fix(templates): App templates not loading with error in browser console

* feat(api): introduce swagger

* feat(api): anottate api

* chore(api): tag endpoints

* chore(api): remove tags

* chore(api): add docs for oauth auth

* chore(api): document create endpoint api

* chore(api): document endpoint inspect and list

* chore(api): document endpoint update and snapshots

* docs(endpointgroups): document groups api

* docs(auth): document auth api

* chore(build): introduce a yarn script to build api docs

* docs(api): document auth

* docs(customtemplates): document customtemplates api

* docs(tags): document api

* docs(api): document the use of token

* docs(dockerhub): document dockerhub api

* docs(edgegroups): document edgegroups api

* docs(edgejobs): document api

* docs(edgestacks): doc api

* docs(http/upload): add security

* docs(api): document edge templates

* docs(edge): document edge jobs

* docs(endpointgroups): change description

* docs(endpoints): document missing apis

* docs(motd): doc api

* docs(registries): doc api

* docs(resourcecontrol): api doc

* docs(role): add swagger docs

* docs(settings): add swagger docs

* docs(api/status): add swagger docs

* docs(api/teammembership): add swagger docs

* docs(api/teams): add swagger docs

* docs(api/templates): add swagger docs

* docs(api/users): add swagger docs

* docs(api/webhooks): add swagger docs

* docs(api/webscokets): add swagger docs

* docs(api/stacks): swagger

* docs(api): fix missing apis

* docs(swagger): regen

* chore(build): remove docs from build

* docs(api): update tags

* docs(api): document tags

* docs(api): add description

* docs(api): rename jwt token

* docs(api): add info about types

* docs(api): document types

* docs(api): update request types annotation

* docs(api): doc registry and resource control

* chore(docs): add snippet

* docs(api): add description to role

* docs(api): add types for settings

* docs(status): add types

* style(swagger): remove documented code

* docs(http/upload): update docs with types

* docs(http/tags): add types

* docs(api/custom_templates): add types

* docs(api/teammembership): add types

* docs(http/teams): add types

* docs(http/stacks): add types

* docs(edge): add types to edgestack

* docs(http/teammembership): remove double returns

* docs(api/user): add types

* docs(http): fixes to make file built

* chore(snippets): add scope to swagger snippet

* chore(deps): install swag

* chore(swagger): remove handler

* docs(api): add description

* docs(api): ignore docs folder

* docs(api): add contributing guidelines

* docs(api): cleanup handler

* chore(deps): require swaggo

* fix(auth): fix typo

* fix(docs): make http ids pascal case

* feat(edge): add ids to http handlers

* fix(docs): add ids

* fix(docs): show correct api version

* chore(deps): remove swaggo dependency

* chore(docs): add install script for swag

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,6 +1,10 @@
 ---
 name: Bug report
 about: Create a bug report
+title: ''
+labels: bug/need-confirmation, kind/bug
+assignees: ''
+
 ---
 
 <!--
@@ -44,6 +48,8 @@ You can see how [here](https://documentation.portainer.io/archive/1.23.2/faq/#ho
 - Platform (windows/linux):
 - Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
 - Browser:
+- Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+- Have you reviewed our technical documentation and knowledge base? Yes/No
 
 **Additional context**
 Add any other context about the problem here.

.github/ISSUE_TEMPLATE/Custom.md

@@ -1,11 +1,20 @@
 ---
 name: Question
 about: Ask us a question about Portainer usage or deployment
+title: ''
+labels: ''
+assignees: ''
+
 ---
+Before you start, we need a little bit more information from you:
+
+Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+
+Have you reviewed our technical documentation and knowledge base? Yes/No
 
 <!--
 
-You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+You can find more information about Portainer support framework policy here: https://old.portainer.io/2019/04/portainer-support-policy/
 
 Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
 

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,6 +1,10 @@
 ---
 name: Feature request
 about: Suggest a feature/enhancement that should be added in Portainer
+title: ''
+labels: ''
+assignees: ''
+
 ---
 
 <!--

.github/workflows/rebase.yml

@@ -0,0 +1,19 @@
+name: Automatic Rebase
+on:
+  issue_comment:
+    types: [created]
+jobs:
+  rebase:
+    name: Rebase
+    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the latest code
+        uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+      - name: Automatic Rebase
+        uses: cirrus-actions/rebase@1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -8,3 +8,6 @@ api/cmd/portainer/portainer*
 **/.vscode/tasks.json
 
 .eslintcache
+__debug_bin
+
+api/docs

.vscode.example/launch.json

@@ -0,0 +1,19 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "program": "${workspaceRoot}/api/cmd/portainer/main.go",
+      "cwd": "${workspaceRoot}",
+      "env": {},
+      "showLog": true,
+      "args": ["--data", "${env:HOME}/portainer-data", "--assets", "${workspaceRoot}/dist"]
+    }
+  ]
+}

.vscode.example/portainer.code-snippets

@@ -21,11 +21,11 @@
     "description": "Dummy Angularjs Component",
     "body": [
       "import angular from 'angular';",
-      "import ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/}Controller from './${TM_FILENAME_BASE}Controller'",
+      "import controller from './${TM_FILENAME_BASE}Controller'",
       "",
       "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').component('$TM_FILENAME_BASE', {",
       "  templateUrl: './$TM_FILENAME_BASE.html',",
-      "  controller: ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/}Controller,",
+      "  controller,",
       "});",
       ""
     ]
@@ -44,25 +44,6 @@
     ],
     "description": "Dummy ES6+ controller"
   },
-  "Model": {
-    "scope": "javascript",
-    "prefix": "mymodel",
-    "description": "Dummy ES6+ model",
-    "body": [
-      "/**",
-      " * $1 Model",
-      " */",
-      "const _$1 = Object.freeze({",
-      "  $0",
-      "});",
-      "",
-      "export class $1 {",
-      "  constructor() {",
-      "    Object.assign(this, JSON.parse(JSON.stringify(_$1)));",
-      "  }",
-      "}"
-    ]
-  },
   "Service": {
     "scope": "javascript",
     "prefix": "myservice",
@@ -158,5 +139,29 @@
       "export default $1;",
       "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').service('$1', $1);"
     ]
+  },
+  "swagger-api-doc": {
+    "prefix": "swapi",
+    "scope": "go",
+    "description": "Snippet for a api doc",
+    "body": [
+      "// @id ",
+      "// @summary ",
+      "// @description ",
+      "// @description **Access policy**: ",
+      "// @tags ",
+      "// @security jwt",
+      "// @accept json",
+      "// @produce json",
+      "// @param id path int true \"identifier\"",
+      "// @param body body Object true \"details\"",
+      "// @success 200 {object} portainer. \"Success\"",
+      "// @success 204 \"Success\"",
+      "// @failure 400 \"Invalid request\"",
+      "// @failure 403 \"Permission denied\"",
+      "// @failure 404 \" not found\"",
+      "// @failure 500 \"Server error\"",
+      "// @router /{id} [get]"
+    ]
   }
 }

CONTRIBUTING.md

@@ -94,3 +94,36 @@ $ yarn start
 Portainer can now be accessed at <http://localhost:9000>.
 
 Find more detailed steps at <https://documentation.portainer.io/contributing/instructions/>.
+
+## Adding api docs
+
+When adding a new resource (or a route handler), we should add a new tag to api/http/handler/handler.go#L136 like this:
+
+```
+// @tag.name <Name of resource>
+// @tag.description a short description
+```
+
+When adding a new route to an existing handler use the following as a template (you can use `swapi` snippet if you're using vscode):
+
+```
+// @id
+// @summary
+// @description
+// @description **Access policy**:
+// @tags
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "identifier"
+// @param body body Object true "details"
+// @success 200 {object} portainer. "Success"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 " not found"
+// @failure 500 "Server error"
+// @router /{id} [get]
+```
+
+explanation about each line can be found (here)[https://github.com/swaggo/swag#api-operation]

README.md

@@ -28,15 +28,15 @@ Unlike the public demo, the playground sessions are deleted after 4 hours. Apart
 
 ## Getting started
 
-- [Deploy Portainer](https://www.portainer.io/installation/)
+- [Deploy Portainer](https://documentation.portainer.io/quickstart/)
 - [Documentation](https://documentation.portainer.io)
 - [Building Portainer](https://documentation.portainer.io/contributing/instructions/)
 
 ## Getting help
 
-For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products-services/portainer-business-support/
+For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products/portainer-business
 
-For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/products/community-edition/customer-success
 
 - Issues: https://github.com/portainer/portainer/issues
 - FAQ: https://documentation.portainer.io

api/api-description.md

@@ -0,0 +1,53 @@
+Portainer API is an HTTP API served by Portainer. It is used by the Portainer UI and everything you can do with the UI can be done using the HTTP API.
+Examples are available at https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8
+You can find out more about Portainer at [http://portainer.io](http://portainer.io) and get some support on [Slack](http://portainer.io/slack/).
+
+# Authentication
+
+Most of the API endpoints require to be authenticated as well as some level of authorization to be used.
+Portainer API uses JSON Web Token to manage authentication and thus requires you to provide a token in the **Authorization** header of each request
+with the **Bearer** authentication mechanism.
+
+Example:
+
+```
+Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE
+```
+
+# Security
+
+Each API endpoint has an associated access policy, it is documented in the description of each endpoint.
+
+Different access policies are available:
+
+- Public access
+- Authenticated access
+- Restricted access
+- Administrator access
+
+### Public access
+
+No authentication is required to access the endpoints with this access policy.
+
+### Authenticated access
+
+Authentication is required to access the endpoints with this access policy.
+
+### Restricted access
+
+Authentication is required to access the endpoints with this access policy.
+Extra-checks might be added to ensure access to the resource is granted. Returned data might also be filtered.
+
+### Administrator access
+
+Authentication as well as an administrator role are required to access the endpoints with this access policy.
+
+# Execute Docker requests
+
+Portainer **DO NOT** expose specific endpoints to manage your Docker resources (create a container, remove a volume, etc...).
+
+Instead, it acts as a reverse-proxy to the Docker HTTP API. This means that you can execute Docker requests **via** the Portainer HTTP API.
+
+To do so, you can use the `/endpoints/{id}/docker` Portainer API endpoint (which is not documented below due to Swagger limitations). This endpoint has a restricted access policy so you still need to be authenticated to be able to query this endpoint. Any query on this endpoint will be proxied to the Docker API of the associated endpoint (requests and responses objects are the same as documented in the Docker API).
+
+**NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8).

api/bolt/datastore.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/edgegroup"
@@ -69,6 +69,14 @@ type Store struct {
 	WebhookService          *webhook.Service
 }
 
+func (store *Store) edition() portainer.SoftwareEdition {
+	edition, err := store.VersionService.Edition()
+	if err == errors.ErrObjectNotFound {
+		edition = portainer.PortainerCE
+	}
+	return edition
+}
+
 // NewStore initializes a new Store and the associated services
 func NewStore(storePath string, fileService portainer.FileService) (*Store, error) {
 	store := &Store{
@@ -116,6 +124,14 @@ func (store *Store) IsNew() bool {
 	return store.isNew
 }
 
+// CheckCurrentEdition checks if current edition is community edition
+func (store *Store) CheckCurrentEdition() error {
+	if store.edition() != portainer.PortainerCE {
+		return errors.ErrWrongDBEdition
+	}
+	return nil
+}
+
 // MigrateData automatically migrate the data based on the DBVersion.
 // This process is only triggered on an existing database, not if the database was just created.
 func (store *Store) MigrateData() error {

api/bolt/errors/errors.go

@@ -4,4 +4,5 @@ import "errors"
 
 var (
 	ErrObjectNotFound = errors.New("Object not found inside the database")
+	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documention to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
 )

api/bolt/init.go

@@ -40,18 +40,11 @@ func (store *Store) Init() error {
 					portainer.LDAPGroupSearchSettings{},
 				},
 			},
-			OAuthSettings:                             portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:            true,
-			AllowPrivilegedModeForRegularUsers:        true,
-			AllowVolumeBrowserForRegularUsers:         false,
-			AllowHostNamespaceForRegularUsers:         true,
-			AllowDeviceMappingForRegularUsers:         true,
-			AllowStackManagementForRegularUsers:       true,
-			AllowContainerCapabilitiesForRegularUsers: true,
-			EnableHostManagementFeatures:              false,
-			EdgeAgentCheckinInterval:                  portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:                              portainer.DefaultTemplatesURL,
-			UserSessionTimeout:                        portainer.DefaultUserSessionTimeout,
+			OAuthSettings: portainer.OAuthSettings{},
+
+			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+			TemplatesURL:             portainer.DefaultTemplatesURL,
+			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 		}
 
 		err = store.SettingsService.UpdateSettings(defaultSettings)

api/bolt/migrator/migrate_dbversion25.go

@@ -0,0 +1,51 @@
+package migrator
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+func (m *Migrator) updateEndpointSettingsToDB25() error {
+	settings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for i := range endpoints {
+		endpoint := endpoints[i]
+
+		securitySettings := portainer.EndpointSecuritySettings{}
+
+		if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment ||
+			endpoint.Type == portainer.AgentOnDockerEnvironment ||
+			endpoint.Type == portainer.DockerEnvironment {
+
+			securitySettings = portainer.EndpointSecuritySettings{
+				AllowBindMountsForRegularUsers:            settings.AllowBindMountsForRegularUsers,
+				AllowContainerCapabilitiesForRegularUsers: settings.AllowContainerCapabilitiesForRegularUsers,
+				AllowDeviceMappingForRegularUsers:         settings.AllowDeviceMappingForRegularUsers,
+				AllowHostNamespaceForRegularUsers:         settings.AllowHostNamespaceForRegularUsers,
+				AllowPrivilegedModeForRegularUsers:        settings.AllowPrivilegedModeForRegularUsers,
+				AllowStackManagementForRegularUsers:       settings.AllowStackManagementForRegularUsers,
+			}
+
+			if endpoint.Type == portainer.AgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
+				securitySettings.AllowVolumeBrowserForRegularUsers = settings.AllowVolumeBrowserForRegularUsers
+				securitySettings.EnableHostManagementFeatures = settings.EnableHostManagementFeatures
+			}
+		}
+
+		endpoint.SecuritySettings = securitySettings
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrator.go

@@ -342,5 +342,13 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// Portainer 2.1.0
+	if m.currentDBVersion < 26 {
+		err := m.updateEndpointSettingsToDB25()
+		if err != nil {
+			return err
+		}
+	}
+
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }

api/bolt/user/user.go

@@ -4,6 +4,7 @@ import (
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
+	"strings"
 
 	"github.com/boltdb/bolt"
 )
@@ -47,6 +48,8 @@ func (service *Service) User(ID portainer.UserID) (*portainer.User, error) {
 func (service *Service) UserByUsername(username string) (*portainer.User, error) {
 	var user *portainer.User
 
+	username = strings.ToLower(username)
+
 	err := service.db.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
@@ -58,7 +61,7 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 				return err
 			}
 
-			if u.Username == username {
+			if strings.ToLower(u.Username) == username {
 				user = &u
 				break
 			}
@@ -123,6 +126,7 @@ func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User,
 // UpdateUser saves a user.
 func (service *Service) UpdateUser(ID portainer.UserID, user *portainer.User) error {
 	identifier := internal.Itob(int(ID))
+	user.Username = strings.ToLower(user.Username)
 	return internal.UpdateObject(service.db, BucketName, identifier, user)
 }
 
@@ -133,6 +137,7 @@ func (service *Service) CreateUser(user *portainer.User) error {
 
 		id, _ := bucket.NextSequence()
 		user.ID = portainer.UserID(id)
+		user.Username = strings.ToLower(user.Username)
 
 		data, err := internal.MarshalObject(user)
 		if err != nil {

api/bolt/version/version.go

@@ -4,6 +4,7 @@ import (
 	"strconv"
 
 	"github.com/boltdb/bolt"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 )
@@ -13,6 +14,7 @@ const (
 	BucketName  = "version"
 	versionKey  = "DB_VERSION"
 	instanceKey = "INSTANCE_ID"
+	editionKey  = "EDITION"
 )
 
 // Service represents a service to manage stored versions.
@@ -56,6 +58,21 @@ func (service *Service) DBVersion() (int, error) {
 	return strconv.Atoi(string(data))
 }
 
+// Edition retrieves the stored portainer edition.
+func (service *Service) Edition() (portainer.SoftwareEdition, error) {
+	editionData, err := service.getKey(editionKey)
+	if err != nil {
+		return 0, err
+	}
+
+	edition, err := strconv.Atoi(string(editionData))
+	if err != nil {
+		return 0, err
+	}
+
+	return portainer.SoftwareEdition(edition), nil
+}
+
 // StoreDBVersion store the database version.
 func (service *Service) StoreDBVersion(version int) error {
 	return service.db.Update(func(tx *bolt.Tx) error {
@@ -99,3 +116,36 @@ func (service *Service) StoreInstanceID(ID string) error {
 		return bucket.Put([]byte(instanceKey), data)
 	})
 }
+
+func (service *Service) getKey(key string) ([]byte, error) {
+	var data []byte
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		value := bucket.Get([]byte(key))
+		if value == nil {
+			return errors.ErrObjectNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+func (service *Service) setKey(key string, value string) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data := []byte(value)
+		return bucket.Put([]byte(key), data)
+	})
+}

api/cmd/portainer/main.go

@@ -12,16 +12,17 @@ import (
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
+
 	"github.com/portainer/portainer/api/exec"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/git"
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/http/proxy"
-	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/internal/snapshot"
 	"github.com/portainer/portainer/api/jwt"
-	k8s "github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/libcompose"
@@ -73,7 +74,7 @@ func initDataStore(dataStorePath string, fileService portainer.FileService) port
 	return store
 }
 
-func initComposeStackManager(assetsPath string, dataStorePath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager proxy.Manager) portainer.ComposeStackManager {
+func initComposeStackManager(assetsPath string, dataStorePath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
 	composeWrapper := exec.NewComposeWrapper(assetsPath, proxyManager)
 	if composeWrapper != nil {
 		return composeWrapper
@@ -96,6 +97,10 @@ func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error)
 		return nil, err
 	}
 
+	if settings.UserSessionTimeout == "" {
+		settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+		dataStore.Settings().UpdateSettings(settings)
+	}
 	jwtService, err := jwt.NewService(settings.UserSessionTimeout)
 	if err != nil {
 		return nil, err
@@ -133,7 +138,7 @@ func initKubernetesClientFactory(signatureService portainer.DigitalSignatureServ
 
 func initSnapshotService(snapshotInterval string, dataStore portainer.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory) (portainer.SnapshotService, error) {
 	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
-	kubernetesSnapshotter := k8s.NewSnapshotter(kubernetesClientFactory)
+	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)
 
 	snapshotService, err := snapshot.NewService(snapshotInterval, dataStore, dockerSnapshotter, kubernetesSnapshotter)
 	if err != nil {
@@ -244,6 +249,18 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+
+		SecuritySettings: portainer.EndpointSecuritySettings{
+			AllowVolumeBrowserForRegularUsers: false,
+			EnableHostManagementFeatures:      false,
+
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowHostNamespaceForRegularUsers:         true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+		},
 	}
 
 	if strings.HasPrefix(endpoint.URL, "tcp://") {
@@ -293,6 +310,18 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+
+		SecuritySettings: portainer.EndpointSecuritySettings{
+			AllowVolumeBrowserForRegularUsers: false,
+			EnableHostManagementFeatures:      false,
+
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowHostNamespaceForRegularUsers:         true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+		},
 	}
 
 	err := snapshotService.SnapshotEndpoint(endpoint)
@@ -347,6 +376,10 @@ func main() {
 	dataStore := initDataStore(*flags.Data, fileService)
 	defer dataStore.Close()
 
+	if err := dataStore.CheckCurrentEdition(); err != nil {
+		log.Fatal(err)
+	}
+
 	jwtService, err := initJWTService(dataStore)
 	if err != nil {
 		log.Fatal(err)
@@ -387,10 +420,10 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	kubernetesTokenCacheManager := kubernetes.NewTokenCacheManager()
+	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()
 	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager)
 
-	composeStackManager := initComposeStackManager(*flags.Assets, *flags.Data, reverseTunnelService, *proxyManager)
+	composeStackManager := initComposeStackManager(*flags.Assets, *flags.Data, reverseTunnelService, proxyManager)
 
 	kubernetesDeployer := initKubernetesDeployer(*flags.Assets)
 
@@ -471,7 +504,7 @@ func main() {
 		LDAPService:                 ldapService,
 		OAuthService:                oauthService,
 		GitService:                  gitService,
-		ProxyManager:                *proxyManager,
+		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		SignatureService:            digitalSignatureService,
 		SnapshotService:             snapshotService,

api/exec/compose_wrapper.go

@@ -4,12 +4,10 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
-	"log"
-	"net"
-	"net/http"
 	"os"
 	"os/exec"
 	"path"
+	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
@@ -18,11 +16,11 @@ import (
 // ComposeWrapper is a wrapper for docker-compose binary
 type ComposeWrapper struct {
 	binaryPath   string
-	proxyManager proxy.Manager
+	proxyManager *proxy.Manager
 }
 
 // NewComposeWrapper returns a docker-compose wrapper if corresponding binary present, otherwise nil
-func NewComposeWrapper(binaryPath string, proxyManager proxy.Manager) *ComposeWrapper {
+func NewComposeWrapper(binaryPath string, proxyManager *proxy.Manager) *ComposeWrapper {
 	if !IsBinaryPresent(programPath(binaryPath, "docker-compose")) {
 		return nil
 	}
@@ -33,6 +31,11 @@ func NewComposeWrapper(binaryPath string, proxyManager proxy.Manager) *ComposeWr
 	}
 }
 
+// ComposeSyntaxMaxVersion returns the maximum supported version of the docker compose syntax
+func (w *ComposeWrapper) ComposeSyntaxMaxVersion() string {
+	return portainer.ComposeSyntaxMaxVersion
+}
+
 // Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
 func (w *ComposeWrapper) Up(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
 	_, err := w.command([]string{"up", "-d"}, stack, endpoint)
@@ -46,6 +49,10 @@ func (w *ComposeWrapper) Down(stack *portainer.Stack, endpoint *portainer.Endpoi
 }
 
 func (w *ComposeWrapper) command(command []string, stack *portainer.Stack, endpoint *portainer.Endpoint) ([]byte, error) {
+	if endpoint == nil {
+		return nil, errors.New("cannot call a compose command on an empty endpoint")
+	}
+
 	program := programPath(w.binaryPath, "docker-compose")
 
 	options := setComposeFile(stack)
@@ -56,42 +63,17 @@ func (w *ComposeWrapper) command(command []string, stack *portainer.Stack, endpo
 		return nil, err
 	}
 
-	if endpoint != nil {
+	if !(endpoint.URL == "" || strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://")) {
 
-		if endpoint.URL != "" {
-			proxy, err := w.proxyManager.CreateAndRegisterComposeEndpointProxy(endpoint)
-
-			listener, err := net.Listen("tcp", ":0")
-			if err != nil {
-				return nil, err
-			}
-			log.Printf("Proxy Server: %v", proxy)
-			server := http.Server{
-				Handler: proxy,
-			}
-
-			shutdownChan := make(chan error, 1)
-			port := listener.Addr().(*net.TCPAddr).Port
-			go func() {
-				log.Printf("Starting Proxy server on %s...\n", fmt.Sprintf("http://localhost:%d", port))
-				// details are the same as for the `server.ListenAndServe()` section above
-				err := server.Serve(listener)
-				log.Printf("Proxy Server exited with '%v' error\n", err)
-
-				if err != http.ErrServerClosed {
-					log.Printf("Put '%v' error returned by Proxy Server to shutdown channel\n", err)
-					shutdownChan <- err
-				}
-			}()
-
-			defer server.Close()
-
-			options = append(options, "-H", fmt.Sprintf("http://localhost:%d", port))
+		proxy, err := w.proxyManager.CreateComposeProxyServer(endpoint)
+		if err != nil {
+			return nil, err
 		}
 
-	}
+		defer proxy.Close()
 
-	// options = addTLSConnectionOptions(options, endpoint)
+		options = append(options, "-H", fmt.Sprintf("http://127.0.0.1:%d", proxy.Port))
+	}
 
 	args := append(options, command...)
 
@@ -119,46 +101,6 @@ func setComposeFile(stack *portainer.Stack) []string {
 	return options
 }
 
-func addTLSConnectionOptions(options []string, endpoint *portainer.Endpoint) []string {
-	if endpoint.TLSConfig.TLS {
-		options = append(options, "--tls")
-
-		if !endpoint.TLSConfig.TLSSkipVerify {
-			options = append(options, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
-		}
-
-		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
-			options = append(options, "--tlscert", endpoint.TLSConfig.TLSCertPath, "--tlskey", endpoint.TLSConfig.TLSKeyPath)
-		}
-	}
-
-	return options
-}
-
-func addConnectionOptions(options []string, endpoint *portainer.Endpoint) []string {
-	if endpoint == nil {
-		return options
-	}
-
-	if endpoint.URL != "" {
-		options = append(options, "-H", endpoint.URL)
-	}
-
-	if endpoint.TLSConfig.TLS {
-		options = append(options, "--tls")
-
-		if !endpoint.TLSConfig.TLSSkipVerify {
-			options = append(options, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
-		}
-
-		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
-			options = append(options, "--tlscert", endpoint.TLSConfig.TLSCertPath, "--tlskey", endpoint.TLSConfig.TLSKeyPath)
-		}
-	}
-
-	return options
-}
-
 func addProjectNameOption(options []string, stack *portainer.Stack) []string {
 	if stack == nil || stack.Name == "" {
 		return options

api/exec/compose_wrapper_integration_test.go

@@ -42,7 +42,7 @@ func Test_UpAndDown(t *testing.T) {
 
 	stack, endpoint := setup(t)
 
-	w := NewComposeWrapper("")
+	w := NewComposeWrapper("", nil)
 
 	err := w.Up(stack, endpoint)
 	if err != nil {

api/exec/compose_wrapper_test.go

@@ -85,53 +85,6 @@ func Test_addProjectNameOption(t *testing.T) {
 	}
 }
 
-func Test_addConnectionOptions(t *testing.T) {
-	tests := []struct {
-		name     string
-		endpoint *portainer.Endpoint
-		expected []string
-	}{
-		{
-			name:     "should not add options if endpoint is missing",
-			endpoint: nil,
-			expected: []string{},
-		},
-		{
-			name:     "should not add hostname if endpoint doesn't have url",
-			endpoint: &portainer.Endpoint{},
-			expected: []string{},
-		},
-		{
-			name: "should add hostname name option if endpoint has url",
-			endpoint: &portainer.Endpoint{
-				URL: "host:port",
-			},
-			expected: []string{"-H", "host:port"},
-		},
-		{
-			name: "should add tls options if endpoint has tls setup",
-			endpoint: &portainer.Endpoint{
-				TLSConfig: portainer.TLSConfiguration{
-					TLS:           true,
-					TLSSkipVerify: false,
-					TLSCACertPath: "ca-cert-path",
-					TLSCertPath:   "cert-path",
-					TLSKeyPath:    "key-path",
-				},
-			},
-			expected: []string{"--tls", "--tlsverify", "--tlscacert", "ca-cert-path", "--tlscert", "cert-path", "--tlskey", "key-path"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			options := []string{"-a", "b"}
-			result := addConnectionOptions(options, tt.endpoint)
-			assert.ElementsMatch(t, append(options, tt.expected...), result)
-		})
-	}
-}
-
 func Test_addEnvFileOption(t *testing.T) {
 	dir := t.TempDir()
 

api/exec/swarm_stack.go

@@ -134,6 +134,8 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPa
 
 		if !endpoint.TLSConfig.TLSSkipVerify {
 			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
+		} else {
+			args = append(args, "--tlscacert", "''")
 		}
 
 		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {

api/go.mod

@@ -15,7 +15,6 @@ require (
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
 	github.com/go-ldap/ldap/v3 v3.1.8
 	github.com/gofrs/uuid v3.2.0+incompatible
-	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/websocket v1.4.1
@@ -23,22 +22,16 @@ require (
 	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
 	github.com/json-iterator/go v1.1.8
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/mattn/go-shellwords v1.0.6 // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/portainer/libcompose v0.5.3
 	github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
 	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
-	github.com/sirupsen/logrus v1.4.2 // indirect
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
 	golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f // indirect
-	google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24 // indirect
-	google.golang.org/grpc v1.26.0 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	k8s.io/api v0.17.2

api/go.sum

@@ -40,7 +40,6 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/containerd/containerd v1.3.1 h1:LdbWxLhkAIxGO7h3mATHkyav06WuDs/yTWxIljJOTks=
 github.com/containerd/containerd v1.3.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
@@ -81,8 +80,6 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
@@ -112,9 +109,6 @@ github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -182,8 +176,6 @@ github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c/go.mod h1:Nn5wlyECw3iJrzi0AhIWg+AJUb4PlRQVW4/3XHH1LZA=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -231,8 +223,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -249,8 +239,6 @@ github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQ
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0 h1:kRhiuYSXR3+uv2IbVbZhUxK5zVD/2pp3Gd2PpvPkpEo=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
@@ -264,8 +252,6 @@ github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -285,7 +271,6 @@ github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/urfave/cli v1.21.0 h1:wYSSj06510qPIzGSua9ZqsncMmWE3Zr55KBERygyrxE=
 github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
 github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
@@ -347,15 +332,12 @@ golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 h1:4y9KwBHBgBNwDbtu44R5o1fdOCQUEXhbk/P4A9WmJq0=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f h1:6Sc1XOXTulBN6imkqo6XoAXDEzoQ4/ro6xy7Vn8+rOM=
-golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -383,15 +365,9 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7 h1:ZUjXAXmrAyrmmCPHgCA/vChHcpsX27MZ3yBonD/z1KE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24 h1:wDju+RU97qa0FZT0QnZDg9Uc2dH0Ql513kFvHocz+WM=
-google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.26.0 h1:2dTRdpdFEEhJYQD8EMLB61nnrzSCTbG38PhqdhvOltg=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

api/http/handler/auth/authenticate.go

@@ -10,18 +10,21 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 )
 
 type authenticatePayload struct {
-	Username string
-	Password string
+	// Username
+	Username string `example:"admin" validate:"required"`
+	// Password
+	Password string `example:"mypassword" validate:"required"`
 }
 
 type authenticateResponse struct {
-	JWT string `json:"jwt"`
+	// JWT token used to authenticate against the API
+	JWT string `json:"jwt" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE"`
 }
 
 func (payload *authenticatePayload) Validate(r *http.Request) error {
@@ -34,6 +37,18 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id AuthenticateUser
+// @summary Authenticate
+// @description Use this endpoint to authenticate against Portainer using a username and password.
+// @tags auth
+// @accept json
+// @produce json
+// @param body body authenticatePayload true "Credentials used for authentication"
+// @success 200 {object} authenticateResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 422 "Invalid Credentials"
+// @failure 500 "Server error"
+// @router /auth [post]
 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload authenticatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/auth/authenticate_oauth.go

@@ -8,12 +8,13 @@ import (
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 )
 
 type oauthPayload struct {
+	// OAuth code returned from OAuth Provided
 	Code string
 }
 
@@ -24,6 +25,17 @@ func (payload *oauthPayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id AuthenticateOauth
+// @summary Authenticate with OAuth
+// @tags auth
+// @accept json
+// @produce json
+// @param body body oauthPayload true "OAuth Credentials used for authentication"
+// @success 200 {object} authenticateResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 422 "Invalid Credentials"
+// @failure 500 "Server error"
+// @router /auth/oauth/validate [post]
 func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuthSettings) (string, error) {
 	if code == "" {
 		return "", errors.New("Invalid OAuth authorization code")

api/http/handler/auth/logout.go

@@ -8,7 +8,13 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// POST request on /logout
+// @id Logout
+// @summary Logout
+// @security jwt
+// @tags auth
+// @success 204 "Success"
+// @failure 500 "Server error"
+// @router /auth/logout [post]
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	tokenData, err := security.RetrieveTokenData(r)
 	if err != nil {

api/http/handler/customtemplates/customtemplate_create.go

@@ -15,6 +15,27 @@ import (
 	"github.com/portainer/portainer/api/internal/authorization"
 )
 
+// @id CustomTemplateCreate
+// @summary Create a custom template
+// @description Create a custom template.
+// @description **Access policy**: authenticated
+// @tags custom_templates
+// @security jwt
+// @accept json, multipart/form-data
+// @produce json
+// @param method query string true "method for creating template" Enums(string, file, repository)
+// @param body_string body customTemplateFromFileContentPayload false "Required when using method=string"
+// @param body_repository body customTemplateFromGitRepositoryPayload false "Required when using method=repository"
+// @param Title formData string false "Title of the template. required when method is file"
+// @param Description formData string false "Description of the template. required when method is file"
+// @param Note formData string false "A note that will be displayed in the UI. Supports HTML content"
+// @param Platform formData int false "Platform associated to the template (1 - 'linux', 2 - 'windows'). required when method is file" Enums(1,2)
+// @param Type formData int false "Type of created stack (1 - swarm, 2 - compose), required when method is file" Enums(1,2)
+// @param file formData file false "required when method is file"
+// @success 200 {object} portainer.CustomTemplate
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /custom_templates [post]
 func (handler *Handler) customTemplateCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	method, err := request.RetrieveQueryParameter(r, "method", false)
 	if err != nil {
@@ -74,13 +95,21 @@ func (handler *Handler) createCustomTemplate(method string, r *http.Request) (*p
 }
 
 type customTemplateFromFileContentPayload struct {
-	Logo        string
-	Title       string
-	FileContent string
-	Description string
-	Note        string
-	Platform    portainer.CustomTemplatePlatform
-	Type        portainer.StackType
+	// URL of the template's logo
+	Logo string `example:"https://cloudinovasi.id/assets/img/logos/nginx.png"`
+	// Title of the template
+	Title string `example:"Nginx" validate:"required"`
+	// Description of the template
+	Description string `example:"High performance web server" validate:"required"`
+	// A note that will be displayed in the UI. Supports HTML content
+	Note string `example:"This is my <b>custom</b> template"`
+	// Platform associated to the template.
+	// Valid values are: 1 - 'linux', 2 - 'windows'
+	Platform portainer.CustomTemplatePlatform `example:"1" enums:"1,2" validate:"required"`
+	// Type of created stack (1 - swarm, 2 - compose)
+	Type portainer.StackType `example:"1" enums:"1,2" validate:"required"`
+	// Content of stack file
+	FileContent string `validate:"required"`
 }
 
 func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) error {
@@ -132,18 +161,32 @@ func (handler *Handler) createCustomTemplateFromFileContent(r *http.Request) (*p
 }
 
 type customTemplateFromGitRepositoryPayload struct {
-	Logo                        string
-	Title                       string
-	Description                 string
-	Note                        string
-	Platform                    portainer.CustomTemplatePlatform
-	Type                        portainer.StackType
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
+	// URL of the template's logo
+	Logo string `example:"https://cloudinovasi.id/assets/img/logos/nginx.png"`
+	// Title of the template
+	Title string `example:"Nginx" validate:"required"`
+	// Description of the template
+	Description string `example:"High performance web server" validate:"required"`
+	// A note that will be displayed in the UI. Supports HTML content
+	Note string `example:"This is my <b>custom</b> template"`
+	// Platform associated to the template.
+	// Valid values are: 1 - 'linux', 2 - 'windows'
+	Platform portainer.CustomTemplatePlatform `example:"1" enums:"1,2" validate:"required"`
+	// Type of created stack (1 - swarm, 2 - compose)
+	Type portainer.StackType `example:"1" enums:"1,2" validate:"required"`
+
+	// URL of a Git repository hosting the Stack file
+	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
+	// Reference name of a Git repository hosting the Stack file
+	RepositoryReferenceName string `example:"refs/heads/master"`
+	// Use basic authentication to clone the Git repository
+	RepositoryAuthentication bool `example:"true"`
+	// Username used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryUsername string `example:"myGitUsername"`
+	// Password used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryPassword string `example:"myGitPassword"`
+	// Path to the Stack file inside the Git repository
+	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 }
 
 func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -251,7 +294,7 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 	}
 	payload.Type = templateType
 
-	composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
+	composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "File")
 	if err != nil {
 		return errors.New("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
 	}

api/http/handler/customtemplates/customtemplate_delete.go

@@ -13,6 +13,19 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
+// @id CustomTemplateDelete
+// @summary Remove a template
+// @description Remove a template.
+// @description **Access policy**: authorized
+// @tags custom_templates
+// @security jwt
+// @param id path int true "Template identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Access denied to resource"
+// @failure 404 "Template not found"
+// @failure 500 "Server error"
+// @router /custom_templates/{id} [delete]
 func (handler *Handler) customTemplateDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/customtemplates/customtemplate_file.go

@@ -7,7 +7,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -15,7 +15,19 @@ type fileResponse struct {
 	FileContent string
 }
 
-// GET request on /api/custom_templates/:id/file
+// @id CustomTemplateFile
+// @summary Get Template stack file content.
+// @description Retrieve the content of the Stack file for the specified custom template
+// @description **Access policy**: authorized
+// @tags custom_templates
+// @security jwt
+// @produce json
+// @param id path int true "Template identifier"
+// @success 200 {object} fileResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Custom template not found"
+// @failure 500 "Server error"
+// @router /custom_templates/{id}/file [get]
 func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/customtemplates/customtemplate_inspect.go

@@ -7,12 +7,26 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
 )
 
+// @id CustomTemplateInspect
+// @summary Inspect a custom template
+// @description Retrieve details about a template.
+// @description **Access policy**: authenticated
+// @tags custom_templates
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Template identifier"
+// @success 200 {object} portainer.CustomTemplate "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Template not found"
+// @failure 500 "Server error"
+// @router /custom_templates/{id} [get]
 func (handler *Handler) customTemplateInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/customtemplates/customtemplate_list.go

@@ -4,21 +4,28 @@ import (
 	"net/http"
 
 	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 )
 
+// @id CustomTemplateList
+// @summary List available custom templates
+// @description List available custom templates.
+// @description **Access policy**: authenticated
+// @tags custom_templates
+// @security jwt
+// @produce json
+// @success 200 {array} portainer.CustomTemplate "Success"
+// @failure 500 "Server error"
+// @router /custom_templates [get]
 func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	customTemplates, err := handler.DataStore.CustomTemplate().CustomTemplates()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom templates from the database", err}
 	}
 
-	stackType, _ := request.RetrieveNumericQueryParameter(r, "type", true)
-
 	resourceControls, err := handler.DataStore.ResourceControl().ResourceControls()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve resource controls from the database", err}
@@ -26,8 +33,6 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 
 	customTemplates = authorization.DecorateCustomTemplates(customTemplates, resourceControls)
 
-	customTemplates = filterTemplatesByEngineType(customTemplates, portainer.StackType(stackType))
-
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
@@ -49,19 +54,3 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 
 	return response.JSON(w, customTemplates)
 }
-
-func filterTemplatesByEngineType(templates []portainer.CustomTemplate, stackType portainer.StackType) []portainer.CustomTemplate {
-	if stackType == 0 {
-		return templates
-	}
-
-	filteredTemplates := []portainer.CustomTemplate{}
-
-	for _, template := range templates {
-		if template.Type == stackType {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return filteredTemplates
-}

api/http/handler/customtemplates/customtemplate_update.go

@@ -17,13 +17,21 @@ import (
 )
 
 type customTemplateUpdatePayload struct {
-	Logo        string
-	Title       string
-	Description string
-	Note        string
-	Platform    portainer.CustomTemplatePlatform
-	Type        portainer.StackType
-	FileContent string
+	// URL of the template's logo
+	Logo string `example:"https://cloudinovasi.id/assets/img/logos/nginx.png"`
+	// Title of the template
+	Title string `example:"Nginx" validate:"required"`
+	// Description of the template
+	Description string `example:"High performance web server" validate:"required"`
+	// A note that will be displayed in the UI. Supports HTML content
+	Note string `example:"This is my <b>custom</b> template"`
+	// Platform associated to the template.
+	// Valid values are: 1 - 'linux', 2 - 'windows'
+	Platform portainer.CustomTemplatePlatform `example:"1" enums:"1,2" validate:"required"`
+	// Type of created stack (1 - swarm, 2 - compose)
+	Type portainer.StackType `example:"1" enums:"1,2" validate:"required"`
+	// Content of stack file
+	FileContent string `validate:"required"`
 }
 
 func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
@@ -45,6 +53,22 @@ func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id CustomTemplateUpdate
+// @summary Update a template
+// @description Update a template.
+// @description **Access policy**: authenticated
+// @tags custom_templates
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Template identifier"
+// @param body body customTemplateUpdatePayload true "Template details"
+// @success 200 {object} portainer.CustomTemplate "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access template"
+// @failure 404 "Template not found"
+// @failure 500 "Server error"
+// @router /custom_templates/{id} [put]
 func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/dockerhub/dockerhub_inspect.go

@@ -7,7 +7,16 @@ import (
 	"github.com/portainer/libhttp/response"
 )
 
-// GET request on /api/dockerhub
+// @id DockerHubInspect
+// @summary Retrieve DockerHub information
+// @description Use this endpoint to retrieve the information used to connect to the DockerHub
+// @description **Access policy**: authenticated
+// @tags dockerhub
+// @security jwt
+// @produce json
+// @success 200 {object} portainer.DockerHub
+// @failure 500 "Server error"
+// @router /dockerhub [get]
 func (handler *Handler) dockerhubInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	dockerhub, err := handler.DataStore.DockerHub().DockerHub()
 	if err != nil {

api/http/handler/dockerhub/dockerhub_update.go

@@ -8,13 +8,16 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type dockerhubUpdatePayload struct {
-	Authentication bool
-	Username       string
-	Password       string
+	// Enable authentication against DockerHub
+	Authentication bool `validate:"required" example:"false"`
+	// Username used to authenticate against the DockerHub
+	Username string `validate:"required" example:"hub_user"`
+	// Password used to authenticate against the DockerHub
+	Password string `validate:"required" example:"hub_password"`
 }
 
 func (payload *dockerhubUpdatePayload) Validate(r *http.Request) error {
@@ -24,7 +27,19 @@ func (payload *dockerhubUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/dockerhub
+// @id DockerHubUpdate
+// @summary Update DockerHub information
+// @description Use this endpoint to update the information used to connect to the DockerHub
+// @description **Access policy**: administrator
+// @tags dockerhub
+// @security jwt
+// @accept json
+// @produce json
+// @param body body dockerhubUpdatePayload true "DockerHub information"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /dockerhub [put]
 func (handler *Handler) dockerhubUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload dockerhubUpdatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/edgegroups/edgegroup_create.go

@@ -8,7 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type edgeGroupCreatePayload struct {
@@ -32,6 +32,18 @@ func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id EdgeGroupCreate
+// @summary Create an EdgeGroup
+// @description
+// @tags edge_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param body body edgeGroupCreatePayload true "EdgeGroup data"
+// @success 200 {object} portainer.EdgeGroup
+// @failure 503 Edge compute features are disabled
+// @failure 500
+// @router /edge_groups [post]
 func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload edgeGroupCreatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/edgegroups/edgegroup_delete.go

@@ -11,6 +11,18 @@ import (
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
+// @id EdgeGroupDelete
+// @summary Deletes an EdgeGroup
+// @description
+// @tags edge_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "EdgeGroup Id"
+// @success 204
+// @failure 503 Edge compute features are disabled
+// @failure 500
+// @router /edge_groups/{id} [delete]
 func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgegroups/edgegroup_inspect.go

@@ -6,10 +6,22 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
+// @id EdgeGroupInspect
+// @summary Inspects an EdgeGroup
+// @description
+// @tags edge_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "EdgeGroup Id"
+// @success 200 {object} portainer.EdgeGroup
+// @failure 503 Edge compute features are disabled
+// @failure 500
+// @router /edge_groups/{id} [get]
 func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgegroups/edgegroup_list.go

@@ -5,7 +5,7 @@ import (
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type decoratedEdgeGroup struct {
@@ -13,6 +13,17 @@ type decoratedEdgeGroup struct {
 	HasEdgeStack bool `json:"HasEdgeStack"`
 }
 
+// @id EdgeGroupList
+// @summary list EdgeGroups
+// @description
+// @tags edge_groups
+// @security jwt
+// @accept json
+// @produce json
+// @success 200 {array} portainer.EdgeGroup{HasEdgeStack=bool} "EdgeGroups"
+// @failure 500
+// @failure 503 Edge compute features are disabled
+// @router /edge_groups [get]
 func (handler *Handler) edgeGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
 	if err != nil {

api/http/handler/edgegroups/edgegroup_update.go

@@ -8,7 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/internal/edge"
 )
@@ -34,6 +34,19 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id EgeGroupUpdate
+// @summary Updates an EdgeGroup
+// @description
+// @tags edge_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "EdgeGroup Id"
+// @param body body edgeGroupUpdatePayload true "EdgeGroup data"
+// @success 200 {object} portainer.EdgeGroup
+// @failure 503 Edge compute features are disabled
+// @failure 500
+// @router /edge_groups/{id} [put]
 func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_create.go

@@ -11,10 +11,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
-// POST /api/edge_jobs?method=file|string
+// @id EdgeJobCreate
+// @summary Create an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param method query string true "Creation Method" Enums(file, string)
+// @param body body edgeJobCreateFromFileContentPayload true "EdgeGroup data when method is string"
+// @param body body edgeJobCreateFromFilePayload true "EdgeGroup data when method is file"
+// @success 200 {object} portainer.EdgeGroup
+// @failure 503 Edge compute features are disabled
+// @failure 500
+// @router /edge_jobs [post]
 func (handler *Handler) edgeJobCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	method, err := request.RetrieveQueryParameter(r, "method", false)
 	if err != nil {

api/http/handler/edgejobs/edgejob_delete.go

@@ -7,10 +7,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
+// @id EdgeJobDelete
+// @summary Delete an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @success 204
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id} [delete]
 func (handler *Handler) edgeJobDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_file.go

@@ -6,7 +6,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -14,7 +14,19 @@ type edgeJobFileResponse struct {
 	FileContent string `json:"FileContent"`
 }
 
-// GET request on /api/edge_jobs/:id/file
+// @id EdgeJobFile
+// @summary Fetch a file of an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @success 200 {object} edgeJobFileResponse
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id}/file [get]
 func (handler *Handler) edgeJobFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_inspect.go

@@ -6,7 +6,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -15,6 +15,19 @@ type edgeJobInspectResponse struct {
 	Endpoints []portainer.EndpointID
 }
 
+// @id EdgeJobInspect
+// @summary Inspect an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @success 200 {object} portainer.EdgeJob
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id} [get]
 func (handler *Handler) edgeJobInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_list.go

@@ -7,6 +7,18 @@ import (
 	"github.com/portainer/libhttp/response"
 )
 
+// @id EdgeJobList
+// @summary Fetch EdgeJobs list
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @success 200 {array} portainer.EdgeJob
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs [get]
 // GET request on /api/edge_jobs
 func (handler *Handler) edgeJobList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobs, err := handler.DataStore.EdgeJob().EdgeJobs()

api/http/handler/edgejobs/edgejob_tasklogs_clear.go

@@ -7,11 +7,24 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/edge_jobs/:id/tasks/:taskID/logs
+// @id EdgeJobTasksClear
+// @summary Clear the log for a specifc task on an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @param taskID path string true "Task Id"
+// @success 204
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id}/tasks/{taskID}/logs [delete]
 func (handler *Handler) edgeJobTasksClear(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_tasklogs_collect.go

@@ -6,11 +6,24 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
-// POST request on /api/edge_jobs/:id/tasks/:taskID/logs
+// @id EdgeJobTasksCollect
+// @summary Collect the log for a specifc task on an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @param taskID path string true "Task Id"
+// @success 204
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id}/tasks/{taskID}/logs [post]
 func (handler *Handler) edgeJobTasksCollect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_tasklogs_inspect.go

@@ -13,7 +13,20 @@ type fileResponse struct {
 	FileContent string `json:"FileContent"`
 }
 
-// GET request on /api/edge_jobs/:id/tasks/:taskID/logs
+// @id EdgeJobTaskLogsInspect
+// @summary Fetch the log for a specifc task on an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @param taskID path string true "Task Id"
+// @success 200 {object} fileResponse
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id}/tasks/{taskID}/logs [get]
 func (handler *Handler) edgeJobTaskLogsInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_tasks_list.go

@@ -7,7 +7,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -17,7 +17,19 @@ type taskContainer struct {
 	LogsStatus portainer.EdgeJobLogsStatus `json:"LogsStatus"`
 }
 
-// GET request on /api/edge_jobs/:id/tasks
+// @id EdgeJobTasksList
+// @summary Fetch the list of tasks on an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @success 200 {array} taskContainer
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id}/tasks [get]
 func (handler *Handler) edgeJobTasksList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgejobs/edgejob_update.go

@@ -9,7 +9,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -28,6 +28,20 @@ func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id EdgeJobUpdate
+// @summary Update an EdgeJob
+// @description
+// @tags edge_jobs
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeJob Id"
+// @param body body edgeJobUpdatePayload true "EdgeGroup data"
+// @success 200 {object} portainer.EdgeJob
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_jobs/{id} [post]
 func (handler *Handler) edgeJobUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgestacks/edgestack_create.go

@@ -11,12 +11,26 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/internal/edge"
 )
 
-// POST request on /api/endpoint_groups
+// @id EdgeStackCreate
+// @summary Create an EdgeStack
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @param method query string true "Creation Method" Enums(file,string,repository)
+// @param body_string body swarmStackFromFileContentPayload true "Required when using method=string"
+// @param body_file body swarmStackFromFileUploadPayload true "Required when using method=file"
+// @param body_repository body swarmStackFromGitRepositoryPayload true "Required when using method=repository"
+// @success 200 {object} portainer.EdgeStack
+// @failure 500
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks [post]
 func (handler *Handler) edgeStackCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	method, err := request.RetrieveQueryParameter(r, "method", false)
 	if err != nil {
@@ -75,9 +89,12 @@ func (handler *Handler) createSwarmStack(method string, r *http.Request) (*porta
 }
 
 type swarmStackFromFileContentPayload struct {
-	Name             string
-	StackFileContent string
-	EdgeGroups       []portainer.EdgeGroupID
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+	// Content of the Stack file
+	StackFileContent string `example:"version: 3\n services:\n web:\n image:nginx" validate:"required"`
+	// List of identifiers of EdgeGroups
+	EdgeGroups []portainer.EdgeGroupID `example:"1"`
 }
 
 func (payload *swarmStackFromFileContentPayload) Validate(r *http.Request) error {
@@ -132,14 +149,22 @@ func (handler *Handler) createSwarmStackFromFileContent(r *http.Request) (*porta
 }
 
 type swarmStackFromGitRepositoryPayload struct {
-	Name                        string
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
-	EdgeGroups                  []portainer.EdgeGroupID
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+	// URL of a Git repository hosting the Stack file
+	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
+	// Reference name of a Git repository hosting the Stack file
+	RepositoryReferenceName string `example:"refs/heads/master"`
+	// Use basic authentication to clone the Git repository
+	RepositoryAuthentication bool `example:"true"`
+	// Username used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryUsername string `example:"myGitUsername"`
+	// Password used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryPassword string `example:"myGitPassword"`
+	// Path to the Stack file inside the Git repository
+	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
+	// List of identifiers of EdgeGroups
+	EdgeGroups []portainer.EdgeGroupID `example:"1"`
 }
 
 func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) error {

api/http/handler/edgestacks/edgestack_delete.go

@@ -6,11 +6,24 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/internal/edge"
 )
 
+// @id EdgeStackDelete
+// @summary Delete an EdgeStack
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeStack Id"
+// @success 204
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks/{id} [delete]
 func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeStackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgestacks/edgestack_file.go

@@ -7,7 +7,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -15,7 +15,19 @@ type stackFileResponse struct {
 	StackFileContent string `json:"StackFileContent"`
 }
 
-// GET request on /api/edge_stacks/:id/file
+// @id EdgeStackFile
+// @summary Fetches the stack file for an EdgeStack
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeStack Id"
+// @success 200 {object} stackFileResponse
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks/{id}/file [get]
 func (handler *Handler) edgeStackFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgestacks/edgestack_inspect.go

@@ -6,10 +6,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
+// @id EdgeStackInspect
+// @summary Inspect an EdgeStack
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeStack Id"
+// @success 200 {object} portainer.EdgeStack
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks/{id} [get]
 func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeStackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgestacks/edgestack_list.go

@@ -7,6 +7,18 @@ import (
 	"github.com/portainer/libhttp/response"
 )
 
+// @id EdgeStackList
+// @summary Fetches the list of EdgeStacks
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @success 200 {array} portainer.EdgeStack
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks [get]
 func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
 	if err != nil {

api/http/handler/edgestacks/edgestack_status_update.go

@@ -8,7 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -31,6 +31,19 @@ func (payload *updateStatusPayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id EdgeStackStatusUpdate
+// @summary Update an EdgeStack status
+// @description Authorized only if the request is done by an Edge Endpoint
+// @tags edge_stacks
+// @accept json
+// @produce json
+// @param id path string true "EdgeStack Id"
+// @success 200 {object} portainer.EdgeStack
+// @failure 500
+// @failure 400
+// @failure 404
+// @failure 403
+// @router /edge_stacks/{id}/status [put]
 func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgestacks/edgestack_update.go

@@ -9,7 +9,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/internal/edge"
 )
@@ -31,6 +31,20 @@ func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id EdgeStackUpdate
+// @summary Update an EdgeStack
+// @description
+// @tags edge_stacks
+// @security jwt
+// @accept json
+// @produce json
+// @param id path string true "EdgeStack Id"
+// @param body body updateEdgeStackPayload true "EdgeStack data"
+// @success 200 {object} portainer.EdgeStack
+// @failure 500
+// @failure 400
+// @failure 503 Edge compute features are disabled
+// @router /edge_stacks/{id} [put]
 func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -6,7 +6,7 @@ import (
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/client"
 )
 
@@ -15,7 +15,16 @@ type templateFileFormat struct {
 	Templates []portainer.Template `json:"templates"`
 }
 
-// GET request on /api/edgetemplates
+// @id EdgeTemplateList
+// @summary Fetches the list of Edge Templates
+// @description
+// @tags edge_templates
+// @security jwt
+// @accept json
+// @produce json
+// @success 200 {array} portainer.Template
+// @failure 500
+// @router /edge_templates [get]
 func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	settings, err := handler.DataStore.Settings().Settings()
 	if err != nil {

api/http/handler/endpointedge/endpoint_edgejob_logs.go

@@ -7,7 +7,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -19,7 +19,18 @@ func (payload *logsPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on api/endpoints/:id/edge/jobs/:jobID/logs
+// endpointEdgeJobsLogs
+// @summary Inspect an EdgeJob Log
+// @description
+// @tags edge, endpoints
+// @accept json
+// @produce json
+// @param id path string true "Endpoint Id"
+// @param jobID path string true "Job Id"
+// @success 200
+// @failure 500
+// @failure 400
+// @router /endpoints/{id}/edge/jobs/{jobID}/logs [post]
 func (handler *Handler) endpointEdgeJobsLogs(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointedge/endpoint_edgestack_inspect.go

@@ -17,7 +17,18 @@ type configResponse struct {
 	Name             string
 }
 
-// GET request on api/endpoints/:id/edge/stacks/:stackId
+// @summary Inspect an Edge Stack for an Endpoint
+// @description
+// @tags edge, endpoints, edge_stacks
+// @accept json
+// @produce json
+// @param id path string true "Endpoint Id"
+// @param stackID path string true "EdgeStack Id"
+// @success 200 {object} configResponse
+// @failure 500
+// @failure 400
+// @failure 404
+// @router /endpoints/{id}/edge/stacks/{stackId} [get]
 func (handler *Handler) endpointEdgeStackInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_create.go

@@ -8,14 +8,18 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type endpointGroupCreatePayload struct {
-	Name                string
-	Description         string
-	AssociatedEndpoints []portainer.EndpointID
-	TagIDs              []portainer.TagID
+	// Endpoint group name
+	Name string `validate:"required" example:"my-endpoint-group"`
+	// Endpoint group description
+	Description string `example:"description"`
+	// List of endpoint identifiers that will be part of this group
+	AssociatedEndpoints []portainer.EndpointID `example:"1,3"`
+	// List of tag identifiers to which this endpoint group is associated
+	TagIDs []portainer.TagID `example:"1,2"`
 }
 
 func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
@@ -28,7 +32,18 @@ func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on /api/endpoint_groups
+// @summary Create an Endpoint Group
+// @description Create a new endpoint group.
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param body body endpointGroupCreatePayload true "Endpoint Group details"
+// @success 200 {object} portainer.EndpointGroup "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /endpoint_groups [post]
 func (handler *Handler) endpointGroupCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload endpointGroupCreatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -7,11 +7,24 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/endpoint_groups/:id
+// @id EndpointGroupDelete
+// @summary Remove an endpoint group
+// @description Remove an endpoint group.
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "EndpointGroup identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "EndpointGroup not found"
+// @failure 500 "Server error"
+// @router /endpoint_groups/{id} [delete]
 func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_endpoint_add.go

@@ -6,11 +6,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// PUT request on /api/endpoint_groups/:id/endpoints/:endpointId
+// @id EndpointGroupAddEndpoint
+// @summary Add an endpoint to an endpoint group
+// @description Add an endpoint to an endpoint group
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @param id path int true "EndpointGroup identifier"
+// @param endpointId path int true "Endpoint identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "EndpointGroup not found"
+// @failure 500 "Server error"
+// @router /endpoint_groups/{id}/endpoints/{endpointId} [put]
 func (handler *Handler) endpointGroupAddEndpoint(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go

@@ -6,11 +6,22 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/endpoint_groups/:id/endpoints/:endpointId
+// @id EndpointGroupDeleteEndpoint
+// @summary Removes endpoint from an endpoint group
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @param id path int true "EndpointGroup identifier"
+// @param endpointId path int true "Endpoint identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "EndpointGroup not found"
+// @failure 500 "Server error"
+// @router /endpoint_groups/{id}/endpoints/{endpointId} [delete]
 func (handler *Handler) endpointGroupDeleteEndpoint(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_inspect.go

@@ -6,11 +6,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// GET request on /api/endpoint_groups/:id
+// @summary Inspect an Endpoint group
+// @description Retrieve details abont an endpoint group.
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Endpoint group identifier"
+// @success 200 {object} portainer.EndpointGroup "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "EndpointGroup not found"
+// @failure 500 "Server error"
+// @router /endpoint_groups/:id [get]
 func (handler *Handler) endpointGroupInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_list.go

@@ -8,7 +8,18 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// GET request on /api/endpoint_groups
+// @id EndpointGroupList
+// @summary List Endpoint groups
+// @description List all endpoint groups based on the current user authorizations. Will
+// @description return all endpoint groups if using an administrator account otherwise it will
+// @description only return authorized endpoint groups.
+// @description **Access policy**: restricted
+// @tags endpoint_groups
+// @security jwt
+// @produce json
+// @success 200 {array} portainer.EndpointGroup "Endpoint group"
+// @failure 500 "Server error"
+// @router /endpoint_groups [get]
 func (handler *Handler) endpointGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
 	if err != nil {

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -7,15 +7,18 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/internal/tag"
 )
 
 type endpointGroupUpdatePayload struct {
-	Name               string
-	Description        string
-	TagIDs             []portainer.TagID
+	// Endpoint group name
+	Name string `example:"my-endpoint-group"`
+	// Endpoint group description
+	Description string `example:"description"`
+	// List of tag identifiers associated to the endpoint group
+	TagIDs             []portainer.TagID `example:"3,4"`
 	UserAccessPolicies portainer.UserAccessPolicies
 	TeamAccessPolicies portainer.TeamAccessPolicies
 }
@@ -24,7 +27,21 @@ func (payload *endpointGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/endpoint_groups/:id
+// @id EndpointGroupUpdate
+// @summary Update an endpoint group
+// @description Update an endpoint group.
+// @description **Access policy**: administrator
+// @tags endpoint_groups
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "EndpointGroup identifier"
+// @param body body endpointGroupUpdatePayload true "EndpointGroup details"
+// @success 200 {object} portainer.EndpointGroup "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "EndpointGroup not found"
+// @failure 500 "Server error"
+// @router /endpoint_groups/:id [put]
 func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_create.go

@@ -14,7 +14,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/internal/edge"
@@ -147,7 +147,34 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on /api/endpoints
+// @id EndpointCreate
+// @summary Create a new endpoint
+// @description  Create a new endpoint that will be used to manage an environment.
+// @description **Access policy**: administrator
+// @tags endpoints
+// @security jwt
+// @accept multipart/form-data
+// @produce json
+// @param Name formData string true "Name that will be used to identify this endpoint (example: my-endpoint)"
+// @param EndpointType formData integer true "Environment type. Value must be one of: 1 (Local Docker environment), 2 (Agent environment), 3 (Azure environment), 4 (Edge agent environment) or 5 (Local Kubernetes Environment" Enum(1,2,3,4,5)
+// @param URL formData string false "URL or IP address of a Docker host (example: docker.mydomain.tld:2375). Defaults to local if not specified (Linux: /var/run/docker.sock, Windows: //./pipe/docker_engine)"
+// @param PublicURL formData string false "URL or IP address where exposed containers will be reachable. Defaults to URL if not specified (example: docker.mydomain.tld:2375)"
+// @param GroupID formData int false "Endpoint group identifier. If not specified will default to 1 (unassigned)."
+// @param TLS formData bool false "Require TLS to connect against this endpoint"
+// @param TLSSkipVerify formData bool false "Skip server verification when using TLS"
+// @param TLSSkipClientVerify formData bool false "Skip client verification when using TLS"
+// @param TLSCACertFile formData file false "TLS CA certificate file"
+// @param TLSCertFile formData file false "TLS client certificate file"
+// @param TLSKeyFile formData file false "TLS client key file"
+// @param AzureApplicationID formData string false "Azure application ID. Required if endpoint type is set to 3"
+// @param AzureTenantID formData string false "Azure tenant ID. Required if endpoint type is set to 3"
+// @param AzureAuthenticationKey formData string false "Azure authentication key. Required if endpoint type is set to 3"
+// @param TagIDs formData []int false "List of tag identifiers to which this endpoint is associated"
+// @param EdgeCheckinInterval formData int false "The check in interval for edge agent (in seconds)"
+// @success 200 {object} portainer.Endpoint "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /endpoints [post]
 func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	payload := &endpointCreatePayload{}
 	err := payload.Validate(r)
@@ -440,6 +467,18 @@ func (handler *Handler) snapshotAndPersistEndpoint(endpoint *portainer.Endpoint)
 }
 
 func (handler *Handler) saveEndpointAndUpdateAuthorizations(endpoint *portainer.Endpoint) error {
+	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
+		AllowVolumeBrowserForRegularUsers: false,
+		EnableHostManagementFeatures:      false,
+
+		AllowBindMountsForRegularUsers:            true,
+		AllowPrivilegedModeForRegularUsers:        true,
+		AllowHostNamespaceForRegularUsers:         true,
+		AllowContainerCapabilitiesForRegularUsers: true,
+		AllowDeviceMappingForRegularUsers:         true,
+		AllowStackManagementForRegularUsers:       true,
+	}
+
 	err := handler.DataStore.Endpoint().CreateEndpoint(endpoint)
 	if err != nil {
 		return err

api/http/handler/endpoints/endpoint_delete.go

@@ -7,11 +7,22 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/endpoints/:id
+// @id EndpointDelete
+// @summary Remove an endpoint
+// @description Remove an endpoint.
+// @description **Access policy**: administrator
+// @tags endpoints
+// @security jwt
+// @param id path int true "Endpoint identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /endpoints/{id} [delete]
 func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_extension_add.go

@@ -10,7 +10,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
@@ -29,7 +29,6 @@ func (payload *endpointExtensionAddPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on /api/endpoints/:id/extensions
 func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_extension_remove.go

@@ -8,11 +8,10 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/endpoints/:id/extensions/:extensionType
 func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_inspect.go

@@ -6,11 +6,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// GET request on /api/endpoints/:id
+// @id EndpointInspect
+// @summary Inspect an endpoint
+// @description Retrieve details about an endpoint.
+// @description **Access policy**: restricted
+// @tags endpoints
+// @security jwt
+// @produce json
+// @param id path int true "Endpoint identifier"
+// @success 200 {object} portainer.Endpoint "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /endpoints/{id} [get]
 func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
@@ -30,6 +42,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 	}
 
 	hideFields(endpoint)
+	endpoint.ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 
 	return response.JSON(w, endpoint)
 }

api/http/handler/endpoints/endpoint_list.go

@@ -5,16 +5,34 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/portainer/portainer/api"
-
 	"github.com/portainer/libhttp/request"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// GET request on /api/endpoints?(start=<start>)&(limit=<limit>)&(search=<search>)&(groupId=<groupId)
+// @id EndpointList
+// @summary List endpoints
+// @description List all endpoints based on the current user authorizations. Will
+// @description return all endpoints if using an administrator account otherwise it will
+// @description only return authorized endpoints.
+// @description **Access policy**: restricted
+// @tags endpoints
+// @security jwt
+// @produce json
+// @param start query int false "Start searching from"
+// @param search query string false "Search query"
+// @param groupId query int false "List endpoints of this group"
+// @param limit query int false "Limit results to this value"
+// @param type query int false "List endpoints of this type"
+// @param tagIds query []int false "search endpoints with these tags (depends on tagsPartialMatch)"
+// @param tagsPartialMatch query bool false "If true, will return endpoint which has one of tagIds, if false (or missing) will return only endpoints that has all the tags"
+// @param endpointIds query []int false "will return only these endpoints"
+// @success 200 {array} portainer.Endpoint "Endpoints"
+// @failure 500 Server error
+// @router /endpoints [get]
 func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	start, _ := request.RetrieveNumericQueryParameter(r, "start", true)
 	if start != 0 {
@@ -89,6 +107,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	for idx := range paginatedEndpoints {
 		hideFields(&paginatedEndpoints[idx])
+		paginatedEndpoints[idx].ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 	}
 
 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))

api/http/handler/endpoints/endpoint_settings_update.go

@@ -0,0 +1,112 @@
+package endpoints
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
+)
+
+type endpointSettingsUpdatePayload struct {
+	// Whether non-administrator should be able to use bind mounts when creating containers
+	AllowBindMountsForRegularUsers *bool `json:"allowBindMountsForRegularUsers" example:"false"`
+	// Whether non-administrator should be able to use privileged mode when creating containers
+	AllowPrivilegedModeForRegularUsers *bool `json:"allowPrivilegedModeForRegularUsers" example:"false"`
+	// Whether non-administrator should be able to browse volumes
+	AllowVolumeBrowserForRegularUsers *bool `json:"allowVolumeBrowserForRegularUsers" example:"true"`
+	// Whether non-administrator should be able to use the host pid
+	AllowHostNamespaceForRegularUsers *bool `json:"allowHostNamespaceForRegularUsers" example:"true"`
+	// Whether non-administrator should be able to use device mapping
+	AllowDeviceMappingForRegularUsers *bool `json:"allowDeviceMappingForRegularUsers" example:"true"`
+	// Whether non-administrator should be able to manage stacks
+	AllowStackManagementForRegularUsers *bool `json:"allowStackManagementForRegularUsers" example:"true"`
+	// Whether non-administrator should be able to use container capabilities
+	AllowContainerCapabilitiesForRegularUsers *bool `json:"allowContainerCapabilitiesForRegularUsers" example:"true"`
+	// Whether host management features are enabled
+	EnableHostManagementFeatures *bool `json:"enableHostManagementFeatures" example:"true"`
+}
+
+func (payload *endpointSettingsUpdatePayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// @id EndpointSettingsUpdate
+// @summary Update settings for an endpoint
+// @description Update settings for an endpoint.
+// @description **Access policy**: administrator
+// @security jwt
+// @tags endpoints
+// @accept json
+// @produce json
+// @param id path int true "Endpoint identifier"
+// @param body body endpointSettingsUpdatePayload true "Endpoint details"
+// @success 200 {object} portainer.Endpoint "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /api/endpoints/:id/settings [put]
+func (handler *Handler) endpointSettingsUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	var payload endpointSettingsUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == errors.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	securitySettings := endpoint.SecuritySettings
+
+	if payload.AllowBindMountsForRegularUsers != nil {
+		securitySettings.AllowBindMountsForRegularUsers = *payload.AllowBindMountsForRegularUsers
+	}
+
+	if payload.AllowContainerCapabilitiesForRegularUsers != nil {
+		securitySettings.AllowContainerCapabilitiesForRegularUsers = *payload.AllowContainerCapabilitiesForRegularUsers
+	}
+
+	if payload.AllowDeviceMappingForRegularUsers != nil {
+		securitySettings.AllowDeviceMappingForRegularUsers = *payload.AllowDeviceMappingForRegularUsers
+	}
+
+	if payload.AllowHostNamespaceForRegularUsers != nil {
+		securitySettings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers
+	}
+
+	if payload.AllowPrivilegedModeForRegularUsers != nil {
+		securitySettings.AllowPrivilegedModeForRegularUsers = *payload.AllowPrivilegedModeForRegularUsers
+	}
+
+	if payload.AllowStackManagementForRegularUsers != nil {
+		securitySettings.AllowStackManagementForRegularUsers = *payload.AllowStackManagementForRegularUsers
+	}
+
+	if payload.AllowVolumeBrowserForRegularUsers != nil {
+		securitySettings.AllowVolumeBrowserForRegularUsers = *payload.AllowVolumeBrowserForRegularUsers
+	}
+
+	if payload.EnableHostManagementFeatures != nil {
+		securitySettings.EnableHostManagementFeatures = *payload.EnableHostManagementFeatures
+	}
+
+	endpoint.SecuritySettings = securitySettings
+
+	err = handler.DataStore.Endpoint().UpdateEndpoint(portainer.EndpointID(endpointID), endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Failed persisting endpoint in database", err}
+	}
+
+	return response.JSON(w, endpoint)
+}

api/http/handler/endpoints/endpoint_snapshot.go

@@ -6,12 +6,23 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/internal/snapshot"
 )
 
-// POST request on /api/endpoints/:id/snapshot
+// @id EndpointSnapshot
+// @summary Snapshots an endpoint
+// @description Snapshots an endpoint
+// @description **Access policy**: restricted
+// @tags endpoints
+// @security jwt
+// @param id path int true "Endpoint identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /endpoints/{id}/snapshot [post]
 func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_snapshots.go

@@ -6,11 +6,19 @@ import (
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/internal/snapshot"
 )
 
-// POST request on /api/endpoints/snapshot
+// @id EndpointSnapshots
+// @summary Snapshot all endpoints
+// @description Snapshot all endpoints
+// @description **Access policy**: administrator
+// @tags endpoints
+// @security jwt
+// @success 204 "Success"
+// @failure 500 "Server Error"
+// @router /endpoints/snapshot [post]
 func (handler *Handler) endpointSnapshots(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpoints, err := handler.DataStore.Endpoint().Endpoints()
 	if err != nil {

api/http/handler/endpoints/endpoint_status_inspect.go

@@ -9,33 +9,58 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
 type stackStatusResponse struct {
-	ID      portainer.EdgeStackID
-	Version int
+	// EdgeStack Identifier
+	ID portainer.EdgeStackID `example:"1"`
+	// Version of this stack
+	Version int `example:"3"`
 }
 
 type edgeJobResponse struct {
-	ID             portainer.EdgeJobID `json:"Id"`
-	CollectLogs    bool                `json:"CollectLogs"`
-	CronExpression string              `json:"CronExpression"`
-	Script         string              `json:"Script"`
-	Version        int                 `json:"Version"`
+	// EdgeJob Identifier
+	ID portainer.EdgeJobID `json:"Id" example:"2"`
+	// Whether to collect logs
+	CollectLogs bool `json:"CollectLogs" example:"true"`
+	// A cron expression to schedule this job
+	CronExpression string `json:"CronExpression" example:"* * * * *"`
+	// Script to run
+	Script string `json:"Script" example:"echo hello"`
+	// Version of this EdgeJob
+	Version int `json:"Version" example:"2"`
 }
 
 type endpointStatusInspectResponse struct {
-	Status          string                `json:"status"`
-	Port            int                   `json:"port"`
-	Schedules       []edgeJobResponse     `json:"schedules"`
-	CheckinInterval int                   `json:"checkin"`
-	Credentials     string                `json:"credentials"`
-	Stacks          []stackStatusResponse `json:"stacks"`
+	// Status represents the endpoint status
+	Status string `json:"status" example:"REQUIRED"`
+	// The tunnel port
+	Port int `json:"port" example:"8732"`
+	// List of requests for jobs to run on the endpoint
+	Schedules []edgeJobResponse `json:"schedules"`
+	// The current value of CheckinInterval
+	CheckinInterval int `json:"checkin" example:"5"`
+	//
+	Credentials string `json:"credentials" example:""`
+	// List of stacks to be deployed on the endpoints
+	Stacks []stackStatusResponse `json:"stacks"`
 }
 
-// GET request on /api/endpoints/:id/status
+// @id EndpointStatusInspect
+// @summary Get endpoint status
+// @description Endpoint for edge agent to check status of environment
+// @description **Access policy**: restricted only to Edge endpoints
+// @tags endpoints
+// @security jwt
+// @param id path int true "Endpoint identifier"
+// @success 200 {object} endpointStatusInspectResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access endpoint"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /endpoints/{id}/status [get]
 func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_update.go

@@ -8,7 +8,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/internal/edge"
@@ -16,29 +16,58 @@ import (
 )
 
 type endpointUpdatePayload struct {
-	Name                   *string
-	URL                    *string
-	PublicURL              *string
-	GroupID                *int
-	TLS                    *bool
-	TLSSkipVerify          *bool
-	TLSSkipClientVerify    *bool
-	Status                 *int
-	AzureApplicationID     *string
-	AzureTenantID          *string
-	AzureAuthenticationKey *string
-	TagIDs                 []portainer.TagID
-	UserAccessPolicies     portainer.UserAccessPolicies
-	TeamAccessPolicies     portainer.TeamAccessPolicies
-	EdgeCheckinInterval    *int
-	Kubernetes             *portainer.KubernetesData
+	// Name that will be used to identify this endpoint
+	Name *string `example:"my-endpoint"`
+	// URL or IP address of a Docker host
+	URL *string `example:"docker.mydomain.tld:2375"`
+	// URL or IP address where exposed containers will be reachable.\
+	// Defaults to URL if not specified
+	PublicURL *string `example:"docker.mydomain.tld:2375"`
+	// Group identifier
+	GroupID *int `example:"1"`
+	// Require TLS to connect against this endpoint
+	TLS *bool `example:"true"`
+	// Skip server verification when using TLS
+	TLSSkipVerify *bool `example:"false"`
+	// Skip client verification when using TLS
+	TLSSkipClientVerify *bool `example:"false"`
+	// The status of the endpoint (1 - up, 2 - down)
+	Status *int `example:"1"`
+	// Azure application ID
+	AzureApplicationID *string `example:"eag7cdo9-o09l-9i83-9dO9-f0b23oe78db4"`
+	// Azure tenant ID
+	AzureTenantID *string `example:"34ddc78d-4fel-2358-8cc1-df84c8o839f5"`
+	// Azure authentication key
+	AzureAuthenticationKey *string `example:"cOrXoK/1D35w8YQ8nH1/8ZGwzz45JIYD5jxHKXEQknk="`
+	// List of tag identifiers to which this endpoint is associated
+	TagIDs             []portainer.TagID `example:"1,2"`
+	UserAccessPolicies portainer.UserAccessPolicies
+	TeamAccessPolicies portainer.TeamAccessPolicies
+	// The check in interval for edge agent (in seconds)
+	EdgeCheckinInterval *int `example:"5"`
+	// Associated Kubernetes data
+	Kubernetes *portainer.KubernetesData
 }
 
 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/endpoints/:id
+// @id EndpointUpdate
+// @summary Update an endpoint
+// @description Update an endpoint.
+// @description **Access policy**: administrator
+// @security jwt
+// @tags endpoints
+// @accept json
+// @produce json
+// @param id path int true "Endpoint identifier"
+// @param body body endpointUpdatePayload true "Endpoint details"
+// @success 200 {object} portainer.Endpoint "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /endpoints/{id} [put]
 func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
@@ -209,6 +238,11 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove TLS files from disk", err}
 			}
 		}
+
+		if endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = true
+		}
 	}
 
 	if payload.URL != nil || payload.TLS != nil || endpoint.Type == portainer.AzureEnvironment {

api/http/handler/endpoints/handler.go

@@ -27,6 +27,7 @@ type Handler struct {
 	ProxyManager         *proxy.Manager
 	ReverseTunnelService portainer.ReverseTunnelService
 	SnapshotService      portainer.SnapshotService
+	ComposeStackManager  portainer.ComposeStackManager
 }
 
 // NewHandler creates a handler to manage endpoint operations.
@@ -38,6 +39,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 
 	h.Handle("/endpoints",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointCreate))).Methods(http.MethodPost)
+	h.Handle("/endpoints/{id}/settings",
+		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointSettingsUpdate))).Methods(http.MethodPut)
 	h.Handle("/endpoints/snapshot",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointSnapshots))).Methods(http.MethodPost)
 	h.Handle("/endpoints",

api/http/handler/handler.go

@@ -64,6 +64,77 @@ type Handler struct {
 	WebhookHandler         *webhooks.Handler
 }
 
+// @title PortainerCE API
+// @version 2.1.1
+// @description.markdown api-description.md
+// @termsOfService
+
+// @contact.email info@portainer.io
+
+// @license.name
+// @license.url
+
+// @host
+// @BasePath /api
+// @schemes http https
+
+// @securitydefinitions.apikey jwt
+// @in header
+// @name Authorization
+
+// @tag.name auth
+// @tag.description Authenticate against Portainer HTTP API
+// @tag.name custom_templates
+// @tag.description Manage Custom Templates
+// @tag.name dockerhub
+// @tag.description Manage how Portainer connects to the DockerHub
+// @tag.name edge_groups
+// @tag.description Manage Edge Groups
+// @tag.name edge_jobs
+// @tag.description Manage Edge Jobs
+// @tag.name edge_stacks
+// @tag.description Manage Edge Stacks
+// @tag.name edge_templates
+// @tag.description Manage Edge Templates
+// @tag.name edge
+// @tag.description Manage Edge related endpoint settings
+// @tag.name endpoints
+// @tag.description Manage Docker environments
+// @tag.name endpoint_groups
+// @tag.description Manage endpoint groups
+// @tag.name motd
+// @tag.description Fetch the message of the day
+// @tag.name registries
+// @tag.description Manage Docker registries
+// @tag.name resource_controls
+// @tag.description Manage access control on Docker resources
+// @tag.name roles
+// @tag.description Manage roles
+// @tag.name settings
+// @tag.description Manage Portainer settings
+// @tag.name status
+// @tag.description Information about the Portainer instance
+// @tag.name stacks
+// @tag.description Manage Docker stacks
+// @tag.name users
+// @tag.description Manage users
+// @tag.name tags
+// @tag.description Manage tags
+// @tag.name teams
+// @tag.description Manage teams
+// @tag.name team_memberships
+// @tag.description Manage team memberships
+// @tag.name templates
+// @tag.description Manage App Templates
+// @tag.name stacks
+// @tag.description Manage stacks
+// @tag.name upload
+// @tag.description Upload files
+// @tag.name webhooks
+// @tag.description Manage webhooks
+// @tag.name websocket
+// @tag.description Create exec sessions using websockets
+
 // ServeHTTP delegates a request to the appropriate subhandler.
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	switch {

api/http/handler/motd/motd.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/portainer/libcrypto"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/client"
 )
 
@@ -26,6 +26,12 @@ type motdData struct {
 	Style         string            `json:"style"`
 }
 
+// @summary fetches the message of the day
+// @tags motd
+// @security jwt
+// @produce json
+// @success 200 {object} motdResponse
+// @router /motd [get]
 func (handler *Handler) motd(w http.ResponseWriter, r *http.Request) {
 	motd, err := client.Get(portainer.MessageOfTheDayURL, 0)
 	if err != nil {

api/http/handler/registries/registry_configure.go

@@ -8,19 +8,28 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
 type registryConfigurePayload struct {
-	Authentication bool
-	Username       string
-	Password       string
-	TLS            bool
-	TLSSkipVerify  bool
-	TLSCertFile    []byte
-	TLSKeyFile     []byte
-	TLSCACertFile  []byte
+	// Is authentication against this registry enabled
+	Authentication bool `example:"false" validate:"required"`
+	// Username used to authenticate against this registry. Required when Authentication is true
+	Username string `example:"registry_user"`
+	// Password used to authenticate against this registry. required when Authentication is true
+	Password string `example:"registry_password"`
+
+	// Use TLS
+	TLS bool `example:"true"`
+	// Skip the verification of the server TLS certificate
+	TLSSkipVerify bool `example:"false"`
+	// The TLS CA certificate file
+	TLSCACertFile []byte
+	// The TLS client certificate file
+	TLSCertFile []byte
+	// The TLS client key file
+	TLSKeyFile []byte
 }
 
 func (payload *registryConfigurePayload) Validate(r *http.Request) error {
@@ -67,7 +76,22 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on /api/registries/:id/configure
+// @id RegistryConfigure
+// @summary Configures a registry
+// @description Configures a registry.
+// @description **Access policy**: admin
+// @tags registries
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Registry identifier"
+// @param body body registryConfigurePayload true "Registry configuration"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 "Registry not found"
+// @failure 500 "Server error"
+// @router /registries/{id}/configure [post]
 func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/registries/registry_create.go

@@ -8,17 +8,24 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type registryCreatePayload struct {
-	Name           string
-	Type           portainer.RegistryType
-	URL            string
-	Authentication bool
-	Username       string
-	Password       string
-	Gitlab         portainer.GitlabRegistryData
+	// Name that will be used to identify this registry
+	Name string `example:"my-registry" validate:"required"`
+	// Registry Type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry) or 4 (Gitlab registry)
+	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4"`
+	// URL or IP address of the Docker registry
+	URL string `example:"registry.mydomain.tld:2375" validate:"required"`
+	// Is authentication against this registry enabled
+	Authentication bool `example:"false" validate:"required"`
+	// Username used to authenticate against this registry. Required when Authentication is true
+	Username string `example:"registry_user"`
+	// Password used to authenticate against this registry. required when Authentication is true
+	Password string `example:"registry_password"`
+	// Gitlab specific details, required when type = 4
+	Gitlab portainer.GitlabRegistryData
 }
 
 func (payload *registryCreatePayload) Validate(r *http.Request) error {
@@ -37,6 +44,19 @@ func (payload *registryCreatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+// @id RegistryCreate
+// @summary Create a new registry
+// @description Create a new registry.
+// @description **Access policy**: administrator
+// @tags registries
+// @security jwt
+// @accept json
+// @produce json
+// @param body body registryCreatePayload true "Registry details"
+// @success 200 {object} portainer.Registry "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /registries [post]
 func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload registryCreatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/registries/registry_delete.go

@@ -6,11 +6,22 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/registries/:id
+// @id RegistryDelete
+// @summary Remove a registry
+// @description Remove a registry
+// @description **Access policy**: administrator
+// @tags registries
+// @security jwt
+// @param id path int true "Registry identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Registry not found"
+// @failure 500 "Server error"
+// @router /registries/{id} [delete]
 func (handler *Handler) registryDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/registries/registry_inspect.go

@@ -3,16 +3,29 @@ package registries
 import (
 	"net/http"
 
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/http/errors"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
 )
 
-// GET request on /api/registries/:id
+// @id RegistryInspect
+// @summary Inspect a registry
+// @description Retrieve details about a registry.
+// @description **Access policy**: administrator
+// @tags registries
+// @security jwt
+// @produce json
+// @param id path int true "Registry identifier"
+// @success 200 {object} portainer.Registry "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access registry"
+// @failure 404 "Registry not found"
+// @failure 500 "Server error"
+// @router /registries/{id} [get]
 func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/registries/registry_list.go

@@ -8,7 +8,18 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// GET request on /api/registries
+// @id RegistryList
+// @summary List Registries
+// @description List all registries based on the current user authorizations.
+// @description Will return all registries if using an administrator account otherwise it
+// @description will only return authorized registries.
+// @description **Access policy**: restricted
+// @tags registries
+// @security jwt
+// @produce json
+// @success 200 {array} portainer.Registry "Success"
+// @failure 500 "Server error"
+// @router /registries [get]
 func (handler *Handler) registryList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	registries, err := handler.DataStore.Registry().Registries()
 	if err != nil {

api/http/handler/registries/registry_update.go

@@ -7,16 +7,21 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )
 
 type registryUpdatePayload struct {
-	Name               *string
-	URL                *string
-	Authentication     *bool
-	Username           *string
-	Password           *string
+	// Name that will be used to identify this registry
+	Name *string `validate:"required" example:"my-registry"`
+	// URL or IP address of the Docker registry
+	URL *string `validate:"required" example:"registry.mydomain.tld:2375"`
+	// Is authentication against this registry enabled
+	Authentication *bool `example:"false" validate:"required"`
+	// Username used to authenticate against this registry. Required when Authentication is true
+	Username *string `example:"registry_user"`
+	// Password used to authenticate against this registry. required when Authentication is true
+	Password           *string `example:"registry_password"`
 	UserAccessPolicies portainer.UserAccessPolicies
 	TeamAccessPolicies portainer.TeamAccessPolicies
 }
@@ -25,7 +30,22 @@ func (payload *registryUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/registries/:id
+// @id RegistryUpdate
+// @summary Update a registry
+// @description Update a registry
+// @description **Access policy**: administrator
+// @tags registries
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Registry identifier"
+// @param body body registryUpdatePayload true "Registry details"
+// @success 200 {object} portainer.Registry "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Registry not found"
+// @failure 409 "Another registry with the same URL already exists"
+// @failure 500 "Server error"
+// @router /registries/{id} [put]
 func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
@@ -71,7 +91,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 				registry.Username = *payload.Username
 			}
 
-			if payload.Password != nil {
+			if payload.Password != nil && *payload.Password != "" {
 				registry.Password = *payload.Password
 			}
 

api/http/handler/resourcecontrols/resourcecontrol_create.go

@@ -8,17 +8,25 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 )
 
 type resourceControlCreatePayload struct {
-	ResourceID         string
-	Type               string
-	Public             bool
-	AdministratorsOnly bool
-	Users              []int
-	Teams              []int
-	SubResourceIDs     []string
+	//
+	ResourceID string `example:"617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08" validate:"required"`
+	// Type of Docker resource. Valid values are: container, volume\
+	// service, secret, config or stack
+	Type string `example:"container" validate:"required"`
+	// Permit access to the associated resource to any user
+	Public bool `example:"true"`
+	// Permit access to resource only to admins
+	AdministratorsOnly bool `example:"true"`
+	// List of user identifiers with access to the associated resource
+	Users []int `example:"1,4"`
+	// List of team identifiers with access to the associated resource
+	Teams []int `example:"56,7"`
+	// List of Docker resources that will inherit this access control
+	SubResourceIDs []string `example:"617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08"`
 }
 
 var (
@@ -45,7 +53,20 @@ func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// POST request on /api/resource_controls
+// @id ResourceControlCreate
+// @summary Create a new resource control
+// @description Create a new resource control to restrict access to a Docker resource.
+// @description **Access policy**: administrator
+// @tags resource_controls
+// @security jwt
+// @accept json
+// @produce json
+// @param body body resourceControlCreatePayload true "Resource control details"
+// @success 200 {object} portainer.ResourceControl "Success"
+// @failure 400 "Invalid request"
+// @failure 409 "Resource control already exists"
+// @failure 500 "Server error"
+// @router /resource_controls [post]
 func (handler *Handler) resourceControlCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload resourceControlCreatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/resourcecontrols/resourcecontrol_delete.go

@@ -6,11 +6,22 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// DELETE request on /api/resource_controls/:id
+// @id ResourceControlDelete
+// @summary Remove a resource control
+// @description Remove a resource control.
+// @description **Access policy**: administrator
+// @tags resource_controls
+// @security jwt
+// @param id path int true "Resource control identifier"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Resource control not found"
+// @failure 500 "Server error"
+// @router /resource_controls/{id} [delete]
 func (handler *Handler) resourceControlDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	resourceControlID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/resourcecontrols/resourcecontrol_update.go

@@ -7,17 +7,21 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
 )
 
 type resourceControlUpdatePayload struct {
-	Public             bool
-	Users              []int
-	Teams              []int
-	AdministratorsOnly bool
+	// Permit access to the associated resource to any user
+	Public bool `example:"true"`
+	// List of user identifiers with access to the associated resource
+	Users []int `example:"4"`
+	// List of team identifiers with access to the associated resource
+	Teams []int `example:"7"`
+	// Permit access to resource only to admins
+	AdministratorsOnly bool `example:"true"`
 }
 
 func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
@@ -31,7 +35,22 @@ func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/resource_controls/:id
+// @id ResourceControlUpdate
+// @summary Update a resource control
+// @description Update a resource control
+// @description **Access policy**: restricted
+// @tags resource_controls
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "Resource control identifier"
+// @param body body resourceControlUpdatePayload true "Resource control details"
+// @success 200 {object} portainer.ResourceControl "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Unauthorized"
+// @failure 404 "Resource control not found"
+// @failure 500 "Server error"
+// @router /resource_controls/{id} [put]
 func (handler *Handler) resourceControlUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	resourceControlID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/roles/role_list.go

@@ -7,7 +7,16 @@ import (
 	"github.com/portainer/libhttp/response"
 )
 
-// GET request on /api/Role
+// @id RoleList
+// @summary List roles
+// @description List all roles available for use
+// @description **Access policy**: administrator
+// @tags roles
+// @security jwt
+// @produce json
+// @success 200 {array} portainer.Role "Success"
+// @failure 500 "Server error"
+// @router /roles [get]
 func (handler *Handler) roleList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	roles, err := handler.DataStore.Role().Roles()
 	if err != nil {

api/http/handler/settings/settings_inspect.go

@@ -7,7 +7,16 @@ import (
 	"github.com/portainer/libhttp/response"
 )
 
-// GET request on /api/settings
+// @id SettingsInspect
+// @summary Retrieve Portainer settings
+// @description Retrieve Portainer settings.
+// @description **Access policy**: administrator
+// @tags settings
+// @security jwt
+// @produce json
+// @success 200 {object} portainer.Settings "Success"
+// @failure 500 "Server error"
+// @router /settings [get]
 func (handler *Handler) settingsInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	settings, err := handler.DataStore.Settings().Settings()
 	if err != nil {

api/http/handler/settings/settings_ldap_check.go

@@ -6,7 +6,7 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 )
 
@@ -18,7 +18,18 @@ func (payload *settingsLDAPCheckPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /settings/ldap/check
+// @id SettingsLDAPCheck
+// @summary Test LDAP connectivity
+// @description Test LDAP connectivity using LDAP details
+// @description **Access policy**: administrator
+// @tags settings
+// @security jwt
+// @accept json
+// @param body body settingsLDAPCheckPayload true "details"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /settings/ldap/check [put]
 func (handler *Handler) settingsLDAPCheck(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload settingsLDAPCheckPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)

api/http/handler/settings/settings_public.go

@@ -10,22 +10,27 @@ import (
 )
 
 type publicSettingsResponse struct {
-	LogoURL                                   string                         `json:"LogoURL"`
-	AuthenticationMethod                      portainer.AuthenticationMethod `json:"AuthenticationMethod"`
-	AllowBindMountsForRegularUsers            bool                           `json:"AllowBindMountsForRegularUsers"`
-	AllowPrivilegedModeForRegularUsers        bool                           `json:"AllowPrivilegedModeForRegularUsers"`
-	AllowVolumeBrowserForRegularUsers         bool                           `json:"AllowVolumeBrowserForRegularUsers"`
-	AllowHostNamespaceForRegularUsers         bool                           `json:"AllowHostNamespaceForRegularUsers"`
-	AllowDeviceMappingForRegularUsers         bool                           `json:"AllowDeviceMappingForRegularUsers"`
-	AllowStackManagementForRegularUsers       bool                           `json:"AllowStackManagementForRegularUsers"`
-	AllowContainerCapabilitiesForRegularUsers bool                           `json:"AllowContainerCapabilitiesForRegularUsers"`
-	EnableHostManagementFeatures              bool                           `json:"EnableHostManagementFeatures"`
-	EnableEdgeComputeFeatures                 bool                           `json:"EnableEdgeComputeFeatures"`
-	OAuthLoginURI                             string                         `json:"OAuthLoginURI"`
-	EnableTelemetry                           bool                           `json:"EnableTelemetry"`
+	// URL to a logo that will be displayed on the login page as well as on top of the sidebar. Will use default Portainer logo when value is empty string
+	LogoURL string `json:"LogoURL" example:"https://mycompany.mydomain.tld/logo.png"`
+	// Active authentication method for the Portainer instance. Valid values are: 1 for internal, 2 for LDAP, or 3 for oauth
+	AuthenticationMethod portainer.AuthenticationMethod `json:"AuthenticationMethod" example:"1"`
+	// Whether edge compute features are enabled
+	EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures" example:"true"`
+	// The URL used for oauth login
+	OAuthLoginURI string `json:"OAuthLoginURI" example:"https://gitlab.com/oauth"`
+	// Whether telemetry is enabled
+	EnableTelemetry bool `json:"EnableTelemetry" example:"true"`
 }
 
-// GET request on /api/settings/public
+// @id SettingsPublic
+// @summary Retrieve Portainer public settings
+// @description Retrieve public settings. Returns a small set of settings that are not reserved to administrators only.
+// @description **Access policy**: public
+// @tags settings
+// @produce json
+// @success 200 {object} publicSettingsResponse "Success"
+// @failure 500 "Server error"
+// @router /settings/public [get]
 func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	settings, err := handler.DataStore.Settings().Settings()
 	if err != nil {
@@ -33,18 +38,10 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 	}
 
 	publicSettings := &publicSettingsResponse{
-		LogoURL:                                   settings.LogoURL,
-		AuthenticationMethod:                      settings.AuthenticationMethod,
-		AllowBindMountsForRegularUsers:            settings.AllowBindMountsForRegularUsers,
-		AllowPrivilegedModeForRegularUsers:        settings.AllowPrivilegedModeForRegularUsers,
-		AllowVolumeBrowserForRegularUsers:         settings.AllowVolumeBrowserForRegularUsers,
-		AllowHostNamespaceForRegularUsers:         settings.AllowHostNamespaceForRegularUsers,
-		AllowDeviceMappingForRegularUsers:         settings.AllowDeviceMappingForRegularUsers,
-		AllowStackManagementForRegularUsers:       settings.AllowStackManagementForRegularUsers,
-		AllowContainerCapabilitiesForRegularUsers: settings.AllowContainerCapabilitiesForRegularUsers,
-		EnableHostManagementFeatures:              settings.EnableHostManagementFeatures,
-		EnableEdgeComputeFeatures:                 settings.EnableEdgeComputeFeatures,
-		EnableTelemetry:                           settings.EnableTelemetry,
+		LogoURL:                   settings.LogoURL,
+		AuthenticationMethod:      settings.AuthenticationMethod,
+		EnableEdgeComputeFeatures: settings.EnableEdgeComputeFeatures,
+		EnableTelemetry:           settings.EnableTelemetry,
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,

api/http/handler/settings/settings_update.go

@@ -14,25 +14,26 @@ import (
 )
 
 type settingsUpdatePayload struct {
-	LogoURL                                   *string
-	BlackListedLabels                         []portainer.Pair
-	AuthenticationMethod                      *int
-	LDAPSettings                              *portainer.LDAPSettings
-	OAuthSettings                             *portainer.OAuthSettings
-	AllowBindMountsForRegularUsers            *bool
-	AllowPrivilegedModeForRegularUsers        *bool
-	AllowHostNamespaceForRegularUsers         *bool
-	AllowVolumeBrowserForRegularUsers         *bool
-	AllowDeviceMappingForRegularUsers         *bool
-	AllowStackManagementForRegularUsers       *bool
-	AllowContainerCapabilitiesForRegularUsers *bool
-	EnableHostManagementFeatures              *bool
-	SnapshotInterval                          *string
-	TemplatesURL                              *string
-	EdgeAgentCheckinInterval                  *int
-	EnableEdgeComputeFeatures                 *bool
-	UserSessionTimeout                        *string
-	EnableTelemetry                           *bool
+	// URL to a logo that will be displayed on the login page as well as on top of the sidebar. Will use default Portainer logo when value is empty string
+	LogoURL *string `example:"https://mycompany.mydomain.tld/logo.png"`
+	// A list of label name & value that will be used to hide containers when querying containers
+	BlackListedLabels []portainer.Pair
+	// Active authentication method for the Portainer instance. Valid values are: 1 for internal, 2 for LDAP, or 3 for oauth
+	AuthenticationMethod *int                     `example:"1"`
+	LDAPSettings         *portainer.LDAPSettings  `example:""`
+	OAuthSettings        *portainer.OAuthSettings `example:""`
+	// The interval in which endpoint snapshots are created
+	SnapshotInterval *string `example:"5m"`
+	// URL to the templates that will be displayed in the UI when navigating to App Templates
+	TemplatesURL *string `example:"https://raw.githubusercontent.com/portainer/templates/master/templates.json"`
+	// The default check in interval for edge agent (in seconds)
+	EdgeAgentCheckinInterval *int `example:"5"`
+	// Whether edge compute features are enabled
+	EnableEdgeComputeFeatures *bool `example:"true"`
+	// The duration of a user session
+	UserSessionTimeout *string `example:"5m"`
+	// Whether telemetry is enabled
+	EnableTelemetry *bool `example:"false"`
 }
 
 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@@ -55,7 +56,19 @@ func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// PUT request on /api/settings
+// @id SettingsUpdate
+// @summary Update Portainer settings
+// @description Update Portainer settings.
+// @description **Access policy**: administrator
+// @tags settings
+// @security jwt
+// @accept json
+// @produce json
+// @param body body settingsUpdatePayload true "New settings"
+// @success 200 {object} portainer.Settings "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /settings [put]
 func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload settingsUpdatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@@ -107,38 +120,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.OAuthSettings.ClientSecret = clientSecret
 	}
 
-	if payload.AllowBindMountsForRegularUsers != nil {
-		settings.AllowBindMountsForRegularUsers = *payload.AllowBindMountsForRegularUsers
-	}
-
-	if payload.AllowPrivilegedModeForRegularUsers != nil {
-		settings.AllowPrivilegedModeForRegularUsers = *payload.AllowPrivilegedModeForRegularUsers
-	}
-
-	if payload.AllowVolumeBrowserForRegularUsers != nil {
-		settings.AllowVolumeBrowserForRegularUsers = *payload.AllowVolumeBrowserForRegularUsers
-	}
-
-	if payload.EnableHostManagementFeatures != nil {
-		settings.EnableHostManagementFeatures = *payload.EnableHostManagementFeatures
-	}
-
 	if payload.EnableEdgeComputeFeatures != nil {
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}
 
-	if payload.AllowHostNamespaceForRegularUsers != nil {
-		settings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers
-	}
-
-	if payload.AllowStackManagementForRegularUsers != nil {
-		settings.AllowStackManagementForRegularUsers = *payload.AllowStackManagementForRegularUsers
-	}
-
-	if payload.AllowContainerCapabilitiesForRegularUsers != nil {
-		settings.AllowContainerCapabilitiesForRegularUsers = *payload.AllowContainerCapabilitiesForRegularUsers
-	}
-
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {
@@ -158,10 +143,6 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		handler.JWTService.SetUserSessionDuration(userSessionDuration)
 	}
 
-	if payload.AllowDeviceMappingForRegularUsers != nil {
-		settings.AllowDeviceMappingForRegularUsers = *payload.AllowDeviceMappingForRegularUsers
-	}
-
 	if payload.EnableTelemetry != nil {
 		settings.EnableTelemetry = *payload.EnableTelemetry
 	}

api/http/handler/stacks/create_compose_stack.go

@@ -7,6 +7,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@@ -24,9 +25,12 @@ func normalizeStackName(name string) string {
 }
 
 type composeStackFromFileContentPayload struct {
-	Name             string
-	StackFileContent string
-	Env              []portainer.Pair
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+	// Content of the Stack file
+	StackFileContent string `example:"version: 3\n services:\n web:\n image:nginx" validate:"required"`
+	// A list of environment variables used during stack deployment
+	Env []portainer.Pair `example:""`
 }
 
 func (payload *composeStackFromFileContentPayload) Validate(r *http.Request) error {
@@ -60,13 +64,14 @@ func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter,
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerComposeStack,
-		EndpointID: endpoint.ID,
-		EntryPoint: filesystem.ComposeFileDefaultName,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerComposeStack,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   filesystem.ComposeFileDefaultName,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	stackFolder := strconv.Itoa(int(stack.ID))
@@ -89,6 +94,8 @@ func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter,
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -99,14 +106,24 @@ func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter,
 }
 
 type composeStackFromGitRepositoryPayload struct {
-	Name                        string
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
-	Env                         []portainer.Pair
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+
+	// URL of a Git repository hosting the Stack file
+	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
+	// Reference name of a Git repository hosting the Stack file
+	RepositoryReferenceName string `example:"refs/heads/master"`
+	// Use basic authentication to clone the Git repository
+	RepositoryAuthentication bool `example:"true"`
+	// Username used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryUsername string `example:"myGitUsername"`
+	// Password used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryPassword string `example:"myGitPassword"`
+	// Path to the Stack file inside the Git repository
+	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
+
+	// A list of environment variables used during stack deployment
+	Env []portainer.Pair
 }
 
 func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -146,13 +163,14 @@ func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWrite
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerComposeStack,
-		EndpointID: endpoint.ID,
-		EntryPoint: payload.ComposeFilePathInRepository,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerComposeStack,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   payload.ComposeFilePathInRepository,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
@@ -185,6 +203,8 @@ func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWrite
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -242,13 +262,14 @@ func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter,
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerComposeStack,
-		EndpointID: endpoint.ID,
-		EntryPoint: filesystem.ComposeFileDefaultName,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerComposeStack,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   filesystem.ComposeFileDefaultName,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	stackFolder := strconv.Itoa(int(stack.ID))
@@ -271,6 +292,8 @@ func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter,
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -329,21 +352,18 @@ func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portai
 // clean it. Hence the use of the mutex.
 // We should contribute to libcompose to support authentication without using the config.json file.
 func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig) error {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return err
-	}
-
 	isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
 	if err != nil {
 		return err
 	}
 
-	if (!settings.AllowBindMountsForRegularUsers ||
-		!settings.AllowPrivilegedModeForRegularUsers ||
-		!settings.AllowHostNamespaceForRegularUsers ||
-		!settings.AllowDeviceMappingForRegularUsers ||
-		!settings.AllowContainerCapabilitiesForRegularUsers) &&
+	securitySettings := &config.endpoint.SecuritySettings
+
+	if (!securitySettings.AllowBindMountsForRegularUsers ||
+		!securitySettings.AllowPrivilegedModeForRegularUsers ||
+		!securitySettings.AllowHostNamespaceForRegularUsers ||
+		!securitySettings.AllowDeviceMappingForRegularUsers ||
+		!securitySettings.AllowContainerCapabilitiesForRegularUsers) &&
 		!isAdminOrEndpointAdmin {
 
 		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
@@ -352,7 +372,7 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 			return err
 		}
 
-		err = handler.isValidStackFile(stackContent, settings)
+		err = handler.isValidStackFile(stackContent, securitySettings)
 		if err != nil {
 			return err
 		}

api/http/handler/stacks/create_swarm_stack.go

@@ -6,20 +6,25 @@ import (
 	"path"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 )
 
 type swarmStackFromFileContentPayload struct {
-	Name             string
-	SwarmID          string
-	StackFileContent string
-	Env              []portainer.Pair
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+	// Swarm cluster identifier
+	SwarmID string `example:"jpofkc0i9uo9wtx1zesuk649w" validate:"required"`
+	// Content of the Stack file
+	StackFileContent string `example:"version: 3\n services:\n web:\n image:nginx" validate:"required"`
+	// A list of environment variables used during stack deployment
+	Env []portainer.Pair
 }
 
 func (payload *swarmStackFromFileContentPayload) Validate(r *http.Request) error {
@@ -55,14 +60,15 @@ func (handler *Handler) createSwarmStackFromFileContent(w http.ResponseWriter, r
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerSwarmStack,
-		SwarmID:    payload.SwarmID,
-		EndpointID: endpoint.ID,
-		EntryPoint: filesystem.ComposeFileDefaultName,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerSwarmStack,
+		SwarmID:      payload.SwarmID,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   filesystem.ComposeFileDefaultName,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	stackFolder := strconv.Itoa(int(stack.ID))
@@ -85,6 +91,8 @@ func (handler *Handler) createSwarmStackFromFileContent(w http.ResponseWriter, r
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -95,15 +103,25 @@ func (handler *Handler) createSwarmStackFromFileContent(w http.ResponseWriter, r
 }
 
 type swarmStackFromGitRepositoryPayload struct {
-	Name                        string
-	SwarmID                     string
-	Env                         []portainer.Pair
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
+	// Name of the stack
+	Name string `example:"myStack" validate:"required"`
+	// Swarm cluster identifier
+	SwarmID string `example:"jpofkc0i9uo9wtx1zesuk649w" validate:"required"`
+	// A list of environment variables used during stack deployment
+	Env []portainer.Pair
+
+	// URL of a Git repository hosting the Stack file
+	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
+	// Reference name of a Git repository hosting the Stack file
+	RepositoryReferenceName string `example:"refs/heads/master"`
+	// Use basic authentication to clone the Git repository
+	RepositoryAuthentication bool `example:"true"`
+	// Username used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryUsername string `example:"myGitUsername"`
+	// Password used in basic authentication. Required when RepositoryAuthentication is true.
+	RepositoryPassword string `example:"myGitPassword"`
+	// Path to the Stack file inside the Git repository
+	ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 }
 
 func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -145,14 +163,15 @@ func (handler *Handler) createSwarmStackFromGitRepository(w http.ResponseWriter,
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerSwarmStack,
-		SwarmID:    payload.SwarmID,
-		EndpointID: endpoint.ID,
-		EntryPoint: payload.ComposeFilePathInRepository,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerSwarmStack,
+		SwarmID:      payload.SwarmID,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   payload.ComposeFilePathInRepository,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
@@ -185,6 +204,8 @@ func (handler *Handler) createSwarmStackFromGitRepository(w http.ResponseWriter,
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -249,14 +270,15 @@ func (handler *Handler) createSwarmStackFromFileUpload(w http.ResponseWriter, r
 
 	stackID := handler.DataStore.Stack().GetNextIdentifier()
 	stack := &portainer.Stack{
-		ID:         portainer.StackID(stackID),
-		Name:       payload.Name,
-		Type:       portainer.DockerSwarmStack,
-		SwarmID:    payload.SwarmID,
-		EndpointID: endpoint.ID,
-		EntryPoint: filesystem.ComposeFileDefaultName,
-		Env:        payload.Env,
-		Status:     portainer.StackStatusActive,
+		ID:           portainer.StackID(stackID),
+		Name:         payload.Name,
+		Type:         portainer.DockerSwarmStack,
+		SwarmID:      payload.SwarmID,
+		EndpointID:   endpoint.ID,
+		EntryPoint:   filesystem.ComposeFileDefaultName,
+		Env:          payload.Env,
+		Status:       portainer.StackStatusActive,
+		CreationDate: time.Now().Unix(),
 	}
 
 	stackFolder := strconv.Itoa(int(stack.ID))
@@ -279,6 +301,8 @@ func (handler *Handler) createSwarmStackFromFileUpload(w http.ResponseWriter, r
 		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
 	}
 
+	stack.CreatedBy = config.user.Username
+
 	err = handler.DataStore.Stack().CreateStack(stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
@@ -334,16 +358,13 @@ func (handler *Handler) createSwarmDeployConfig(r *http.Request, stack *portaine
 }
 
 func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) error {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return err
-	}
-
 	isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
 	if err != nil {
 		return err
 	}
 
+	settings := &config.endpoint.SecuritySettings
+
 	if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin {
 		composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
 

api/http/handler/stacks/handler.go

@@ -78,6 +78,17 @@ func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedR
 	return handler.userIsAdminOrEndpointAdmin(user, endpointID)
 }
 
+func (handler *Handler) userIsAdmin(userID portainer.UserID) (bool, error) {
+	user, err := handler.DataStore.User().User(userID)
+	if err != nil {
+		return false, err
+	}
+
+	isAdmin := user.Role == portainer.AdministratorRole
+
+	return isAdmin, nil
+}
+
 func (handler *Handler) userIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.EndpointID) (bool, error) {
 	isAdmin := user.Role == portainer.AdministratorRole
 

api/http/handler/stacks/stack_create.go

@@ -29,7 +29,29 @@ func (handler *Handler) cleanUp(stack *portainer.Stack, doCleanUp *bool) error {
 	return nil
 }
 
-// POST request on /api/stacks?type=<type>&method=<method>&endpointId=<endpointId>
+// @id StackCreate
+// @summary Deploy a new stack
+// @description Deploy a new stack into a Docker environment specified via the endpoint identifier.
+// @description **Access policy**: restricted
+// @tags stacks
+// @security jwt
+// @accept json, multipart/form-data
+// @produce json
+// @param type query int true "Stack deployment type. Possible values: 1 (Swarm stack) or 2 (Compose stack)." Enums(1,2)
+// @param method query string true "Stack deployment method. Possible values: file, string or repository." Enums(string, file, repository)
+// @param endpointId query int true "Identifier of the endpoint that will be used to deploy the stack"
+// @param body_swarm_string body swarmStackFromFileContentPayload false "Required when using method=string and type=1"
+// @param body_swarm_repository body swarmStackFromGitRepositoryPayload false "Required when using method=repository and type=1"
+// @param body_compose_string body composeStackFromFileContentPayload false "Required when using method=string and type=2"
+// @param body_compose_repository body composeStackFromGitRepositoryPayload false "Required when using method=repository and type=2"
+// @param Name formData string false "Name of the stack. required when method is file"
+// @param SwarmID formData string false "Swarm cluster identifier. Required when method equals file and type equals 1. required when method is file"
+// @param Env formData string false "Environment variables passed during deployment, represented as a JSON array [{'name': 'name', 'value': 'value'}]. Optional, used when method equals file and type equals 1."
+// @param file formData file false "Stack file. required when method is file"
+// @success 200 {object} portainer.CustomTemplate
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /stacks [post]
 func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackType, err := request.RetrieveNumericQueryParameter(r, "type", false)
 	if err != nil {
@@ -46,12 +68,14 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
 	}
 
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}
 
-	if !settings.AllowStackManagementForRegularUsers {
+	if !endpoint.SecuritySettings.AllowStackManagementForRegularUsers {
 		securityContext, err := security.RetrieveRestrictedRequestContext(r)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
@@ -69,13 +93,6 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
 		}
 	}
 
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
-	}
-
 	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
@@ -129,7 +146,7 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,
 	return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
 }
 
-func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *portainer.Settings) error {
+func (handler *Handler) isValidStackFile(stackFileContent []byte, securitySettings *portainer.EndpointSecuritySettings) error {
 	composeConfigYAML, err := loader.ParseYAML(stackFileContent)
 	if err != nil {
 		return err
@@ -154,7 +171,7 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *port
 
 	for key := range composeConfig.Services {
 		service := composeConfig.Services[key]
-		if !settings.AllowBindMountsForRegularUsers {
+		if !securitySettings.AllowBindMountsForRegularUsers {
 			for _, volume := range service.Volumes {
 				if volume.Type == "bind" {
 					return errors.New("bind-mount disabled for non administrator users")
@@ -162,19 +179,19 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *port
 			}
 		}
 
-		if !settings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
+		if !securitySettings.AllowPrivilegedModeForRegularUsers && service.Privileged == true {
 			return errors.New("privileged mode disabled for non administrator users")
 		}
 
-		if !settings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
+		if !securitySettings.AllowHostNamespaceForRegularUsers && service.Pid == "host" {
 			return errors.New("pid host disabled for non administrator users")
 		}
 
-		if !settings.AllowDeviceMappingForRegularUsers && service.Devices != nil && len(service.Devices) > 0 {
+		if !securitySettings.AllowDeviceMappingForRegularUsers && service.Devices != nil && len(service.Devices) > 0 {
 			return errors.New("device mapping disabled for non administrator users")
 		}
 
-		if !settings.AllowContainerCapabilitiesForRegularUsers && (len(service.CapAdd) > 0 || len(service.CapDrop) > 0) {
+		if !securitySettings.AllowContainerCapabilitiesForRegularUsers && (len(service.CapAdd) > 0 || len(service.CapDrop) > 0) {
 			return errors.New("container capabilities disabled for non administrator users")
 		}
 	}
@@ -183,9 +200,20 @@ func (handler *Handler) isValidStackFile(stackFileContent []byte, settings *port
 }
 
 func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *portainer.Stack, userID portainer.UserID) *httperror.HandlerError {
-	resourceControl := authorization.NewPrivateResourceControl(stack.Name, portainer.StackResourceControl, userID)
+	var resourceControl *portainer.ResourceControl
 
-	err := handler.DataStore.ResourceControl().CreateResourceControl(resourceControl)
+	isAdmin, err := handler.userIsAdmin(userID)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
+	}
+
+	if isAdmin {
+		resourceControl = authorization.NewAdministratorsOnlyResourceControl(stack.Name, portainer.StackResourceControl)
+	} else {
+		resourceControl = authorization.NewPrivateResourceControl(stack.Name, portainer.StackResourceControl, userID)
+	}
+
+	err = handler.DataStore.ResourceControl().CreateResourceControl(resourceControl)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist resource control inside the database", err}
 	}

api/http/handler/stacks/stack_delete.go

@@ -14,9 +14,21 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// DELETE request on /api/stacks/:id?external=<external>&endpointId=<endpointId>
-// If the external query parameter is set to true, the id route variable is expected to be
-// the name of an external stack as a string.
+// @id StackDelete
+// @summary Remove a stack
+// @description Remove a stack.
+// @description **Access policy**: restricted
+// @tags stacks
+// @security jwt
+// @param id path int true "Stack identifier"
+// @param external query boolean false "Set to true to delete an external stack. Only external Swarm stacks are supported"
+// @param endpointId query int false "Endpoint identifier used to remove an external stack (required when external is set to true)"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 " not found"
+// @failure 500 "Server error"
+// @router /stacks/{id} [delete]
 func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackID, err := request.RetrieveRouteVariableValue(r, "id")
 	if err != nil {