portainer/portainer/pkg/testhelpers"
 
 	"github.com/rs/zerolog/log"
 )

api/exec/swarm_stack.go

@@ -2,7 +2,6 @@ package exec
 
 import (
 	"bytes"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
@@ -15,6 +14,9 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/stacks/stackutils"
+
+	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
 // SwarmStackManager represents a service for managing stacks.
@@ -64,16 +66,35 @@ func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoin
 		if registry.Authentication {
 			err = registryutils.EnsureRegTokenValid(manager.dataStore, &registry)
 			if err != nil {
-				return err
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to validate registry token. Skip logging with this registry.")
+
+				continue
 			}
 
 			username, password, err := registryutils.GetRegEffectiveCredential(&registry)
 			if err != nil {
-				return err
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to get effective credential. Skip logging with this registry.")
+
+				continue
 			}
 
 			registryArgs := append(args, "login", "--username", username, "--password", password, registry.URL)
-			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+			err = runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+			if err != nil {
+				log.
+					Warn().
+					Err(err).
+					Str("RegistryName", registry.Name).
+					Msg("Failed to login.")
+			}
 		}
 	}
 

api/filesystem/filesystem.go

@@ -2,7 +2,6 @@ package filesystem
 
 import (
 	"bytes"
-	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -15,6 +14,7 @@ import (
 
 	"github.com/gofrs/uuid"
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
 const (
@@ -173,7 +173,7 @@ func (service *Service) GetStackProjectPathByVersion(stackIdentifier string, ver
 	}
 
 	if commitHash != "" {
-		versionStr = fmt.Sprintf("%s", commitHash)
+		versionStr = commitHash
 	}
 	return JoinPaths(service.wrapFileStore(ComposeStorePath), stackIdentifier, versionStr)
 }
@@ -302,6 +302,38 @@ func (service *Service) UpdateStoreStackFileFromBytes(stackIdentifier, fileName
 	return service.wrapFileStore(stackStorePath), nil
 }
 
+// UpdateStoreStackFileFromBytesByVersion makes stack file backup and updates a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) UpdateStoreStackFileFromBytesByVersion(stackIdentifier, fileName string, version int, commitHash string, data []byte) (string, error) {
+	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)
+
+	versionStr := ""
+	if version != 0 {
+		versionStr = fmt.Sprintf("v%d", version)
+	}
+	if commitHash != "" {
+		versionStr = commitHash
+	}
+
+	if versionStr != "" {
+		stackStorePath = JoinPaths(stackStorePath, versionStr)
+	}
+
+	composeFilePath := JoinPaths(stackStorePath, fileName)
+	err := service.createBackupFileInStore(composeFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	r := bytes.NewReader(data)
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return service.wrapFileStore(stackStorePath), nil
+}
+
 // RemoveStackFileBackup removes the stack file backup in the ComposeStorePath.
 func (service *Service) RemoveStackFileBackup(stackIdentifier, fileName string) error {
 	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)

api/filesystem/serialize.go

@@ -49,8 +49,8 @@ func FilterDirForEntryFile(dirEntries []DirEntry, entryFile string) []DirEntry {
 	return filteredDirEntries
 }
 
+// FilterDirForCompatibility returns the content of the entry file if agent version is less than 2.19.0
 func FilterDirForCompatibility(dirEntries []DirEntry, entryFilePath, agentVersion string) (string, error) {
-
 	if semver.Compare(fmt.Sprintf("v%s", agentVersion), "v2.19.0") == -1 {
 		for _, dirEntry := range dirEntries {
 			if dirEntry.IsFile {

api/filesystem/serialize_per_dev_configs.go

@@ -9,6 +9,39 @@ import (
 	"github.com/portainer/portainer/api"
 )
 
+type MultiFilterArgs []struct {
+	FilterKey  string
+	FilterType portainer.PerDevConfigsFilterType
+}
+
+// MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+	var filteredDirEntries []DirEntry
+
+	for _, multiFilterArg := range multiFilterArgs {
+		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		filteredDirEntries = append(filteredDirEntries, tmp...)
+	}
+
+	return deduplicate(filteredDirEntries)
+}
+
+func deduplicate(dirEntries []DirEntry) []DirEntry {
+	var deduplicatedDirEntries []DirEntry
+
+	marks := make(map[string]struct{})
+
+	for _, dirEntry := range dirEntries {
+		_, ok := marks[dirEntry.Name]
+		if !ok {
+			marks[dirEntry.Name] = struct{}{}
+			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
+		}
+	}
+
+	return deduplicatedDirEntries
+}
+
 // FilterDirForPerDevConfigs filers the given dirEntries, returns entries for the given device
 // For given configPath A/B/C, return entries:
 //  1. all entries outside of dir A
@@ -47,10 +80,14 @@ func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filter
 		return shouldIncludeFile(dirEntry, deviceName, configPath)
 	}
 
-	// Include:
-	// dir entry A/B/C/<deviceName>
-	// all entries A/B/C/<deviceName>/*
-	return shouldIncludeDir(dirEntry, deviceName, configPath)
+	if filterType == portainer.PerDevConfigsTypeDir {
+		// Include:
+		// dir entry A/B/C/<deviceName>
+		// all entries A/B/C/<deviceName>/*
+		return shouldIncludeDir(dirEntry, deviceName, configPath)
+	}
+
+	return false
 }
 
 func isInConfigRootDir(dirEntry DirEntry, configPath string) bool {

api/filesystem/serialize_per_dev_configs_test.go

@@ -0,0 +1,91 @@
+package filesystem
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
+	type args struct {
+		dirEntries      []DirEntry
+		configPath      string
+		multiFilterArgs MultiFilterArgs
+	}
+
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/file1.conf", "", true, 420},
+		{"configs/file2.conf", "", true, 420},
+		{"configs/folder1", "", false, 420},
+		{"configs/folder1/config1", "", true, 420},
+		{"configs/folder2", "", false, 420},
+		{"configs/folder2/config2", "", true, 420},
+	}
+
+	tests := []struct {
+		name string
+		args args
+		want []DirEntry
+	}{
+		{
+			name: "filter file1",
+			args: args{
+				baseDirEntries,
+				"configs",
+				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+			},
+			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+		},
+		{
+			name: "filter folder1",
+			args: args{
+				baseDirEntries,
+				"configs",
+				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+			},
+			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+		},
+		{
+			name: "filter file1 and folder1",
+			args: args{
+				baseDirEntries,
+				"configs",
+				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+			},
+			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+		},
+		{
+			name: "filter file1 and file2",
+			args: args{
+				baseDirEntries,
+				"configs",
+				MultiFilterArgs{
+					{"file1", portainer.PerDevConfigsTypeFile},
+					{"file2", portainer.PerDevConfigsTypeFile},
+				},
+			},
+			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+		},
+		{
+			name: "filter folder1 and folder2",
+			args: args{
+				baseDirEntries,
+				"configs",
+				MultiFilterArgs{
+					{"folder1", portainer.PerDevConfigsTypeDir},
+					{"folder2", portainer.PerDevConfigsTypeDir},
+				},
+			},
+			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
+		})
+	}
+}

api/git/azure.go

@@ -2,7 +2,6 @@ package git
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -11,12 +10,13 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
 	gittypes "github.com/portainer/portainer/api/git/types"
 
+	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/pkg/errors"
+	"github.com/segmentio/encoding/json"
 )
 
 const (

api/hostmanagement/openamt/authorization.go

@@ -2,12 +2,13 @@ package openamt
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type authenticationResponse struct {

api/hostmanagement/openamt/configCIRA.go

@@ -2,7 +2,6 @@ package openamt
 
 import (
 	"encoding/base64"
-	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"io"
@@ -11,6 +10,8 @@ import (
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type CIRAConfig struct {

api/hostmanagement/openamt/configDevice.go

@@ -1,11 +1,12 @@
 package openamt
 
 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type Device struct {

api/hostmanagement/openamt/configDomain.go

@@ -1,11 +1,12 @@
 package openamt
 
 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type (

api/hostmanagement/openamt/configProfile.go

@@ -1,11 +1,12 @@
 package openamt
 
 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type (

api/hostmanagement/openamt/deviceActions.go

@@ -1,12 +1,13 @@
 package openamt
 
 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 type ActionResponse struct {

api/hostmanagement/openamt/deviceFeatures.go

@@ -1,11 +1,12 @@
 package openamt
 
 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+
+	"github.com/segmentio/encoding/json"
 )
 
 func (service *Service) enableDeviceFeatures(configuration portainer.OpenAMTConfiguration, deviceGUID string, features portainer.OpenAMTDeviceEnabledFeatures) error {

api/hostmanagement/openamt/openamt.go

@@ -2,7 +2,6 @@ package openamt
 
 import (
 	"bytes"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -12,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 
+	"github.com/segmentio/encoding/json"
 	"golang.org/x/sync/errgroup"
 )
 

api/http/client/client.go

@@ -2,7 +2,6 @@ package client
 
 import (
 	"crypto/tls"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -14,6 +13,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
 var errInvalidResponseStatus = errors.New("invalid response status (expecting 200)")

api/http/csrf/csrf.go

@@ -0,0 +1,66 @@
+package csrf
+
+import (
+	"crypto/rand"
+	"fmt"
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+
+	gorillacsrf "github.com/gorilla/csrf"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/urfave/negroni"
+)
+
+func WithProtect(handler http.Handler) (http.Handler, error) {
+	handler = withSendCSRFToken(handler)
+
+	token := make([]byte, 32)
+	_, err := rand.Read(token)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate CSRF token: %w", err)
+	}
+
+	handler = gorillacsrf.Protect(
+		[]byte(token),
+		gorillacsrf.Path("/"),
+		gorillacsrf.Secure(false),
+	)(handler)
+
+	return withSkipCSRF(handler), nil
+}
+
+func withSendCSRFToken(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		sw := negroni.NewResponseWriter(w)
+
+		sw.Before(func(sw negroni.ResponseWriter) {
+			statusCode := sw.Status()
+			if statusCode >= 200 && statusCode < 300 {
+				csrfToken := gorillacsrf.Token(r)
+				sw.Header().Set("X-CSRF-Token", csrfToken)
+			}
+		})
+
+		handler.ServeHTTP(sw, r)
+
+	})
+}
+
+func withSkipCSRF(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		skip, err := security.ShouldSkipCSRFCheck(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusForbidden, err.Error(), err)
+			return
+		}
+
+		if skip {
+			r = gorillacsrf.UnsafeSkipCheck(r)
+		}
+
+		handler.ServeHTTP(w, r)
+	})
+}

api/http/errors/tx.go

@@ -3,7 +3,7 @@ package errors
 import (
 	"errors"
 
-	httperror "github.com/portainer/libhttp/error"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
 
 func TxResponse(err error, validResponse func() *httperror.HandlerError) *httperror.HandlerError {

api/http/handler/auth/authenticate.go

@@ -4,12 +4,13 @@ import (
 	"net/http"
 	"strings"
 
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
 
 	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
@@ -25,7 +26,7 @@ type authenticatePayload struct {
 
 type authenticateResponse struct {
 	// JWT token used to authenticate against the API
-	JWT string `json:"jwt" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE"`
+	JWT string `json:"jwt" example:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzAB"`
 }
 
 func (payload *authenticatePayload) Validate(r *http.Request) error {
@@ -74,7 +75,7 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
 			settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
 			(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
-			return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Invalid credentials", Err: httperrors.ErrUnauthorized}
+			return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
 		}
 	}
 
@@ -83,14 +84,14 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 	}
 
 	if settings.AuthenticationMethod == portainer.AuthenticationOAuth {
-		return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Only initial admin is allowed to login without oauth", Err: httperrors.ErrUnauthorized}
+		return httperror.NewError(http.StatusUnprocessableEntity, "Only initial admin is allowed to login without oauth", httperrors.ErrUnauthorized)
 	}
 
 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
 		return handler.authenticateLDAP(rw, user, payload.Username, payload.Password, &settings.LDAPSettings)
 	}
 
-	return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Login method is not supported", Err: httperrors.ErrUnauthorized}
+	return httperror.NewError(http.StatusUnprocessableEntity, "Login method is not supported", httperrors.ErrUnauthorized)
 }
 
 func isUserInitialAdmin(user *portainer.User) bool {
@@ -100,7 +101,7 @@ func isUserInitialAdmin(user *portainer.User) bool {
 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {
-		return &httperror.HandlerError{StatusCode: http.StatusUnprocessableEntity, Message: "Invalid credentials", Err: httperrors.ErrUnauthorized}
+		return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
 	}
 
 	forceChangePassword := !handler.passwordStrengthChecker.Check(password)
@@ -142,12 +143,15 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User,
 }
 
 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
-	token, err := handler.JWTService.GenerateToken(tokenData)
+	token, expirationTime, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return httperror.InternalServerError("Unable to generate JWT token", err)
 	}
 
+	security.AddAuthCookie(w, token, expirationTime)
+
 	return response.JSON(w, &authenticateResponse{JWT: token})
+
 }
 
 func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settings *portainer.LDAPSettings) error {
@@ -196,7 +200,7 @@ func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settin
 
 func teamExists(teamName string, ldapGroups []string) bool {
 	for _, group := range ldapGroups {
-		if strings.ToLower(group) == strings.ToLower(teamName) {
+		if strings.EqualFold(group, teamName) {
 			return true
 		}
 	}

api/http/handler/auth/authenticate_oauth.go

@@ -4,10 +4,10 @@ import (
 	"errors"
 	"net/http"
 
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/asaskevich/govalidator"
 	"github.com/rs/zerolog/log"

api/http/handler/auth/handler.go

@@ -3,12 +3,12 @@ package auth
 import (
 	"net/http"
 
-	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
 )
@@ -18,12 +18,13 @@ type Handler struct {
 	*mux.Router
 	DataStore                   dataservices.DataStore
 	CryptoService               portainer.CryptoService
-	JWTService                  dataservices.JWTService
+	JWTService                  portainer.JWTService
 	LDAPService                 portainer.LDAPService
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
 	passwordStrengthChecker     security.PasswordStrengthChecker
+	bouncer                     security.BouncerService
 }
 
 // NewHandler creates a handler to manage authentication operations.
@@ -31,6 +32,7 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
+		bouncer:                 bouncer,
 	}
 
 	h.Handle("/auth/oauth/validate",
@@ -38,7 +40,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
 	h.Handle("/auth/logout",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
-
+		bouncer.PublicAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
 	return h
 }

api/http/handler/auth/logout.go

@@ -3,14 +3,15 @@ package auth
 import (
 	"net/http"
 
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/logoutcontext"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/response"
 )
 
 // @id Logout
 // @summary Logout
-// @description **Access policy**: authenticated
+// @description **Access policy**: public
 // @security ApiKeyAuth
 // @security jwt
 // @tags auth
@@ -18,12 +19,14 @@ import (
 // @failure 500 "Server error"
 // @router /auth/logout [post]
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user details from authentication token", err)
+	tokenData, _ := handler.bouncer.CookieAuthLookup(r)
+
+	if tokenData != nil {
+		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+		logoutcontext.Cancel(tokenData.Token)
 	}
 
-	handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+	security.RemoveAuthCookie(w)
 
 	return response.Empty(w)
 }

api/http/handler/backup/backup.go

@@ -6,9 +6,9 @@ import (
 	"os"
 	"path/filepath"
 
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
 	operations "github.com/portainer/portainer/api/backup"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 )
 
 type (

api/http/handler/backup/handler.go

@@ -4,13 +4,13 @@ import (
 	"context"
 	"net/http"
 
-	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/portainer/api/adminmonitor"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/offlinegate"
 	"github.com/portainer/portainer/api/http/security"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
 )