fix(sidebar/authorized): authorized component fallback on id param if endpointId doesnt exist in router params

* feat(stack): added ui label in env var section

* feat(stack): added ui label in env var advanced section

* feat(stack): added showHelpMessage flag

* feat(stack): show help message when stack created from web editor.

.eslintrc.yml

@@ -31,7 +31,12 @@ rules:
     [
       'error',
       {
-        pathGroups: [{ pattern: '@/**', group: 'internal' }, { pattern: '{Kubernetes,Portainer,Agent,Azure,Docker}/**', group: 'internal' }],
+        pathGroups:
+          [
+            { pattern: '@@/**', group: 'internal', position: 'after' },
+            { pattern: '@/**', group: 'internal' },
+            { pattern: '{Kubernetes,Portainer,Agent,Azure,Docker}/**', group: 'internal' },
+          ],
         groups: ['builtin', 'external', 'internal', 'parent', 'sibling', 'index'],
         pathGroupsExcludedImportTypes: ['internal'],
       },
@@ -41,6 +46,7 @@ settings:
   'import/resolver':
     alias:
       map:
+        - ['@@', './app/react/components']
         - ['@', './app']
       extensions: ['.js', '.ts', '.tsx']
 
@@ -52,6 +58,7 @@ overrides:
     parser: '@typescript-eslint/parser'
     plugins:
       - '@typescript-eslint'
+      - 'regex'
     extends:
       - airbnb
       - airbnb-typescript
@@ -68,7 +75,14 @@ overrides:
         version: 'detect'
     rules:
       import/order:
-        ['error', { pathGroups: [{ pattern: '@/**', group: 'internal' }], groups: ['builtin', 'external', 'internal', 'parent', 'sibling', 'index'], 'newlines-between': 'always' }]
+        [
+          'error',
+          {
+            pathGroups: [{ pattern: '@@/**', group: 'internal', position: 'after' }, { pattern: '@/**', group: 'internal' }],
+            groups: ['builtin', 'external', 'internal', 'parent', 'sibling', 'index'],
+            'newlines-between': 'always',
+          },
+        ]
       func-style: [error, 'declaration']
       import/prefer-default-export: off
       no-use-before-define: ['error', { functions: false }]
@@ -90,6 +104,7 @@ overrides:
       'react/jsx-no-bind': off
       'no-await-in-loop': 'off'
       'react/jsx-no-useless-fragment': ['error', { allowExpressions: true }]
+      'regex/invalid': ['error', [{ 'regex': 'data-feather="(.*)"', 'message': 'Please use `react-feather` package instead' }]]
   - files:
       - app/**/*.test.*
     extends:

.storybook/preview.js

@@ -3,6 +3,7 @@ import '../app/assets/css';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswDecorator } from 'msw-storybook-addon';
 import { handlers } from '@/setup-tests/server-handlers';
+import { QueryClient, QueryClientProvider } from 'react-query';
 
 // Initialize MSW
 initMSW({
@@ -31,11 +32,17 @@ export const parameters = {
   },
 };
 
+const testQueryClient = new QueryClient({
+  defaultOptions: { queries: { retry: false } },
+});
+
 export const decorators = [
   (Story) => (
-    <UIRouter plugins={[pushStateLocationPlugin]}>
-      <Story />
-    </UIRouter>
+    <QueryClientProvider client={testQueryClient}>
+      <UIRouter plugins={[pushStateLocationPlugin]}>
+        <Story />
+      </UIRouter>
+    </QueryClientProvider>
   ),
   mswDecorator,
 ];

README.md

@@ -22,7 +22,7 @@ Please note that the public demo cluster is **reset every 15min**.
 
 Portainer CE is updated regularly. We aim to do an update release every couple of months.
 
-**The latest version of Portainer is 2.9.x**. Portainer is on version 2, the second number denotes the month of release.
+**The latest version of Portainer is 2.13.x**.
 
 ## Getting started
 

api/database/boltdb/json_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )
 

api/datastore/backup.go

@@ -103,8 +103,26 @@ func (store *Store) backupWithOptions(options *BackupOptions) (string, error) {
 	store.createBackupFolders()
 
 	options = store.setupOptions(options)
+	dbPath := store.databasePath()
 
-	return options.BackupPath, store.copyDBFile(store.databasePath(), options.BackupPath)
+	if err := store.Close(); err != nil {
+		return options.BackupPath, fmt.Errorf(
+			"error closing datastore before creating backup: %v",
+			err,
+		)
+	}
+
+	if err := store.copyDBFile(dbPath, options.BackupPath); err != nil {
+		return options.BackupPath, err
+	}
+
+	if _, err := store.Open(); err != nil {
+		return options.BackupPath, fmt.Errorf(
+			"error opening datastore after creating backup: %v",
+			err,
+		)
+	}
+	return options.BackupPath, nil
 }
 
 // RestoreWithOptions previously saved backup for the current Edition  with options

api/datastore/init.go

@@ -47,6 +47,9 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 			EnableTelemetry:      true,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
+			InternalAuthSettings: portainer.InternalAuthSettings{
+				RequiredPasswordLength: 12,
+			},
 			LDAPSettings: portainer.LDAPSettings{
 				AnonymousMode:   true,
 				AutoCreateUsers: true,

api/datastore/migrate_data_test.go

@@ -34,9 +34,9 @@ func TestMigrateData(t *testing.T) {
 		wantPath string
 	}{
 		{
-			testName: "migrate version 24 to 35",
+			testName: "migrate version 24 to latest",
 			srcPath:  "test_data/input_24.json",
-			wantPath: "test_data/output_35.json",
+			wantPath: "test_data/output_24_to_latest.json",
 		},
 	}
 	for _, test := range snapshotTests {

api/datastore/migrator/migrate_ce.go

@@ -101,6 +101,7 @@ func (m *Migrator) Migrate() error {
 		// Portainer 2.13
 		newMigration(40, m.migrateDBVersionToDB40),
 
+		// Portainer 2.14
 		newMigration(50, m.migrateDBVersionToDB50),
 	}
 

api/datastore/migrator/migrate_dbversion31.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 
+	"github.com/docker/docker/api/types/volume"
 	"github.com/portainer/portainer/api/dataservices/errors"
 
 	portainer "github.com/portainer/portainer/api"
@@ -210,14 +211,14 @@ func (m *Migrator) updateVolumeResourceControlToDB32() error {
 			continue
 		}
 
-		if volumesData, done := snapshot.SnapshotRaw.Volumes.(map[string]interface{}); done {
-			if volumesData["Volumes"] == nil {
-				log.Println("[DEBUG] [volume migration] [message: no volume data found]")
-				continue
-			}
-
-			findResourcesToUpdateForDB32(endpointDockerID, volumesData, toUpdate, volumeResourceControls)
+		volumesData := snapshot.SnapshotRaw.Volumes
+		if volumesData.Volumes == nil {
+			log.Println("[DEBUG] [volume migration] [message: no volume data found]")
+			continue
 		}
+
+		findResourcesToUpdateForDB32(endpointDockerID, volumesData, toUpdate, volumeResourceControls)
+
 	}
 
 	for _, resourceControl := range volumeResourceControls {
@@ -240,18 +241,11 @@ func (m *Migrator) updateVolumeResourceControlToDB32() error {
 	return nil
 }
 
-func findResourcesToUpdateForDB32(dockerID string, volumesData map[string]interface{}, toUpdate map[portainer.ResourceControlID]string, volumeResourceControls map[string]*portainer.ResourceControl) {
-	volumes := volumesData["Volumes"].([]interface{})
-	for _, volumeMeta := range volumes {
-		volume := volumeMeta.(map[string]interface{})
-		volumeName, nameExist := volume["Name"].(string)
-		if !nameExist {
-			continue
-		}
-		createTime, createTimeExist := volume["CreatedAt"].(string)
-		if !createTimeExist {
-			continue
-		}
+func findResourcesToUpdateForDB32(dockerID string, volumesData volume.VolumeListOKBody, toUpdate map[portainer.ResourceControlID]string, volumeResourceControls map[string]*portainer.ResourceControl) {
+	volumes := volumesData.Volumes
+	for _, volume := range volumes {
+		volumeName := volume.Name
+		createTime := volume.CreatedAt
 
 		oldResourceID := fmt.Sprintf("%s%s", volumeName, createTime)
 		resourceControl, ok := volumeResourceControls[oldResourceID]

api/datastore/migrator/migrate_dbversion50.go

@@ -1,30 +1,20 @@
 package migrator
 
-import portainer "github.com/portainer/portainer/api"
+import (
+	"github.com/pkg/errors"
+)
 
 func (m *Migrator) migrateDBVersionToDB50() error {
-	if err := m.addGpuInputFieldDB50(); err != nil {
-		return err
-	}
-
-	return nil
+	return m.migratePasswordLengthSettings()
 }
 
-func (m *Migrator) addGpuInputFieldDB50() error {
-	migrateLog.Info("- add gpu input field")
-	endpoints, err := m.endpointService.Endpoints()
+func (m *Migrator) migratePasswordLengthSettings() error {
+	migrateLog.Info("Updating required password length")
+	s, err := m.settingsService.Settings()
 	if err != nil {
-		return err
+		return errors.Wrap(err, "unable to retrieve settings")
 	}
 
-	for _, endpoint := range endpoints {
-		endpoint.Gpus = []portainer.Pair{}
-		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
-		if err != nil {
-			return err
-		}
-
-	}
-
-	return nil
+	s.InternalAuthSettings.RequiredPasswordLength = 12
+	return m.settingsService.UpdateSettings(s)
 }

api/datastore/test_data/output_24_to_latest.json

@@ -35,9 +35,14 @@
         "TenantID": ""
       },
       "ComposeSyntaxMaxVersion": "",
+      "Edge": {
+        "AsyncMode": false,
+        "CommandInterval": 0,
+        "PingInterval": 0,
+        "SnapshotInterval": 0
+      },
       "EdgeCheckinInterval": 0,
       "EdgeKey": "",
-      "Gpus": [],
       "GroupId": 1,
       "Id": 1,
       "IsEdgeDevice": false,
@@ -71,14 +76,105 @@
           "DockerSnapshotRaw": {
             "Containers": null,
             "Images": null,
-            "Info": null,
+            "Info": {
+              "Architecture": "",
+              "BridgeNfIp6tables": false,
+              "BridgeNfIptables": false,
+              "CPUSet": false,
+              "CPUShares": false,
+              "CgroupDriver": "",
+              "ContainerdCommit": {
+                "Expected": "",
+                "ID": ""
+              },
+              "Containers": 0,
+              "ContainersPaused": 0,
+              "ContainersRunning": 0,
+              "ContainersStopped": 0,
+              "CpuCfsPeriod": false,
+              "CpuCfsQuota": false,
+              "Debug": false,
+              "DefaultRuntime": "",
+              "DockerRootDir": "",
+              "Driver": "",
+              "DriverStatus": null,
+              "ExperimentalBuild": false,
+              "GenericResources": null,
+              "HttpProxy": "",
+              "HttpsProxy": "",
+              "ID": "",
+              "IPv4Forwarding": false,
+              "Images": 0,
+              "IndexServerAddress": "",
+              "InitBinary": "",
+              "InitCommit": {
+                "Expected": "",
+                "ID": ""
+              },
+              "Isolation": "",
+              "KernelMemory": false,
+              "KernelMemoryTCP": false,
+              "KernelVersion": "",
+              "Labels": null,
+              "LiveRestoreEnabled": false,
+              "LoggingDriver": "",
+              "MemTotal": 0,
+              "MemoryLimit": false,
+              "NCPU": 0,
+              "NEventsListener": 0,
+              "NFd": 0,
+              "NGoroutines": 0,
+              "Name": "",
+              "NoProxy": "",
+              "OSType": "",
+              "OSVersion": "",
+              "OomKillDisable": false,
+              "OperatingSystem": "",
+              "PidsLimit": false,
+              "Plugins": {
+                "Authorization": null,
+                "Log": null,
+                "Network": null,
+                "Volume": null
+              },
+              "RegistryConfig": null,
+              "RuncCommit": {
+                "Expected": "",
+                "ID": ""
+              },
+              "Runtimes": null,
+              "SecurityOptions": null,
+              "ServerVersion": "",
+              "SwapLimit": false,
+              "Swarm": {
+                "ControlAvailable": false,
+                "Error": "",
+                "LocalNodeState": "",
+                "NodeAddr": "",
+                "NodeID": "",
+                "RemoteManagers": null
+              },
+              "SystemTime": "",
+              "Warnings": null
+            },
             "Networks": null,
-            "Version": null,
-            "Volumes": null
+            "Version": {
+              "ApiVersion": "",
+              "Arch": "",
+              "GitCommit": "",
+              "GoVersion": "",
+              "Os": "",
+              "Platform": {
+                "Name": ""
+              },
+              "Version": ""
+            },
+            "Volumes": {
+              "Volumes": null,
+              "Warnings": null
+            }
           },
           "DockerVersion": "20.10.13",
-          "GpuUseAll": false,
-          "GpuUseList": null,
           "HealthyContainerCount": 0,
           "ImageCount": 9,
           "NodeCount": 0,
@@ -592,6 +688,12 @@
     "BlackListedLabels": [],
     "DisplayDonationHeader": false,
     "DisplayExternalContributors": false,
+    "Edge": {
+      "AsyncMode": false,
+      "CommandInterval": 0,
+      "PingInterval": 0,
+      "SnapshotInterval": 0
+    },
     "EdgeAgentCheckinInterval": 5,
     "EdgePortainerUrl": "",
     "EnableEdgeComputeFeatures": false,
@@ -600,6 +702,9 @@
     "EnforceEdgeID": false,
     "FeatureFlagSettings": null,
     "HelmRepositoryURL": "https://charts.bitnami.com/bitnami",
+    "InternalAuthSettings": {
+      "RequiredPasswordLength": 12
+    },
     "KubeconfigExpiry": "0",
     "KubectlShellImage": "portainer/kubectl-shell",
     "LDAPSettings": {
@@ -685,6 +790,7 @@
       "IsComposeFormat": false,
       "Name": "alpine",
       "Namespace": "",
+      "Option": null,
       "ProjectPath": "/home/prabhat/portainer/data/ce1.25/compose/2",
       "ResourceControl": null,
       "Status": 1,
@@ -707,6 +813,7 @@
       "IsComposeFormat": false,
       "Name": "redis",
       "Namespace": "",
+      "Option": null,
       "ProjectPath": "/home/prabhat/portainer/data/ce1.25/compose/5",
       "ResourceControl": null,
       "Status": 1,
@@ -729,6 +836,7 @@
       "IsComposeFormat": false,
       "Name": "nginx",
       "Namespace": "",
+      "Option": null,
       "ProjectPath": "/home/prabhat/portainer/data/ce1.25/compose/6",
       "ResourceControl": null,
       "Status": 1,
@@ -805,7 +913,7 @@
   ],
   "version": {
     "DB_UPDATING": "false",
-    "DB_VERSION": "50",
+    "DB_VERSION": "60",
     "INSTANCE_ID": "null"
   }
 }

api/docker/snapshot.go

@@ -7,10 +7,9 @@ import (
 	"time"
 
 	"github.com/docker/docker/api/types"
-	contypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"
 )
 
 // Snapshotter represents a service used to create environment(endpoint) snapshots
@@ -155,40 +154,11 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	healthyContainers := 0
 	unhealthyContainers := 0
 	stacks := make(map[string]struct{})
-	gpuUseSet := make(map[string]struct{})
-	gpuUseAll := false
 	for _, container := range containers {
 		if container.State == "exited" {
 			stoppedContainers++
 		} else if container.State == "running" {
 			runningContainers++
-
-			// snapshot GPUs
-			response, err := cli.ContainerInspect(context.Background(), container.ID)
-			if err != nil {
-				return err
-			}
-
-			var gpuOptions *contypes.DeviceRequest = nil
-			for _, deviceRequest := range response.HostConfig.Resources.DeviceRequests {
-				var cap string
-				if len(deviceRequest.Capabilities) > 0 && len(deviceRequest.Capabilities[0]) > 0 {
-					cap = deviceRequest.Capabilities[0][0]
-				}
-
-				if deviceRequest.Driver == "nvidia" || cap == "gpu" {
-					gpuOptions = &deviceRequest
-				}
-			}
-
-			if gpuOptions != nil {
-				if gpuOptions.Count == -1 {
-					gpuUseAll = true
-				}
-				for _, id := range gpuOptions.DeviceIDs {
-					gpuUseSet[id] = struct{}{}
-				}
-			}
 		}
 
 		if strings.Contains(container.Status, "(healthy)") {
@@ -204,14 +174,6 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 		}
 	}
 
-	gpuUseList := make([]string, 0, len(gpuUseSet))
-	for gpuUse := range gpuUseSet {
-		gpuUseList = append(gpuUseList, gpuUse)
-	}
-
-	snapshot.GpuUseAll = gpuUseAll
-	snapshot.GpuUseList = gpuUseList
-
 	snapshot.RunningContainerCount = runningContainers
 	snapshot.StoppedContainerCount = stoppedContainers
 	snapshot.HealthyContainerCount = healthyContainers

api/exec/compose_stack.go

@@ -6,7 +6,6 @@ import (
 	"io"
 	"os"
 	"path"
-	"regexp"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -14,7 +13,6 @@ import (
 	libstack "github.com/portainer/docker-compose-wrapper"
 	"github.com/portainer/docker-compose-wrapper/compose"
 
-	"github.com/docker/cli/cli/compose/loader"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
@@ -56,13 +54,13 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 		defer proxy.Close()
 	}
 
-	envFilePath, err := createEnvFile(stack)
+	envFile, err := createEnvFile(stack)
 	if err != nil {
 		return errors.Wrap(err, "failed to create env file")
 	}
 
 	filePaths := stackutils.GetStackFilePaths(stack)
-	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath, forceRereate)
+	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFile, forceRereate)
 	return errors.Wrap(err, "failed to deploy a stack")
 }
 
@@ -76,12 +74,14 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		defer proxy.Close()
 	}
 
-	if err := updateNetworkEnvFile(stack); err != nil {
-		return err
+	envFile, err := createEnvFile(stack)
+	if err != nil {
+		return errors.Wrap(err, "failed to create env file")
 	}
 
 	filePaths := stackutils.GetStackFilePaths(stack)
-	err = manager.deployer.Remove(ctx, stack.ProjectPath, url, stack.Name, filePaths)
+
+	err = manager.deployer.Remove(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFile)
 	return errors.Wrap(err, "failed to remove a stack")
 }
 
@@ -103,200 +103,42 @@ func (manager *ComposeStackManager) fetchEndpointProxy(endpoint *portainer.Endpo
 	return fmt.Sprintf("tcp://127.0.0.1:%d", proxy.Port), proxy, nil
 }
 
+// createEnvFile creates a file that would hold both "in-place" and default environment variables.
+// It will return the name of the file if the stack has "in-place" env vars, otherwise empty string.
 func createEnvFile(stack *portainer.Stack) (string, error) {
-	// workaround for EE-1862. It will have to be removed when
-	// docker/compose upgraded to v2.x.
-	if err := createNetworkEnvFile(stack); err != nil {
-		return "", errors.Wrap(err, "failed to create network env file")
-	}
-
 	if stack.Env == nil || len(stack.Env) == 0 {
 		return "", nil
 	}
 
 	envFilePath := path.Join(stack.ProjectPath, "stack.env")
-
 	envfile, err := os.OpenFile(envFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return "", err
 	}
+	defer envfile.Close()
+
+	copyDefaultEnvFile(stack, envfile)
 
 	for _, v := range stack.Env {
 		envfile.WriteString(fmt.Sprintf("%s=%s\n", v.Name, v.Value))
 	}
-	envfile.Close()
 
 	return "stack.env", nil
 }
 
-func fileNotExist(filePath string) bool {
-	if _, err := os.Stat(filePath); errors.Is(err, os.ErrNotExist) {
-		return true
-	}
-
-	return false
-}
-
-func updateNetworkEnvFile(stack *portainer.Stack) error {
-	envFilePath := path.Join(stack.ProjectPath, ".env")
-	stackFilePath := path.Join(stack.ProjectPath, "stack.env")
-	if fileNotExist(envFilePath) {
-		if fileNotExist(stackFilePath) {
-			return nil
-		}
-
-		flags := os.O_WRONLY | os.O_SYNC | os.O_CREATE
-		envFile, err := os.OpenFile(envFilePath, flags, 0666)
-		if err != nil {
-			return err
-		}
-
-		defer envFile.Close()
-
-		stackFile, err := os.Open(stackFilePath)
-		if err != nil {
-			return err
-		}
-
-		defer stackFile.Close()
-
-		_, err = io.Copy(envFile, stackFile)
-		return err
-	}
-
-	return nil
-}
-
-func createNetworkEnvFile(stack *portainer.Stack) error {
-	networkNameSet := NewStringSet()
-
-	for _, filePath := range stackutils.GetStackFilePaths(stack) {
-		networkNames, err := extractNetworkNames(filePath)
-		if err != nil {
-			return errors.Wrap(err, "failed to extract network name")
-		}
-
-		if networkNames == nil || networkNames.Len() == 0 {
-			continue
-		}
-
-		networkNameSet.Union(networkNames)
-	}
-
-	for _, s := range networkNameSet.List() {
-		if _, ok := os.LookupEnv(s); ok {
-			networkNameSet.Remove(s)
-		}
-	}
-
-	if networkNameSet.Len() == 0 && stack.Env == nil {
-		return nil
-	}
-
-	envfile, err := os.OpenFile(path.Join(stack.ProjectPath, ".env"),
-		os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+// copyDefaultEnvFile copies the default .env file if it exists to the provided writer
+func copyDefaultEnvFile(stack *portainer.Stack, w io.Writer) {
+	defaultEnvFile, err := os.Open(path.Join(path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint)), ".env"))
 	if err != nil {
-		return errors.Wrap(err, "failed to open env file")
+		// If cannot open a default file, then don't need to copy it.
+		// We could as well stat it and check if it exists, but this is more efficient.
+		return
 	}
 
-	defer envfile.Close()
+	defer defaultEnvFile.Close()
 
-	var scanEnvSettingFunc = func(name string) (string, bool) {
-		if stack.Env != nil {
-			for _, v := range stack.Env {
-				if name == v.Name {
-					return v.Value, true
-				}
-			}
-		}
-
-		return "", false
+	if _, err = io.Copy(w, defaultEnvFile); err == nil {
+		io.WriteString(w, "\n")
 	}
-
-	for _, s := range networkNameSet.List() {
-		if _, ok := scanEnvSettingFunc(s); !ok {
-			stack.Env = append(stack.Env, portainer.Pair{
-				Name:  s,
-				Value: "None",
-			})
-		}
-	}
-
-	if stack.Env != nil {
-		for _, v := range stack.Env {
-			envfile.WriteString(
-				fmt.Sprintf("%s=%s\n", v.Name, v.Value))
-		}
-	}
-
-	return nil
-}
-
-func extractNetworkNames(filePath string) (StringSet, error) {
-	if info, err := os.Stat(filePath); errors.Is(err,
-		os.ErrNotExist) || info.IsDir() {
-		return nil, nil
-	}
-
-	stackFileContent, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to open yaml file")
-	}
-
-	config, err := loader.ParseYAML(stackFileContent)
-	if err != nil {
-		// invalid stack file
-		return nil, errors.Wrap(err, "invalid stack file")
-	}
-
-	var version string
-	if _, ok := config["version"]; ok {
-		version, _ = config["version"].(string)
-	}
-
-	var networks map[string]interface{}
-	if value, ok := config["networks"]; ok {
-		if value == nil {
-			return nil, nil
-		}
-
-		if networks, ok = value.(map[string]interface{}); !ok {
-			return nil, nil
-		}
-	} else {
-		return nil, nil
-	}
-
-	networkContent, err := loader.LoadNetworks(networks, version)
-	if err != nil {
-		return nil, nil // skip the error
-	}
-
-	re := regexp.MustCompile(`^\$\{?([^\}]+)\}?$`)
-	networkNames := NewStringSet()
-
-	for _, v := range networkContent {
-		matched := re.FindAllStringSubmatch(v.Name, -1)
-		if matched != nil && matched[0] != nil {
-			if strings.Contains(matched[0][1], ":-") {
-				continue
-			}
-
-			if strings.Contains(matched[0][1], "?") {
-				continue
-			}
-
-			if strings.Contains(matched[0][1], "-") {
-				continue
-			}
-
-			networkNames.Add(matched[0][1])
-		}
-	}
-
-	if networkNames.Len() == 0 {
-		return nil, nil
-	}
-
-	return networkNames, nil
+	// If couldn't copy the .env file, then ignore the error and try to continue
 }

api/exec/compose_stack_integration_test.go

@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 )
 
 const composeFile = `version: "3.9"
@@ -41,6 +42,8 @@ func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 
 func Test_UpAndDown(t *testing.T) {
 
+	testhelpers.IntegrationTest(t)
+
 	stack, endpoint := setup(t)
 
 	w, err := NewComposeStackManager("", "", nil)

api/exec/compose_stack_test.go

@@ -65,56 +65,22 @@ func Test_createEnvFile(t *testing.T) {
 	}
 }
 
-func Test_createNetworkEnvFile(t *testing.T) {
+func Test_createEnvFile_mergesDefultAndInplaceEnvVars(t *testing.T) {
 	dir := t.TempDir()
-	buf := []byte(`
-version: '3.6'
-services:
-  nginx-example:
-    image: nginx:latest
-networks:
-  default:
-    name: ${test}
-    driver: bridge
-`)
-	if err := ioutil.WriteFile(path.Join(dir,
-		"docker-compose.yml"), buf, 0644); err != nil {
-		t.Fatalf("Failed to create yaml file: %s", err)
-	}
-
-	stackWithoutEnv := &portainer.Stack{
+	os.WriteFile(path.Join(dir, ".env"), []byte("VAR1=VAL1\nVAR2=VAL2\n"), 0600)
+	stack := &portainer.Stack{
 		ProjectPath: dir,
-		EntryPoint:  "docker-compose.yml",
-		Env:         []portainer.Pair{},
-	}
-
-	if err := createNetworkEnvFile(stackWithoutEnv); err != nil {
-		t.Fatalf("Failed to create network env file: %s", err)
-	}
-
-	content, err := ioutil.ReadFile(path.Join(dir, ".env"))
-	if err != nil {
-		t.Fatalf("Failed to read network env file: %s", err)
-	}
-
-	assert.Equal(t, "test=None\n", string(content))
-
-	stackWithEnv := &portainer.Stack{
-		ProjectPath: dir,
-		EntryPoint:  "docker-compose.yml",
 		Env: []portainer.Pair{
-			{Name: "test", Value: "test-value"},
+			{Name: "VAR1", Value: "NEW_VAL1"},
+			{Name: "VAR3", Value: "VAL3"},
 		},
 	}
+	result, err := createEnvFile(stack)
+	assert.Equal(t, "stack.env", result)
+	assert.NoError(t, err)
+	assert.FileExists(t, path.Join(dir, "stack.env"))
+	f, _ := os.Open(path.Join(dir, "stack.env"))
+	content, _ := ioutil.ReadAll(f)
 
-	if err := createNetworkEnvFile(stackWithEnv); err != nil {
-		t.Fatalf("Failed to create network env file: %s", err)
-	}
-
-	content, err = ioutil.ReadFile(path.Join(dir, ".env"))
-	if err != nil {
-		t.Fatalf("Failed to read network env file: %s", err)
-	}
-
-	assert.Equal(t, "test=test-value\n", string(content))
+	assert.Equal(t, []byte("VAR1=VAL1\nVAR2=VAL2\n\nVAR1=NEW_VAL1\nVAR3=VAL3\n"), content)
 }

api/go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/coreos/go-semver v0.3.0
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
 	github.com/docker/cli v20.10.9+incompatible
-	github.com/docker/docker v20.10.9+incompatible
+	github.com/docker/docker v20.10.16+incompatible
 	github.com/fvbommel/sortorder v1.0.2
 	github.com/fxamacker/cbor/v2 v2.3.0
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
@@ -32,7 +32,7 @@ require (
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
 	github.com/pkg/errors v0.9.1
-	github.com/portainer/docker-compose-wrapper v0.0.0-20220407011010-3c7408969ad3
+	github.com/portainer/docker-compose-wrapper v0.0.0-20220708023447-a69a4ebaa021
 	github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a
 	github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108
 	github.com/portainer/libhttp v0.0.0-20211208103139-07a5f798eb3f
@@ -61,7 +61,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1 // indirect
 	github.com/aws/smithy-go v1.9.0 // indirect
-	github.com/containerd/containerd v1.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.0+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
@@ -95,6 +94,9 @@ require (
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/onsi/ginkgo v1.16.4 // indirect
+	github.com/onsi/gomega v1.15.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -112,12 +114,11 @@ require (
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools/v3 v3.0.3 // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect

api/http/handler/auth/authenticate.go

@@ -13,7 +13,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type authenticatePayload struct {
@@ -101,7 +100,7 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
 	}
 
-	forceChangePassword := !passwordutils.StrengthCheck(password)
+	forceChangePassword := !handler.passwordStrengthChecker.Check(password)
 	return handler.writeToken(w, user, forceChangePassword)
 }
 

api/http/handler/auth/handler.go

@@ -22,12 +22,14 @@ type Handler struct {
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
+	passwordStrengthChecker     security.PasswordStrengthChecker
 }
 
 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker) *Handler {
 	h := &Handler{
-		Router: mux.NewRouter(),
+		Router:                  mux.NewRouter(),
+		passwordStrengthChecker: passwordStrengthChecker,
 	}
 
 	h.Handle("/auth/oauth/validate",

api/http/handler/customtemplates/customtemplate_create.go

@@ -1,6 +1,7 @@
 package customtemplates
 
 import (
+	"encoding/json"
 	"errors"
 	"log"
 	"net/http"
@@ -115,6 +116,8 @@ type customTemplateFromFileContentPayload struct {
 	Type portainer.StackType `example:"1" enums:"1,2,3" validate:"required"`
 	// Content of stack file
 	FileContent string `validate:"required"`
+	// Definitions of variables in the stack file
+	Variables []portainer.CustomTemplateVariableDefinition
 }
 
 func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) error {
@@ -136,6 +139,12 @@ func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) e
 	if !isValidNote(payload.Note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
+
+	err := validateVariablesDefinitions(payload.Variables)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -164,6 +173,7 @@ func (handler *Handler) createCustomTemplateFromFileContent(r *http.Request) (*p
 		Platform:    (payload.Platform),
 		Type:        (payload.Type),
 		Logo:        payload.Logo,
+		Variables:   payload.Variables,
 	}
 
 	templateFolder := strconv.Itoa(customTemplateID)
@@ -204,6 +214,8 @@ type customTemplateFromGitRepositoryPayload struct {
 	RepositoryPassword string `example:"myGitPassword"`
 	// Path to the Stack file inside the Git repository
 	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
+	// Definitions of variables in the stack file
+	Variables []portainer.CustomTemplateVariableDefinition
 }
 
 func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -236,6 +248,12 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 	if !isValidNote(payload.Note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
+
+	err := validateVariablesDefinitions(payload.Variables)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -256,6 +274,7 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 		Platform:    payload.Platform,
 		Type:        payload.Type,
 		Logo:        payload.Logo,
+		Variables:   payload.Variables,
 	}
 
 	projectPath := handler.FileService.GetCustomTemplateProjectPath(strconv.Itoa(customTemplateID))
@@ -316,6 +335,8 @@ type customTemplateFromFileUploadPayload struct {
 	Platform    portainer.CustomTemplatePlatform
 	Type        portainer.StackType
 	FileContent []byte
+	// Definitions of variables in the stack file
+	Variables []portainer.CustomTemplateVariableDefinition
 }
 
 func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) error {
@@ -361,6 +382,17 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 	}
 	payload.FileContent = composeFileContent
 
+	varsString, _ := request.RetrieveMultiPartFormValue(r, "Variables", true)
+	err = json.Unmarshal([]byte(varsString), &payload.Variables)
+	if err != nil {
+		return errors.New("Invalid variables. Ensure that the variables are valid JSON")
+	}
+
+	err = validateVariablesDefinitions(payload.Variables)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -381,6 +413,7 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po
 		Type:        payload.Type,
 		Logo:        payload.Logo,
 		EntryPoint:  filesystem.ComposeFileDefaultName,
+		Variables:   payload.Variables,
 	}
 
 	templateFolder := strconv.Itoa(customTemplateID)

api/http/handler/customtemplates/customtemplate_update.go

@@ -31,6 +31,8 @@ type customTemplateUpdatePayload struct {
 	Type portainer.StackType `example:"1" enums:"1,2,3" validate:"required"`
 	// Content of stack file
 	FileContent string `validate:"required"`
+	// Definitions of variables in the stack file
+	Variables []portainer.CustomTemplateVariableDefinition
 }
 
 func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
@@ -52,6 +54,12 @@ func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
 	if !isValidNote(payload.Note) {
 		return errors.New("Invalid note. <img> tag is not supported")
 	}
+
+	err := validateVariablesDefinitions(payload.Variables)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -124,6 +132,7 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 	customTemplate.Note = payload.Note
 	customTemplate.Platform = payload.Platform
 	customTemplate.Type = payload.Type
+	customTemplate.Variables = payload.Variables
 
 	err = handler.DataStore.CustomTemplate().UpdateCustomTemplate(customTemplate.ID, customTemplate)
 	if err != nil {

api/http/handler/customtemplates/utils.go

@@ -0,0 +1,19 @@
+package customtemplates
+
+import (
+	"errors"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+func validateVariablesDefinitions(variables []portainer.CustomTemplateVariableDefinition) error {
+	for _, variable := range variables {
+		if variable.Name == "" {
+			return errors.New("variable name is required")
+		}
+		if variable.Label == "" {
+			return errors.New("variable label is required")
+		}
+	}
+	return nil
+}

api/http/handler/endpoints/endpoint_association_delete.go

@@ -23,7 +23,7 @@ import (
 // @tags endpoints
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
-// @success 200 {object} portainer.Endpoint "Success"
+// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
 // @failure 500 "Server error"
@@ -61,7 +61,7 @@ func (handler *Handler) endpointAssociationDelete(w http.ResponseWriter, r *http
 
 	handler.ReverseTunnelService.SetTunnelStatusToIdle(endpoint.ID)
 
-	return response.JSON(w, endpoint)
+	return response.Empty(w)
 }
 
 func (handler *Handler) updateEdgeKey(edgeKey string) (string, error) {

api/http/handler/endpoints/endpoint_create.go

@@ -25,7 +25,6 @@ type endpointCreatePayload struct {
 	URL                    string
 	EndpointCreationType   endpointCreationEnum
 	PublicURL              string
-	Gpus                   []portainer.Pair
 	GroupID                int
 	TLS                    bool
 	TLSSkipVerify          bool
@@ -142,7 +141,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 		publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
 		payload.PublicURL = publicURL
 	}
-	payload.Gpus = []portainer.Pair{}
+
 	checkinInterval, _ := request.RetrieveNumericMultiPartFormValue(r, "CheckinInterval", true)
 	payload.EdgeCheckinInterval = checkinInterval
 
@@ -291,7 +290,6 @@ func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*po
 		Type:               portainer.AzureEnvironment,
 		GroupID:            portainer.EndpointGroupID(payload.GroupID),
 		PublicURL:          payload.PublicURL,
-		Gpus:               payload.Gpus,
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 		AzureCredentials:   credentials,
@@ -325,7 +323,6 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		URL:     portainerHost,
 		Type:    portainer.EdgeAgentOnDockerEnvironment,
 		GroupID: portainer.EndpointGroupID(payload.GroupID),
-		Gpus:    payload.Gpus,
 		TLSConfig: portainer.TLSConfiguration{
 			TLS: false,
 		},
@@ -381,7 +378,6 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.GroupID),
 		PublicURL: payload.PublicURL,
-		Gpus:      payload.Gpus,
 		TLSConfig: portainer.TLSConfiguration{
 			TLS: false,
 		},
@@ -416,7 +412,6 @@ func (handler *Handler) createKubernetesEndpoint(payload *endpointCreatePayload)
 		Type:      portainer.KubernetesLocalEnvironment,
 		GroupID:   portainer.EndpointGroupID(payload.GroupID),
 		PublicURL: payload.PublicURL,
-		Gpus:      payload.Gpus,
 		TLSConfig: portainer.TLSConfiguration{
 			TLS:           payload.TLS,
 			TLSSkipVerify: payload.TLSSkipVerify,
@@ -446,7 +441,6 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload,
 		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.GroupID),
 		PublicURL: payload.PublicURL,
-		Gpus:      payload.Gpus,
 		TLSConfig: portainer.TLSConfiguration{
 			TLS:           payload.TLS,
 			TLSSkipVerify: payload.TLSSkipVerify,

api/http/handler/endpoints/endpoint_list.go

@@ -34,7 +34,7 @@ var endpointGroupNames map[portainer.EndpointGroupID]string
 // @id EndpointList
 // @summary List environments(endpoints)
 // @description List all environments(endpoints) based on the current user authorizations. Will
-// @description return all environments(endpoints) if using an administrator account otherwise it will
+// @description return all environments(endpoints) if using an administrator or team leader account otherwise it will
 // @description only return authorized environments(endpoints).
 // @description **Access policy**: restricted
 // @tags endpoints
@@ -92,12 +92,6 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve environment groups from the database", err}
 	}
 
-	// create endpoint groups as a map for more convenient access
-	endpointGroupNames = make(map[portainer.EndpointGroupID]string, 0)
-	for _, group := range endpointGroups {
-		endpointGroupNames[group.ID] = group.Name
-	}
-
 	endpoints, err := handler.DataStore.Endpoint().Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve environments from the database", err}
@@ -163,7 +157,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	}
 
 	// Sort endpoints by field
-	sortEndpointsByField(filteredEndpoints, sortField, sortOrder == "desc")
+	sortEndpointsByField(filteredEndpoints, endpointGroups, sortField, sortOrder == "desc")
 
 	filteredEndpointCount := len(filteredEndpoints)
 
@@ -260,7 +254,7 @@ func filterEndpointsByStatuses(endpoints []portainer.Endpoint, statuses []int, s
 	return filteredEndpoints
 }
 
-func sortEndpointsByField(endpoints []portainer.Endpoint, sortField string, isSortDesc bool) {
+func sortEndpointsByField(endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, sortField string, isSortDesc bool) {
 
 	switch sortField {
 	case "Name":
@@ -271,10 +265,20 @@ func sortEndpointsByField(endpoints []portainer.Endpoint, sortField string, isSo
 		}
 
 	case "Group":
+		endpointGroupNames = make(map[portainer.EndpointGroupID]string, 0)
+		for _, group := range endpointGroups {
+			endpointGroupNames[group.ID] = group.Name
+		}
+
+		endpointsByGroup := EndpointsByGroup{
+			endpointGroupNames: endpointGroupNames,
+			endpoints:          endpoints,
+		}
+
 		if isSortDesc {
-			sort.Stable(sort.Reverse(EndpointsByGroup(endpoints)))
+			sort.Stable(sort.Reverse(endpointsByGroup))
 		} else {
-			sort.Stable(EndpointsByGroup(endpoints))
+			sort.Stable(endpointsByGroup)
 		}
 
 	case "Status":

api/http/handler/endpoints/endpoint_update.go

@@ -22,8 +22,6 @@ type endpointUpdatePayload struct {
 	// URL or IP address where exposed containers will be reachable.\
 	// Defaults to URL if not specified
 	PublicURL *string `example:"docker.mydomain.tld:2375"`
-	// GPUs information
-	Gpus []portainer.Pair
 	// Group identifier
 	GroupID *int `example:"1"`
 	// Require TLS to connect against this environment(endpoint)
@@ -112,10 +110,6 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		endpoint.PublicURL = *payload.PublicURL
 	}
 
-	if payload.Gpus != nil {
-		endpoint.Gpus = payload.Gpus
-	}
-
 	if payload.EdgeCheckinInterval != nil {
 		endpoint.EdgeCheckinInterval = *payload.EdgeCheckinInterval
 	}
@@ -271,7 +265,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}
 
-	if payload.URL != nil || payload.TLS != nil || endpoint.Type == portainer.AzureEnvironment {
+	if (payload.URL != nil && *payload.URL != endpoint.URL) || (payload.TLS != nil && endpoint.TLSConfig.TLS != *payload.TLS) || endpoint.Type == portainer.AzureEnvironment {
 		handler.ProxyManager.DeleteEndpointProxy(endpoint.ID)
 		_, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
 		if err != nil {

api/http/handler/endpoints/sort.go

@@ -21,23 +21,26 @@ func (e EndpointsByName) Less(i, j int) bool {
 	return sortorder.NaturalLess(strings.ToLower(e[i].Name), strings.ToLower(e[j].Name))
 }
 
-type EndpointsByGroup []portainer.Endpoint
+type EndpointsByGroup struct {
+	endpointGroupNames map[portainer.EndpointGroupID]string
+	endpoints          []portainer.Endpoint
+}
 
 func (e EndpointsByGroup) Len() int {
-	return len(e)
+	return len(e.endpoints)
 }
 
 func (e EndpointsByGroup) Swap(i, j int) {
-	e[i], e[j] = e[j], e[i]
+	e.endpoints[i], e.endpoints[j] = e.endpoints[j], e.endpoints[i]
 }
 
 func (e EndpointsByGroup) Less(i, j int) bool {
-	if e[i].GroupID == e[j].GroupID {
+	if e.endpoints[i].GroupID == e.endpoints[j].GroupID {
 		return false
 	}
 
-	groupA := endpointGroupNames[e[i].GroupID]
-	groupB := endpointGroupNames[e[j].GroupID]
+	groupA := endpointGroupNames[e.endpoints[i].GroupID]
+	groupB := endpointGroupNames[e.endpoints[j].GroupID]
 
 	return sortorder.NaturalLess(strings.ToLower(groupA), strings.ToLower(groupB))
 }

api/http/handler/handler.go

@@ -80,7 +80,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.13.0
+// @version 2.15.0
 // @description.markdown api-description.md
 // @termsOfService
 

api/http/handler/settings/settings_public.go

@@ -14,6 +14,8 @@ type publicSettingsResponse struct {
 	LogoURL string `json:"LogoURL" example:"https://mycompany.mydomain.tld/logo.png"`
 	// Active authentication method for the Portainer instance. Valid values are: 1 for internal, 2 for LDAP, or 3 for oauth
 	AuthenticationMethod portainer.AuthenticationMethod `json:"AuthenticationMethod" example:"1"`
+	// The minimum required length for a password of any user when using internal auth mode
+	RequiredPasswordLength int `json:"RequiredPasswordLength" example:"1"`
 	// Whether edge compute features are enabled
 	EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures" example:"true"`
 	// Supported feature flags
@@ -26,6 +28,21 @@ type publicSettingsResponse struct {
 	EnableTelemetry bool `json:"EnableTelemetry" example:"true"`
 	// The expiry of a Kubeconfig
 	KubeconfigExpiry string `example:"24h" default:"0"`
+	// Whether team sync is enabled
+	TeamSync bool `json:"TeamSync" example:"true"`
+
+	Edge struct {
+		// Whether the device has been started in edge async mode
+		AsyncMode bool
+		// The ping interval for edge agent - used in edge async mode [seconds]
+		PingInterval int `json:"PingInterval" example:"60"`
+		// The snapshot interval for edge agent - used in edge async mode [seconds]
+		SnapshotInterval int `json:"SnapshotInterval" example:"60"`
+		// The command list interval for edge agent - used in edge async mode [seconds]
+		CommandInterval int `json:"CommandInterval" example:"60"`
+		// The check in interval for edge agent (in seconds) - used in non async mode [seconds]
+		CheckinInterval int `example:"60"`
+	}
 }
 
 // @id SettingsPublic
@@ -51,11 +68,19 @@ func generatePublicSettings(appSettings *portainer.Settings) *publicSettingsResp
 	publicSettings := &publicSettingsResponse{
 		LogoURL:                   appSettings.LogoURL,
 		AuthenticationMethod:      appSettings.AuthenticationMethod,
+		RequiredPasswordLength:    appSettings.InternalAuthSettings.RequiredPasswordLength,
 		EnableEdgeComputeFeatures: appSettings.EnableEdgeComputeFeatures,
 		EnableTelemetry:           appSettings.EnableTelemetry,
 		KubeconfigExpiry:          appSettings.KubeconfigExpiry,
 		Features:                  appSettings.FeatureFlagSettings,
 	}
+
+	publicSettings.Edge.AsyncMode = appSettings.Edge.AsyncMode
+	publicSettings.Edge.PingInterval = appSettings.Edge.PingInterval
+	publicSettings.Edge.SnapshotInterval = appSettings.Edge.SnapshotInterval
+	publicSettings.Edge.CommandInterval = appSettings.Edge.CommandInterval
+	publicSettings.Edge.CheckinInterval = appSettings.EdgeAgentCheckinInterval
+
 	//if OAuth authentication is on, compose the related fields from application settings
 	if publicSettings.AuthenticationMethod == portainer.AuthenticationOAuth {
 		publicSettings.OAuthLogoutURI = appSettings.OAuthSettings.LogoutURI
@@ -69,5 +94,9 @@ func generatePublicSettings(appSettings *portainer.Settings) *publicSettingsResp
 			publicSettings.OAuthLoginURI += "&prompt=login"
 		}
 	}
+	//if LDAP authentication is on, compose the related fields from application settings
+	if publicSettings.AuthenticationMethod == portainer.AuthenticationLDAP {
+		publicSettings.TeamSync = len(appSettings.LDAPSettings.GroupSearchSettings) > 0
+	}
 	return publicSettings
 }

api/http/handler/settings/settings_update.go

@@ -22,9 +22,10 @@ type settingsUpdatePayload struct {
 	// A list of label name & value that will be used to hide containers when querying containers
 	BlackListedLabels []portainer.Pair
 	// Active authentication method for the Portainer instance. Valid values are: 1 for internal, 2 for LDAP, or 3 for oauth
-	AuthenticationMethod *int                     `example:"1"`
-	LDAPSettings         *portainer.LDAPSettings  `example:""`
-	OAuthSettings        *portainer.OAuthSettings `example:""`
+	AuthenticationMethod *int                            `example:"1"`
+	InternalAuthSettings *portainer.InternalAuthSettings `example:""`
+	LDAPSettings         *portainer.LDAPSettings         `example:""`
+	OAuthSettings        *portainer.OAuthSettings        `example:""`
 	// The interval in which environment(endpoint) snapshots are created
 	SnapshotInterval *string `example:"5m"`
 	// URL to the templates that will be displayed in the UI when navigating to App Templates
@@ -153,6 +154,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.BlackListedLabels = payload.BlackListedLabels
 	}
 
+	if payload.InternalAuthSettings != nil {
+		settings.InternalAuthSettings.RequiredPasswordLength = payload.InternalAuthSettings.RequiredPasswordLength
+	}
+
 	if payload.LDAPSettings != nil {
 		ldapReaderDN := settings.LDAPSettings.ReaderDN
 		ldapPassword := settings.LDAPSettings.Password

api/http/handler/stacks/stack_update_git.go

@@ -18,6 +18,7 @@ import (
 type stackGitUpdatePayload struct {
 	AutoUpdate               *portainer.StackAutoUpdate
 	Env                      []portainer.Pair
+	Prune                    bool
 	RepositoryReferenceName  string
 	RepositoryAuthentication bool
 	RepositoryUsername       string
@@ -131,6 +132,12 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 	stack.UpdatedBy = user.Username
 	stack.UpdateDate = time.Now().Unix()
 
+	if stack.Type == portainer.DockerSwarmStack {
+		stack.Option = &portainer.StackOption{
+			Prune: payload.Prune,
+		}
+	}
+
 	if payload.RepositoryAuthentication {
 		password := payload.RepositoryPassword
 		if password == "" && stack.GitConfig != nil && stack.GitConfig.Authentication != nil {

api/http/handler/stacks/stack_update_git_redeploy.go

@@ -24,6 +24,7 @@ type stackGitRedployPayload struct {
 	RepositoryUsername       string
 	RepositoryPassword       string
 	Env                      []portainer.Pair
+	Prune                    bool
 }
 
 func (payload *stackGitRedployPayload) Validate(r *http.Request) error {
@@ -118,6 +119,11 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 
 	stack.GitConfig.ReferenceName = payload.RepositoryReferenceName
 	stack.Env = payload.Env
+	if stack.Type == portainer.DockerSwarmStack {
+		stack.Option = &portainer.StackOption{
+			Prune: payload.Prune,
+		}
+	}
 
 	backupProjectPath := fmt.Sprintf("%s-old", stack.ProjectPath)
 	err = filesystem.MoveDirectory(stack.ProjectPath, backupProjectPath)
@@ -187,7 +193,11 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 func (handler *Handler) deployStack(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) *httperror.HandlerError {
 	switch stack.Type {
 	case portainer.DockerSwarmStack:
-		config, httpErr := handler.createSwarmDeployConfig(r, stack, endpoint, false)
+		prune := false
+		if stack.Option != nil {
+			prune = stack.Option.Prune
+		}
+		config, httpErr := handler.createSwarmDeployConfig(r, stack, endpoint, prune)
 		if httpErr != nil {
 			return httpErr
 		}

api/http/handler/teammemberships/handler.go

@@ -21,14 +21,13 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router: mux.NewRouter(),
 	}
-	h.Handle("/team_memberships",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMembershipCreate))).Methods(http.MethodPost)
-	h.Handle("/team_memberships",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMembershipList))).Methods(http.MethodGet)
-	h.Handle("/team_memberships/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMembershipUpdate))).Methods(http.MethodPut)
-	h.Handle("/team_memberships/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMembershipDelete))).Methods(http.MethodDelete)
+
+	h.Use(bouncer.TeamLeaderAccess)
+
+	h.Handle("/team_memberships", httperror.LoggerHandler(h.teamMembershipCreate)).Methods(http.MethodPost)
+	h.Handle("/team_memberships", httperror.LoggerHandler(h.teamMembershipList)).Methods(http.MethodGet)
+	h.Handle("/team_memberships/{id}", httperror.LoggerHandler(h.teamMembershipUpdate)).Methods(http.MethodPut)
+	h.Handle("/team_memberships/{id}", httperror.LoggerHandler(h.teamMembershipDelete)).Methods(http.MethodDelete)
 
 	return h
 }

api/http/handler/teammemberships/teammembership_list.go

@@ -5,8 +5,6 @@ import (
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
 )
 
 // @id TeamMembershipList
@@ -23,15 +21,6 @@ import (
 // @failure 500 "Server error"
 // @router /team_memberships [get]
 func (handler *Handler) teamMembershipList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	if !securityContext.IsAdmin && !securityContext.IsTeamLeader {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to list team memberships", errors.ErrResourceAccessDenied}
-	}
-
 	memberships, err := handler.DataStore.TeamMembership().TeamMemberships()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve team memberships from the database", err}

api/http/handler/teammemberships/teammembership_update.go

@@ -36,8 +36,8 @@ func (payload *teamMembershipUpdatePayload) Validate(r *http.Request) error {
 
 // @id TeamMembershipUpdate
 // @summary Update a team membership
-// @description Update a team membership. Access is only available to administrators leaders of the associated team.
-// @description **Access policy**: administrator
+// @description Update a team membership. Access is only available to administrators or leaders of the associated team.
+// @description **Access policy**: administrator or leaders of the associated team
 // @tags team_memberships
 // @security ApiKeyAuth
 // @security jwt
@@ -63,15 +63,6 @@ func (handler *Handler) teamMembershipUpdate(w http.ResponseWriter, r *http.Requ
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}
 
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	if !security.AuthorizedTeamManagement(portainer.TeamID(payload.TeamID), securityContext) {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the membership", httperrors.ErrResourceAccessDenied}
-	}
-
 	membership, err := handler.DataStore.TeamMembership().TeamMembership(portainer.TeamMembershipID(membershipID))
 	if handler.DataStore.IsErrObjectNotFound(err) {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a team membership with the specified identifier inside the database", err}
@@ -79,8 +70,15 @@ func (handler *Handler) teamMembershipUpdate(w http.ResponseWriter, r *http.Requ
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a team membership with the specified identifier inside the database", err}
 	}
 
-	if securityContext.IsTeamLeader && membership.Role != portainer.MembershipRole(payload.Role) {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the role of membership", httperrors.ErrResourceAccessDenied}
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	isLeadingBothTeam := security.AuthorizedTeamManagement(portainer.TeamID(payload.TeamID), securityContext) &&
+		security.AuthorizedTeamManagement(membership.TeamID, securityContext)
+	if !(securityContext.IsAdmin || isLeadingBothTeam) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the membership", httperrors.ErrResourceAccessDenied}
 	}
 
 	membership.UserID = portainer.UserID(payload.UserID)

api/http/handler/teams/handler.go

@@ -20,18 +20,22 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router: mux.NewRouter(),
 	}
-	h.Handle("/teams",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamCreate))).Methods(http.MethodPost)
-	h.Handle("/teams",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.teamList))).Methods(http.MethodGet)
-	h.Handle("/teams/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamInspect))).Methods(http.MethodGet)
-	h.Handle("/teams/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamUpdate))).Methods(http.MethodPut)
-	h.Handle("/teams/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamDelete))).Methods(http.MethodDelete)
-	h.Handle("/teams/{id}/memberships",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMemberships))).Methods(http.MethodGet)
+
+	adminRouter := h.NewRoute().Subrouter()
+	adminRouter.Use(bouncer.AdminAccess)
+
+	restrictedRouter := h.NewRoute().Subrouter()
+	restrictedRouter.Use(bouncer.RestrictedAccess)
+
+	teamLeaderRouter := h.NewRoute().Subrouter()
+	teamLeaderRouter.Use(bouncer.TeamLeaderAccess)
+
+	adminRouter.Handle("/teams", httperror.LoggerHandler(h.teamCreate)).Methods(http.MethodPost)
+	restrictedRouter.Handle("/teams", httperror.LoggerHandler(h.teamList)).Methods(http.MethodGet)
+	teamLeaderRouter.Handle("/teams/{id}", httperror.LoggerHandler(h.teamInspect)).Methods(http.MethodGet)
+	adminRouter.Handle("/teams/{id}", httperror.LoggerHandler(h.teamUpdate)).Methods(http.MethodPut)
+	adminRouter.Handle("/teams/{id}", httperror.LoggerHandler(h.teamDelete)).Methods(http.MethodDelete)
+	teamLeaderRouter.Handle("/teams/{id}/memberships", httperror.LoggerHandler(h.teamMemberships)).Methods(http.MethodGet)
 
 	return h
 }

api/http/handler/teams/team_create.go

@@ -14,6 +14,8 @@ import (
 type teamCreatePayload struct {
 	// Name
 	Name string `example:"developers" validate:"required"`
+	// TeamLeaders
+	TeamLeaders []portainer.UserID `example:"3,5"`
 }
 
 func (payload *teamCreatePayload) Validate(r *http.Request) error {
@@ -62,5 +64,18 @@ func (handler *Handler) teamCreate(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the team inside the database", err}
 	}
 
+	for _, teamLeader := range payload.TeamLeaders {
+		membership := &portainer.TeamMembership{
+			UserID: teamLeader,
+			TeamID: team.ID,
+			Role:   portainer.TeamLeader,
+		}
+
+		err = handler.DataStore.TeamMembership().Create(membership)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team leadership inside the database", err}
+		}
+	}
+
 	return response.JSON(w, team)
 }

api/http/handler/users/admin_init.go

@@ -9,7 +9,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type adminInitPayload struct {
@@ -58,7 +57,7 @@ func (handler *Handler) adminInit(w http.ResponseWriter, r *http.Request) *httpe
 		return &httperror.HandlerError{http.StatusConflict, "Unable to create administrator user", errAdminAlreadyInitialized}
 	}
 
-	if !passwordutils.StrengthCheck(payload.Password) {
+	if !handler.passwordStrengthChecker.Check(payload.Password) {
 		return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
 	}
 

api/http/handler/users/handler.go

@@ -31,45 +31,51 @@ func hideFields(user *portainer.User) {
 // Handler is the HTTP handler used to handle user operations.
 type Handler struct {
 	*mux.Router
-	bouncer       *security.RequestBouncer
-	apiKeyService apikey.APIKeyService
-	demoService   *demo.Service
-	DataStore     dataservices.DataStore
-	CryptoService portainer.CryptoService
+	bouncer                 *security.RequestBouncer
+	apiKeyService           apikey.APIKeyService
+	demoService             *demo.Service
+	DataStore               dataservices.DataStore
+	CryptoService           portainer.CryptoService
+	passwordStrengthChecker security.PasswordStrengthChecker
 }
 
 // NewHandler creates a handler to manage user operations.
-func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, apiKeyService apikey.APIKeyService, demoService *demo.Service) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, apiKeyService apikey.APIKeyService, demoService *demo.Service, passwordStrengthChecker security.PasswordStrengthChecker) *Handler {
 	h := &Handler{
-		Router:        mux.NewRouter(),
-		bouncer:       bouncer,
-		apiKeyService: apiKeyService,
-		demoService:   demoService,
+		Router:                  mux.NewRouter(),
+		bouncer:                 bouncer,
+		apiKeyService:           apiKeyService,
+		demoService:             demoService,
+		passwordStrengthChecker: passwordStrengthChecker,
 	}
-	h.Handle("/users",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.userCreate))).Methods(http.MethodPost)
-	h.Handle("/users",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.userList))).Methods(http.MethodGet)
-	h.Handle("/users/{id}",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.userInspect))).Methods(http.MethodGet)
-	h.Handle("/users/{id}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.userUpdate))).Methods(http.MethodPut)
-	h.Handle("/users/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.userDelete))).Methods(http.MethodDelete)
-	h.Handle("/users/{id}/tokens",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.userGetAccessTokens))).Methods(http.MethodGet)
-	h.Handle("/users/{id}/tokens",
-		rateLimiter.LimitAccess(bouncer.RestrictedAccess(httperror.LoggerHandler(h.userCreateAccessToken)))).Methods(http.MethodPost)
-	h.Handle("/users/{id}/tokens/{keyID}",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.userRemoveAccessToken))).Methods(http.MethodDelete)
-	h.Handle("/users/{id}/memberships",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.userMemberships))).Methods(http.MethodGet)
-	h.Handle("/users/{id}/passwd",
-		rateLimiter.LimitAccess(bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.userUpdatePassword)))).Methods(http.MethodPut)
-	h.Handle("/users/admin/check",
-		bouncer.PublicAccess(httperror.LoggerHandler(h.adminCheck))).Methods(http.MethodGet)
-	h.Handle("/users/admin/init",
-		bouncer.PublicAccess(httperror.LoggerHandler(h.adminInit))).Methods(http.MethodPost)
+
+	adminRouter := h.NewRoute().Subrouter()
+	adminRouter.Use(bouncer.AdminAccess)
+
+	teamLeaderRouter := h.NewRoute().Subrouter()
+	teamLeaderRouter.Use(bouncer.TeamLeaderAccess)
+
+	restrictedRouter := h.NewRoute().Subrouter()
+	restrictedRouter.Use(bouncer.RestrictedAccess)
+
+	authenticatedRouter := h.NewRoute().Subrouter()
+	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
+
+	publicRouter := h.NewRoute().Subrouter()
+	publicRouter.Use(bouncer.PublicAccess)
+
+	adminRouter.Handle("/users", httperror.LoggerHandler(h.userCreate)).Methods(http.MethodPost)
+	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
+	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
+	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
+	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)
+	restrictedRouter.Handle("/users/{id}/tokens", httperror.LoggerHandler(h.userGetAccessTokens)).Methods(http.MethodGet)
+	restrictedRouter.Handle("/users/{id}/tokens", rateLimiter.LimitAccess(httperror.LoggerHandler(h.userCreateAccessToken))).Methods(http.MethodPost)
+	restrictedRouter.Handle("/users/{id}/tokens/{keyID}", httperror.LoggerHandler(h.userRemoveAccessToken)).Methods(http.MethodDelete)
+	restrictedRouter.Handle("/users/{id}/memberships", httperror.LoggerHandler(h.userMemberships)).Methods(http.MethodGet)
+	authenticatedRouter.Handle("/users/{id}/passwd", rateLimiter.LimitAccess(httperror.LoggerHandler(h.userUpdatePassword))).Methods(http.MethodPut)
+	publicRouter.Handle("/users/admin/check", httperror.LoggerHandler(h.adminCheck)).Methods(http.MethodGet)
+	publicRouter.Handle("/users/admin/init", httperror.LoggerHandler(h.adminInit)).Methods(http.MethodPost)
 
 	return h
 }

api/http/handler/users/user_create.go

@@ -9,9 +9,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
-	httperrors "github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type userCreatePayload struct {
@@ -35,8 +32,7 @@ func (payload *userCreatePayload) Validate(r *http.Request) error {
 // @id UserCreate
 // @summary Create a new user
 // @description Create a new Portainer user.
-// @description Only team leaders and administrators can create users.
-// @description Only administrators can create an administrator user account.
+// @description Only administrators can create users.
 // @description **Access policy**: restricted
 // @tags users
 // @security ApiKeyAuth
@@ -57,19 +53,6 @@ func (handler *Handler) userCreate(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}
 
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	if !securityContext.IsAdmin && !securityContext.IsTeamLeader {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to create user", httperrors.ErrResourceAccessDenied}
-	}
-
-	if securityContext.IsTeamLeader && payload.Role == 1 {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to create administrator user", httperrors.ErrResourceAccessDenied}
-	}
-
 	user, err := handler.DataStore.User().UserByUsername(payload.Username)
 	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve users from the database", err}
@@ -95,7 +78,7 @@ func (handler *Handler) userCreate(w http.ResponseWriter, r *http.Request) *http
 	}
 
 	if settings.AuthenticationMethod == portainer.AuthenticationInternal {
-		if !passwordutils.StrengthCheck(payload.Password) {
+		if !handler.passwordStrengthChecker.Check(payload.Password) {
 			return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
 		}
 

api/http/handler/users/user_create_access_token_test.go

@@ -39,8 +39,9 @@ func Test_userCreateAccessToken(t *testing.T) {
 	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
 	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)
 
-	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil)
+	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil, passwordChecker)
 	h.DataStore = store
 
 	// generate standard and admin user tokens

api/http/handler/users/user_delete_test.go

@@ -31,8 +31,9 @@ func Test_deleteUserRemovesAccessTokens(t *testing.T) {
 	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
 	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)
 
-	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil)
+	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil, passwordChecker)
 	h.DataStore = store
 
 	t.Run("standard user deletion removes all associated access tokens", func(t *testing.T) {

api/http/handler/users/user_get_access_tokens_test.go

@@ -38,8 +38,9 @@ func Test_userGetAccessTokens(t *testing.T) {
 	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
 	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)
 
-	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil)
+	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil, passwordChecker)
 	h.DataStore = store
 
 	// generate standard and admin user tokens

api/http/handler/users/user_remove_access_token_test.go

@@ -36,8 +36,9 @@ func Test_userRemoveAccessToken(t *testing.T) {
 	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
 	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)
 
-	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil)
+	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil, passwordChecker)
 	h.DataStore = store
 
 	// generate standard and admin user tokens

api/http/handler/users/user_update_password.go

@@ -12,7 +12,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type userUpdatePasswordPayload struct {
@@ -83,10 +82,10 @@ func (handler *Handler) userUpdatePassword(w http.ResponseWriter, r *http.Reques
 
 	err = handler.CryptoService.CompareHashAndData(user.Password, payload.Password)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Specified password do not match actual password", httperrors.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusForbidden, "Current password doesn't match", errors.New("Current password does not match the password provided. Please try again")}
 	}
 
-	if !passwordutils.StrengthCheck(payload.NewPassword) {
+	if !handler.passwordStrengthChecker.Check(payload.NewPassword) {
 		return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
 	}
 

api/http/handler/users/user_update_test.go

@@ -31,8 +31,9 @@ func Test_updateUserRemovesAccessTokens(t *testing.T) {
 	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
 	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
+	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)
 
-	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil)
+	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, nil, passwordChecker)
 	h.DataStore = store
 
 	t.Run("standard user deletion removes all associated access tokens", func(t *testing.T) {

api/http/proxy/factory/docker/registry.go

@@ -23,7 +23,7 @@ type (
 	}
 
 	portainerRegistryAuthenticationHeader struct {
-		RegistryId portainer.RegistryID `json:"registryId"`
+		RegistryId *portainer.RegistryID `json:"registryId"`
 	}
 )
 

api/http/proxy/factory/docker/transport.go

@@ -446,7 +446,20 @@ func (transport *Transport) decorateRegistryAuthenticationHeader(request *http.R
 			return err
 		}
 
-		authenticationHeader, err := createRegistryAuthenticationHeader(transport.dataStore, originalHeaderData.RegistryId, accessContext)
+		// delete header and exist function without error if Front End
+		// passes empty json. This is to restore original behavior which
+		// never originally passed this header
+		if string(decodedHeaderData) == "{}" {
+			request.Header.Del("X-Registry-Auth")
+			return nil
+		}
+
+		// only set X-Registry-Auth if registryId is defined
+		if originalHeaderData.RegistryId == nil {
+			return nil
+		}
+
+		authenticationHeader, err := createRegistryAuthenticationHeader(transport.dataStore, *originalHeaderData.RegistryId, accessContext)
 		if err != nil {
 			return err
 		}

api/http/security/authorization.go

@@ -103,6 +103,16 @@ func AuthorizedTeamManagement(teamID portainer.TeamID, context *RestrictedReques
 	return false
 }
 
+// AuthorizedIsTeamLeader ensure that the user is an admin or a team leader
+func AuthorizedIsTeamLeader(context *RestrictedRequestContext) bool {
+	return context.IsAdmin || context.IsTeamLeader
+}
+
+// AuthorizedIsAdmin ensure that the user is an admin
+func AuthorizedIsAdmin(context *RestrictedRequestContext) bool {
+	return context.IsAdmin
+}
+
 // authorizedEndpointAccess ensure that the user can access the specified environment(endpoint).
 // It will check if the user is part of the authorized users or part of a team that is
 // listed in the authorized teams of the environment(endpoint) and the associated group.

api/http/security/bouncer.go

@@ -78,6 +78,19 @@ func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler {
 	return h
 }
 
+// TeamLeaderAccess defines a security check for APIs require team leader privilege
+//
+// Bouncer operations are applied backwards:
+//  - Parse the JWT from the request and stored in context, user has to be authenticated
+//  - Upgrade to the restricted request
+//  - User is admin or team leader
+func (bouncer *RequestBouncer) TeamLeaderAccess(h http.Handler) http.Handler {
+	h = bouncer.mwIsTeamLeader(h)
+	h = bouncer.mwUpgradeToRestrictedRequest(h)
+	h = bouncer.mwAuthenticatedUser(h)
+	return h
+}
+
 // AuthenticatedAccess defines a security check for restricted API environments(endpoints).
 // Authentication is required to access these environments(endpoints).
 // The request context will be enhanced with a RestrictedRequestContext object
@@ -219,6 +232,24 @@ func (bouncer *RequestBouncer) mwUpgradeToRestrictedRequest(next http.Handler) h
 	})
 }
 
+// mwIsTeamLeader will verify that the user is an admin or a team leader
+func (bouncer *RequestBouncer) mwIsTeamLeader(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		securityContext, err := RetrieveRestrictedRequestContext(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve restricted request context ", err)
+			return
+		}
+
+		if !securityContext.IsAdmin && !securityContext.IsTeamLeader {
+			httperror.WriteError(w, http.StatusForbidden, "Access denied", httperrors.ErrUnauthorized)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
 // mwAuthenticateFirst authenticates a request an auth token.
 // A result of a first succeded token lookup would be used for the authentication.
 func (bouncer *RequestBouncer) mwAuthenticateFirst(tokenLookups []tokenLookup, next http.Handler) http.Handler {

api/http/security/filter.go

@@ -81,11 +81,11 @@ func FilterRegistries(registries []portainer.Registry, user *portainer.User, tea
 }
 
 // FilterEndpoints filters environments(endpoints) based on user role and team memberships.
-// Non administrator users only have access to authorized environments(endpoints) (can be inherited via endpoint groups).
+// Non administrator and non-team-leader only have access to authorized environments(endpoints) (can be inherited via endpoint groups).
 func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.Endpoint {
 	filteredEndpoints := endpoints
 
-	if !context.IsAdmin {
+	if !context.IsAdmin && !context.IsTeamLeader {
 		filteredEndpoints = make([]portainer.Endpoint, 0)
 
 		for _, endpoint := range endpoints {
@@ -101,11 +101,11 @@ func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.Endpoint
 }
 
 // FilterEndpointGroups filters environment(endpoint) groups based on user role and team memberships.
-// Non administrator users only have access to authorized environment(endpoint) groups.
+// Non administrator users and Non-team-leaders only have access to authorized environment(endpoint) groups.
 func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.EndpointGroup {
 	filteredEndpointGroups := endpointGroups
 
-	if !context.IsAdmin {
+	if !context.IsAdmin && !context.IsTeamLeader {
 		filteredEndpointGroups = make([]portainer.EndpointGroup, 0)
 
 		for _, group := range endpointGroups {

api/http/security/passwordStrengthCheck.go

@@ -0,0 +1,35 @@
+package security
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/sirupsen/logrus"
+)
+
+type PasswordStrengthChecker interface {
+	Check(password string) bool
+}
+
+type passwordStrengthChecker struct {
+	settings settingsService
+}
+
+func NewPasswordStrengthChecker(settings settingsService) *passwordStrengthChecker {
+	return &passwordStrengthChecker{
+		settings: settings,
+	}
+}
+
+// Check returns true if the password is strong enough
+func (c *passwordStrengthChecker) Check(password string) bool {
+	s, err := c.settings.Settings()
+	if err != nil {
+		logrus.WithError(err).Warn("failed to fetch Portainer settings to validate user password")
+		return true
+	}
+
+	return len(password) >= s.InternalAuthSettings.RequiredPasswordLength
+}
+
+type settingsService interface {
+	Settings() (*portainer.Settings, error)
+}

api/http/security/passwordStrengthCheck_test.go

@@ -1,8 +1,14 @@
-package passwordutils
+package security
 
-import "testing"
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+)
 
 func TestStrengthCheck(t *testing.T) {
+	checker := NewPasswordStrengthChecker(settingsStub{minLength: 12})
+
 	type args struct {
 		password string
 	}
@@ -23,9 +29,21 @@ func TestStrengthCheck(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if gotStrong := StrengthCheck(tt.args.password); gotStrong != tt.wantStrong {
+			if gotStrong := checker.Check(tt.args.password); gotStrong != tt.wantStrong {
 				t.Errorf("StrengthCheck() = %v, want %v", gotStrong, tt.wantStrong)
 			}
 		})
 	}
 }
+
+type settingsStub struct {
+	minLength int
+}
+
+func (s settingsStub) Settings() (*portainer.Settings, error) {
+	return &portainer.Settings{
+		InternalAuthSettings: portainer.InternalAuthSettings{
+			RequiredPasswordLength: s.minLength,
+		},
+	}, nil
+}

api/http/server.go

@@ -111,7 +111,9 @@ func (server *Server) Start() error {
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
 	offlineGate := offlinegate.NewOfflineGate()
 
-	var authHandler = auth.NewHandler(requestBouncer, rateLimiter)
+	passwordStrengthChecker := security.NewPasswordStrengthChecker(server.DataStore.Settings())
+
+	var authHandler = auth.NewHandler(requestBouncer, rateLimiter, passwordStrengthChecker)
 	authHandler.DataStore = server.DataStore
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
@@ -254,7 +256,7 @@ func (server *Server) Start() error {
 	var uploadHandler = upload.NewHandler(requestBouncer)
 	uploadHandler.FileService = server.FileService
 
-	var userHandler = users.NewHandler(requestBouncer, rateLimiter, server.APIKeyService, server.DemoService)
+	var userHandler = users.NewHandler(requestBouncer, rateLimiter, server.APIKeyService, server.DemoService, passwordStrengthChecker)
 	userHandler.DataStore = server.DataStore
 	userHandler.CryptoService = server.CryptoService
 

api/internal/passwordutils/strengthCheck.go

@@ -1,11 +0,0 @@
-package passwordutils
-
-const MinPasswordLen = 12
-
-func lengthCheck(password string) bool {
-	return len(password) >= MinPasswordLen
-}
-
-func StrengthCheck(password string) bool {
-	return lengthCheck(password)
-}

api/internal/registryutils/ecr_reg_token.go

@@ -37,7 +37,7 @@ func parseRegToken(registry *portainer.Registry) (username, password string, err
 func EnsureRegTokenValid(dataStore dataservices.DataStore, registry *portainer.Registry) (err error) {
 	if registry.Type == portainer.EcrRegistry {
 		if isRegTokenValid(registry) {
-			log.Println("[DEBUG] [registry, GetEcrAccessToken] [message: curretn ECR token is still valid]")
+			log.Println("[DEBUG] [registry, GetEcrAccessToken] [message: current ECR token is still valid]")
 		} else {
 			err = doGetRegToken(dataStore, registry)
 			if err != nil {

api/internal/snapshot/snapshot.go

@@ -188,24 +188,17 @@ func (service *Service) snapshotEndpoints() error {
 
 // FetchDockerID fetches info.Swarm.Cluster.ID if environment(endpoint) is swarm and info.ID otherwise
 func FetchDockerID(snapshot portainer.DockerSnapshot) (string, error) {
-	info, done := snapshot.SnapshotRaw.Info.(map[string]interface{})
-	if !done {
-		return "", errors.New("failed getting snapshot info")
-	}
+	info := snapshot.SnapshotRaw.Info
 
 	if !snapshot.Swarm {
-		return info["ID"].(string), nil
+		return info.ID, nil
 	}
 
-	if info["Swarm"] == nil {
-		return "", errors.New("swarm environment is missing swarm info snapshot")
-	}
-
-	swarmInfo := info["Swarm"].(map[string]interface{})
-	if swarmInfo["Cluster"] == nil {
+	swarmInfo := info.Swarm
+	if swarmInfo.Cluster == nil {
 		return "", errors.New("swarm environment is missing cluster info snapshot")
 	}
 
-	clusterInfo := swarmInfo["Cluster"].(map[string]interface{})
-	return clusterInfo["ID"].(string), nil
+	clusterInfo := swarmInfo.Cluster
+	return clusterInfo.ID, nil
 }

api/oauth/oauth.go

@@ -3,16 +3,18 @@ package oauth
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
-	"log"
 	"mime"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"golang.org/x/oauth2"
 
+	"github.com/golang-jwt/jwt"
+	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
+	log "github.com/sirupsen/logrus"
 )
 
 // Service represents a service used to authenticate users against an authorization server
@@ -29,17 +31,39 @@ func NewService() *Service {
 func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
 	token, err := getOAuthToken(code, configuration)
 	if err != nil {
-		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
+		log.Debugf("[internal,oauth] [message: failed retrieving oauth token: %v]", err)
 		return "", err
 	}
-	username, err := getUsername(token.AccessToken, configuration)
+
+	idToken, err := getIdToken(token)
 	if err != nil {
-		log.Printf("[DEBUG] - Failed retrieving oauth user name: %v", err)
+		log.Debugf("[internal,oauth] [message: failed parsing id_token: %v]", err)
+	}
+
+	resource, err := getResource(token.AccessToken, configuration)
+	if err != nil {
+		log.Debugf("[internal,oauth] [message: failed retrieving resource: %v]", err)
+		return "", err
+	}
+
+	resource = mergeSecondIntoFirst(idToken, resource)
+
+	username, err := getUsername(resource, configuration)
+	if err != nil {
+		log.Debugf("[internal,oauth] [message: failed retrieving username: %v]", err)
 		return "", err
 	}
 	return username, nil
 }
 
+// mergeSecondIntoFirst merges the overlap map into the base overwriting any existing values.
+func mergeSecondIntoFirst(base map[string]interface{}, overlap map[string]interface{}) map[string]interface{} {
+	for k, v := range overlap {
+		base[k] = v
+	}
+	return base
+}
+
 func getOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2.Token, error) {
 	unescapedCode, err := url.QueryUnescape(code)
 	if err != nil {
@@ -55,27 +79,55 @@ func getOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2
 	return token, nil
 }
 
-func getUsername(token string, configuration *portainer.OAuthSettings) (string, error) {
+// getIdToken retrieves parsed id_token from the OAuth token response.
+// This is necessary for OAuth providers like Azure
+// that do not provide information about user groups on the user resource endpoint.
+func getIdToken(token *oauth2.Token) (map[string]interface{}, error) {
+	tokenData := make(map[string]interface{})
+
+	idToken := token.Extra("id_token")
+	if idToken == nil {
+		return tokenData, nil
+	}
+
+	jwtParser := jwt.Parser{
+		SkipClaimsValidation: true,
+	}
+
+	t, _, err := jwtParser.ParseUnverified(idToken.(string), jwt.MapClaims{})
+	if err != nil {
+		return tokenData, errors.Wrap(err, "failed to parse id_token")
+	}
+
+	if claims, ok := t.Claims.(jwt.MapClaims); ok {
+		for k, v := range claims {
+			tokenData[k] = v
+		}
+	}
+	return tokenData, nil
+}
+
+func getResource(token string, configuration *portainer.OAuthSettings) (map[string]interface{}, error) {
 	req, err := http.NewRequest("GET", configuration.ResourceURI, nil)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	client := &http.Client{}
 	req.Header.Set("Authorization", "Bearer "+token)
 	resp, err := client.Do(req)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	defer resp.Body.Close()
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return "", &oauth2.RetrieveError{
+		return nil, &oauth2.RetrieveError{
 			Response: resp,
 			Body:     body,
 		}
@@ -83,47 +135,32 @@ func getUsername(token string, configuration *portainer.OAuthSettings) (string,
 
 	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
 		values, err := url.ParseQuery(string(body))
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 
-		username := values.Get(configuration.UserIdentifier)
-		if username == "" {
-			return username, &oauth2.RetrieveError{
-				Response: resp,
-				Body:     body,
+		datamap := make(map[string]interface{})
+		for k, v := range values {
+			if len(v) == 0 {
+				datamap[k] = ""
+			} else {
+				datamap[k] = v[0]
 			}
 		}
-
-		return username, nil
+		return datamap, nil
 	}
 
 	var datamap map[string]interface{}
 	if err = json.Unmarshal(body, &datamap); err != nil {
-		return "", err
+		return nil, err
 	}
 
-	username, ok := datamap[configuration.UserIdentifier].(string)
-	if ok && username != "" {
-		return username, nil
-	}
-
-	if !ok {
-		username, ok := datamap[configuration.UserIdentifier].(float64)
-		if ok && username != 0 {
-			return fmt.Sprint(int(username)), nil
-		}
-	}
-
-	return "", &oauth2.RetrieveError{
-		Response: resp,
-		Body:     body,
-	}
+	return datamap, nil
 }
 
 func buildConfig(configuration *portainer.OAuthSettings) *oauth2.Config {
@@ -137,6 +174,6 @@ func buildConfig(configuration *portainer.OAuthSettings) *oauth2.Config {
 		ClientSecret: configuration.ClientSecret,
 		Endpoint:     endpoint,
 		RedirectURL:  configuration.RedirectURI,
-		Scopes:       []string{configuration.Scopes},
+		Scopes:       strings.Split(configuration.Scopes, ","),
 	}
 }

api/oauth/oauth_resource.go

@@ -0,0 +1,24 @@
+package oauth
+
+import (
+	"errors"
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+func getUsername(datamap map[string]interface{}, configuration *portainer.OAuthSettings) (string, error) {
+	username, ok := datamap[configuration.UserIdentifier].(string)
+	if ok && username != "" {
+		return username, nil
+	}
+
+	if !ok {
+		username, ok := datamap[configuration.UserIdentifier].(float64)
+		if ok && username != 0 {
+			return fmt.Sprint(int(username)), nil
+		}
+	}
+
+	return "", errors.New("failed to extract username from oauth resource")
+}

api/oauth/oauth_resource_test.go

@@ -0,0 +1,80 @@
+package oauth
+
+import (
+	"testing"
+
+	portaineree "github.com/portainer/portainer/api"
+)
+
+func Test_getUsername(t *testing.T) {
+	t.Run("fails for non-matching user identifier", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"name": "john"}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err == nil {
+			t.Errorf("getUsername should fail if user identifier doesn't exist as key in oauth userinfo object")
+		}
+	})
+
+	t.Run("fails if username is empty string", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": ""}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err == nil {
+			t.Errorf("getUsername should fail if username from oauth userinfo object is empty string")
+		}
+	})
+
+	t.Run("fails if username is 0 int", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": 0}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err == nil {
+			t.Errorf("getUsername should fail if username from oauth userinfo object is 0 val int")
+		}
+	})
+
+	t.Run("fails if username is negative int", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": -1}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err == nil {
+			t.Errorf("getUsername should fail if username from oauth userinfo object is -1 (negative) int")
+		}
+	})
+
+	t.Run("succeeds if username is matched and is not empty", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": "john"}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err != nil {
+			t.Errorf("getUsername should succeed if username from oauth userinfo object matched and non-empty")
+		}
+	})
+
+	// looks like a bug!?
+	t.Run("fails if username is matched and is positive int", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": 1}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err == nil {
+			t.Errorf("getUsername should fail if username from oauth userinfo object matched is positive int")
+		}
+	})
+
+	t.Run("succeeds if username is matched and is non-zero (or negative) float", func(t *testing.T) {
+		oauthSettings := &portaineree.OAuthSettings{UserIdentifier: "username"}
+		datamap := map[string]interface{}{"username": 1.1}
+
+		_, err := getUsername(datamap, oauthSettings)
+		if err != nil {
+			t.Errorf("getUsername should succeed if username from oauth userinfo object matched and non-zero (or negative)")
+		}
+	})
+}

api/oauth/oauth_test.go

@@ -0,0 +1,145 @@
+package oauth
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/oauth/oauthtest"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/oauth2"
+)
+
+func Test_getOAuthToken(t *testing.T) {
+	validCode := "valid-code"
+	srv, config := oauthtest.RunOAuthServer(validCode, &portainer.OAuthSettings{})
+	defer srv.Close()
+
+	t.Run("getOAuthToken fails upon invalid code", func(t *testing.T) {
+		code := ""
+		_, err := getOAuthToken(code, config)
+		if err == nil {
+			t.Errorf("getOAuthToken should fail upon providing invalid code; code=%v", code)
+		}
+	})
+
+	t.Run("getOAuthToken succeeds upon providing valid code", func(t *testing.T) {
+		code := validCode
+		token, err := getOAuthToken(code, config)
+
+		if token == nil || err != nil {
+			t.Errorf("getOAuthToken should successfully return access token upon providing valid code")
+		}
+	})
+}
+
+func Test_getIdToken(t *testing.T) {
+	verifiedToken := `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2NTM1NDA3MjksImV4cCI6MTY4NTA3NjcyOSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJHaXZlbk5hbWUiOiJKb2huIiwiU3VybmFtZSI6IkRvZSIsIkdyb3VwcyI6WyJGaXJzdCIsIlNlY29uZCJdfQ.GeU8XCV4Y4p5Vm-i63Aj7UP5zpb_0Zxb7-DjM2_z-s8`
+	nonVerifiedToken := `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2NTM1NDA3MjksImV4cCI6MTY4NTA3NjcyOSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJHaXZlbk5hbWUiOiJKb2huIiwiU3VybmFtZSI6IkRvZSIsIkdyb3VwcyI6WyJGaXJzdCIsIlNlY29uZCJdfQ.`
+	claims := map[string]interface{}{
+		"iss":       "Online JWT Builder",
+		"iat":       float64(1653540729),
+		"exp":       float64(1685076729),
+		"aud":       "www.example.com",
+		"sub":       "john.doe@example.com",
+		"GivenName": "John",
+		"Surname":   "Doe",
+		"Groups":    []interface{}{"First", "Second"},
+	}
+
+	tests := []struct {
+		testName       string
+		idToken        string
+		expectedResult map[string]interface{}
+		expectedError  error
+	}{
+		{
+			testName:       "should return claims if token exists and is verified",
+			idToken:        verifiedToken,
+			expectedResult: claims,
+			expectedError:  nil,
+		},
+		{
+			testName:       "should return claims if token exists but is not verified",
+			idToken:        nonVerifiedToken,
+			expectedResult: claims,
+			expectedError:  nil,
+		},
+		{
+			testName:       "should return empty map if token does not exist",
+			idToken:        "",
+			expectedResult: make(map[string]interface{}),
+			expectedError:  nil,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.testName, func(t *testing.T) {
+			token := &oauth2.Token{}
+			if tc.idToken != "" {
+				token = token.WithExtra(map[string]interface{}{"id_token": tc.idToken})
+			}
+
+			result, err := getIdToken(token)
+			assert.Equal(t, err, tc.expectedError)
+			assert.Equal(t, result, tc.expectedResult)
+		})
+	}
+}
+
+func Test_getResource(t *testing.T) {
+	srv, config := oauthtest.RunOAuthServer("", &portainer.OAuthSettings{})
+	defer srv.Close()
+
+	t.Run("should fail upon missing Authorization Bearer header", func(t *testing.T) {
+		_, err := getResource("", config)
+		if err == nil {
+			t.Errorf("getResource should fail if access token is not provided in auth bearer header")
+		}
+	})
+
+	t.Run("should fail upon providing incorrect Authorization Bearer header", func(t *testing.T) {
+		_, err := getResource("incorrect-token", config)
+		if err == nil {
+			t.Errorf("getResource should fail if incorrect access token provided in auth bearer header")
+		}
+	})
+
+	t.Run("should succeed upon providing correct Authorization Bearer header", func(t *testing.T) {
+		_, err := getResource(oauthtest.AccessToken, config)
+		if err != nil {
+			t.Errorf("getResource should succeed if correct access token provided in auth bearer header")
+		}
+	})
+}
+
+func Test_Authenticate(t *testing.T) {
+	code := "valid-code"
+	authService := NewService()
+
+	t.Run("should fail if user identifier does not get matched in resource", func(t *testing.T) {
+		srv, config := oauthtest.RunOAuthServer(code, &portainer.OAuthSettings{})
+		defer srv.Close()
+
+		_, err := authService.Authenticate(code, config)
+		if err == nil {
+			t.Error("Authenticate should fail to extract username from resource if incorrect UserIdentifier provided")
+		}
+	})
+
+	t.Run("should succeed if user identifier does get matched in resource", func(t *testing.T) {
+		config := &portainer.OAuthSettings{UserIdentifier: "username"}
+		srv, config := oauthtest.RunOAuthServer(code, config)
+		defer srv.Close()
+
+		username, err := authService.Authenticate(code, config)
+		if err != nil {
+			t.Errorf("Authenticate should succeed to extract username from resource if correct UserIdentifier provided; UserIdentifier=%s", config.UserIdentifier)
+		}
+
+		want := "test-oauth-user"
+		if username != want {
+			t.Errorf("Authenticate should return correct username; got=%s, want=%s", username, want)
+		}
+	})
+
+}

api/oauth/oauthtest/oauth_server.go

@@ -0,0 +1,96 @@
+package oauthtest
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+
+	"github.com/gorilla/mux"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	AccessToken = "test-token"
+)
+
+// OAuthRoutes is an OAuth 2.0 compliant handler
+func OAuthRoutes(code string, config *portainer.OAuthSettings) http.Handler {
+	router := mux.NewRouter()
+
+	router.HandleFunc(
+		"/authorize",
+		func(w http.ResponseWriter, req *http.Request) {
+			location := fmt.Sprintf("%s?code=%s&state=%s", config.RedirectURI, code, "anything")
+			// w.Header().Set("Location", location)
+			// w.WriteHeader(http.StatusFound)
+			http.Redirect(w, req, location, http.StatusFound)
+		},
+	).Methods(http.MethodGet)
+
+	router.HandleFunc(
+		"/access_token",
+		func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+
+			if err := req.ParseForm(); err != nil {
+				fmt.Fprintf(w, "ParseForm() err: %v", err)
+				return
+			}
+
+			reqCode := req.FormValue("code")
+			if reqCode != code {
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"token_type":   "Bearer",
+				"expires_in":   86400,
+				"access_token": AccessToken,
+				"scope":        "groups",
+			})
+		},
+	).Methods(http.MethodPost)
+
+	router.HandleFunc(
+		"/user",
+		func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+
+			authHeader := req.Header.Get("Authorization")
+			splitToken := strings.Split(authHeader, "Bearer ")
+			if len(splitToken) < 2 || splitToken[1] != AccessToken {
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"username": "test-oauth-user",
+				"groups":   "testing",
+			})
+		},
+	).Methods(http.MethodGet)
+
+	return router
+}
+
+// RunOAuthServer is a barebones OAuth 2.0 compliant test server which can be used to test OAuth 2 functionality
+func RunOAuthServer(code string, config *portainer.OAuthSettings) (*httptest.Server, *portainer.OAuthSettings) {
+	srv := httptest.NewUnstartedServer(http.DefaultServeMux)
+
+	addr := srv.Listener.Addr()
+
+	config.AuthorizationURI = fmt.Sprintf("http://%s/authorize", addr)
+	config.AccessTokenURI = fmt.Sprintf("http://%s/access_token", addr)
+	config.ResourceURI = fmt.Sprintf("http://%s/user", addr)
+	config.RedirectURI = fmt.Sprintf("http://%s/", addr)
+
+	srv.Config.Handler = OAuthRoutes(code, config)
+	srv.Start()
+
+	return srv, config
+}

api/portainer.go

@@ -5,6 +5,8 @@ import (
 	"io"
 	"time"
 
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/volume"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	v1 "k8s.io/api/core/v1"
 )
@@ -128,6 +130,14 @@ type (
 		SecretKeyName             *string
 	}
 
+	// CustomTemplateVariableDefinition
+	CustomTemplateVariableDefinition struct {
+		Name         string `json:"name" example:"MY_VAR"`
+		Label        string `json:"label" example:"My Variable"`
+		DefaultValue string `json:"defaultValue" example:"default value"`
+		Description  string `json:"description" example:"Description"`
+	}
+
 	// CustomTemplate represents a custom template
 	CustomTemplate struct {
 		// CustomTemplate Identifier
@@ -152,6 +162,7 @@ type (
 		// Type of created stack (1 - swarm, 2 - compose)
 		Type            StackType        `json:"Type" example:"1"`
 		ResourceControl *ResourceControl `json:"ResourceControl"`
+		Variables       []CustomTemplateVariableDefinition
 	}
 
 	// CustomTemplateID represents a custom template identifier
@@ -188,18 +199,17 @@ type (
 		StackCount              int               `json:"StackCount"`
 		SnapshotRaw             DockerSnapshotRaw `json:"DockerSnapshotRaw"`
 		NodeCount               int               `json:"NodeCount"`
-		GpuUseAll               bool              `json:"GpuUseAll"`
-		GpuUseList              []string          `json:"GpuUseList"`
 	}
 
 	// DockerSnapshotRaw represents all the information related to a snapshot as returned by the Docker API
+
 	DockerSnapshotRaw struct {
-		Containers interface{} `json:"Containers"`
-		Volumes    interface{} `json:"Volumes"`
-		Networks   interface{} `json:"Networks"`
-		Images     interface{} `json:"Images"`
-		Info       interface{} `json:"Info"`
-		Version    interface{} `json:"Version"`
+		Containers []types.Container       `json:"Containers" swaggerignore:"true"`
+		Volumes    volume.VolumeListOKBody `json:"Volumes" swaggerignore:"true"`
+		Networks   []types.NetworkResource `json:"Networks" swaggerignore:"true"`
+		Images     []types.ImageSummary    `json:"Images" swaggerignore:"true"`
+		Info       types.Info              `json:"Info" swaggerignore:"true"`
+		Version    types.Version           `json:"Version" swaggerignore:"true"`
 	}
 
 	// EdgeGroup represents an Edge group
@@ -300,7 +310,6 @@ type (
 		GroupID EndpointGroupID `json:"GroupId" example:"1"`
 		// URL or IP address where exposed containers will be reachable
 		PublicURL        string           `json:"PublicURL" example:"docker.mydomain.tld:2375"`
-		Gpus             []Pair           `json:"Gpus"`
 		TLSConfig        TLSConfiguration `json:"TLSConfig"`
 		AzureCredentials AzureCredentials `json:"AzureCredentials,omitempty" example:""`
 		// List of tag identifiers to which this environment(endpoint) is associated
@@ -336,6 +345,17 @@ type (
 		// Whether the device has been trusted or not by the user
 		UserTrusted bool
 
+		Edge struct {
+			// Whether the device has been started in edge async mode
+			AsyncMode bool
+			// The ping interval for edge agent - used in edge async mode [seconds]
+			PingInterval int `json:"PingInterval" example:"60"`
+			// The snapshot interval for edge agent - used in edge async mode [seconds]
+			SnapshotInterval int `json:"SnapshotInterval" example:"60"`
+			// The command list interval for edge agent - used in edge async mode [seconds]
+			CommandInterval int `json:"CommandInterval" example:"60"`
+		}
+
 		// Deprecated fields
 		// Deprecated in DBVersion == 4
 		TLS           bool   `json:"TLS,omitempty"`
@@ -540,6 +560,11 @@ type (
 		ShellExecCommand string
 	}
 
+	// InternalAuthSettings represents settings used for the default 'internal' authentication
+	InternalAuthSettings struct {
+		RequiredPasswordLength int
+	}
+
 	// LDAPGroupSearchSettings represents settings used to search for groups in a LDAP server
 	LDAPGroupSearchSettings struct {
 		// The distinguished name of the element from which the LDAP server will search for groups
@@ -790,6 +815,7 @@ type (
 		BlackListedLabels []Pair `json:"BlackListedLabels"`
 		// Active authentication method for the Portainer instance. Valid values are: 1 for internal, 2 for LDAP, or 3 for oauth
 		AuthenticationMethod AuthenticationMethod `json:"AuthenticationMethod" example:"1"`
+		InternalAuthSettings InternalAuthSettings `json:"InternalAuthSettings" example:""`
 		LDAPSettings         LDAPSettings         `json:"LDAPSettings" example:""`
 		OAuthSettings        OAuthSettings        `json:"OAuthSettings" example:""`
 		OpenAMTConfiguration OpenAMTConfiguration `json:"openAMTConfiguration" example:""`
@@ -822,6 +848,17 @@ type (
 		// EdgePortainerURL is the URL that is exposed to edge agents
 		EdgePortainerURL string `json:"EdgePortainerUrl"`
 
+		Edge struct {
+			// The command list interval for edge agent - used in edge async mode (in seconds)
+			CommandInterval int `json:"CommandInterval" example:"5"`
+			// The ping interval for edge agent - used in edge async mode (in seconds)
+			PingInterval int `json:"PingInterval" example:"5"`
+			// The snapshot interval for edge agent - used in edge async mode (in seconds)
+			SnapshotInterval int `json:"SnapshotInterval" example:"5"`
+			// EdgeAsyncMode enables edge async mode by default
+			AsyncMode bool
+		}
+
 		// Deprecated fields
 		DisplayDonationHeader       bool
 		DisplayExternalContributors bool
@@ -885,6 +922,8 @@ type (
 		AdditionalFiles []string `json:"AdditionalFiles"`
 		// The auto update settings of a git stack
 		AutoUpdate *StackAutoUpdate `json:"AutoUpdate"`
+		// The stack deployment option
+		Option *StackOption `json:"Option"`
 		// The git config of this stack
 		GitConfig *gittypes.RepoConfig
 		// Whether the stack is from a app template
@@ -905,6 +944,12 @@ type (
 		JobID string `example:"15"`
 	}
 
+	// StackOption represents the options for stack deployment
+	StackOption struct {
+		// Prune services that are no longer referenced
+		Prune bool `example:"false"`
+	}
+
 	// StackID represents a stack identifier (it must be composed of Name + "_" + SwarmID to create a unique identifier)
 	StackID int
 
@@ -1348,9 +1393,9 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.13.0"
+	APIVersion = "2.15.0"
 	// DBVersion is the version number of the Portainer database
-	DBVersion = 50
+	DBVersion = 60
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
 	ComposeSyntaxMaxVersion = "3.9"
 	// AssetsServerURL represents the URL of the Portainer asset server

app/__mocks__/svg.js

@@ -0,0 +1,2 @@
+export default 'SvgrURL';
+export const ReactComponent = 'div';

app/angulartics.matomo/analytics-services.ts

@@ -1,6 +1,6 @@
 import _ from 'lodash';
 
-import { useSettings } from '@/portainer/settings/queries';
+import { usePublicSettings } from '@/portainer/settings/queries';
 
 const categories = [
   'docker',
@@ -64,7 +64,9 @@ export function push(
 }
 
 export function useAnalytics() {
-  const telemetryQuery = useSettings((settings) => settings.EnableTelemetry);
+  const telemetryQuery = usePublicSettings({
+    select: (settings) => settings.EnableTelemetry,
+  });
 
   return { trackEvent: handleTrackEvent };
 

app/app.js

@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import feather from 'feather-icons';
 import { PortainerEndpointTypes } from 'Portainer/models/endpoint/models';
 
 /* @ngInject */
@@ -6,7 +7,14 @@ export function onStartupAngular($rootScope, $state, $interval, LocalStorage, En
   EndpointProvider.initialize();
 
   $rootScope.$state = $state;
-  $rootScope.defaultTitle = document.title;
+  const defaultTitle = document.title;
+
+  $transitions.onEnter({}, () => {
+    const endpoint = EndpointProvider.currentEndpoint();
+    if (endpoint) {
+      document.title = `${defaultTitle} | ${endpoint.Name}`;
+    }
+  });
 
   // Workaround to prevent the loading bar from going backward
   // https://github.com/chieffancypants/angular-loading-bar/issues/273
@@ -21,6 +29,10 @@ export function onStartupAngular($rootScope, $state, $interval, LocalStorage, En
     HttpRequestHelper.resetAgentHeaders();
   });
 
+  $transitions.onSuccess({}, () => {
+    feather.replace();
+  });
+
   // Keep-alive Edge endpoints by sending a ping request every minute
   $interval(() => {
     ping(EndpointProvider, SystemService);

app/assets/css/app.css

@@ -2,8 +2,27 @@
 @tailwind components;
 @tailwind utilities;
 
+@font-face {
+  font-family: 'Inter';
+  src: url('../fonts/Inter-VariableFont.ttf') format('truetype');
+  font-weight: 100 900;
+  font-style: normal;
+}
+@media screen and (-webkit-min-device-pixel-ratio: 0) {
+  select {
+    font-family: Inter, Arial, Helvetica, sans-serif;
+  }
+}
+
 html {
   font-size: 16px;
+  overflow-y: scroll;
+}
+
+body {
+  background: var(--bg-body-color);
+  font-family: 'Inter';
+  color: var(--text-body-color) !important;
 }
 
 html,
@@ -67,11 +86,11 @@ body,
 }
 
 .form-section-title {
-  border-bottom: 1px solid var(--border-form-section-title-color);
   margin-top: 5px;
   margin-bottom: 15px;
   color: var(--text-form-section-title-color);
   padding-left: 0;
+  font-weight: 500;
 }
 
 .form-horizontal .control-label.text-left {
@@ -149,7 +168,7 @@ a[ng-click] {
 }
 
 .fa.red-icon {
-  color: #ae2323;
+  color: #f04438;
 }
 
 .fa.orange-icon {
@@ -221,12 +240,13 @@ a[ng-click] {
 }
 
 .blocklist-item {
-  padding: 7px;
-  margin-bottom: 7px;
+  padding: 10px;
+  margin-bottom: 10px;
   cursor: pointer;
-  border: 1px solid var(--border-blocklist-color);
-  border-radius: 2px;
+  border: 1px solid var(--border-blocklist);
+  border-radius: 8px;
   box-shadow: var(--shadow-box-color);
+  margin-right: 10px;
 }
 
 .blocklist-item--disabled {
@@ -241,6 +261,8 @@ a[ng-click] {
 }
 
 .blocklist-item:hover {
+  @apply border border-blue-7;
+
   background-color: var(--bg-blocklist-hover-color);
   color: var(--text-blocklist-hover-color);
 }
@@ -379,12 +401,13 @@ a[ng-click] {
 }
 
 .panel-body {
-  padding-top: 30px;
-  background-color: var(--white-color) fff;
+  padding: 30px 25px;
+  background-color: var(--white-color);
+  border-radius: 8px;
 }
 
 .user-box {
-  margin-right: 25px;
+  margin-right: 15px;
 }
 
 .select-endpoint {
@@ -814,12 +837,6 @@ json-tree .branch-preview {
 }
 /* !uib-typeahead override */
 
-.kubectl-shell {
-  display: block;
-  text-align: center;
-  padding-bottom: 5px;
-}
-
 .no-margin {
   margin: 0 !important;
 }
@@ -842,3 +859,12 @@ json-tree .branch-preview {
 .form-check.radio {
   margin-left: 15px;
 }
+
+.inline-text {
+  display: inline;
+  position: absolute;
+  font-family: 'Montserrat';
+  font-size: smaller;
+  margin-left: 5px;
+  margin-right: 5px;
+}

app/assets/css/bootstrap-override.css

@@ -0,0 +1,328 @@
+/* Label, Section Title */
+
+.control-label {
+  color: var(--ui-gray-7);
+  font-weight: 500;
+}
+
+.form-section-title {
+  color: var(--ui-gray-9);
+  font-size: 16px;
+}
+
+.vertical-center {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+}
+
+.blue {
+  background: var(--bg-dashboard-item) !important;
+}
+
+.form-control {
+  border-radius: 5px;
+}
+
+/* Input Group Addon */
+.input-group-addon:first-child {
+  border-top-left-radius: 5px;
+  border-bottom-left-radius: 5px;
+}
+
+.input-group .form-control:not(:first-child):not(:last-child) {
+  border-top-right-radius: 5px;
+  border-bottom-right-radius: 5px;
+}
+
+.input-group-btn:last-child .btn {
+  margin-left: 5px;
+  border-radius: 5px;
+}
+
+/* Toggle switch */
+.switch {
+  position: relative;
+  display: inline-block;
+  width: 42px;
+  height: 25px;
+}
+
+.switch input {
+  opacity: 0;
+  width: 0;
+  height: 0;
+}
+
+.switch input[type='checkbox']:disabled + .slider {
+  background-color: var(--ui-gray-3);
+}
+
+/* Toggle */
+
+.slider {
+  position: absolute;
+  cursor: pointer;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  background-color: var(--bg-switch-box-color);
+  -webkit-transition: 0.4s;
+  transition: 0.4s;
+}
+
+.slider:before {
+  position: absolute;
+  content: '';
+  height: 19px;
+  width: 19px;
+  left: 3px;
+  bottom: 3px;
+  background-color: var(--white-color);
+  -webkit-transition: 0.4s;
+  transition: 0.4s;
+}
+
+input:checked + .slider {
+  background-color: var(--ui-blue-8);
+}
+
+input:focus + .slider {
+  box-shadow: 0 0 1px var(--ui-blue-8);
+}
+
+input:checked + .slider:before {
+  -webkit-transform: translateX(17px);
+  -ms-transform: translateX(17px);
+  transform: translateX(17px);
+}
+
+.slider.round {
+  border-radius: 25px;
+}
+
+.slider.round:before {
+  border-radius: 50%;
+}
+
+/* Checkbox */
+
+.md-checkbox input[type='checkbox']:enabled + label:before {
+  background-color: var(--bg-checkbox) !important;
+  border: 1px solid var(--border-checkbox) !important;
+  border-radius: 5px;
+}
+
+.md-checkbox input[type='checkbox']:disabled + label:before {
+  border-radius: 5px;
+}
+
+.md-checkbox input[type='checkbox']:checked + label:before {
+  background-color: var(--ui-blue-8) !important;
+  color: var(--ui-blue-8) !important;
+  border: 1px solid var(--ui-blue-8) !important;
+}
+
+.md-checkbox input[type='checkbox']:checked + .checkmark {
+  border-color: var(--grey-6);
+  background-color: var(--bg-checkbox);
+}
+
+/* Slider */
+
+.rzslider .rz-pointer {
+  background-color: var(--white-color);
+  border: 3px solid var(--ui-blue-8);
+  width: 25px;
+  height: 25px;
+  top: -10px;
+}
+
+.rzslider .rz-bar {
+  background-color: var(--ui-gray-5);
+  height: 8px;
+  border-radius: 5px;
+}
+
+.rzslider .rz-selection {
+  background-color: var(--ui-blue-8);
+}
+
+.rzslider .rz-pointer:after {
+  display: none;
+}
+
+/* Widget */
+
+.widget .widget-icon i {
+  color: var(--ui-blue-8);
+}
+
+.widget .widget-body table thead {
+  border-top: 1px solid var(--border-table-color);
+}
+
+/* Toaster */
+
+#toast-container > .toast-success {
+  background-image: url(../images/icon-success.svg) !important;
+  background-position: top 20px left 20px;
+}
+
+#toast-container > .toast-error {
+  background-image: url(../images/icon-error.svg) !important;
+  background-position: top 20px left 20px;
+}
+
+#toast-container > .toast-warning {
+  background-image: url(../images/icon-warning.svg) !important;
+}
+
+.toast-success .toast-progress {
+  background-color: var(--ui-success-7);
+}
+.toast-warning .toast-progress {
+  background-color: var(--ui-warning-6);
+}
+.toast-error .toast-progress {
+  background-color: var(--ui-error-8);
+}
+
+#toast-container > div {
+  color: var(--ui-gray-7);
+  background-color: var(--white-color);
+  border-radius: 8px;
+  padding: 20px 20px 20px 80px;
+  width: 300px;
+  opacity: 1;
+  -ms-filter: progid:DXImageTransform.Microsoft.Alpha(Opacity=100);
+  filter: alpha(opacity=100);
+}
+
+#toast-container > div:hover {
+  -moz-box-shadow: 0 0 12px var(--ui-gray-7);
+  -webkit-box-shadow: 0 0 12px var(--ui-gray-7);
+  box-shadow: 0 0 12px var(--ui-gray-7);
+}
+
+.toast-close-button {
+  color: var(--black-color);
+  text-decoration: none;
+  cursor: pointer;
+  opacity: 0.4;
+  -ms-filter: progid:DXImageTransform.Microsoft.Alpha(Opacity=40);
+  filter: alpha(opacity=40);
+}
+
+.toast-close-button:hover,
+.toast-close-button:focus {
+  color: var(--black-color);
+  text-decoration: none;
+  cursor: pointer;
+  opacity: 0.6;
+  -ms-filter: progid:DXImageTransform.Microsoft.Alpha(Opacity=60);
+  filter: alpha(opacity=60);
+}
+
+.toast-title {
+  color: var(--black-color);
+  padding: 10px 0px;
+}
+
+/* Modal */
+
+.modal-dialog {
+  width: 450px;
+}
+
+.modal-content {
+  padding: 55px 20px 20px 20px;
+  background-image: url(../images/icon-warning.svg);
+  background-repeat: no-repeat;
+  background-position: top 10px left 10px;
+}
+
+.modal-header {
+  padding: 10px 0px 10px 0px;
+  border-bottom: none;
+}
+
+.modal-header .close {
+  margin-top: -40px;
+}
+
+.modal-header .modal-title {
+  font-weight: bold;
+}
+
+.modal-body {
+  padding: 10px 0px;
+  border-bottom: none;
+}
+
+.modal-body .bootbox-body {
+  font-size: 12px;
+  color: var(--text-bootbox);
+}
+
+.modal-footer {
+  padding: 10px 0px;
+  border-top: none;
+  display: flex;
+}
+
+.modal-footer .bootbox-cancel {
+  width: 100%;
+}
+
+.modal-footer .bootbox-accept {
+  width: 100%;
+}
+
+.bootbox-checkbox-list {
+  border: 0px;
+}
+
+/* Databatle Setting Menu */
+
+.tableMenu {
+  border: 1px solid var(--border-bootbox);
+  border-radius: 8px;
+}
+
+[data-reach-menu-list],
+[data-reach-menu-items] {
+  background: none;
+}
+
+.dropdown-menu {
+  border-radius: 8px;
+}
+.dropdown-menu .tableMenu {
+  border: 0px;
+}
+
+/* Status Indicator Inside Table Section Label Style */
+.table .label {
+  border-radius: 8px !important;
+}
+
+.table .label .label-danger {
+  background-color: var(--ui-error-8);
+}
+
+.table .label .label-success {
+  background-color: var(--ui-success-7);
+}
+
+/* Required Label with asterisk */
+
+.required:after {
+  content: '*';
+  color: var(--ui-error-9);
+}
+
+.control-label {
+  @apply inline-flex items-center;
+}

app/assets/css/button.css

@@ -0,0 +1,92 @@
+.btn {
+  border-radius: 5px;
+  display: inline-flex;
+  justify-content: space-around;
+  align-items: center;
+  gap: 5px;
+}
+
+.btn-group {
+  display: inline-flex;
+}
+
+.btn.active {
+  box-shadow: none;
+}
+
+.btn-primary {
+  background-color: var(--ui-blue-8);
+}
+
+.btn-primary:hover,
+.btn-primary:focus,
+.btn-primary:active .active {
+  background-color: var(--ui-blue-9);
+}
+
+.btn-primary:active,
+.btn-primary.active,
+.open > .dropdown-toggle.btn-primary {
+  background-color: var(--ui-blue-9);
+}
+
+.nav-pills > li.active > a,
+.nav-pills > li.active > a:hover,
+.nav-pills > li.active > a:focus {
+  background-color: var(--ui-blue-8);
+}
+
+.btn-danger {
+  background-color: var(--ui-error-8);
+}
+
+.btn-success {
+  background-color: var(--ui-success-7);
+}
+
+.btn-dangerlight {
+  background-color: var(--ui-error-2) !important;
+  border: 1px solid var(--border-button-group);
+  color: var(--ui-error-8);
+}
+
+.btn-dangerlight:hover {
+  color: var(--ui-error-9) !important;
+  background-color: var(--ui-error-3) !important;
+}
+
+.btn-light {
+  background-color: var(--bg-button-group);
+  border: 1px solid var(--border-button-group);
+  color: var(--text-button-group);
+}
+
+.btn-light:hover {
+  background-color: var(--ui-gray-2) !important;
+}
+
+.btn-light:active,
+.btn-light.active,
+.open > .dropdown-toggle.btn-light {
+  background-color: var(--ui-gray-3);
+}
+
+/* Button Secondary */
+.btn-secondary {
+  background-color: var(--ui-blue-2);
+  border: 1px solid var(--ui-blue-8);
+  color: var(--ui-blue-9);
+}
+
+.btn-secondary:hover,
+.btn-secondary:focus,
+.btn-secondary:active .active {
+  background-color: var(--ui-blue-3) !important;
+  color: var(--ui-blue-9) !important;
+}
+
+.btn-secondary:disabled {
+  background-color: var(--ui-blue-1);
+  border: 1px solid var(--ui-blue-1);
+  color: var(--ui-blue-5);
+}

app/assets/css/colors.json

@@ -0,0 +1,355 @@
+{
+  "black": "#000000",
+  "white": "#ffffff",
+  "gray": {
+    "1": "#fcfcfd",
+    "2": "#f9fafb",
+    "3": "#f2f4f7",
+    "4": "#eaecf0",
+    "5": "#d0d5dd",
+    "6": "#98a2b3",
+    "7": "#667085",
+    "8": "#475467",
+    "9": "#344054",
+    "10": "#1d2939",
+    "11": "#101828"
+  },
+  "blue": {
+    "1": "#f5fbff",
+    "2": "#f0f9ff",
+    "3": "#e0f2fe",
+    "4": "#b9e6fe",
+    "5": "#7cd4fd",
+    "6": "#36bffa",
+    "7": "#0ba5ec",
+    "8": "#0086c9",
+    "9": "#026aa2",
+    "10": "#065986",
+    "11": "#0b4a6f"
+  },
+  "error": {
+    "1": "#fffbfa",
+    "2": "#fef3f2",
+    "3": "#fee4e2",
+    "4": "#fecdca",
+    "5": "#fda29b",
+    "6": "#f97066",
+    "7": "#f04438",
+    "8": "#d92d20",
+    "9": "#b42318",
+    "10": "#912018",
+    "11": "#7a271a"
+  },
+  "warning": {
+    "1": "#fffcf5",
+    "2": "#fffaeb",
+    "3": "#fef0c7",
+    "4": "#fedf89",
+    "5": "#fec84b",
+    "6": "#fdb022",
+    "7": "#f79009",
+    "8": "#dc6803",
+    "9": "#b54708",
+    "10": "#93370d",
+    "11": "#7a2e0e"
+  },
+  "success": {
+    "1": "#f6fef9",
+    "2": "#ecfdf3",
+    "3": "#d1fadf",
+    "4": "#a6f4c5",
+    "5": "#6ce9a6",
+    "6": "#32d583",
+    "7": "#12b76a",
+    "8": "#039855",
+    "9": "#027a48",
+    "10": "#05603a",
+    "11": "#054f31"
+  },
+  "gray-blue": {
+    "1": "#fcfcfd",
+    "2": "#f8f9fc",
+    "3": "#eaecf5",
+    "4": "#d5d9eb",
+    "5": "#b3b8db",
+    "6": "#717bbc",
+    "7": "#4e5ba6",
+    "8": "#3e4784",
+    "9": "#363f72",
+    "10": "#293056",
+    "11": "#293056"
+  },
+  "gray-cool": {
+    "1": "#fcfcfd",
+    "2": "#f9f9fb",
+    "3": "#eff1f5",
+    "4": "#dcdfea",
+    "5": "#b9c0d4",
+    "6": "#7d89b0",
+    "7": "#5d6b98",
+    "8": "#4a5578",
+    "9": "#404968",
+    "10": "#30374f",
+    "11": "#111322"
+  },
+  "gray-modern": {
+    "1": "#fcfcfd",
+    "2": "#f8fafc",
+    "3": "#eef2f6",
+    "4": "#e3e8ef",
+    "5": "#cdd5df",
+    "6": "#9aa4b2",
+    "7": "#697586",
+    "8": "#4b5565",
+    "9": "#364152",
+    "10": "#202939",
+    "11": "#121926"
+  },
+  "gray-neutral": {
+    "1": "#fcfcfd",
+    "2": "#f9fafb",
+    "3": "#f3f4f6",
+    "4": "#e5e7eb",
+    "5": "#d2d6db",
+    "6": "#9da4ae",
+    "7": "#6c737f",
+    "8": "#4d5761",
+    "9": "#384250",
+    "10": "#1f2a37",
+    "11": "#111927"
+  },
+  "gray-iron": {
+    "1": "#fcfcfc",
+    "2": "#fafafa",
+    "3": "#f4f4f5",
+    "4": "#e4e4e7",
+    "5": "#d1d1d6",
+    "6": "#d1d1d6",
+    "7": "#70707b",
+    "8": "#51525c",
+    "9": "#3f3f46",
+    "10": "#26272b",
+    "11": "#18181b"
+  },
+  "gray-true": {
+    "1": "#fcfcfc",
+    "2": "#fafafa",
+    "3": "#f5f5f5",
+    "4": "#e5e5e5",
+    "5": "#d6d6d6",
+    "6": "#a3a3a3",
+    "7": "#737373",
+    "8": "#525252",
+    "9": "#424242",
+    "10": "#292929",
+    "11": "#141414"
+  },
+  "gray-warm": {
+    "1": "#fdfdfc",
+    "2": "#fafaf9",
+    "3": "#f5f5f4",
+    "4": "#e7e5e4",
+    "5": "#d7d3d0",
+    "6": "#d7d3d0",
+    "7": "#79716b",
+    "8": "#57534e",
+    "9": "#44403c",
+    "10": "#292524",
+    "11": "#1c1917"
+  },
+  "moss": {
+    "1": "#fafdf7",
+    "2": "#f5fbee",
+    "3": "#e6f4d7",
+    "4": "#ceeab0",
+    "5": "#acdc79",
+    "6": "#86cb3c",
+    "7": "#669f2a",
+    "8": "#4f7a21",
+    "9": "#3f621a",
+    "10": "#335015",
+    "11": "#2b4212"
+  },
+  "green-light": {
+    "1": "#fafef5",
+    "2": "#f3fee7",
+    "3": "#e4fbcc",
+    "4": "#d0f8ab",
+    "5": "#a6ef67",
+    "6": "#85e13a",
+    "7": "#66c61c",
+    "8": "#4ca30d",
+    "9": "#3b7c0f",
+    "10": "#326212",
+    "11": "#2b5314"
+  },
+  "green": {
+    "1": "#f6fef9",
+    "2": "#edfcf2",
+    "3": "#d3f8df",
+    "4": "#aaf0c4",
+    "5": "#73e2a3",
+    "6": "#73e2a3",
+    "7": "#16b364",
+    "8": "#099250",
+    "9": "#087443",
+    "10": "#095c37",
+    "11": "#084c2e"
+  },
+  "teal": {
+    "1": "#f6fefc",
+    "2": "#f0fdf9",
+    "3": "#ccfbef",
+    "4": "#99f6e0",
+    "5": "#5fe9d0",
+    "6": "#2ed3b7",
+    "7": "#15b79e",
+    "8": "#0e9384",
+    "9": "#107569",
+    "10": "#125d56",
+    "11": "#134e48"
+  },
+  "cyan": {
+    "1": "#f5feff",
+    "2": "#ecfdff",
+    "3": "#cff9fe",
+    "4": "#a5f0fc",
+    "5": "#67e3f9",
+    "6": "#22ccee",
+    "7": "#06aed4",
+    "8": "#088ab2",
+    "9": "#0e7090",
+    "10": "#155b75",
+    "11": "#164c63"
+  },
+  "blue-dark": {
+    "1": "#f5f8ff",
+    "2": "#eff4ff",
+    "3": "#d1e0ff",
+    "4": "#b2ccff",
+    "5": "#84adff",
+    "6": "#528bff",
+    "7": "#2970ff",
+    "8": "#155eef",
+    "9": "#004eeb",
+    "10": "#0040c1",
+    "11": "#00359e"
+  },
+  "indigo": {
+    "1": "#f5f8ff",
+    "2": "#eef4ff",
+    "3": "#e0eaff",
+    "4": "#c7d7fe",
+    "5": "#a4bcfd",
+    "6": "#8098f9",
+    "7": "#8098f9",
+    "8": "#444ce7",
+    "9": "#3538cd",
+    "10": "#2d31a6",
+    "11": "#2d3282"
+  },
+  "violet": {
+    "1": "#fbfaff",
+    "2": "#f5f3ff",
+    "3": "#ece9fe",
+    "4": "#ddd6fe",
+    "5": "#c3b5fd",
+    "6": "#a48afb",
+    "7": "#875bf7",
+    "8": "#7839ee",
+    "9": "#6927da",
+    "10": "#5720b7",
+    "11": "#491c96"
+  },
+  "purple": {
+    "1": "#fafaff",
+    "2": "#f4f3ff",
+    "3": "#ebe9fe",
+    "4": "#d9d6fe",
+    "5": "#bdb4fe",
+    "6": "#9b8afb",
+    "7": "#7a5af8",
+    "8": "#6938ef",
+    "9": "#5925dc",
+    "10": "#4a1fb8",
+    "11": "#3e1c96"
+  },
+  "fuchsia": {
+    "1": "#fefaff",
+    "2": "#fdf4ff",
+    "3": "#fbe8ff",
+    "4": "#f6d0fe",
+    "5": "#eeaafd",
+    "6": "#e478fa",
+    "7": "#d444f1",
+    "8": "#ba24d5",
+    "9": "#9f1ab1",
+    "10": "#821890",
+    "11": "#6f1877"
+  },
+  "pink": {
+    "1": "#fef6fb",
+    "2": "#fdf2fa",
+    "3": "#fce7f6",
+    "4": "#fce7f6",
+    "5": "#faa7e0",
+    "6": "#f670c7",
+    "7": "#ee46bc",
+    "8": "#dd2590",
+    "9": "#c11574",
+    "10": "#9e165f",
+    "11": "#851651"
+  },
+  "rose": {
+    "1": "#fff5f6",
+    "2": "#fff1f3",
+    "3": "#ffe4e8",
+    "4": "#fecdd6",
+    "5": "#fea3b4",
+    "6": "#fd6f8e",
+    "7": "#f63d68",
+    "8": "#e31b54",
+    "9": "#c01048",
+    "10": "#a11043",
+    "11": "#89123e"
+  },
+  "orange-dark": {
+    "1": "#fff9f5",
+    "2": "#fff4ed",
+    "3": "#ffe6d5",
+    "4": "#ffd6ae",
+    "5": "#ff9c66",
+    "6": "#ff692e",
+    "7": "#ff4405",
+    "8": "#e62e05",
+    "9": "#bc1b06",
+    "10": "#97180c",
+    "11": "#771a0d"
+  },
+  "orange": {
+    "1": "#fefaf5",
+    "2": "#fef6ee",
+    "3": "#fdead7",
+    "4": "#f9dbaf",
+    "5": "#f7b27a",
+    "6": "#f38744",
+    "7": "#ef6820",
+    "8": "#e04f16",
+    "9": "#b93815",
+    "10": "#932f19",
+    "11": "#772917"
+  },
+  "yellow": {
+    "1": "#fefdf0",
+    "2": "#fefbe8",
+    "3": "#fef7c3",
+    "4": "#feee95",
+    "5": "#feee95",
+    "6": "#fac515",
+    "7": "#eaaa08",
+    "8": "#ca8504",
+    "9": "#a15c07",
+    "10": "#854a0e",
+    "11": "#713b12"
+  }
+}

app/assets/css/colors.ts

@@ -0,0 +1,19 @@
+import colors from './colors.json';
+
+const element = document.createElement('style');
+
+element.innerHTML = `:root {
+  ${Object.entries(colors)
+    .map(([color, hex]) => {
+      if (typeof hex === 'string') {
+        return `--ui-${color}: ${hex}`;
+      }
+
+      return Object.entries(hex)
+        .map(([key, value]) => `--ui-${color}-${key}: ${value}`)
+        .join(';\n');
+    })
+    .join(';\n')}
+}`;
+
+document.head.prepend(element);

app/assets/css/icon.css

@@ -0,0 +1,132 @@
+.feather {
+  display: block;
+  height: 1em;
+  width: 1em;
+  color: inherit;
+}
+
+pr-icon {
+  display: inline-block;
+}
+
+.icon {
+  color: currentColor;
+  margin: 0;
+
+  font-size: var(--icon-size);
+  height: var(--icon-size);
+  width: var(--icon-size);
+
+  --icon-size: 1em;
+}
+
+.icon-xs {
+  --icon-size: 10px;
+}
+
+.icon-sm {
+  --icon-size: 14px;
+}
+
+.icon-md {
+  --icon-size: 16px;
+}
+
+.icon-lg {
+  --icon-size: 22px;
+}
+
+.icon-xl {
+  --icon-size: 26px;
+}
+
+.icon.icon-alt {
+  fill: var(--black-color);
+  stroke: var(--white-color);
+}
+
+.icon-primary {
+  color: var(--ui-blue-8);
+}
+
+.icon.icon-primary-alt {
+  fill: var(--ui-blue-8);
+  stroke: var(--white-color);
+}
+
+.icon-secondary {
+  color: var(--ui-gray-8);
+}
+
+.icon.icon-secondary-alt {
+  fill: var(--ui-gray-8);
+  stroke: var(--black-color);
+}
+
+.icon-warning {
+  color: var(--ui-warning-8);
+}
+
+.icon.icon-warning-alt {
+  fill: var(--ui-warning-8);
+  stroke: var(--white-color);
+}
+
+.icon-danger {
+  color: var(--ui-error-8);
+}
+
+.icon.icon-danger-alt {
+  fill: var(--ui-error-8);
+  stroke: var(--white-color);
+}
+
+.icon-success {
+  color: var(--ui-success-6);
+}
+
+.icon.icon-success-alt {
+  fill: var(--ui-success-8);
+  stroke: var(--white-color);
+}
+
+.icon-badge {
+  border-radius: 50%;
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  padding: 1.5%;
+}
+
+.icon-nested-gray {
+  height: 30px;
+  width: 30px;
+  padding: 5px;
+  text-align: center;
+  border-radius: 50%;
+  background-color: var(--ui-gray-4);
+  margin-right: 5px;
+}
+
+.icon-nested-blue {
+  height: 30px;
+  width: 30px;
+  padding: 5px;
+  text-align: center;
+  border-radius: 50%;
+  background-color: var(--ui-blue-3);
+  margin-right: 5px;
+}
+
+.icon-container {
+  display: flex;
+  align-items: center;
+}
+
+.btn-only-icon {
+  padding: 6px;
+}
+
+.btn-only-icon pr-icon {
+  margin-top: 0;
+}

app/assets/css/index.js

@@ -15,8 +15,14 @@ import 'angular-multiselect/isteven-multi-select.css';
 import 'spinkit/spinkit.min.css';
 import '@reach/menu-button/styles.css';
 
+import './colors';
+
 import './rdash.css';
 import './app.css';
 
 import './theme.css';
 import './vendor-override.css';
+import '../fonts/nomad-icon.css';
+import './bootstrap-override.css';
+import './icon.css';
+import './button.css';

app/assets/css/rdash.css

@@ -4,49 +4,6 @@
   width: 100%;
   height: auto;
 }
-@media only screen and (min-width: 561px) {
-  #page-wrapper.open {
-    padding-left: 250px;
-  }
-}
-@media only screen and (max-width: 560px) {
-  #page-wrapper.open {
-    padding-left: 70px;
-  }
-}
-
-/**
- * Hamburg Menu
- * When the class of 'hamburg' is applied to the body tag of the document, 
- * the sidebar changes it's style to attempt to mimic a menu on a phone app,
- * where the content is overlaying the content, rather than push it.
- */
-@media only screen and (max-width: 560px) {
-  body.hamburg #page-wrapper {
-    padding-left: 0;
-  }
-  body.hamburg #page-wrapper:not(.open) #sidebar-wrapper {
-    position: absolute;
-    left: -100px;
-  }
-  body.hamburg #page-wrapper:not(.open) ul.sidebar .sidebar-title.separator {
-    display: none;
-  }
-  body.hamburg #page-wrapper.open #sidebar-wrapper {
-    position: fixed;
-  }
-  body.hamburg #page-wrapper.open #sidebar-wrapper ul.sidebar li.sidebar-main {
-    margin-left: 0px;
-  }
-  body.hamburg #sidebar-wrapper ul.sidebar li.sidebar-main,
-  body.hamburg .row.header .meta {
-    margin-left: 70px;
-  }
-  body.hamburg #sidebar-wrapper ul.sidebar li.sidebar-main,
-  body.hamburg #page-wrapper.open #sidebar-wrapper ul.sidebar li.sidebar-main {
-    transition: margin-left 0.4s ease 0s;
-  }
-}
 
 .loading {
   width: 40px;
@@ -92,33 +49,6 @@
   }
 }
 
-/* Fonts */
-@font-face {
-  font-family: 'Montserrat';
-  src: url('../fonts/montserrat-regular-webfont.eot');
-  src: url('../fonts/montserrat-regular-webfont.eot?#iefix') format('embedded-opentype'), url('../fonts/montserrat-regular-webfont.woff') format('woff'),
-    url('../fonts/montserrat-regular-webfont.ttf') format('truetype'), url('../fonts/montserrat-regular-webfont.svg#montserratregular') format('svg');
-  font-weight: normal;
-  font-style: normal;
-}
-@media screen and (-webkit-min-device-pixel-ratio: 0) {
-  @font-face {
-    font-family: 'Montserrat';
-    src: url('../fonts/montserrat-regular-webfont.svg') format('svg');
-  }
-  select {
-    font-family: Arial, Helvetica, sans-serif;
-  }
-}
-/* Base */
-html {
-  overflow-y: scroll;
-}
-body {
-  background: var(--bg-body-color);
-  font-family: 'Montserrat';
-  color: var(--text-body-color) !important;
-}
 .row {
   margin-left: 0 !important;
   margin-right: 0 !important;
@@ -129,22 +59,7 @@ body {
 .alerts-container .alert:last-child {
   margin-bottom: 0;
 }
-#page-wrapper {
-  padding-left: 70px;
-  height: 100%;
-}
-#sidebar-wrapper {
-  margin-left: -150px;
-  left: -30px;
-  width: 250px;
-  position: fixed;
-  height: 100%;
-  z-index: 999;
-}
-#page-wrapper,
-#sidebar-wrapper {
-  transition: all 0.4s ease 0s;
-}
+
 .green {
   background: #23ae89 !important;
 }
@@ -172,9 +87,8 @@ div.input-mask {
   -moz-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
   box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
   background: var(--bg-widget-color);
-  border: 1px solid transparent;
-  border-radius: 2px;
-  border-color: var(--border-widget-color);
+  border: 1px solid var(--border-widget);
+  border-radius: 8px;
 }
 .widget .widget-header .pagination,
 .widget .widget-footer .pagination {
@@ -182,25 +96,25 @@ div.input-mask {
 }
 .widget .widget-header {
   color: var(--text-widget-header-color);
-  background-color: var(--bg-widget-header-color);
   padding: 10px 15px;
-  border-bottom: 1px solid var(--border-widget-color);
   line-height: 30px;
+  font-weight: 500;
 }
 .widget .widget-header i {
   margin-right: 5px;
 }
 .widget .widget-body {
   padding: 20px;
+  border-radius: 8px;
 }
 .widget .widget-body table thead {
   background: var(--bg-widget-table-color);
 }
 .widget .widget-body table thead * {
-  font-size: 14px !important;
+  font-size: 14px;
 }
 .widget .widget-body table tbody * {
-  font-size: 13px !important;
+  font-size: 13px;
 }
 .widget .widget-body .error {
   color: #ff0000;

app/assets/css/theme.css

@@ -1,13 +1,12 @@
 /* Color Variable */
-html {
-  --black-color: #000;
-  --white-color: #fff;
+:root {
+  --black-color: var(--ui-black);
+  --white-color: var(--ui-white);
 
   --grey-1: #212121;
   --grey-2: #181818;
   --grey-3: #383838;
   --grey-4: #585858;
-  --grey-5: #323c48;
   --grey-6: #333333;
   --grey-7: #767676;
   --grey-8: #aaa;
@@ -35,7 +34,6 @@ html {
   --grey-30: #444;
   --grey-31: #868686;
   --grey-32: #65798e;
-  --grey-34: #314252;
   --grey-35: #546477;
   --grey-36: #55637d;
   --grey-37: #2d3e63;
@@ -53,15 +51,12 @@ html {
   --grey-49: rgba(0, 0, 0, 0.54);
   --grey-50: rgba(161, 170, 166, 0.5);
   --grey-51: rgba(0, 0, 0, 0.15);
-  --grey-52: rgba(255, 255, 255, 0.3);
   --grey-53: rgba(255, 255, 255, 0.6);
   --grey-54: rgb(54, 54, 54);
   --grey-55: rgba(255, 255, 255, 0.8);
-  --grey-56: #b2bfdc;
   --grey-57: #999;
   --grey-58: #ebf4f8;
   --grey-59: #e6e6e6;
-  --grey-60: #cacaca;
   --grey-61: rgb(231, 231, 231);
 
   --blue-1: #219;
@@ -76,7 +71,6 @@ html {
   --blue-10: #61b6ff;
   --blue-11: #3ea5ff;
   --blue-12: #41a6ff;
-  --blue-13: #2361ae;
   --blue-14: #357ebd;
 
   --red-1: #a94442;
@@ -84,7 +78,6 @@ html {
   --red-3: #a11;
   --red-4: #d9534f;
   --red-5: #ff2727;
-  --red-6: #ff00e0;
   --red-7: #f00;
 
   --green-1: #164;
@@ -94,25 +87,22 @@ html {
   --orange-1: #e86925;
 
   --BE-only: var(--orange-1);
-}
 
-/* Default Theme */
-:root {
-  --bg-card-color: var(--grey-10);
+  /* Default Theme */
+  --bg-card-color: var(--white-color);
   --bg-main-color: var(--white-color);
   --bg-body-color: var(--grey-9);
   --bg-checkbox-border-color: var(--grey-49);
-  --bg-sidebar-color: var(--grey-37);
   --bg-sidebar-header-color: var(--grey-37);
   --bg-widget-color: var(--white-color);
   --bg-widget-header-color: var(--grey-10);
   --bg-widget-table-color: var(--grey-13);
   --bg-header-color: var(--white-color);
   --bg-hover-table-color: var(--grey-14);
-  --bg-switch-box-color: var(--white-color);
-  --bg-input-group-addon-color: var(--grey-11);
+  --bg-switch-box-color: var(--ui-gray-5);
+  --bg-input-group-addon-color: var(--ui-gray-3);
   --bg-btn-default-color: var(--white-color);
-  --bg-blocklist-hover-color: var(--grey-12);
+  --bg-blocklist-hover-color: var(--ui-blue-3);
   --bg-boxselector-color: var(--white-color);
   --bg-table-color: var(--white-color);
   --bg-md-checkbox-color: var(--grey-12);
@@ -139,10 +129,16 @@ html {
   --bg-row-header-color: var(--white-color);
   --bg-image-multiselect-button: linear-gradient(var(--white-color), var(--grey-17));
   --bg-multiselect-checkbox-color: var(--white-color);
-  --bg-sidebar-wrapper-color: var(--blue-5);
   --bg-panel-body-color: var(--white-color);
   --bg-codemirror-color: var(--white-color);
   --bg-codemirror-selected-color: var(--grey-22);
+  --bg-tooltip-color: var(--ui-gray-11);
+  --bg-input-sm-color: var(--white-color);
+  --bg-service-datatable-thead: var(--grey-23);
+  --bg-app-datatable-thead: var(--grey-23);
+  --bg-inner-datatable-thead: var(--grey-23);
+  --bg-service-datatable-tbody: var(--grey-24);
+  --bg-app-datatable-tbody: var(--grey-24);
   --bg-multiselect-color: var(--white-color);
   --bg-daterangepicker-color: var(--white-color);
   --bg-calendar-color: var(--white-color);
@@ -151,7 +147,6 @@ html {
   --bg-daterangepicker-hover: var(--grey-16);
   --bg-daterangepicker-in-range: var(--grey-58);
   --bg-daterangepicker-active: var(--blue-14);
-  --bg-tooltip-color: var(--white-color);
   --bg-input-autofill-color: var(--white-color);
   --bg-btn-default-hover-color: var(--grey-59);
   --bg-btn-focus: var(--grey-59);
@@ -162,11 +157,14 @@ html {
   --bg-stepper-item-active: var(--white-color);
   --bg-stepper-item-counter: var(--grey-61);
   --bg-sortbutton-color: var(--white-color);
+  --bg-dashboard-item: var(--ui-blue-3);
+  --bg-searchbar: var(--ui-gray-2);
+  --bg-inputbox: var(--ui-gray-2);
+  --bg-dropdown-hover: var(--ui-gray-3);
 
   --text-main-color: var(--grey-7);
   --text-body-color: var(--grey-6);
-  --text-sidebar-title-color: var(--blue-3);
-  --text-widget-header-color: var(--grey-7);
+  --text-widget-header-color: var(--ui-gray-11);
   --text-form-control-color: var(--grey-25);
   --text-muted-color: var(--grey-26);
   --text-link-color: var(--blue-2);
@@ -193,23 +191,21 @@ html {
   --text-blocklist-item-selected-color: var(--grey-37);
   --text-progress-bar-color: var(--grey-27);
   --text-pagination-color: var(--grey-26);
-  --text-pagination-span-color: var(--blue-2);
+  --text-pagination-span-color: var(--ui-gray-3);
   --text-pagination-span-hover-color: var(--blue-4);
   --text-ui-select-color: var(--grey-6);
   --text-ui-select-hover-color: var(--grey-28);
   --text-summary-color: var(--black-color);
-  --text-multiselect-button-color: var(--grey-29);
-  --text-multiselect-item-color: var(--grey-30);
-  --text-sidebar-list-color: var(--grey-56);
+  --text-tooltip-color: var(--white-color);
   --text-rzslider-color: var(--grey-36);
   --text-rzslider-limit-color: var(--grey-36);
   --text-daterangepicker-end-date: var(--grey-57);
   --text-daterangepicker-in-range: var(--black-color);
   --text-daterangepicker-active: var(--white-color);
-  --text-tooltip-color: var(--grey-6);
   --text-input-autofill-color: var(--black-color);
   --text-button-hover-color: var(--grey-6);
   --text-small-select-color: var(--grey-25);
+  --text-bootbox: var(--ui-gray-7);
 
   --border-color: var(--grey-42);
   --border-widget-color: var(--grey-43);
@@ -244,8 +240,10 @@ html {
   --border-tooltip-color: var(--grey-47);
   --border-modal: 0px;
   --border-sortbutton: var(--grey-8);
+  --border-bootbox: var(--ui-gray-5);
+  --border-blocklist: var(--ui-gray-5);
+  --border-widget: var(--ui-gray-5);
 
-  --hover-sidebar-color: var(--grey-37);
   --shadow-box-color: 0 3px 10px -2px var(--grey-50);
   --shadow-boxselector-color: 0 3px 10px -2px var(--grey-50);
   --blue-color: var(--blue-13);
@@ -265,9 +263,16 @@ html {
   --text-multiselect-item: var(--grey-30);
   --bg-multiselect-helpercontainer: var(--white-color);
   --text-input-textarea: var(--white-color);
-  --bg-service-datatable-thead: var(--grey-23);
-  --bg-inner-datatable-thead: var(--grey-23);
-  --bg-service-datatable-tbody: var(--grey-24);
+
+  --sort-icon-muted: var(--ui-gray-5);
+  --sort-icon-hover: var(--ui-gray-6);
+  --sort-icon: var(--ui-gray-9);
+  --border-checkbox: var(--ui-gray-5);
+  --bg-checkbox: var(--white-color);
+  --border-searchbar: var(--ui-gray-5);
+  --bg-button-group: var(--white-color);
+  --border-button-group: var(--ui-gray-5);
+  --text-button-group: var(--ui-gray-9);
 }
 
 :root[theme='dark'] {
@@ -275,7 +280,6 @@ html {
   --bg-main-color: var(--grey-2);
   --bg-body-color: var(--grey-2);
   --bg-checkbox-border-color: var(--grey-8);
-  --bg-sidebar-color: var(--grey-3);
   --bg-widget-color: var(--grey-1);
   --bg-widget-header-color: var(--grey-1);
   --bg-widget-table-color: var(--grey-1);
@@ -313,7 +317,6 @@ html {
   --bg-multiselect-button-color: var(--grey-3);
   --bg-image-multiselect-button: none !important;
   --bg-multiselect-checkbox-color: var(--grey-3);
-  --bg-sidebar-wrapper-color: var(--grey-1);
   --bg-panel-body-color: var(--grey-1);
   --bg-boxselector-wrapper-disabled-color: var(--grey-39);
   --bg-codemirror-selected-color: var(--grey-3);
@@ -337,10 +340,13 @@ html {
   --bg-stepper-item-active: var(--grey-1);
   --bg-stepper-item-counter: var(--grey-7);
   --bg-sortbutton-color: var(--grey-1);
+  --bg-dashboard-item: var(--grey-3);
+  --bg-searchbar: var(--grey-1);
+  --bg-inputbox: var(--grey-2);
+  --bg-dropdown-hover: var(--grey-3);
 
   --text-main-color: var(--white-color);
   --text-body-color: var(--white-color);
-  --text-sidebar-title-color: var(--grey-8);
   --text-widget-header-color: var(--white-color);
   --text-form-control-color: var(--white-color);
   --text-muted-color: var(--grey-8);
@@ -368,14 +374,13 @@ html {
   --text-blocklist-item-selected-color: var(--white-color);
   --text-progress-bar-color: var(--white-color);
   --text-pagination-color: var(--white-color);
-  --text-pagination-span-color: var(--blue-2);
+  --text-pagination-span-color: var(--ui-gray-3);
   --text-pagination-span-hover-color: var(--white-color);
   --text-ui-select-color: var(--white-color);
   --text-ui-select-hover-color: var(--white-color);
   --text-summary-color: var(--white-color);
   --text-multiselect-button-color: var(--white-color);
   --text-multiselect-item-color: var(--white-color);
-  --text-sidebar-list-color: var(--white-color);
   --text-boxselector-wrapper-color: var(--white-color);
   --text-daterangepicker-end-date: var(--grey-7);
   --text-daterangepicker-in-range: var(--white-color);
@@ -385,6 +390,7 @@ html {
   --text-input-autofill-color: var(--grey-8);
   --text-button-hover-color: var(--white-color);
   --text-small-select-color: var(--grey-7);
+  --text-bootbox: var(--white-color);
 
   --border-color: var(--grey-3);
   --border-widget-color: var(--grey-1);
@@ -408,9 +414,7 @@ html {
   --border-pagination-color: var(--grey-3);
   --border-pagination-span-color: var(--grey-3);
   --border-pagination-hover-color: var(--grey-3);
-  --border-pagination-hover-color: var(--grey-3);
-  --border-multiselect-button-color: var(--grey-3);
-  --border-searchbar-color: var(--grey-1);
+  --border-boxselector-wrapper-hover: 3px solid var(--blue-8);
   --border-panel-color: var(--grey-2);
   --border-daterangepicker-color: var(--grey-3);
   --border-calendar-table: var(--grey-3);
@@ -420,8 +424,10 @@ html {
   --border-tooltip-color: var(--grey-3);
   --border-modal: 0px;
   --border-sortbutton: var(--grey-3);
+  --border-bootbox: var(--ui-gray-9);
+  --border-blocklist: var(--ui-gray-9);
+  --border-widget: var(--ui-gray-9);
 
-  --hover-sidebar-color: var(--grey-3);
   --blue-color: var(--blue-2);
   --button-close-color: var(--white-color);
   --button-opacity: 0.6;
@@ -439,9 +445,16 @@ html {
   --text-multiselect-item: var(--white-color);
   --bg-multiselect-helpercontainer: var(--grey-1);
   --text-input-textarea: var(--grey-1);
-  --bg-service-datatable-thead: var(--grey-1);
-  --bg-inner-datatable-thead: var(--grey-1);
-  --bg-service-datatable-tbody: var(--grey-1);
+
+  --sort-icon-muted: var(--ui-gray-7);
+  --sort-icon-hover: var(--ui-gray-6);
+  --sort-icon: var(--ui-gray-3);
+  --border-checkbox: var(--ui-gray-5);
+  --bg-checkbox: var(--white-color);
+  --border-searchbar: var(--ui-gray-5);
+  --bg-button-group: var(--white-color);
+  --border-button-group: var(--ui-gray-5);
+  --text-button-group: var(--ui-gray-9);
 }
 
 :root[theme='highcontrast'] {
@@ -449,7 +462,6 @@ html {
   --bg-main-color: var(--black-color);
   --bg-body-color: var(--black-color);
   --bg-checkbox-border-color: var(--grey-8);
-  --bg-sidebar-color: var(--black-color);
   --bg-widget-color: var(--black-color);
   --bg-widget-header-color: var(--black-color);
   --bg-widget-table-color: var(--black-color);
@@ -461,11 +473,10 @@ html {
   --bg-dropdown-menu-color: var(--black-color);
   --bg-codemirror-selected-color: var(--grey-3);
   --bg-row-header-color: var(--black-color);
-  --bg-sidebar-wrapper-color: var(--black-color);
   --bg-motd-body-color: var(--black-color);
   --bg-blocklist-hover-color: var(--black-color);
   --bg-blocklist-item-selected-color: var(--black-color);
-  --bg-input-group-addon-color: var(--grey-1);
+  --bg-input-group-addon-color: var(--grey-3);
   --bg-table-color: var(--black-color);
   --bg-codemirror-gutters-color: var(--black-color);
   --bg-codemirror-color: var(--black-color);
@@ -512,10 +523,12 @@ html {
   --bg-stepper-item-active: var(--black-color);
   --bg-stepper-item-counter: var(--grey-3);
   --bg-sortbutton-color: var(--grey-1);
+  --bg-inputbox: var(--black-color);
+  --bg-searchbar: var(--black-color);
+  --bg-dropdown-hover: var(--black-color);
 
   --text-main-color: var(--white-color);
   --text-body-color: var(--white-color);
-  --text-sidebar-title-color: var(--grey-8);
   --text-widget-header-color: var(--white-color);
   --text-link-color: var(--blue-9);
   --text-link-hover-color: var(--blue-9);
@@ -540,7 +553,6 @@ html {
   --text-daterangepicker-end-date: var(--grey-7);
   --text-daterangepicker-in-range: var(--white-color);
   --text-daterangepicker-active: var(--white-color);
-  --text-sidebar-list-color: var(--white-color);
   --text-ui-select-color: var(--white-color);
   --text-btn-default-color: var(--white-color);
   --text-json-tree-color: var(--white-color);
@@ -554,7 +566,8 @@ html {
   --text-btn-default-color: var(--white-color);
   --text-small-select-color: var(--white-color);
   --text-multiselect-item-color: var(--white-color);
-  --text-pagination-span-color: var(--blue-2);
+  --text-pagination-span-color: var(--ui-gray-3);
+  --text-bootbox: var(--white-color);
 
   --border-color: var(--grey-55);
   --border-widget-color: var(--white-color);
@@ -584,9 +597,10 @@ html {
   --border-modal: 1px solid var(--white-color);
   --border-blocklist-color: var(--white-color);
   --border-sortbutton: var(--black-color);
+  --border-bootbox: var(--black-color);
+  --border-blocklist: var(--white-color);
+  --border-widget: var(--white-color);
 
-  --hover-sidebar-color: var(--blue-9);
-  --hover-sidebar-color: var(--black-color);
   --shadow-box-color: none;
   --shadow-boxselector-color: none;
 
@@ -605,4 +619,14 @@ html {
   --text-cm-meta-color: var(--white-color);
   --text-cm-string-color: var(--red-7);
   --text-progress-bar-color: var(--black-color);
+
+  --sort-icon-muted: var(--ui-gray-7);
+  --sort-icon-hover: var(--ui-gray-6);
+  --sort-icon: var(--ui-gray-3);
+  --border-checkbox: var(--ui-gray-5);
+  --bg-checkbox: var(--white-color);
+  --border-searchbar: var(--ui-gray-5);
+  --bg-button-group: var(--white-color);
+  --border-button-group: var(--ui-gray-5);
+  --text-button-group: var(--ui-gray-9);
 }

app/assets/css/vendor-override.css

@@ -1,7 +1,7 @@
 /* Overide Vendor CSS */
 .form-control {
-  background-color: var(--bg-main-color) !important;
   border: 1px solid var(--border-form-control-color);
+  background-color: var(--bg-inputbox);
   color: var(--text-form-control-color);
 }
 
@@ -10,7 +10,7 @@
 }
 
 .table > thead > tr > th {
-  border-bottom: 2px solid var(--border-table-color);
+  border-bottom: 1px solid var(--border-table-color);
 }
 
 .table-hover > tbody > tr:hover {
@@ -32,12 +32,14 @@
 }
 
 a {
-  color: var(--text-link-color);
+  color: inherit;
+  cursor: pointer;
 }
 
 a:hover,
 a:focus {
-  color: var(--text-link-hover-color);
+  color: inherit;
+  text-decoration: none;
 }
 
 .input-group-addon {
@@ -53,7 +55,7 @@ a:focus {
 }
 
 .text-danger {
-  color: var(--text-danger-color);
+  color: var(--ui-error-9);
 }
 
 .table .table {
@@ -243,6 +245,10 @@ json-tree .branch-preview {
 .panel {
   border: 1px solid var(--border-panel-color);
   background-color: var(--bg-panel-body-color);
+  border-radius: 8px;
+  -webkit-box-shadow: 0 4px 4px rgba(0, 0, 0, 0.05);
+  -moz-box-shadow: 0 4px 4px rgba(0, 0, 0, 0.05);
+  box-shadow: 0 4px 4px rgba(0, 0, 0, 0.05);
 }
 
 .theme-information .col-sm-12 {
@@ -369,6 +375,10 @@ input:-webkit-autofill {
   color: var(--white-color);
 }
 
+.btn-success:hover {
+  color: var(--white-color);
+}
+
 /* Overide Vendor CSS */
 
 .btn.disabled,
@@ -381,3 +391,10 @@ fieldset[disabled] .btn {
 .multiSelect.inlineBlock button {
   margin: 0;
 }
+
+.nav-tabs > li.active > a {
+  border-top: 0px;
+  border-left: 0px;
+  border-right: 0px;
+  border-bottom: 3px solid red;
+}

app/assets/fonts/nomad-icon.css

@@ -0,0 +1,32 @@
+/* created using https://icomoon.io/app */
+/* https://stackoverflow.com/a/35092005/681629 */
+/* for additional icons, we should create a new set that includes the existing icons */
+
+@font-face {
+  font-family: 'nomad-icon';
+  src: url('nomad-icon/nomad-icon.eot?6tre2n');
+  src: url('nomad-icon/nomad-icon.eot?6tre2n#iefix') format('embedded-opentype'), url('nomad-icon/nomad-icon.ttf?6tre2n') format('truetype'),
+    url('nomad-icon/nomad-icon.woff?6tre2n') format('woff'), url('nomad-icon/nomad-icon.svg?6tre2n#nomad-icon') format('svg');
+  font-weight: normal;
+  font-style: normal;
+  font-display: block;
+}
+
+.nomad-icon {
+  /* use !important to prevent issues with browser extensions that change fonts */
+  font-family: 'nomad-icon' !important;
+  speak: never;
+  font-style: normal;
+  font-weight: normal;
+  font-variant: normal;
+  text-transform: none;
+  line-height: 1;
+
+  /* Better Font Rendering =========== */
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+.nomad-icon:before {
+  content: '\e900';
+}

app/assets/fonts/nomad-icon/nomad-icon.svg

@@ -0,0 +1,11 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
+<svg xmlns="http://www.w3.org/2000/svg">
+<metadata>Generated by IcoMoon</metadata>
+<defs>
+<font id="icomoon" horiz-adv-x="1024">
+<font-face units-per-em="1024" ascent="960" descent="-64" />
+<missing-glyph horiz-adv-x="1024" />
+<glyph unicode="&#x20;" horiz-adv-x="512" d="" />
+<glyph unicode="&#xe900;" glyph-name="nomad_black" d="M507.999 959.562l-443.079-255.649v-511.675l443.079-255.8 443.079 255.8v511.675l-443.079 255.649zM705.402 396.893l-118.079-67.992-142.631 77.435v-163.256l-134.095-84.839v340.865l106.369 65.121 147.617-77.813v166.202l140.894 84.612-0.076-340.336z" />
+</font></defs></svg>

app/assets/ico/checked.svg

@@ -0,0 +1,5 @@
+<svg width="17" height="16" viewBox="0 0 17 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="1.21426" y="0.5" width="15" height="15" rx="7.5" fill="#0086C9"/>
+<path d="M12.0474 5.5L7.4641 10.0833L5.38077 8" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round"/>
+<rect x="1.21426" y="0.5" width="15" height="15" rx="7.5" stroke="#0086C9"/>
+</svg>

app/assets/ico/custom.svg

@@ -0,0 +1,4 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M14.3817 5.28009C22.1592 5.28009 28.4649 11.5864 28.4649 19.3646C28.4649 27.1428 22.1592 33.4491 14.3817 33.4491C6.60065 33.4526 0.294922 27.1428 0.294922 19.3646C0.294922 11.5864 6.60065 5.28009 14.3817 5.28009Z" fill="#E0F2FE"/>
+<path d="M18.059 25.043H10.414C9.9746 25.043 9.56654 24.8721 9.25613 24.5617C8.94573 24.2513 8.77832 23.8397 8.77832 23.4037V15.7615C8.77832 15.3255 8.94922 14.9139 9.25962 14.6035C9.57002 14.293 9.98157 14.1221 10.4175 14.1221H14.24C14.54 14.1221 14.7876 14.3663 14.7876 14.6697C14.7876 14.9732 14.5435 15.2174 14.24 15.2174H10.4175C10.271 15.2174 10.135 15.2732 10.0304 15.3778C9.92577 15.4824 9.86996 15.6185 9.86996 15.765V23.4072C9.86996 23.5537 9.92577 23.6897 10.0304 23.7943C10.135 23.899 10.271 23.9548 10.4175 23.9548H18.059C18.2055 23.9548 18.3415 23.899 18.4462 23.7943C18.5508 23.6897 18.6066 23.5537 18.6066 23.4072V19.5843C18.6066 19.2844 18.8507 19.0367 19.1542 19.0367C19.4576 19.0367 19.7017 19.2809 19.7017 19.5843V23.4072C19.7017 23.8432 19.5308 24.2547 19.2204 24.5652C18.91 24.8756 18.4985 25.0465 18.0625 25.0465L18.059 25.043ZM12.6008 21.7678C12.4578 21.7678 12.3183 21.712 12.2137 21.6074C12.0777 21.4713 12.0254 21.276 12.0707 21.0876L12.6148 18.9042C12.6392 18.8065 12.688 18.7193 12.7578 18.6495L17.9439 13.4629C18.5892 12.8176 19.7087 12.8176 20.3539 13.4629C20.6748 13.7838 20.8527 14.2128 20.8527 14.6663C20.8527 15.1197 20.6748 15.5487 20.3539 15.8696L15.1678 21.0563C15.098 21.126 15.0108 21.1748 14.9132 21.1993L12.7299 21.7469C12.6845 21.7573 12.6427 21.7643 12.5973 21.7643L12.6008 21.7678ZM13.6401 19.3157L13.3507 20.4703L14.5051 20.1808L19.5832 15.1023C19.6983 14.9872 19.761 14.8337 19.761 14.6697C19.761 14.5058 19.6983 14.3523 19.5832 14.2372C19.353 14.007 18.9484 14.007 18.7182 14.2372L13.6401 19.3157Z" fill="#0086C9"/>
+</svg>

app/assets/ico/ldap.svg

@@ -0,0 +1,6 @@
+<svg width="79" height="44" viewBox="0 0 79 44" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M45.3224 11.3193L54.6351 27.3044L63.9515 43.2856H45.3224H26.6934L36.006 27.3044L45.3224 11.3193Z" fill="#CB2026"/>
+<path d="M64.1569 38.7032H79.0003L69.6839 22.7181L60.3713 6.73692L52.9496 19.4733L59.1631 30.1388L64.1569 38.7032Z" fill="#CB2026"/>
+<path d="M31.9306 29.5575L27.9455 22.7181L18.6291 6.73692L9.31645 22.7181L0 38.7032H18.6291H26.5993L29.2151 34.2158L31.9306 29.5575Z" fill="#CB2026"/>
+<path d="M33.2951 27.2245L33.763 26.4228L40.4214 15.0011L31.78 0.174988L24.6575 12.3984L30.5258 22.4674L33.2951 27.2245Z" fill="#CB2026"/>
+</svg>

app/assets/ico/microsoft.svg

@@ -0,0 +1,6 @@
+<svg width="53" height="53" viewBox="0 0 53 53" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M24.6796 0.74147H0V25.1903H24.6796V0.74147Z" fill="#F35325"/>
+<path d="M52.0165 0.741547H27.3369V25.1904H52.0165V0.741547Z" fill="#81BC06"/>
+<path d="M24.6796 27.8229H0V52.2718H24.6796V27.8229Z" fill="#05A6F0"/>
+<path d="M52.0165 27.8229H27.3369V52.2718H52.0165V27.8229Z" fill="#FFBA08"/>
+</svg>

app/assets/ico/oauth.svg

@@ -0,0 +1,4 @@
+<svg width="51" height="57" viewBox="0 0 51 57" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M49.4176 17.75L43.882 0.819107H7.28089L1.74531 17.75C1.74531 17.75 -4.79215 34.8935 10.4787 45.4348C24.3922 55.0404 25.5814 56.2077 25.5814 56.2077C25.5814 56.2077 26.7707 55.038 40.6842 45.4348C55.955 34.8935 49.4176 17.75 49.4176 17.75Z" fill="#F4552A"/>
+<path d="M25.5851 0.984695L31.4835 17.6745L49.4453 18.0361L35.1283 28.7097L40.3323 45.6217L25.5851 35.5293L10.838 45.6217L16.042 28.7097L1.72498 18.0361L19.6868 17.6745L25.5851 0.984695Z" fill="white"/>
+</svg>

app/assets/ico/theme/auto.svg

@@ -0,0 +1,4 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M14.3817 5.28003C22.1592 5.28003 28.4649 11.5865 28.4649 19.365C28.4649 27.1435 22.1592 33.45 14.3817 33.45C6.60065 33.4535 0.294922 27.1435 0.294922 19.365C0.294922 11.5865 6.60065 5.28003 14.3817 5.28003Z" fill="#E0F2FE"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M15.5297 15.5683C14.8574 15.3761 14.1468 15.3553 13.4642 15.508C12.7816 15.6606 12.1493 15.9817 11.6262 16.4413C11.1031 16.9008 10.7063 17.4839 10.4728 18.136C10.3554 18.464 9.99118 18.6358 9.65933 18.5198C9.32747 18.4037 9.15365 18.0437 9.27108 17.7157C9.57638 16.8629 10.0953 16.1004 10.7793 15.4995C11.4634 14.8985 12.2903 14.4786 13.1829 14.279C14.0755 14.0794 15.0048 14.1065 15.8839 14.3579C16.7598 14.6083 17.5575 15.0731 18.2032 15.7092L19.5868 16.9943V15.3008C19.5868 14.9528 19.8722 14.6707 20.2242 14.6707C20.5762 14.6707 20.8616 14.9528 20.8616 15.3008V18.4509C20.8616 18.7988 20.5762 19.0809 20.2242 19.0809H17.0373C16.6852 19.0809 16.3999 18.7988 16.3999 18.4509C16.3999 18.1029 16.6852 17.8208 17.0373 17.8208H18.6151L17.3232 16.6209L17.3088 16.6072C16.8141 16.1179 16.202 15.7605 15.5297 15.5683ZM7.90137 20.5509C7.90137 20.203 8.18674 19.9209 8.53875 19.9209H11.7257C12.0777 19.9209 12.3631 20.203 12.3631 20.5509C12.3631 20.8989 12.0777 21.1809 11.7257 21.1809H10.1479L11.4398 22.3809L11.4541 22.3946C11.9489 22.8839 12.561 23.2413 13.2332 23.4335C13.9055 23.6257 14.6161 23.6465 15.2987 23.4938C15.9813 23.3411 16.6137 23.0201 17.1368 22.5605C17.6599 22.1009 18.0566 21.5179 18.2901 20.8658C18.4075 20.5377 18.7718 20.3659 19.1036 20.482C19.4355 20.5981 19.6093 20.9581 19.4919 21.2861C19.1866 22.1389 18.6677 22.9013 17.9836 23.5023C17.2996 24.1033 16.4727 24.5231 15.58 24.7228C14.6874 24.9224 13.7582 24.8953 12.879 24.6439C12.0032 24.3935 11.2055 23.9287 10.5598 23.2926L9.17614 22.0074V23.701C9.17614 24.049 8.89077 24.331 8.53875 24.331C8.18674 24.331 7.90137 24.049 7.90137 23.701V20.5509Z" fill="#0086C9"/>
+</svg>

app/assets/ico/theme/darkmode.svg

@@ -0,0 +1,4 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M14.3817 5.28003C22.1592 5.28003 28.4649 11.5865 28.4649 19.365C28.4649 27.1435 22.1592 33.45 14.3817 33.45C6.60065 33.4535 0.294922 27.1435 0.294922 19.365C0.294922 11.5865 6.60065 5.28003 14.3817 5.28003Z" fill="#E0F2FE"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M14.4242 13.7577C14.5475 13.974 14.5308 14.2418 14.3815 14.4415C13.8988 15.087 13.6665 15.8823 13.7269 16.6828C13.7873 17.4832 14.1363 18.2357 14.7105 18.8033C15.2848 19.3709 16.046 19.7159 16.8559 19.7756C17.6657 19.8353 18.4703 19.6057 19.1234 19.1286C19.3254 18.981 19.5963 18.9644 19.8152 19.0863C20.0341 19.2083 20.1601 19.4459 20.1369 19.6932C20.0353 20.7805 19.6224 21.8167 18.9467 22.6806C18.271 23.5444 17.3604 24.2002 16.3213 24.5712C15.2823 24.9421 14.1579 25.0129 13.0797 24.7753C12.0014 24.5376 11.014 24.0014 10.2328 23.2293C9.45166 22.4571 8.90913 21.4811 8.66871 20.4153C8.42828 19.3495 8.49991 18.2381 8.87521 17.2111C9.25051 16.1841 9.91396 15.284 10.7879 14.6161C11.6619 13.9482 12.7102 13.5401 13.8103 13.4396C14.0604 13.4168 14.3008 13.5413 14.4242 13.7577ZM12.6775 14.989C12.2816 15.1435 11.9077 15.353 11.5677 15.6129C10.8852 16.1344 10.3672 16.8373 10.0742 17.6392C9.78113 18.4411 9.7252 19.3089 9.91293 20.1411C10.1007 20.9733 10.5243 21.7354 11.1342 22.3383C11.7442 22.9412 12.5152 23.3599 13.3571 23.5454C14.199 23.731 15.077 23.6757 15.8883 23.3861C16.6996 23.0964 17.4106 22.5844 17.9382 21.9098C18.2012 21.5737 18.4131 21.2041 18.5695 20.8128C17.9916 21.0012 17.3774 21.0776 16.7611 21.0321C15.6468 20.95 14.5993 20.4753 13.8091 19.6943C13.019 18.9133 12.5387 17.8779 12.4556 16.7765C12.4097 16.1672 12.4869 15.5602 12.6775 14.989Z" fill="#0086C9"/>
+</svg>

app/assets/ico/theme/highcontrastmode.svg

@@ -0,0 +1,4 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M14.3817 5.28003C22.1592 5.28003 28.4649 11.5865 28.4649 19.365C28.4649 27.1435 22.1592 33.45 14.3817 33.45C6.60065 33.4535 0.294922 27.1435 0.294922 19.365C0.294922 11.5865 6.60065 5.28003 14.3817 5.28003Z" fill="#E0F2FE"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8.72192 19.1859C8.78197 19.2875 8.85875 19.4126 8.95184 19.555C9.21567 19.9588 9.60629 20.4957 10.1132 21.0301C11.1385 22.1111 12.5641 23.106 14.3234 23.106C16.0828 23.106 17.5084 22.1111 18.5337 21.0301C19.0406 20.4957 19.4312 19.9588 19.695 19.555C19.7881 19.4126 19.8649 19.2875 19.925 19.1859C19.8649 19.0843 19.7881 18.9592 19.695 18.8167C19.4312 18.4129 19.0406 17.8761 18.5337 17.3417C17.5084 16.2606 16.0828 15.2658 14.3234 15.2658C12.5641 15.2658 11.1385 16.2606 10.1132 17.3417C9.60629 17.8761 9.21567 18.4129 8.95184 18.8167C8.85875 18.9592 8.78197 19.0843 8.72192 19.1859ZM20.6531 19.1859C21.2231 18.9041 21.223 18.9039 21.2229 18.9037L21.2219 18.9018L21.2199 18.8977L21.2132 18.8848C21.2076 18.874 21.1997 18.859 21.1896 18.8401C21.1693 18.8023 21.14 18.7487 21.1018 18.6815C21.0254 18.5473 20.9131 18.3584 20.7659 18.1331C20.4723 17.6838 20.0358 17.0831 19.4637 16.4799C18.3313 15.2859 16.5921 14.0057 14.3234 14.0057C12.0548 14.0057 10.3156 15.2859 9.18316 16.4799C8.61112 17.0831 8.17458 17.6838 7.88098 18.1331C7.73378 18.3584 7.62146 18.5473 7.54507 18.6815C7.50685 18.7487 7.47754 18.8023 7.45729 18.8401C7.44716 18.859 7.43929 18.874 7.4337 18.8848L7.42701 18.8977L7.42494 18.9018L7.42423 18.9032C7.42412 18.9034 7.42374 18.9041 7.99383 19.1859L7.42374 18.9041C7.33402 19.0815 7.33402 19.2903 7.42374 19.4676L7.99383 19.1859C7.42374 19.4676 7.42362 19.4674 7.42374 19.4676L7.42423 19.4686L7.42494 19.47L7.42701 19.4741L7.4337 19.487C7.43929 19.4978 7.44716 19.5127 7.45729 19.5317C7.47754 19.5695 7.50685 19.6231 7.54507 19.6903C7.62146 19.8245 7.73378 20.0134 7.88098 20.2386C8.17458 20.688 8.61112 21.2887 9.18316 21.8919C10.3156 23.0858 12.0548 24.366 14.3234 24.366C16.5921 24.366 18.3313 23.0858 19.4637 21.8919C20.0358 21.2887 20.4723 20.688 20.7659 20.2386C20.9131 20.0134 21.0254 19.8245 21.1018 19.6903C21.14 19.6231 21.1693 19.5695 21.1896 19.5317C21.1997 19.5127 21.2076 19.4978 21.2132 19.487L21.2199 19.4741L21.2219 19.47L21.2227 19.4686C21.2228 19.4684 21.2231 19.4676 20.6531 19.1859ZM20.6531 19.1859L21.2231 19.4676C21.3129 19.2903 21.3126 19.0811 21.2229 18.9037L20.6531 19.1859ZM14.3234 18.1096C13.7221 18.1096 13.2346 18.5915 13.2346 19.1859C13.2346 19.7803 13.7221 20.2622 14.3234 20.2622C14.9248 20.2622 15.4123 19.7803 15.4123 19.1859C15.4123 18.5915 14.9248 18.1096 14.3234 18.1096ZM11.9598 19.1859C11.9598 17.8956 13.018 16.8496 14.3234 16.8496C15.6288 16.8496 16.6871 17.8956 16.6871 19.1859C16.6871 20.4762 15.6288 21.5222 14.3234 21.5222C13.018 21.5222 11.9598 20.4762 11.9598 19.1859Z" fill="#0086C9"/>
+</svg>

app/assets/ico/theme/lightmode.svg

@@ -0,0 +1,4 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M14.3817 5.28003C22.1592 5.28003 28.4649 11.5865 28.4649 19.365C28.4649 27.1435 22.1592 33.45 14.3817 33.45C6.60065 33.4535 0.294922 27.1435 0.294922 19.365C0.294922 11.5865 6.60065 5.28003 14.3817 5.28003Z" fill="#E0F2FE"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M14.3225 11.6122C14.7096 11.6122 15.0235 11.9224 15.0235 12.3051V13.5561C15.0235 13.9388 14.7096 14.249 14.3225 14.249C13.9353 14.249 13.6215 13.9388 13.6215 13.5561V12.3051C13.6215 11.9224 13.9353 11.6122 14.3225 11.6122ZM8.90324 13.8293C9.17699 13.5587 9.62084 13.5587 9.8946 13.8293L10.7932 14.7176C11.067 14.9882 11.067 15.4269 10.7932 15.6975C10.5195 15.9681 10.0756 15.9681 9.80188 15.6975L8.90324 14.8092C8.62948 14.5386 8.62948 14.0999 8.90324 13.8293ZM19.7417 13.8293C20.0154 14.0999 20.0154 14.5386 19.7417 14.8092L18.843 15.6975C18.5693 15.9681 18.1254 15.9681 17.8517 15.6975C17.5779 15.4269 17.5779 14.9882 17.8517 14.7176L18.7503 13.8293C19.0241 13.5587 19.4679 13.5587 19.7417 13.8293ZM14.3225 16.7511C12.9621 16.7511 11.8592 17.8412 11.8592 19.1859C11.8592 20.5306 12.9621 21.6207 14.3225 21.6207C15.6829 21.6207 16.7857 20.5306 16.7857 19.1859C16.7857 17.8412 15.6829 16.7511 14.3225 16.7511ZM10.4572 19.1859C10.4572 17.0759 12.1878 15.3654 14.3225 15.3654C16.4572 15.3654 18.1877 17.0759 18.1877 19.1859C18.1877 21.2959 16.4572 23.0064 14.3225 23.0064C12.1878 23.0064 10.4572 21.2959 10.4572 19.1859ZM6.66016 19.1859C6.66016 18.8032 6.974 18.493 7.36115 18.493H8.62685C9.014 18.493 9.32784 18.8032 9.32784 19.1859C9.32784 19.5686 9.014 19.8788 8.62685 19.8788H7.36115C6.974 19.8788 6.66016 19.5686 6.66016 19.1859ZM19.3171 19.1859C19.3171 18.8032 19.6309 18.493 20.0181 18.493H21.2838C21.6709 18.493 21.9848 18.8032 21.9848 19.1859C21.9848 19.5686 21.6709 19.8788 21.2838 19.8788H20.0181C19.6309 19.8788 19.3171 19.5686 19.3171 19.1859ZM10.7932 22.6743C11.067 22.9449 11.067 23.3836 10.7932 23.6542L9.8946 24.5425C9.62084 24.8131 9.17699 24.8131 8.90324 24.5425C8.62948 24.2719 8.62948 23.8332 8.90324 23.5626L9.80188 22.6743C10.0756 22.4037 10.5195 22.4037 10.7932 22.6743ZM17.8517 22.6743C18.1254 22.4037 18.5693 22.4037 18.843 22.6743L19.7417 23.5626C20.0154 23.8332 20.0154 24.2719 19.7417 24.5425C19.4679 24.8131 19.0241 24.8131 18.7503 24.5425L17.8517 23.6542C17.5779 23.3836 17.5779 22.9449 17.8517 22.6743ZM14.3225 24.1228C14.7096 24.1228 15.0235 24.433 15.0235 24.8157V26.0667C15.0235 26.4494 14.7096 26.7596 14.3225 26.7596C13.9353 26.7596 13.6215 26.4494 13.6215 26.0667V24.8157C13.6215 24.433 13.9353 24.1228 14.3225 24.1228Z" fill="#0086C9"/>
+</svg>

app/assets/ico/vendor/aws.svg

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 19.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 304 182" style="enable-background:new 0 0 304 182;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#252F3E;}
+	.st1{fill-rule:evenodd;clip-rule:evenodd;fill:#FF9900;}
+</style>
+<g>
+	<path class="st0" d="M86.4,66.4c0,3.7,0.4,6.7,1.1,8.9c0.8,2.2,1.8,4.6,3.2,7.2c0.5,0.8,0.7,1.6,0.7,2.3c0,1-0.6,2-1.9,3l-6.3,4.2
+		c-0.9,0.6-1.8,0.9-2.6,0.9c-1,0-2-0.5-3-1.4C76.2,90,75,88.4,74,86.8c-1-1.7-2-3.6-3.1-5.9c-7.8,9.2-17.6,13.8-29.4,13.8
+		c-8.4,0-15.1-2.4-20-7.2c-4.9-4.8-7.4-11.2-7.4-19.2c0-8.5,3-15.4,9.1-20.6c6.1-5.2,14.2-7.8,24.5-7.8c3.4,0,6.9,0.3,10.6,0.8
+		c3.7,0.5,7.5,1.3,11.5,2.2v-7.3c0-7.6-1.6-12.9-4.7-16c-3.2-3.1-8.6-4.6-16.3-4.6c-3.5,0-7.1,0.4-10.8,1.3c-3.7,0.9-7.3,2-10.8,3.4
+		c-1.6,0.7-2.8,1.1-3.5,1.3c-0.7,0.2-1.2,0.3-1.6,0.3c-1.4,0-2.1-1-2.1-3.1v-4.9c0-1.6,0.2-2.8,0.7-3.5c0.5-0.7,1.4-1.4,2.8-2.1
+		c3.5-1.8,7.7-3.3,12.6-4.5c4.9-1.3,10.1-1.9,15.6-1.9c11.9,0,20.6,2.7,26.2,8.1c5.5,5.4,8.3,13.6,8.3,24.6V66.4z M45.8,81.6
+		c3.3,0,6.7-0.6,10.3-1.8c3.6-1.2,6.8-3.4,9.5-6.4c1.6-1.9,2.8-4,3.4-6.4c0.6-2.4,1-5.3,1-8.7v-4.2c-2.9-0.7-6-1.3-9.2-1.7
+		c-3.2-0.4-6.3-0.6-9.4-0.6c-6.7,0-11.6,1.3-14.9,4c-3.3,2.7-4.9,6.5-4.9,11.5c0,4.7,1.2,8.2,3.7,10.6
+		C37.7,80.4,41.2,81.6,45.8,81.6z M126.1,92.4c-1.8,0-3-0.3-3.8-1c-0.8-0.6-1.5-2-2.1-3.9L96.7,10.2c-0.6-2-0.9-3.3-0.9-4
+		c0-1.6,0.8-2.5,2.4-2.5h9.8c1.9,0,3.2,0.3,3.9,1c0.8,0.6,1.4,2,2,3.9l16.8,66.2l15.6-66.2c0.5-2,1.1-3.3,1.9-3.9c0.8-0.6,2.2-1,4-1
+		h8c1.9,0,3.2,0.3,4,1c0.8,0.6,1.5,2,1.9,3.9l15.8,67l17.3-67c0.6-2,1.3-3.3,2-3.9c0.8-0.6,2.1-1,3.9-1h9.3c1.6,0,2.5,0.8,2.5,2.5
+		c0,0.5-0.1,1-0.2,1.6c-0.1,0.6-0.3,1.4-0.7,2.5l-24.1,77.3c-0.6,2-1.3,3.3-2.1,3.9c-0.8,0.6-2.1,1-3.8,1h-8.6c-1.9,0-3.2-0.3-4-1
+		c-0.8-0.7-1.5-2-1.9-4L156,23l-15.4,64.4c-0.5,2-1.1,3.3-1.9,4c-0.8,0.7-2.2,1-4,1H126.1z M254.6,95.1c-5.2,0-10.4-0.6-15.4-1.8
+		c-5-1.2-8.9-2.5-11.5-4c-1.6-0.9-2.7-1.9-3.1-2.8c-0.4-0.9-0.6-1.9-0.6-2.8v-5.1c0-2.1,0.8-3.1,2.3-3.1c0.6,0,1.2,0.1,1.8,0.3
+		c0.6,0.2,1.5,0.6,2.5,1c3.4,1.5,7.1,2.7,11,3.5c4,0.8,7.9,1.2,11.9,1.2c6.3,0,11.2-1.1,14.6-3.3c3.4-2.2,5.2-5.4,5.2-9.5
+		c0-2.8-0.9-5.1-2.7-7c-1.8-1.9-5.2-3.6-10.1-5.2L246,52c-7.3-2.3-12.7-5.7-16-10.2c-3.3-4.4-5-9.3-5-14.5c0-4.2,0.9-7.9,2.7-11.1
+		c1.8-3.2,4.2-6,7.2-8.2c3-2.3,6.4-4,10.4-5.2c4-1.2,8.2-1.7,12.6-1.7c2.2,0,4.5,0.1,6.7,0.4c2.3,0.3,4.4,0.7,6.5,1.1
+		c2,0.5,3.9,1,5.7,1.6c1.8,0.6,3.2,1.2,4.2,1.8c1.4,0.8,2.4,1.6,3,2.5c0.6,0.8,0.9,1.9,0.9,3.3v4.7c0,2.1-0.8,3.2-2.3,3.2
+		c-0.8,0-2.1-0.4-3.8-1.2c-5.7-2.6-12.1-3.9-19.2-3.9c-5.7,0-10.2,0.9-13.3,2.8c-3.1,1.9-4.7,4.8-4.7,8.9c0,2.8,1,5.2,3,7.1
+		c2,1.9,5.7,3.8,11,5.5l14.2,4.5c7.2,2.3,12.4,5.5,15.5,9.6c3.1,4.1,4.6,8.8,4.6,14c0,4.3-0.9,8.2-2.6,11.6
+		c-1.8,3.4-4.2,6.4-7.3,8.8c-3.1,2.5-6.8,4.3-11.1,5.6C264.4,94.4,259.7,95.1,254.6,95.1z"/>
+	<g>
+		<path class="st1" d="M273.5,143.7c-32.9,24.3-80.7,37.2-121.8,37.2c-57.6,0-109.5-21.3-148.7-56.7c-3.1-2.8-0.3-6.6,3.4-4.4
+			c42.4,24.6,94.7,39.5,148.8,39.5c36.5,0,76.6-7.6,113.5-23.2C274.2,133.6,278.9,139.7,273.5,143.7z"/>
+		<path class="st1" d="M287.2,128.1c-4.2-5.4-27.8-2.6-38.5-1.3c-3.2,0.4-3.7-2.4-0.8-4.5c18.8-13.2,49.7-9.4,53.3-5
+			c3.6,4.5-1,35.4-18.6,50.2c-2.7,2.3-5.3,1.1-4.1-1.9C282.5,155.7,291.4,133.4,287.2,128.1z"/>
+	</g>
+</g>
+</svg>

app/assets/ico/vendor/azure.svg

@@ -0,0 +1,23 @@
+<svg width="36" height="40" viewBox="0 0 36 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M8.33911 7.95502H15.7413L8.0577 31.2225C7.9787 31.4619 7.82847 31.6695 7.62746 31.8165C7.42715 31.9636 7.18594 32.0428 6.93908 32.0428H1.17885C0.991942 32.0428 0.807152 31.9974 0.640699 31.9102C0.474247 31.823 0.330365 31.6961 0.221042 31.5411C0.11172 31.3862 0.040484 31.206 0.012977 31.0171C-0.0145299 30.8283 0.0016923 30.6351 0.0616433 30.4534L7.2212 8.77604C7.3002 8.53672 7.45043 8.32913 7.65144 8.18208C7.85175 8.03503 8.09296 7.95574 8.33982 7.95574L8.33911 7.95502Z" fill="url(#paint0_linear_7969_394201)"/>
+<path d="M19.0959 23.5616H7.35817C7.24885 23.5616 7.14235 23.5948 7.05207 23.6575C6.96179 23.7202 6.89196 23.8096 6.85247 23.9127C6.81227 24.0165 6.8038 24.1304 6.82778 24.2385C6.85176 24.3473 6.90748 24.4461 6.98718 24.5218L14.5297 31.7163C14.7491 31.9261 15.0382 32.0421 15.3387 32.0421H21.9848L19.0959 23.5602V23.5616Z" fill="#0078D4"/>
+<path d="M8.33953 7.95502C8.08985 7.9543 7.84652 8.03503 7.6448 8.18497C7.44308 8.33562 7.29356 8.54754 7.2188 8.79118L0.0712212 30.4347C0.00703836 30.6163 -0.0127103 30.8117 0.0126807 31.0027C0.0380717 31.1944 0.108602 31.3768 0.21722 31.5347C0.326542 31.6925 0.47113 31.8216 0.638993 31.9102C0.806855 31.9989 0.993057 32.045 1.18208 32.0443H7.09114C7.31119 32.0039 7.51714 31.9052 7.68712 31.7567C7.8578 31.6089 7.98617 31.4172 8.06023 31.2017L9.48565 26.9091L14.5773 31.7625C14.7903 31.9427 15.0583 32.0429 15.3355 32.045H21.9569L19.0524 23.5631L10.5866 23.5652L15.7685 7.95502H8.33953Z" fill="url(#paint1_linear_7969_394201)"/>
+<path d="M17.7935 8.7746C17.7145 8.536 17.5643 8.3284 17.364 8.18136C17.1637 8.03431 16.9231 7.95502 16.677 7.95502H8.42773C8.67459 7.95502 8.91439 8.03431 9.1147 8.18136C9.31501 8.3284 9.46524 8.536 9.54423 8.7746L16.7038 30.4542C16.7637 30.6351 16.7807 30.8283 16.7525 31.0178C16.725 31.2067 16.6537 31.3869 16.5444 31.5419C16.4351 31.6969 16.2919 31.8237 16.1247 31.9109C15.9583 31.9982 15.7742 32.0436 15.5866 32.0436H23.8358C24.0228 32.0436 24.2075 31.9982 24.374 31.9109C24.5404 31.8237 24.6843 31.6969 24.7929 31.5419C24.9023 31.3869 24.9735 31.2067 25.001 31.0178C25.0285 30.829 25.0123 30.6358 24.9523 30.4542L17.7935 8.7746Z" fill="url(#paint2_linear_7969_394201)"/>
+<defs>
+<linearGradient id="paint0_linear_7969_394201" x1="11.0376" y1="9.7405" x2="3.0443" y2="32.844" gradientUnits="userSpaceOnUse">
+<stop stop-color="#114A8B"/>
+<stop offset="1" stop-color="#0669BC"/>
+</linearGradient>
+<linearGradient id="paint1_linear_7969_394201" x1="13.4382" y1="20.5565" x2="11.6523" y2="21.1471" gradientUnits="userSpaceOnUse">
+<stop stop-opacity="0.3"/>
+<stop offset="0.07" stop-opacity="0.2"/>
+<stop offset="0.32" stop-opacity="0.1"/>
+<stop offset="0.62" stop-opacity="0.05"/>
+<stop offset="1" stop-opacity="0"/>
+</linearGradient>
+<linearGradient id="paint2_linear_7969_394201" x1="12.5157" y1="9.04202" x2="21.2812" y2="31.8921" gradientUnits="userSpaceOnUse">
+<stop stop-color="#3CCBF4"/>
+<stop offset="1" stop-color="#2892DF"/>
+</linearGradient>
+</defs>
+</svg>

app/assets/ico/vendor/civo.svg

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 width="711.364px" height="238.193px" viewBox="0 0 711.364 238.193" enable-background="new 0 0 711.364 238.193"
+	 xml:space="preserve">
+<g>
+	<path fill="#239DFF" d="M273.539,0.081h-29.424c-5.424,0-8.981,4.179-8.981,9.423v219.13c0,5.245,3.557,9.447,8.981,9.447h29.424
+		c5.424,0,9.595-4.202,9.595-9.447V9.504C283.134,4.26,278.963,0.081,273.539,0.081"/>
+	<path fill="#239DFF" d="M181.662,173.122c-2.671-5.859-10.327-7.473-15.027-3.072c-12.446,11.658-29.136,18.819-47.538,18.819
+		c-48.218,0-85.012-48.909-63.477-99.824c6.365-15.049,18.442-27.092,33.495-33.447c29.421-12.421,58.048-5.345,77.037,12.095
+		c4.749,4.361,12.365,2.814,15.04-3.054l12.744-27.956c2.039-4.474,0.631-9.721-3.292-12.685
+		C160.789,1.437,120.037-7.42,77.562,7.052C43.472,18.666,16.89,46.154,6.065,80.503c-25.894,82.163,34.749,157.69,113.032,157.69
+		c27.245,0,52.286-9.214,72.327-24.633c3.786-2.913,4.973-8.113,2.991-12.462L181.662,173.122z"/>
+	<path fill="#239DFF" d="M705.299,80.503c-10.825-34.349-37.407-61.837-71.497-73.451c-24.128-8.221-47.698-8.906-69.033-3.835
+		c-35.585,7.946-61.358,24.817-84.01,73.453l-45.455,98.598L358.15,5.667c-1.541-3.381-4.911-5.554-8.626-5.56l-33.706-0.053
+		c-6.917-0.011-11.524,7.142-8.653,13.436l100.064,218.79c1.542,3.383,4.917,5.67,8.634,5.671l1.637,0.131h37.841
+		c0.761,0,1.522-0.157,2.244-0.403c2.604-0.887,4.798-2.745,5.938-5.311c0,0,50.098-114.027,50.681-115.402
+		c15.244-35.949,24.495-50.922,48.691-61.206c18.307-7.78,39.955-8.727,60.885,0.753c14.57,6.599,26.028,18.657,32.122,33.443
+		c3.857,9.254,5.801,18.768,6.122,28.142c0.545,38.992-30.891,70.773-69.758,70.773c-18.402,0-35.092-7.162-47.538-18.819
+		c-4.7-4.402-12.356-2.788-15.027,3.071L516.947,201.1c-1.981,4.348-0.795,9.547,2.993,12.461
+		c20.04,15.418,45.081,24.633,72.326,24.633C670.55,238.193,731.192,162.666,705.299,80.503"/>
+</g>
+</svg>

app/assets/ico/vendor/digitalocean.svg

@@ -0,0 +1 @@
+<svg height="2500" width="2500" xmlns="http://www.w3.org/2000/svg" viewBox="0 -3.954 53.927 53.954"><g fill="#0080ff" fill-rule="evenodd"><path d="M24.915 50v-9.661c10.226 0 18.164-10.141 14.237-20.904a14.438 14.438 0 0 0-8.615-8.616C19.774 6.921 9.633 14.83 9.633 25.056H0C0 8.758 15.763-3.954 32.853 1.384 40.311 3.73 46.271 9.661 48.588 17.12 53.927 34.237 41.243 50 24.915 50"/><path d="M15.339 40.367h9.604v-9.604H15.34zm-7.401 7.401h7.4v-7.4h-7.4zm-6.187-7.4h6.187V34.18H1.751z"/></g></svg>