improve code and add comments

Co-authored-by: Simon Meng <simon.meng@portainer.io>

api/bolt/migrate_data.go

@@ -18,13 +18,16 @@ const beforePortainerVersionUpgradeBackup = "portainer.db.bak"
 var migrateLog = plog.NewScopedLog("bolt, migrate")
 
 // FailSafeMigrate backup and restore DB if migration fail
-func (store *Store) FailSafeMigrate(migrator *migrator.Migrator) error {
+func (store *Store) FailSafeMigrate(migrator *migrator.Migrator) (err error) {
 	defer func() {
-		if err := recover(); err != nil {
-			migrateLog.Info(fmt.Sprintf("Error during migration, recovering [%v]", err))
+		if e := recover(); e != nil {
 			store.Rollback(true)
+			err = fmt.Errorf("%v", e)
 		}
 	}()
+
+	// !Important: we must use a named return value in the function definition and not a local
+	// !variable referenced from the closure or else the return value will be incorrectly set
 	return migrator.Migrate()
 }
 

api/chisel/service.go

@@ -3,7 +3,6 @@ package chisel
 import (
 	"context"
 	"fmt"
-	"github.com/portainer/portainer/api/http/proxy"
 	"log"
 	"net/http"
 	"strconv"
@@ -33,7 +32,6 @@ type Service struct {
 	snapshotService   portainer.SnapshotService
 	chiselServer      *chserver.Server
 	shutdownCtx       context.Context
-	ProxyManager      *proxy.Manager
 }
 
 // NewService returns a pointer to a new instance of Service
@@ -217,13 +215,18 @@ func (service *Service) checkTunnels() {
 			}
 		}
 
-		endpointID, err := strconv.Atoi(item.Key)
-		if err != nil {
-			log.Printf("[ERROR] [chisel,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
-			continue
+		if len(tunnel.Jobs) > 0 {
+			endpointID, err := strconv.Atoi(item.Key)
+			if err != nil {
+				log.Printf("[ERROR] [chisel,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
+				continue
+			}
+
+			service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
+		} else {
+			service.tunnelDetailsMap.Remove(item.Key)
 		}
 
-		service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
 	}
 }
 

api/chisel/tunnel.go

@@ -59,12 +59,6 @@ func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *porta
 // GetActiveTunnel retrieves an active tunnel which allows communicating with edge agent
 func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portainer.TunnelDetails, error) {
 	tunnel := service.GetTunnelDetails(endpoint.ID)
-
-	if tunnel.Status == portainer.EdgeAgentActive {
-		// update the LastActivity
-		service.SetTunnelStatusToActive(endpoint.ID)
-	}
-
 	if tunnel.Status == portainer.EdgeAgentIdle || tunnel.Status == portainer.EdgeAgentManagementRequired {
 		err := service.SetTunnelStatusToRequired(endpoint.ID)
 		if err != nil {
@@ -80,18 +74,9 @@ func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portaine
 			endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
 
-		waitForAgentToConnect := 2 * time.Duration(endpoint.EdgeCheckinInterval)
-
-		for waitForAgentToConnect >= 0 {
-			waitForAgentToConnect--
-			time.Sleep(time.Second)
-			tunnel = service.GetTunnelDetails(endpoint.ID)
-			if tunnel.Status == portainer.EdgeAgentActive {
-				break
-			}
-		}
+		waitForAgentToConnect := time.Duration(endpoint.EdgeCheckinInterval) * time.Second
+		time.Sleep(waitForAgentToConnect * 2)
 	}
-
 	tunnel = service.GetTunnelDetails(endpoint.ID)
 
 	return tunnel, nil
@@ -127,8 +112,6 @@ func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
 
 	key := strconv.Itoa(int(endpointID))
 	service.tunnelDetailsMap.Set(key, tunnel)
-
-	service.ProxyManager.DeleteEndpointProxy(endpointID)
 }
 
 // SetTunnelStatusToRequired update the status of the tunnel associated to the specified environment(endpoint).

api/cmd/portainer/main.go

@@ -467,8 +467,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager)
 
-	reverseTunnelService.ProxyManager = proxyManager
-
 	dockerConfigPath := fileService.GetDockerConfigPath()
 
 	composeStackManager := initComposeStackManager(*flags.Assets, dockerConfigPath, reverseTunnelService, proxyManager)
@@ -506,7 +504,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	adminPasswordHash := ""
 	if *flags.AdminPasswordFile != "" {
-		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
+		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
 		if err != nil {
 			log.Fatalf("failed getting admin password file: %v", err)
 		}

api/docker/client.go

@@ -91,11 +91,7 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 		headers[portainer.PortainerAgentTargetHeader] = nodeName
 	}
 
-	tunnel, err := reverseTunnelService.GetActiveTunnel(endpoint)
-	if err != nil {
-		return nil, err
-	}
-	
+	tunnel := reverseTunnelService.GetTunnelDetails(endpoint.ID)
 	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
 
 	return client.NewClientWithOpts(

api/exec/compose_stack.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -15,7 +16,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
-	"github.com/portainer/portainer/api/internal/stackutils"
 )
 
 // ComposeStackManager is a wrapper for docker-compose binary
@@ -58,7 +58,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 		return errors.Wrap(err, "failed to create env file")
 	}
 
-	filePaths := stackutils.GetStackFilePaths(stack)
+	filePaths := getStackFiles(stack)
 	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath)
 	return errors.Wrap(err, "failed to deploy a stack")
 }
@@ -73,7 +73,7 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		defer proxy.Close()
 	}
 
-	filePaths := stackutils.GetStackFilePaths(stack)
+	filePaths := getStackFiles(stack)
 	err = manager.deployer.Remove(ctx, stack.ProjectPath, url, stack.Name, filePaths)
 	return errors.Wrap(err, "failed to remove a stack")
 }
@@ -115,3 +115,27 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 
 	return "stack.env", nil
 }
+
+// getStackFiles returns list of stack's confile file paths.
+// items in the list would be sanitized according to following criterias:
+// 1. no empty paths
+// 2. no "../xxx" paths that are trying to escape stack folder
+// 3. no dir paths
+// 4. root paths would be made relative
+func getStackFiles(stack *portainer.Stack) []string {
+	paths := make([]string, 0, len(stack.AdditionalFiles)+1)
+
+	for _, p := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
+		if strings.HasPrefix(p, "/") {
+			p = `.` + p
+		}
+
+		if p == `` || p == `.` || strings.HasPrefix(p, `..`) || strings.HasSuffix(p, string(filepath.Separator)) {
+			continue
+		}
+
+		paths = append(paths, p)
+	}
+
+	return paths
+}

api/exec/compose_stack_test.go

@@ -64,3 +64,21 @@ func Test_createEnvFile(t *testing.T) {
 		})
 	}
 }
+
+func Test_getStackFiles(t *testing.T) {
+	stack := &portainer.Stack{
+		EntryPoint: "./file", // picks entry point
+		AdditionalFiles: []string{
+			``,                  // ignores empty string
+			`.`,                 // ignores .
+			`..`,                // ignores ..
+			`./dir/`,            // ignrores paths that end with trailing /
+			`/with-root-prefix`, // replaces "root" based paths with relative
+			`./relative`,        // keeps relative paths
+			`../escape`,         // prevents dir escape
+		},
+	}
+
+	filePaths := getStackFiles(stack)
+	assert.ElementsMatch(t, filePaths, []string{`./file`, `./with-root-prefix`, `./relative`})
+}

api/exec/swarm_stack.go

@@ -44,26 +44,19 @@ func NewSwarmStackManager(binaryPath, configPath string, signatureService portai
 }
 
 // Login executes the docker login command against a list of registries (including DockerHub).
-func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoint *portainer.Endpoint) error {
-	command, args, err := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
-	if err != nil {
-		return err
-	}
+func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoint *portainer.Endpoint) {
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
 	for _, registry := range registries {
 		if registry.Authentication {
 			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
 			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
 		}
 	}
-	return nil
 }
 
 // Logout executes the docker logout command.
 func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
-	command, args, err := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
-	if err != nil {
-		return err
-	}
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
 	args = append(args, "logout")
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }
@@ -71,10 +64,7 @@ func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
 // Deploy executes the docker stack deploy command.
 func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
 	filePaths := stackutils.GetStackFilePaths(stack)
-	command, args, err := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
-	if err != nil {
-		return err
-	}
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
 
 	if prune {
 		args = append(args, "stack", "deploy", "--prune", "--with-registry-auth")
@@ -94,10 +84,7 @@ func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, end
 
 // Remove executes the docker stack rm command.
 func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
-	command, args, err := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
-	if err != nil {
-		return err
-	}
+	command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
 	args = append(args, "stack", "rm", stack.Name)
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }
@@ -121,7 +108,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 	return nil
 }
 
-func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, configPath string, endpoint *portainer.Endpoint) (string, []string, error) {
+func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, configPath string, endpoint *portainer.Endpoint) (string, []string) {
 	// Assume Linux as a default
 	command := path.Join(binaryPath, "docker")
 
@@ -134,10 +121,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config
 
 	endpointURL := endpoint.URL
 	if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
-		tunnel, err := manager.reverseTunnelService.GetActiveTunnel(endpoint)
-		if err != nil {
-			return "", nil, err
-		}
+		tunnel := manager.reverseTunnelService.GetTunnelDetails(endpoint.ID)
 		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
 	}
 
@@ -157,7 +141,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config
 		}
 	}
 
-	return command, args, nil
+	return command, args
 }
 
 func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string) error {
@@ -191,7 +175,7 @@ func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string
 func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (map[string]interface{}, error) {
 	var config map[string]interface{}
 
-	raw, err := manager.fileService.GetFileContent(path, "")
+	raw, err := manager.fileService.GetFileContent(path)
 	if err != nil {
 		return make(map[string]interface{}), nil
 	}

api/filesystem/filesystem.go

@@ -6,14 +6,14 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"path/filepath"
-	"strings"
+	"io/ioutil"
 
 	"github.com/gofrs/uuid"
 	portainer "github.com/portainer/portainer/api"
 
 	"io"
 	"os"
+	"path"
 )
 
 const (
@@ -69,31 +69,12 @@ type Service struct {
 	fileStorePath string
 }
 
-// JoinPaths takes a trusted root path and a list of untrusted paths and joins
-// them together using directory separators while enforcing that the untrusted
-// paths cannot go higher up than the trusted root
-func JoinPaths(trustedRoot string, untrustedPaths ...string) string {
-	if trustedRoot == "" {
-		trustedRoot = "."
-	}
-
-	p := filepath.Join(trustedRoot, filepath.Join(append([]string{"/"}, untrustedPaths...)...))
-
-	// avoid setting a volume name from the untrusted paths
-	vnp := filepath.VolumeName(p)
-	if filepath.VolumeName(trustedRoot) == "" && vnp != "" {
-		return strings.TrimPrefix(strings.TrimPrefix(p, vnp), `\`)
-	}
-
-	return p
-}
-
 // NewService initializes a new service. It creates a data directory and a directory to store files
 // inside this directory if they don't exist.
 func NewService(dataStorePath, fileStorePath string) (*Service, error) {
 	service := &Service{
 		dataStorePath: dataStorePath,
-		fileStorePath: JoinPaths(dataStorePath, fileStorePath),
+		fileStorePath: path.Join(dataStorePath, fileStorePath),
 	}
 
 	err := os.MkdirAll(dataStorePath, 0755)
@@ -131,12 +112,12 @@ func NewService(dataStorePath, fileStorePath string) (*Service, error) {
 
 // GetBinaryFolder returns the full path to the binary store on the filesystem
 func (service *Service) GetBinaryFolder() string {
-	return JoinPaths(service.fileStorePath, BinaryStorePath)
+	return path.Join(service.fileStorePath, BinaryStorePath)
 }
 
 // GetDockerConfigPath returns the full path to the docker config store on the filesystem
 func (service *Service) GetDockerConfigPath() string {
-	return JoinPaths(service.fileStorePath, DockerConfigPath)
+	return path.Join(service.fileStorePath, DockerConfigPath)
 }
 
 // RemoveDirectory removes a directory on the filesystem.
@@ -147,7 +128,7 @@ func (service *Service) RemoveDirectory(directoryPath string) error {
 // GetStackProjectPath returns the absolute path on the FS for a stack based
 // on its identifier.
 func (service *Service) GetStackProjectPath(stackIdentifier string) string {
-	return JoinPaths(service.wrapFileStore(ComposeStorePath), stackIdentifier)
+	return path.Join(service.fileStorePath, ComposeStorePath, stackIdentifier)
 }
 
 // Copy copies the file on fromFilePath to toFilePath
@@ -213,13 +194,13 @@ func (service *Service) Copy(fromFilePath string, toFilePath string, deleteIfExi
 // StoreStackFileFromBytes creates a subfolder in the ComposeStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
 func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string, data []byte) (string, error) {
-	stackStorePath := JoinPaths(ComposeStorePath, stackIdentifier)
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
 	err := service.createDirectoryInStore(stackStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	composeFilePath := JoinPaths(stackStorePath, fileName)
+	composeFilePath := path.Join(stackStorePath, fileName)
 	r := bytes.NewReader(data)
 
 	err = service.createFileInStore(composeFilePath, r)
@@ -227,25 +208,25 @@ func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string
 		return "", err
 	}
 
-	return service.wrapFileStore(stackStorePath), nil
+	return path.Join(service.fileStorePath, stackStorePath), nil
 }
 
 // GetEdgeStackProjectPath returns the absolute path on the FS for a edge stack based
 // on its identifier.
 func (service *Service) GetEdgeStackProjectPath(edgeStackIdentifier string) string {
-	return JoinPaths(service.wrapFileStore(EdgeStackStorePath), edgeStackIdentifier)
+	return path.Join(service.fileStorePath, EdgeStackStorePath, edgeStackIdentifier)
 }
 
 // StoreEdgeStackFileFromBytes creates a subfolder in the EdgeStackStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
 func (service *Service) StoreEdgeStackFileFromBytes(edgeStackIdentifier, fileName string, data []byte) (string, error) {
-	stackStorePath := JoinPaths(EdgeStackStorePath, edgeStackIdentifier)
+	stackStorePath := path.Join(EdgeStackStorePath, edgeStackIdentifier)
 	err := service.createDirectoryInStore(stackStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	composeFilePath := JoinPaths(stackStorePath, fileName)
+	composeFilePath := path.Join(stackStorePath, fileName)
 	r := bytes.NewReader(data)
 
 	err = service.createFileInStore(composeFilePath, r)
@@ -253,20 +234,20 @@ func (service *Service) StoreEdgeStackFileFromBytes(edgeStackIdentifier, fileNam
 		return "", err
 	}
 
-	return service.wrapFileStore(stackStorePath), nil
+	return path.Join(service.fileStorePath, stackStorePath), nil
 }
 
 // StoreRegistryManagementFileFromBytes creates a subfolder in the
 // ExtensionRegistryManagementStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
 func (service *Service) StoreRegistryManagementFileFromBytes(folder, fileName string, data []byte) (string, error) {
-	extensionStorePath := JoinPaths(ExtensionRegistryManagementStorePath, folder)
+	extensionStorePath := path.Join(ExtensionRegistryManagementStorePath, folder)
 	err := service.createDirectoryInStore(extensionStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	file := JoinPaths(extensionStorePath, fileName)
+	file := path.Join(extensionStorePath, fileName)
 	r := bytes.NewReader(data)
 
 	err = service.createFileInStore(file, r)
@@ -274,13 +255,13 @@ func (service *Service) StoreRegistryManagementFileFromBytes(folder, fileName st
 		return "", err
 	}
 
-	return service.wrapFileStore(file), nil
+	return path.Join(service.fileStorePath, file), nil
 }
 
 // StoreTLSFileFromBytes creates a folder in the TLSStorePath and stores a new file from bytes.
 // It returns the path to the newly created file.
 func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.TLSFileType, data []byte) (string, error) {
-	storePath := JoinPaths(TLSStorePath, folder)
+	storePath := path.Join(TLSStorePath, folder)
 	err := service.createDirectoryInStore(storePath)
 	if err != nil {
 		return "", err
@@ -298,13 +279,13 @@ func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.
 		return "", ErrUndefinedTLSFileType
 	}
 
-	tlsFilePath := JoinPaths(storePath, fileName)
+	tlsFilePath := path.Join(storePath, fileName)
 	r := bytes.NewReader(data)
 	err = service.createFileInStore(tlsFilePath, r)
 	if err != nil {
 		return "", err
 	}
-	return service.wrapFileStore(tlsFilePath), nil
+	return path.Join(service.fileStorePath, tlsFilePath), nil
 }
 
 // GetPathForTLSFile returns the absolute path to a specific TLS file for an environment(endpoint).
@@ -320,13 +301,17 @@ func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSF
 	default:
 		return "", ErrUndefinedTLSFileType
 	}
-	return JoinPaths(service.wrapFileStore(TLSStorePath), folder, fileName), nil
+	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
 }
 
 // DeleteTLSFiles deletes a folder in the TLS store path.
 func (service *Service) DeleteTLSFiles(folder string) error {
-	storePath := JoinPaths(service.wrapFileStore(TLSStorePath), folder)
-	return os.RemoveAll(storePath)
+	storePath := path.Join(service.fileStorePath, TLSStorePath, folder)
+	err := os.RemoveAll(storePath)
+	if err != nil {
+		return err
+	}
+	return nil
 }
 
 // DeleteTLSFile deletes a specific TLS file from a folder.
@@ -343,19 +328,20 @@ func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileT
 		return ErrUndefinedTLSFileType
 	}
 
-	filePath := JoinPaths(service.wrapFileStore(TLSStorePath), folder, fileName)
+	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
 
-	return os.Remove(filePath)
+	err := os.Remove(filePath)
+	if err != nil {
+		return err
+	}
+	return nil
 }
 
 // GetFileContent returns the content of a file as bytes.
-func (service *Service) GetFileContent(trustedRoot, filePath string) ([]byte, error) {
-	content, err := os.ReadFile(JoinPaths(trustedRoot, filePath))
+func (service *Service) GetFileContent(filePath string) ([]byte, error) {
+	content, err := ioutil.ReadFile(filePath)
 	if err != nil {
-		if filePath == "" {
-			filePath = trustedRoot
-		}
-		return nil, fmt.Errorf("could not get the contents of the file '%s'", filePath)
+		return nil, err
 	}
 
 	return content, nil
@@ -373,7 +359,7 @@ func (service *Service) WriteJSONToFile(path string, content interface{}) error
 		return err
 	}
 
-	return os.WriteFile(path, jsonContent, 0644)
+	return ioutil.WriteFile(path, jsonContent, 0644)
 }
 
 // FileExists checks for the existence of the specified file.
@@ -383,17 +369,23 @@ func (service *Service) FileExists(filePath string) (bool, error) {
 
 // KeyPairFilesExist checks for the existence of the key files.
 func (service *Service) KeyPairFilesExist() (bool, error) {
-	privateKeyPath := JoinPaths(service.dataStorePath, PrivateKeyFile)
+	privateKeyPath := path.Join(service.dataStorePath, PrivateKeyFile)
 	exists, err := service.FileExists(privateKeyPath)
-	if err != nil || !exists {
+	if err != nil {
 		return false, err
 	}
+	if !exists {
+		return false, nil
+	}
 
-	publicKeyPath := JoinPaths(service.dataStorePath, PublicKeyFile)
+	publicKeyPath := path.Join(service.dataStorePath, PublicKeyFile)
 	exists, err = service.FileExists(publicKeyPath)
-	if err != nil || !exists {
+	if err != nil {
 		return false, err
 	}
+	if !exists {
+		return false, nil
+	}
 
 	return true, nil
 }
@@ -405,7 +397,12 @@ func (service *Service) StoreKeyPair(private, public []byte, privatePEMHeader, p
 		return err
 	}
 
-	return service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	err = service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 // LoadKeyPair retrieve the content of both key files on disk.
@@ -425,13 +422,13 @@ func (service *Service) LoadKeyPair() ([]byte, []byte, error) {
 
 // createDirectoryInStore creates a new directory in the file store
 func (service *Service) createDirectoryInStore(name string) error {
-	path := service.wrapFileStore(name)
+	path := path.Join(service.fileStorePath, name)
 	return os.MkdirAll(path, 0700)
 }
 
 // createFile creates a new file in the file store with the content from r.
 func (service *Service) createFileInStore(filePath string, r io.Reader) error {
-	path := service.wrapFileStore(filePath)
+	path := path.Join(service.fileStorePath, filePath)
 
 	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
@@ -440,11 +437,15 @@ func (service *Service) createFileInStore(filePath string, r io.Reader) error {
 	defer out.Close()
 
 	_, err = io.Copy(out, r)
-	return err
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func (service *Service) createPEMFileInStore(content []byte, fileType, filePath string) error {
-	path := service.wrapFileStore(filePath)
+	path := path.Join(service.fileStorePath, filePath)
 	block := &pem.Block{Type: fileType, Bytes: content}
 
 	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
@@ -453,13 +454,18 @@ func (service *Service) createPEMFileInStore(content []byte, fileType, filePath
 	}
 	defer out.Close()
 
-	return pem.Encode(out, block)
+	err = pem.Encode(out, block)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
-	path := service.wrapFileStore(filePath)
+	path := path.Join(service.fileStorePath, filePath)
 
-	fileContent, err := os.ReadFile(path)
+	fileContent, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
@@ -471,19 +477,19 @@ func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
 // GetCustomTemplateProjectPath returns the absolute path on the FS for a custom template based
 // on its identifier.
 func (service *Service) GetCustomTemplateProjectPath(identifier string) string {
-	return JoinPaths(service.wrapFileStore(CustomTemplateStorePath), identifier)
+	return path.Join(service.fileStorePath, CustomTemplateStorePath, identifier)
 }
 
 // StoreCustomTemplateFileFromBytes creates a subfolder in the CustomTemplateStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
 func (service *Service) StoreCustomTemplateFileFromBytes(identifier, fileName string, data []byte) (string, error) {
-	customTemplateStorePath := JoinPaths(CustomTemplateStorePath, identifier)
+	customTemplateStorePath := path.Join(CustomTemplateStorePath, identifier)
 	err := service.createDirectoryInStore(customTemplateStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	templateFilePath := JoinPaths(customTemplateStorePath, fileName)
+	templateFilePath := path.Join(customTemplateStorePath, fileName)
 	r := bytes.NewReader(data)
 
 	err = service.createFileInStore(templateFilePath, r)
@@ -491,32 +497,32 @@ func (service *Service) StoreCustomTemplateFileFromBytes(identifier, fileName st
 		return "", err
 	}
 
-	return service.wrapFileStore(customTemplateStorePath), nil
+	return path.Join(service.fileStorePath, customTemplateStorePath), nil
 }
 
 // GetEdgeJobFolder returns the absolute path on the filesystem for an Edge job based
 // on its identifier.
 func (service *Service) GetEdgeJobFolder(identifier string) string {
-	return JoinPaths(service.wrapFileStore(EdgeJobStorePath), identifier)
+	return path.Join(service.fileStorePath, EdgeJobStorePath, identifier)
 }
 
 // StoreEdgeJobFileFromBytes creates a subfolder in the EdgeJobStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
 func (service *Service) StoreEdgeJobFileFromBytes(identifier string, data []byte) (string, error) {
-	edgeJobStorePath := JoinPaths(EdgeJobStorePath, identifier)
+	edgeJobStorePath := path.Join(EdgeJobStorePath, identifier)
 	err := service.createDirectoryInStore(edgeJobStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	filePath := JoinPaths(edgeJobStorePath, createEdgeJobFileName(identifier))
+	filePath := path.Join(edgeJobStorePath, createEdgeJobFileName(identifier))
 	r := bytes.NewReader(data)
 	err = service.createFileInStore(filePath, r)
 	if err != nil {
 		return "", err
 	}
 
-	return service.wrapFileStore(filePath), nil
+	return path.Join(service.fileStorePath, filePath), nil
 }
 
 func createEdgeJobFileName(identifier string) string {
@@ -526,14 +532,20 @@ func createEdgeJobFileName(identifier string) string {
 // ClearEdgeJobTaskLogs clears the Edge job task logs
 func (service *Service) ClearEdgeJobTaskLogs(edgeJobID string, taskID string) error {
 	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
-	return os.Remove(path)
+
+	err := os.Remove(path)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 // GetEdgeJobTaskLogFileContent fetches the Edge job task logs
 func (service *Service) GetEdgeJobTaskLogFileContent(edgeJobID string, taskID string) (string, error) {
 	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
 
-	fileContent, err := os.ReadFile(path)
+	fileContent, err := ioutil.ReadFile(path)
 	if err != nil {
 		return "", err
 	}
@@ -543,15 +555,20 @@ func (service *Service) GetEdgeJobTaskLogFileContent(edgeJobID string, taskID st
 
 // StoreEdgeJobTaskLogFileFromBytes stores the log file
 func (service *Service) StoreEdgeJobTaskLogFileFromBytes(edgeJobID, taskID string, data []byte) error {
-	edgeJobStorePath := JoinPaths(EdgeJobStorePath, edgeJobID)
+	edgeJobStorePath := path.Join(EdgeJobStorePath, edgeJobID)
 	err := service.createDirectoryInStore(edgeJobStorePath)
 	if err != nil {
 		return err
 	}
 
-	filePath := JoinPaths(edgeJobStorePath, fmt.Sprintf("logs_%s", taskID))
+	filePath := path.Join(edgeJobStorePath, fmt.Sprintf("logs_%s", taskID))
 	r := bytes.NewReader(data)
-	return service.createFileInStore(filePath, r)
+	err = service.createFileInStore(filePath, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func (service *Service) getEdgeJobTaskLogPath(edgeJobID string, taskID string) string {
@@ -565,7 +582,7 @@ func (service *Service) GetTemporaryPath() (string, error) {
 		return "", err
 	}
 
-	return JoinPaths(service.wrapFileStore(TempPath), uid.String()), nil
+	return path.Join(service.fileStorePath, TempPath, uid.String()), nil
 }
 
 // GetDataStorePath returns path to data folder
@@ -574,12 +591,12 @@ func (service *Service) GetDatastorePath() string {
 }
 
 func (service *Service) wrapFileStore(filepath string) string {
-	return JoinPaths(service.fileStorePath, filepath)
+	return path.Join(service.fileStorePath, filepath)
 }
 
 func defaultCertPathUnderFileStore() (string, string) {
-	certPath := JoinPaths(SSLCertPath, DefaultSSLCertFilename)
-	keyPath := JoinPaths(SSLCertPath, DefaultSSLKeyFilename)
+	certPath := path.Join(SSLCertPath, DefaultSSLCertFilename)
+	keyPath := path.Join(SSLCertPath, DefaultSSLKeyFilename)
 	return certPath, keyPath
 }
 

api/filesystem/filesystem_linux_test.go

@@ -1,70 +0,0 @@
-package filesystem
-
-import "testing"
-
-func TestJoinPaths(t *testing.T) {
-	var ts = []struct {
-		trusted   string
-		untrusted string
-		expected  string
-	}{
-		{"", "", "."},
-		{"", ".", "."},
-		{"", "d/e/f", "d/e/f"},
-		{"", "./d/e/f", "d/e/f"},
-		{"", "../d/e/f", "d/e/f"},
-		{"", "/d/e/f", "d/e/f"},
-		{"", "../../../etc/shadow", "etc/shadow"},
-
-		{".", "", "."},
-		{".", ".", "."},
-		{".", "d/e/f", "d/e/f"},
-		{".", "./d/e/f", "d/e/f"},
-		{".", "../d/e/f", "d/e/f"},
-		{".", "/d/e/f", "d/e/f"},
-		{".", "../../../etc/shadow", "etc/shadow"},
-
-		{"./", "", "."},
-		{"./", ".", "."},
-		{"./", "d/e/f", "d/e/f"},
-		{"./", "./d/e/f", "d/e/f"},
-		{"./", "../d/e/f", "d/e/f"},
-		{"./", "/d/e/f", "d/e/f"},
-		{"./", "../../../etc/shadow", "etc/shadow"},
-
-		{"a/b/c", "", "a/b/c"},
-		{"a/b/c", ".", "a/b/c"},
-		{"a/b/c", "d/e/f", "a/b/c/d/e/f"},
-		{"a/b/c", "./d/e/f", "a/b/c/d/e/f"},
-		{"a/b/c", "../d/e/f", "a/b/c/d/e/f"},
-		{"a/b/c", "../../../etc/shadow", "a/b/c/etc/shadow"},
-
-		{"/a/b/c", "", "/a/b/c"},
-		{"/a/b/c", ".", "/a/b/c"},
-		{"/a/b/c", "d/e/f", "/a/b/c/d/e/f"},
-		{"/a/b/c", "./d/e/f", "/a/b/c/d/e/f"},
-		{"/a/b/c", "../d/e/f", "/a/b/c/d/e/f"},
-		{"/a/b/c", "../../../etc/shadow", "/a/b/c/etc/shadow"},
-
-		{"./a/b/c", "", "a/b/c"},
-		{"./a/b/c", ".", "a/b/c"},
-		{"./a/b/c", "d/e/f", "a/b/c/d/e/f"},
-		{"./a/b/c", "./d/e/f", "a/b/c/d/e/f"},
-		{"./a/b/c", "../d/e/f", "a/b/c/d/e/f"},
-		{"./a/b/c", "../../../etc/shadow", "a/b/c/etc/shadow"},
-
-		{"../a/b/c", "", "../a/b/c"},
-		{"../a/b/c", ".", "../a/b/c"},
-		{"../a/b/c", "d/e/f", "../a/b/c/d/e/f"},
-		{"../a/b/c", "./d/e/f", "../a/b/c/d/e/f"},
-		{"../a/b/c", "../d/e/f", "../a/b/c/d/e/f"},
-		{"../a/b/c", "../../../etc/shadow", "../a/b/c/etc/shadow"},
-	}
-
-	for _, c := range ts {
-		r := JoinPaths(c.trusted, c.untrusted)
-		if r != c.expected {
-			t.Fatalf("expected '%s', got '%s'. Inputs = '%s', '%s'", c.expected, r, c.trusted, c.untrusted)
-		}
-	}
-}

api/filesystem/filesystem_windows_test.go

@@ -1,120 +0,0 @@
-package filesystem
-
-import "testing"
-
-func TestJoinPaths(t *testing.T) {
-	var ts = []struct {
-		trusted   string
-		untrusted string
-		expected  string
-	}{
-		{"", "", "."},
-		{"", ".", "."},
-		{"", "d/e/f", `d\e\f`},
-		{"", "./d/e/f", `d\e\f`},
-		{"", "../d/e/f", `d\e\f`},
-		{"", "/d/e/f", `d\e\f`},
-		{"", "../../../windows/system.ini", `windows\system.ini`},
-		{"", `C:\windows\system.ini`, `windows\system.ini`},
-		{"", `..\..\..\..\C:\windows\system.ini`, `windows\system.ini`},
-		{"", `\\server\a\b\c`, `server\a\b\c`},
-		{"", `..\..\..\..\\server\a\b\c`, `server\a\b\c`},
-
-		{".", "", "."},
-		{".", ".", "."},
-		{".", "d/e/f", `d\e\f`},
-		{".", "./d/e/f", `d\e\f`},
-		{".", "../d/e/f", `d\e\f`},
-		{".", "/d/e/f", `d\e\f`},
-		{".", "../../../windows/system.ini", `windows\system.ini`},
-		{".", `C:\windows\system.ini`, `windows\system.ini`},
-		{".", `..\..\..\..\C:\windows\system.ini`, `windows\system.ini`},
-		{".", `\\server\a\b\c`, `server\a\b\c`},
-		{".", `..\..\..\..\\server\a\b\c`, `server\a\b\c`},
-
-		{"./", "", "."},
-		{"./", ".", "."},
-		{"./", "d/e/f", `d\e\f`},
-		{"./", "./d/e/f", `d\e\f`},
-		{"./", "../d/e/f", `d\e\f`},
-		{"./", "/d/e/f", `d\e\f`},
-		{"./", "../../../windows/system.ini", `windows\system.ini`},
-		{"./", `C:\windows\system.ini`, `windows\system.ini`},
-		{"./", `..\..\..\..\C:\windows\system.ini`, `windows\system.ini`},
-		{"./", `\\server\a\b\c`, `server\a\b\c`},
-		{"./", `..\..\..\..\\server\a\b\c`, `server\a\b\c`},
-
-		{"a/b/c", "", `a\b\c`},
-		{"a/b/c", ".", `a\b\c`},
-		{"a/b/c", "d/e/f", `a\b\c\d\e\f`},
-		{"a/b/c", "./d/e/f", `a\b\c\d\e\f`},
-		{"a/b/c", "../d/e/f", `a\b\c\d\e\f`},
-		{"a/b/c", "../../../windows/system.ini", `a\b\c\windows\system.ini`},
-		{"a/b/c", `C:\windows\system.ini`, `a\b\c\C:\windows\system.ini`},
-		{"a/b/c", `..\..\..\..\C:\windows\system.ini`, `a\b\c\C:\windows\system.ini`},
-		{"a/b/c", `\\server\a\b\c`, `a\b\c\server\a\b\c`},
-		{"a/b/c", `..\..\..\..\\server\a\b\c`, `a\b\c\server\a\b\c`},
-
-		{"/a/b/c", "", `\a\b\c`},
-		{"/a/b/c", ".", `\a\b\c`},
-		{"/a/b/c", "d/e/f", `\a\b\c\d\e\f`},
-		{"/a/b/c", "./d/e/f", `\a\b\c\d\e\f`},
-		{"/a/b/c", "../d/e/f", `\a\b\c\d\e\f`},
-		{"/a/b/c", "../../../windows/system.ini", `\a\b\c\windows\system.ini`},
-		{"/a/b/c", `C:\windows\system.ini`, `\a\b\c\C:\windows\system.ini`},
-		{"/a/b/c", `..\..\..\..\C:\windows\system.ini`, `\a\b\c\C:\windows\system.ini`},
-		{"/a/b/c", `\\server\a\b\c`, `\a\b\c\server\a\b\c`},
-		{"/a/b/c", `..\..\..\..\\server\a\b\c`, `\a\b\c\server\a\b\c`},
-
-		{"./a/b/c", "", `a\b\c`},
-		{"./a/b/c", ".", `a\b\c`},
-		{"./a/b/c", "d/e/f", `a\b\c\d\e\f`},
-		{"./a/b/c", "./d/e/f", `a\b\c\d\e\f`},
-		{"./a/b/c", "../d/e/f", `a\b\c\d\e\f`},
-		{"./a/b/c", "../../../windows/system.ini", `a\b\c\windows\system.ini`},
-		{"./a/b/c", `C:\windows\system.ini`, `a\b\c\C:\windows\system.ini`},
-		{"./a/b/c", `..\..\..\..\C:\windows\system.ini`, `a\b\c\C:\windows\system.ini`},
-		{"./a/b/c", `\\server\a\b\c`, `a\b\c\server\a\b\c`},
-		{"./a/b/c", `..\..\..\..\\server\a\b\c`, `a\b\c\server\a\b\c`},
-
-		{"../a/b/c", "", `..\a\b\c`},
-		{"../a/b/c", ".", `..\a\b\c`},
-		{"../a/b/c", "d/e/f", `..\a\b\c\d\e\f`},
-		{"../a/b/c", "./d/e/f", `..\a\b\c\d\e\f`},
-		{"../a/b/c", "../d/e/f", `..\a\b\c\d\e\f`},
-		{"../a/b/c", "../../../windows/system.ini", `..\a\b\c\windows\system.ini`},
-		{"../a/b/c", `C:\windows\system.ini`, `..\a\b\c\C:\windows\system.ini`},
-		{"../a/b/c", `..\..\..\..\C:\windows\system.ini`, `..\a\b\c\C:\windows\system.ini`},
-		{"../a/b/c", `\\server\a\b\c`, `..\a\b\c\server\a\b\c`},
-		{"../a/b/c", `..\..\..\..\\server\a\b\c`, `..\a\b\c\server\a\b\c`},
-
-		{"C:/a/b/c", "", `C:\a\b\c`},
-		{"C:/a/b/c", ".", `C:\a\b\c`},
-		{"C:/a/b/c", "d/e/f", `C:\a\b\c\d\e\f`},
-		{"C:/a/b/c", "./d/e/f", `C:\a\b\c\d\e\f`},
-		{"C:/a/b/c", "../d/e/f", `C:\a\b\c\d\e\f`},
-		{"C:/a/b/c", "../../../windows/system.ini", `C:\a\b\c\windows\system.ini`},
-		{"C:/a/b/c", `C:\windows\system.ini`, `C:\a\b\c\C:\windows\system.ini`},
-		{"C:/a/b/c", `..\..\..\..\C:\windows\system.ini`, `C:\a\b\c\C:\windows\system.ini`},
-		{"C:/a/b/c", `\\server\a\b\c`, `C:\a\b\c\server\a\b\c`},
-		{"C:/a/b/c", `..\..\..\..\\server\a\b\c`, `C:\a\b\c\server\a\b\c`},
-
-		{`\\server\a\b\c`, "", `\\server\a\b\c`},
-		{`\\server\a\b\c`, ".", `\\server\a\b\c`},
-		{`\\server\a\b\c`, "d/e/f", `\\server\a\b\c\d\e\f`},
-		{`\\server\a\b\c`, "./d/e/f", `\\server\a\b\c\d\e\f`},
-		{`\\server\a\b\c`, "../d/e/f", `\\server\a\b\c\d\e\f`},
-		{`\\server\a\b\c`, "../../../windows/system.ini", `\\server\a\b\c\windows\system.ini`},
-		{`\\server\a\b\c`, `C:\windows\system.ini`, `\\server\a\b\c\C:\windows\system.ini`},
-		{`\\server\a\b\c`, `..\..\..\C:\windows\system.ini`, `\\server\a\b\c\C:\windows\system.ini`},
-		{`\\server\a\b\c`, `\\server\a\b\c`, `\\server\a\b\c\server\a\b\c`},
-		{`\\server\a\b\c`, `..\..\..\\server\a\b\c`, `\\server\a\b\c\server\a\b\c`},
-	}
-
-	for _, c := range ts {
-		r := JoinPaths(c.trusted, c.untrusted)
-		if r != c.expected {
-			t.Fatalf("expected '%s', got '%s'. Inputs = '%s', '%s'", c.expected, r, c.trusted, c.untrusted)
-		}
-	}
-}

api/go.mod

@@ -3,48 +3,58 @@ module github.com/portainer/portainer/api
 go 1.16
 
 require (
-	github.com/Microsoft/go-winio v0.4.17
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Microsoft/go-winio v0.4.16
+	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535
 	github.com/boltdb/bolt v1.3.1
-	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/containerd/containerd v1.3.1 // indirect
 	github.com/coreos/go-semver v0.3.0
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/docker/cli v20.10.9+incompatible
-	github.com/docker/docker v20.10.9+incompatible
+	github.com/docker/cli v0.0.0-20191126203649-54d085b857e9
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0
 	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
 	github.com/go-git/go-git/v5 v5.3.0
 	github.com/go-ldap/ldap/v3 v3.1.8
-	github.com/gofrs/uuid v4.0.0+incompatible
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/gofrs/uuid v3.2.0+incompatible
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/websocket v1.4.2
+	github.com/gorilla/websocket v1.4.1
 	github.com/joho/godotenv v1.3.0
 	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
-	github.com/json-iterator/go v1.1.11
+	github.com/json-iterator/go v1.1.10
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/mattn/go-shellwords v1.0.6 // indirect
+	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.1 // indirect
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
 	github.com/pkg/errors v0.9.1
-	github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19
+	github.com/portainer/docker-compose-wrapper v0.0.0-20210909083948-8be0d98451a1
 	github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a
 	github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108
 	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
-	github.com/swaggo/swag v1.7.3
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	k8s.io/api v0.22.2
-	k8s.io/apimachinery v0.22.2
-	k8s.io/client-go v0.22.2
+	gotest.tools v2.2.0+incompatible // indirect
+	k8s.io/api v0.17.2
+	k8s.io/apimachinery v0.17.2
+	k8s.io/client-go v0.17.2
 )
+
+replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203
+
+replace golang.org/x/sys => golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456

api/http/handler/auth/authenticate.go

@@ -39,7 +39,6 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 
 // @id AuthenticateUser
 // @summary Authenticate
-// @description **Access policy**: public
 // @description Use this environment(endpoint) to authenticate against Portainer using a username and password.
 // @tags auth
 // @accept json

api/http/handler/auth/authenticate_oauth.go

@@ -44,7 +44,6 @@ func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuth
 
 // @id ValidateOAuth
 // @summary Authenticate with OAuth
-// @description **Access policy**: public
 // @tags auth
 // @accept json
 // @produce json

api/http/handler/auth/logout.go

@@ -10,7 +10,6 @@ import (
 
 // @id Logout
 // @summary Logout
-// @description **Access policy**: authenticated
 // @security jwt
 // @tags auth
 // @success 204 "Success"

api/http/handler/backup/backup.go

@@ -27,9 +27,8 @@ func (p *backupPayload) Validate(r *http.Request) error {
 // @description **Access policy**: admin
 // @tags backup
 // @security jwt
-// @accept json
 // @produce octet-stream
-// @param body body backupPayload false "An object contains the password to encrypt the backup with"
+// @param Password body string false "Password to encrypt the backup with"
 // @success 200 "Success"
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"

api/http/handler/backup/restore.go

@@ -22,9 +22,10 @@ type restorePayload struct {
 // @description Triggers a system restore using provided backup file
 // @description **Access policy**: public
 // @tags backup
-// @accept json
-// @param restorePayload body restorePayload true "Restore request payload"
-// @success 200 "Success"
+// @param FileContent body []byte true "Content of the backup"
+// @param FileName body string true "File name"
+// @param Password body string false "Password to decrypt the backup with"
+// @success 200  "Success"
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
 // @router /restore [post]

api/http/handler/customtemplates/customtemplate_delete.go

@@ -16,7 +16,7 @@ import (
 // @id CustomTemplateDelete
 // @summary Remove a template
 // @description Remove a template.
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags custom_templates
 // @security jwt
 // @param id path int true "Template identifier"

api/http/handler/customtemplates/customtemplate_file.go

@@ -2,6 +2,7 @@ package customtemplates
 
 import (
 	"net/http"
+	"path"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -17,7 +18,7 @@ type fileResponse struct {
 // @id CustomTemplateFile
 // @summary Get Template stack file content.
 // @description Retrieve the content of the Stack file for the specified custom template
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags custom_templates
 // @security jwt
 // @produce json
@@ -40,7 +41,7 @@ func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a custom template with the specified identifier inside the database", err}
 	}
 
-	fileContent, err := handler.FileService.GetFileContent(customTemplate.ProjectPath, customTemplate.EntryPoint)
+	fileContent, err := handler.FileService.GetFileContent(path.Join(customTemplate.ProjectPath, customTemplate.EntryPoint))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom template file from disk", err}
 	}

api/http/handler/customtemplates/customtemplate_inspect.go

@@ -19,6 +19,7 @@ import (
 // @description **Access policy**: authenticated
 // @tags custom_templates
 // @security jwt
+// @accept json
 // @produce json
 // @param id path int true "Template identifier"
 // @success 200 {object} portainer.CustomTemplate "Success"

api/http/handler/edgegroups/edgegroup_create.go

@@ -34,7 +34,7 @@ func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
 
 // @id EdgeGroupCreate
 // @summary Create an EdgeGroup
-// @description **Access policy**: administrator
+// @description
 // @tags edge_groups
 // @security jwt
 // @accept json

api/http/handler/edgegroups/edgegroup_delete.go

@@ -13,9 +13,11 @@ import (
 
 // @id EdgeGroupDelete
 // @summary Deletes an EdgeGroup
-// @description **Access policy**: administrator
+// @description
 // @tags edge_groups
 // @security jwt
+// @accept json
+// @produce json
 // @param id path int true "EdgeGroup Id"
 // @success 204
 // @failure 503 "Edge compute features are disabled"

api/http/handler/edgegroups/edgegroup_inspect.go

@@ -12,9 +12,10 @@ import (
 
 // @id EdgeGroupInspect
 // @summary Inspects an EdgeGroup
-// @description **Access policy**: administrator
+// @description
 // @tags edge_groups
 // @security jwt
+// @accept json
 // @produce json
 // @param id path int true "EdgeGroup Id"
 // @success 200 {object} portainer.EdgeGroup

api/http/handler/edgegroups/edgegroup_list.go

@@ -17,9 +17,10 @@ type decoratedEdgeGroup struct {
 
 // @id EdgeGroupList
 // @summary list EdgeGroups
-// @description **Access policy**: administrator
+// @description
 // @tags edge_groups
 // @security jwt
+// @accept json
 // @produce json
 // @success 200 {array} portainer.EdgeGroup{HasEdgeStack=bool} "EdgeGroups"
 // @failure 500

api/http/handler/edgegroups/edgegroup_update.go

@@ -36,7 +36,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 
 // @id EgeGroupUpdate
 // @summary Updates an EdgeGroup
-// @description **Access policy**: administrator
+// @description
 // @tags edge_groups
 // @security jwt
 // @accept json

api/http/handler/edgejobs/edgejob_create.go

@@ -16,9 +16,10 @@ import (
 
 // @id EdgeJobCreate
 // @summary Create an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param method query string true "Creation Method" Enums(file, string)
 // @param body_string body edgeJobCreateFromFileContentPayload true "EdgeGroup data when method is string"

api/http/handler/edgejobs/edgejob_delete.go

@@ -13,9 +13,11 @@ import (
 
 // @id EdgeJobDelete
 // @summary Delete an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
+// @produce json
 // @param id path string true "EdgeJob Id"
 // @success 204
 // @failure 500

api/http/handler/edgejobs/edgejob_file.go

@@ -16,9 +16,10 @@ type edgeJobFileResponse struct {
 
 // @id EdgeJobFile
 // @summary Fetch a file of an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @success 200 {object} edgeJobFileResponse
@@ -39,7 +40,7 @@ func (handler *Handler) edgeJobFile(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
 	}
 
-	edgeJobFileContent, err := handler.FileService.GetFileContent("", edgeJob.ScriptPath)
+	edgeJobFileContent, err := handler.FileService.GetFileContent(edgeJob.ScriptPath)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge job script file from disk", err}
 	}

api/http/handler/edgejobs/edgejob_inspect.go

@@ -17,9 +17,10 @@ type edgeJobInspectResponse struct {
 
 // @id EdgeJobInspect
 // @summary Inspect an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @success 200 {object} portainer.EdgeJob

api/http/handler/edgejobs/edgejob_list.go

@@ -9,9 +9,10 @@ import (
 
 // @id EdgeJobList
 // @summary Fetch EdgeJobs list
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @success 200 {array} portainer.EdgeJob
 // @failure 500

api/http/handler/edgejobs/edgejob_tasklogs_clear.go

@@ -13,9 +13,10 @@ import (
 
 // @id EdgeJobTasksClear
 // @summary Clear the log for a specifc task on an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @param taskID path string true "Task Id"

api/http/handler/edgejobs/edgejob_tasklogs_collect.go

@@ -12,9 +12,10 @@ import (
 
 // @id EdgeJobTasksCollect
 // @summary Collect the log for a specifc task on an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @param taskID path string true "Task Id"

api/http/handler/edgejobs/edgejob_tasklogs_inspect.go

@@ -15,9 +15,10 @@ type fileResponse struct {
 
 // @id EdgeJobTaskLogsInspect
 // @summary Fetch the log for a specifc task on an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @param taskID path string true "Task Id"

api/http/handler/edgejobs/edgejob_tasks_list.go

@@ -19,9 +19,10 @@ type taskContainer struct {
 
 // @id EdgeJobTasksList
 // @summary Fetch the list of tasks on an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeJob Id"
 // @success 200 {array} taskContainer

api/http/handler/edgejobs/edgejob_update.go

@@ -30,7 +30,7 @@ func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
 
 // @id EdgeJobUpdate
 // @summary Update an EdgeJob
-// @description **Access policy**: administrator
+// @description
 // @tags edge_jobs
 // @security jwt
 // @accept json

api/http/handler/edgestacks/edgestack_create.go

@@ -19,9 +19,10 @@ import (
 
 // @id EdgeStackCreate
 // @summary Create an EdgeStack
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
+// @accept json
 // @produce json
 // @param method query string true "Creation Method" Enums(file,string,repository)
 // @param body_string body swarmStackFromFileContentPayload true "Required when using method=string"

api/http/handler/edgestacks/edgestack_delete.go

@@ -13,9 +13,11 @@ import (
 
 // @id EdgeStackDelete
 // @summary Delete an EdgeStack
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
+// @accept json
+// @produce json
 // @param id path string true "EdgeStack Id"
 // @success 204
 // @failure 500

api/http/handler/edgestacks/edgestack_file.go

@@ -2,6 +2,7 @@ package edgestacks
 
 import (
 	"net/http"
+	"path"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -16,9 +17,10 @@ type stackFileResponse struct {
 
 // @id EdgeStackFile
 // @summary Fetches the stack file for an EdgeStack
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeStack Id"
 // @success 200 {object} stackFileResponse
@@ -44,7 +46,7 @@ func (handler *Handler) edgeStackFile(w http.ResponseWriter, r *http.Request) *h
 		fileName = stack.ManifestPath
 	}
 
-	stackFileContent, err := handler.FileService.GetFileContent(stack.ProjectPath, fileName)
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, fileName))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Compose file from disk", err}
 	}

api/http/handler/edgestacks/edgestack_inspect.go

@@ -12,9 +12,10 @@ import (
 
 // @id EdgeStackInspect
 // @summary Inspect an EdgeStack
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
+// @accept json
 // @produce json
 // @param id path string true "EdgeStack Id"
 // @success 200 {object} portainer.EdgeStack

api/http/handler/edgestacks/edgestack_list.go

@@ -9,9 +9,10 @@ import (
 
 // @id EdgeStackList
 // @summary Fetches the list of EdgeStacks
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
+// @accept json
 // @produce json
 // @success 200 {array} portainer.EdgeStack
 // @failure 500

api/http/handler/edgestacks/edgestack_update.go

@@ -33,7 +33,7 @@ func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
 
 // @id EdgeStackUpdate
 // @summary Update an EdgeStack
-// @description **Access policy**: administrator
+// @description
 // @tags edge_stacks
 // @security jwt
 // @accept json

api/http/handler/edgestacks/handler.go

@@ -3,6 +3,7 @@ package edgestacks
 import (
 	"fmt"
 	"net/http"
+	"path"
 	"strconv"
 
 	"github.com/gorilla/mux"
@@ -55,7 +56,7 @@ func (handler *Handler) convertAndStoreKubeManifestIfNeeded(edgeStack *portainer
 		return nil
 	}
 
-	composeConfig, err := handler.FileService.GetFileContent(edgeStack.ProjectPath, edgeStack.EntryPoint)
+	composeConfig, err := handler.FileService.GetFileContent(path.Join(edgeStack.ProjectPath, edgeStack.EntryPoint))
 	if err != nil {
 		return fmt.Errorf("unable to retrieve Compose file from disk: %w", err)
 	}

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -17,7 +17,7 @@ type templateFileFormat struct {
 
 // @id EdgeTemplateList
 // @summary Fetches the list of Edge Templates
-// @description **Access policy**: administrator
+// @description
 // @tags edge_templates
 // @security jwt
 // @accept json

api/http/handler/endpointedge/endpoint_edgejob_logs.go

@@ -21,7 +21,7 @@ func (payload *logsPayload) Validate(r *http.Request) error {
 
 // endpointEdgeJobsLogs
 // @summary Inspect an EdgeJob Log
-// @description **Access policy**: public
+// @description
 // @tags edge, endpoints
 // @accept json
 // @produce json

api/http/handler/endpointedge/endpoint_edgestack_inspect.go

@@ -3,6 +3,7 @@ package endpointedge
 import (
 	"errors"
 	"net/http"
+	"path"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -18,7 +19,7 @@ type configResponse struct {
 }
 
 // @summary Inspect an Edge Stack for an Environment(Endpoint)
-// @description **Access policy**: public
+// @description
 // @tags edge, endpoints, edge_stacks
 // @accept json
 // @produce json
@@ -74,7 +75,7 @@ func (handler *Handler) endpointEdgeStackInspect(w http.ResponseWriter, r *http.
 		}
 	}
 
-	stackFileContent, err := handler.FileService.GetFileContent(edgeStack.ProjectPath, fileName)
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(edgeStack.ProjectPath, fileName))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Compose file from disk", err}
 	}

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -17,6 +17,8 @@ import (
 // @description **Access policy**: administrator
 // @tags endpoint_groups
 // @security jwt
+// @accept json
+// @produce json
 // @param id path int true "EndpointGroup identifier"
 // @success 204 "Success"
 // @failure 400 "Invalid request"

api/http/handler/endpointproxy/proxy_docker.go

@@ -2,12 +2,14 @@ package endpointproxy
 
 import (
 	"errors"
+	"strconv"
+	"strings"
+	"time"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	"strconv"
-	"strings"
 
 	"net/http"
 )
@@ -35,9 +37,22 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.
 			return &httperror.HandlerError{http.StatusInternalServerError, "No Edge agent registered with the environment", errors.New("No agent available")}
 		}
 
-		_, err := handler.ReverseTunnelService.GetActiveTunnel(endpoint)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to get the active tunnel", err}
+		tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)
+		if tunnel.Status == portainer.EdgeAgentIdle {
+			handler.ProxyManager.DeleteEndpointProxy(endpoint)
+
+			err := handler.ReverseTunnelService.SetTunnelStatusToRequired(endpoint.ID)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update tunnel status", err}
+			}
+
+			settings, err := handler.DataStore.Settings().Settings()
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+			}
+
+			waitForAgentToConnect := time.Duration(settings.EdgeAgentCheckinInterval) * time.Second
+			time.Sleep(waitForAgentToConnect * 2)
 		}
 	}
 

api/http/handler/endpointproxy/proxy_kubernetes.go

@@ -3,11 +3,13 @@ package endpointproxy
 import (
 	"errors"
 	"fmt"
+	"strings"
+	"time"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	"strings"
 
 	"net/http"
 )
@@ -35,9 +37,22 @@ func (handler *Handler) proxyRequestsToKubernetesAPI(w http.ResponseWriter, r *h
 			return &httperror.HandlerError{http.StatusInternalServerError, "No Edge agent registered with the environment", errors.New("No agent available")}
 		}
 
-		_, err := handler.ReverseTunnelService.GetActiveTunnel(endpoint)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to get the active tunnel", err}
+		tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)
+		if tunnel.Status == portainer.EdgeAgentIdle {
+			handler.ProxyManager.DeleteEndpointProxy(endpoint)
+
+			err := handler.ReverseTunnelService.SetTunnelStatusToRequired(endpoint.ID)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update tunnel status", err}
+			}
+
+			settings, err := handler.DataStore.Settings().Settings()
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+			}
+
+			waitForAgentToConnect := time.Duration(settings.EdgeAgentCheckinInterval) * time.Second
+			time.Sleep(waitForAgentToConnect * 2)
 		}
 	}
 

api/http/handler/endpoints/endpoint_association_delete.go

@@ -27,7 +27,7 @@ import (
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
 // @failure 500 "Server error"
-// @router /endpoints/{id}/association [put]
+// @router /api/endpoints/{id}/association [put]
 func (handler *Handler) endpointAssociationDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_delete.go

@@ -49,7 +49,7 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove environment from the database", err}
 	}
 
-	handler.ProxyManager.DeleteEndpointProxy(endpoint.ID)
+	handler.ProxyManager.DeleteEndpointProxy(endpoint)
 
 	err = handler.DataStore.EndpointRelation().DeleteEndpointRelation(endpoint.ID)
 	if err != nil {

api/http/handler/endpoints/endpoint_dockerhub_status.go

@@ -18,27 +18,11 @@ import (
 )
 
 type dockerhubStatusResponse struct {
-	// Remaiming images to pull
 	Remaining int `json:"remaining"`
-	// Daily limit
-	Limit int `json:"limit"`
+	Limit     int `json:"limit"`
 }
 
-// @id endpointDockerhubStatus
-// @summary fetch docker pull limits
-// @description get docker pull limits for a docker hub registry in the environment
-// @description **Access policy**:
-// @tags endpoints
-// @security jwt
-// @produce json
-// @param id path int true "endpoint ID"
-// @param registryId path int true "registry ID"
-// @success 200 {object} dockerhubStatusResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 404 "registry or endpoint not found"
-// @failure 500 "Server error"
-// @router /endpoints/{id}/dockerhub/{registryId} [get]
+// GET request on /api/endpoints/{id}/dockerhub/{registryId}
 func (handler *Handler) endpointDockerhubStatus(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_extension_add.go

@@ -29,12 +29,6 @@ func (payload *endpointExtensionAddPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// @id endpointExtensionAdd
-// @tags endpoints
-// @deprecated
-// @param id path int true "Environment(Endpoint) identifier"
-// @success 204 "Success"
-// @router /endpoints/{id}/extensions [post]
 func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_extension_remove.go

@@ -12,13 +12,6 @@ import (
 	"github.com/portainer/portainer/api/bolt/errors"
 )
 
-// @id endpointExtensionRemove
-// @tags endpoints
-// @deprecated
-// @param id path int true "Environment(Endpoint) identifier"
-// @param extensionType path string true "Extension Type"
-// @success 204 "Success"
-// @router /endpoints/{id}/extensions/{extensionType} [delete]
 func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_registries_inspect.go

@@ -12,20 +12,7 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 )
 
-// @id endpointRegistryInspect
-// @summary get registry for environment
-// @description **Access policy**: authenticated
-// @tags endpoints
-// @security jwt
-// @produce json
-// @param id path int true "identifier"
-// @param registryId path int true "Registry identifier"
-// @success 200 {object} portainer.Registry "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 404 "Registry not found"
-// @failure 500 "Server error"
-// @router /endpoints/{id}/registries/{registryId} [get]
+// GET request on /endpoints/{id}/registries/{registryId}
 func (handler *Handler) endpointRegistryInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_registries_list.go

@@ -13,18 +13,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 )
 
-// @id endpointRegistriesList
-// @summary List Registries on environment
-// @description List all registries based on the current user authorizations in current environment.
-// @description **Access policy**: authenticated
-// @tags endpoints
-// @param namespace query string false "required if kubernetes environment, will show registries by namespace"
-// @security jwt
-// @produce json
-// @param id path int true "Environment(Endpoint) identifier"
-// @success 200 {array} portainer.Registry "Success"
-// @failure 500 "Server error"
-// @router /endpoints/{id}/registries [get]
+// GET request on /endpoints/{id}/registries?namespace
 func (handler *Handler) endpointRegistriesList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {

api/http/handler/endpoints/endpoint_registry_access.go

@@ -21,22 +21,7 @@ func (payload *registryAccessPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// @id endpointRegistryAccess
-// @summary update registry access for environment
-// @description **Access policy**: authenticated
-// @tags endpoints
-// @security jwt
-// @accept json
-// @produce json
-// @param id path int true "Environment(Endpoint) identifier"
-// @param registryId path int true "Registry identifier"
-// @param body body registryAccessPayload true "details"
-// @success 204 "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 404 "Endpoint not found"
-// @failure 500 "Server error"
-// @router /endpoints/{id}/registries/{registryId} [put]
+// PUT request on /endpoints/{id}/registries/{registryId}
 func (handler *Handler) endpointRegistryAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_settings_update.go

@@ -36,9 +36,9 @@ func (payload *endpointSettingsUpdatePayload) Validate(r *http.Request) error {
 }
 
 // @id EndpointSettingsUpdate
-// @summary Update settings for an environment(endpoint)
-// @description Update settings for an environment(endpoint).
-// @description **Access policy**: authenticated
+// @summary Update settings for an environments(endpoints)
+// @description Update settings for an environments(endpoints).
+// @description **Access policy**: administrator
 // @security jwt
 // @tags endpoints
 // @accept json
@@ -49,7 +49,7 @@ func (payload *endpointSettingsUpdatePayload) Validate(r *http.Request) error {
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
 // @failure 500 "Server error"
-// @router /endpoints/{id}/settings [put]
+// @router /api/endpoints/{id}/settings [put]
 func (handler *Handler) endpointSettingsUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/endpoints/endpoint_snapshot.go

@@ -12,9 +12,9 @@ import (
 )
 
 // @id EndpointSnapshot
-// @summary Snapshots an environment(endpoint)
-// @description Snapshots an environment(endpoint)
-// @description **Access policy**: administrator
+// @summary Snapshots an environments(endpoints)
+// @description Snapshots an environments(endpoints)
+// @description **Access policy**: restricted
 // @tags endpoints
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"

api/http/handler/endpoints/endpoint_status_inspect.go

@@ -131,7 +131,7 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 			Version:        job.Version,
 		}
 
-		file, err := handler.FileService.GetFileContent("", job.ScriptPath)
+		file, err := handler.FileService.GetFileContent(job.ScriptPath)
 
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge job script file", err}

api/http/handler/endpoints/endpoint_update.go

@@ -56,7 +56,7 @@ func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
 // @id EndpointUpdate
 // @summary Update an environment(endpoint)
 // @description Update an environment(endpoint).
-// @description **Access policy**: authenticated
+// @description **Access policy**: administrator
 // @security jwt
 // @tags endpoints
 // @accept json

api/http/handler/handler.go

@@ -74,7 +74,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.9.1
+// @version 2.9.2
 // @description.markdown api-description.md
 // @termsOfService
 

api/http/handler/helm/helm_delete.go

@@ -12,9 +12,11 @@ import (
 // @id HelmDelete
 // @summary Delete Helm Release
 // @description
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags helm
 // @security jwt
+// @accept json
+// @produce json
 // @param id path int true "Environment(Endpoint) identifier"
 // @param release path string true "The name of the release/application to uninstall"
 // @param namespace query string true "An optional namespace"

api/http/handler/helm/helm_install.go

@@ -36,7 +36,7 @@ var errChartNameInvalid = errors.New("invalid chart name. " +
 // @id HelmInstall
 // @summary Install Helm Chart
 // @description
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags helm
 // @security jwt
 // @accept json

api/http/handler/helm/helm_list.go

@@ -12,7 +12,7 @@ import (
 // @id HelmList
 // @summary List Helm Releases
 // @description
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags helm
 // @security jwt
 // @accept json

api/http/handler/helm/helm_repo_search.go

@@ -13,7 +13,7 @@ import (
 // @id HelmRepoSearch
 // @summary Search Helm Charts
 // @description
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags helm
 // @param repo query string true "Helm repository URL"
 // @security jwt

api/http/handler/helm/helm_show.go

@@ -15,8 +15,8 @@ import (
 // @id HelmShow
 // @summary Show Helm Chart Information
 // @description
-// @description **Access policy**: authenticated
-// @tags helm
+// @description **Access policy**: authorized
+// @tags helm_chart
 // @param repo query string true "Helm repository URL"
 // @param chart query string true "Chart name"
 // @param command path string true "chart/values/readme"

api/http/handler/kubernetes/kubernetes_config.go

@@ -17,7 +17,7 @@ import (
 // @id GetKubernetesConfig
 // @summary Generates kubeconfig file enabling client communication with k8s api server
 // @description Generates kubeconfig file enabling client communication with k8s api server
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags kubernetes
 // @security jwt
 // @accept json

api/http/handler/kubernetes/kubernetes_nodes_limits.go

@@ -13,7 +13,7 @@ import (
 // @id getKubernetesNodesLimits
 // @summary Get CPU and memory limits of all nodes within k8s cluster
 // @description Get CPU and memory limits of all nodes within k8s cluster
-// @description **Access policy**: authenticated
+// @description **Access policy**: authorized
 // @tags kubernetes
 // @security jwt
 // @accept json

api/http/handler/motd/motd.go

@@ -26,9 +26,7 @@ type motdData struct {
 	Style         string            `json:"style"`
 }
 
-// @id MOTD
 // @summary fetches the message of the day
-// @description **Access policy**: restricted
 // @tags motd
 // @security jwt
 // @produce json

api/http/handler/registries/registry_configure.go

@@ -81,7 +81,7 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 // @id RegistryConfigure
 // @summary Configures a registry
 // @description Configures a registry.
-// @description **Access policy**: restricted
+// @description **Access policy**: admin
 // @tags registries
 // @security jwt
 // @accept json

api/http/handler/registries/registry_create.go

@@ -62,7 +62,7 @@ func (payload *registryCreatePayload) Validate(_ *http.Request) error {
 // @id RegistryCreate
 // @summary Create a new registry
 // @description Create a new registry.
-// @description **Access policy**: restricted
+// @description **Access policy**: administrator
 // @tags registries
 // @security jwt
 // @accept json

api/http/handler/registries/registry_delete.go

@@ -15,7 +15,7 @@ import (
 // @id RegistryDelete
 // @summary Remove a registry
 // @description Remove a registry
-// @description **Access policy**: restricted
+// @description **Access policy**: administrator
 // @tags registries
 // @security jwt
 // @param id path int true "Registry identifier"

api/http/handler/registries/registry_inspect.go

@@ -14,7 +14,7 @@ import (
 // @id RegistryInspect
 // @summary Inspect a registry
 // @description Retrieve details about a registry.
-// @description **Access policy**: restricted
+// @description **Access policy**: administrator
 // @tags registries
 // @security jwt
 // @produce json

api/http/handler/registries/registry_update.go

@@ -37,7 +37,7 @@ func (payload *registryUpdatePayload) Validate(r *http.Request) error {
 // @id RegistryUpdate
 // @summary Update a registry
 // @description Update a registry
-// @description **Access policy**: restricted
+// @description **Access policy**: administrator
 // @tags registries
 // @security jwt
 // @accept json

api/http/handler/resourcecontrols/resourcecontrol_update.go

@@ -38,7 +38,7 @@ func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
 // @id ResourceControlUpdate
 // @summary Update a resource control
 // @description Update a resource control
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags resource_controls
 // @security jwt
 // @accept json

api/http/handler/stacks/create_compose_stack.go

@@ -3,6 +3,7 @@ package stacks
 import (
 	"fmt"
 	"net/http"
+	"path"
 	"strconv"
 	"time"
 
@@ -388,9 +389,10 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 		!isAdminOrEndpointAdmin {
 
 		for _, file := range append([]string{config.stack.EntryPoint}, config.stack.AdditionalFiles...) {
-			stackContent, err := handler.FileService.GetFileContent(config.stack.ProjectPath, file)
+			path := path.Join(config.stack.ProjectPath, file)
+			stackContent, err := handler.FileService.GetFileContent(path)
 			if err != nil {
-				return errors.Wrapf(err, "failed to get stack file content `%q`", file)
+				return errors.Wrapf(err, "failed to get stack file content `%q`", path)
 			}
 
 			err = handler.isValidStackFile(stackContent, securitySettings)

api/http/handler/stacks/create_swarm_stack.go

@@ -3,6 +3,7 @@ package stacks
 import (
 	"fmt"
 	"net/http"
+	"path"
 	"strconv"
 	"time"
 
@@ -398,7 +399,8 @@ func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) err
 
 	if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin {
 		for _, file := range append([]string{config.stack.EntryPoint}, config.stack.AdditionalFiles...) {
-			stackContent, err := handler.FileService.GetFileContent(config.stack.ProjectPath, file)
+			path := path.Join(config.stack.ProjectPath, file)
+			stackContent, err := handler.FileService.GetFileContent(path)
 			if err != nil {
 				return errors.WithMessage(err, "failed to get stack file content")
 			}

api/http/handler/stacks/stack_associate.go

@@ -14,22 +14,7 @@ import (
 	"github.com/portainer/portainer/api/internal/stackutils"
 )
 
-// @id StackAssociate
-// @summary Associate an orphaned stack to a new environment(endpoint)
-// @description **Access policy**: administrator
-// @tags stacks
-// @security jwt
-// @produce json
-// @param id path int true "Stack identifier"
-// @param endpointId query int true "Stacks created before version 1.18.0 might not have an associated environment(endpoint) identifier. Use this optional parameter to set the environment(endpoint) identifier used by the stack."
-// @param swarmId query int true "Swarm identifier"
-// @param orphanedRunning query boolean true "Indicates whether the stack is orphaned"
-// @success 200 {object} portainer.Stack "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 404 "Stack not found"
-// @failure 500 "Server error"
-// @router /stacks/{id}/associate [put]
+// PUT request on /api/stacks/:id/associate?endpointId=<endpointId>&swarmId=<swarmId>&orphanedRunning=<orphanedRunning>
 func (handler *Handler) stackAssociate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {

api/http/handler/stacks/stack_create.go

@@ -33,7 +33,7 @@ func (handler *Handler) cleanUp(stack *portainer.Stack, doCleanUp *bool) error {
 // @id StackCreate
 // @summary Deploy a new stack
 // @description Deploy a new stack into a Docker environment(endpoint) specified via the environment(endpoint) identifier.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @accept json,multipart/form-data

api/http/handler/stacks/stack_delete.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"path"
 	"strconv"
 
 	"github.com/pkg/errors"
@@ -197,8 +198,8 @@ func (handler *Handler) deleteStack(userID portainer.UserID, stack *portainer.St
 			defer os.RemoveAll(tmpDir)
 
 			for _, fileName := range fileNames {
-				manifestFilePath := filesystem.JoinPaths(tmpDir, fileName)
-				manifestContent, err := handler.FileService.GetFileContent(stack.ProjectPath, fileName)
+				manifestFilePath := path.Join(tmpDir, fileName)
+				manifestContent, err := ioutil.ReadFile(path.Join(stack.ProjectPath, fileName))
 				if err != nil {
 					return errors.Wrap(err, "failed to read manifest file")
 				}

api/http/handler/stacks/stack_file.go

@@ -2,6 +2,7 @@ package stacks
 
 import (
 	"net/http"
+	"path"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -81,7 +82,7 @@ func (handler *Handler) stackFile(w http.ResponseWriter, r *http.Request) *httpe
 		}
 	}
 
-	stackFileContent, err := handler.FileService.GetFileContent(stack.ProjectPath, stack.EntryPoint)
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Compose file from disk", err}
 	}

api/http/handler/stacks/stack_list.go

@@ -24,10 +24,10 @@ type stackListOperationFilters struct {
 // @description List all stacks based on the current user authorizations.
 // @description Will return all stacks if using an administrator account otherwise it
 // @description will only return the list of stacks the user have access to.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
-// @param filters query string false "Filters to process on the stack list. Encoded as JSON (a map[string]string). For example, {'SwarmID': 'jpofkc0i9uo9wtx1zesuk649w'} will only return stacks that are part of the specified Swarm cluster. Available filters: EndpointID, SwarmID."
+// @param filters query string false "Filters to process on the stack list. Encoded as JSON (a map[string]string). For example, {"SwarmID": "jpofkc0i9uo9wtx1zesuk649w"} will only return stacks that are part of the specified Swarm cluster. Available filters: EndpointID, SwarmID."
 // @success 200 {array} portainer.Stack "Success"
 // @success 204 "Success"
 // @failure 400 "Invalid request"

api/http/handler/stacks/stack_migrate.go

@@ -34,7 +34,7 @@ func (payload *stackMigratePayload) Validate(r *http.Request) error {
 // @id StackMigrate
 // @summary Migrate a stack to another environment(endpoint)
 // @description  Migrate a stack from an environment(endpoint) to another environment(endpoint). It will re-create the stack inside the target environment(endpoint) before removing the original stack.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @produce json
@@ -143,14 +143,12 @@ func (handler *Handler) stackMigrate(w http.ResponseWriter, r *http.Request) *ht
 		return migrationError
 	}
 
-	newName := stack.Name
 	stack.Name = oldName
 	err = handler.deleteStack(securityContext.UserID, stack, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
 
-	stack.Name = newName
 	err = handler.DataStore.Stack().UpdateStack(stack.ID, stack)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack changes inside the database", Err: err}

api/http/handler/stacks/stack_start.go

@@ -20,7 +20,7 @@ import (
 // @id StackStart
 // @summary Starts a stopped Stack
 // @description Starts a stopped Stack.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @param id path int true "Stack identifier"

api/http/handler/stacks/stack_stop.go

@@ -18,7 +18,7 @@ import (
 // @id StackStop
 // @summary Stops a stopped Stack
 // @description Stops a stopped Stack.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @param id path int true "Stack identifier"

api/http/handler/stacks/stack_update.go

@@ -51,7 +51,7 @@ func (payload *updateSwarmStackPayload) Validate(r *http.Request) error {
 // @id StackUpdate
 // @summary Update a stack
 // @description Update a stack.
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @accept json

api/http/handler/stacks/stack_update_git.go

@@ -40,7 +40,7 @@ func (payload *stackGitUpdatePayload) Validate(r *http.Request) error {
 // @id StackUpdateGit
 // @summary Update a stack's Git configs
 // @description Update the Git settings in a stack, e.g., RepositoryReferenceName and AutoUpdate
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @accept json

api/http/handler/stacks/stack_update_git_redeploy.go

@@ -38,7 +38,7 @@ func (payload *stackGitRedployPayload) Validate(r *http.Request) error {
 // @id StackGitRedeploy
 // @summary Redeploy a stack
 // @description Pull and redeploy a stack via Git
-// @description **Access policy**: authenticated
+// @description **Access policy**: restricted
 // @tags stacks
 // @security jwt
 // @accept json

api/http/handler/stacks/update_kubernetes_stack.go

@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"path"
 	"strconv"
 
 	"github.com/asaskevich/govalidator"
@@ -103,7 +104,7 @@ func (handler *Handler) updateKubernetesStack(r *http.Request, stack *portainer.
 	tempFileDir, _ := ioutil.TempDir("", "kub_file_content")
 	defer os.RemoveAll(tempFileDir)
 
-	if err := filesystem.WriteToFile(filesystem.JoinPaths(tempFileDir, stack.EntryPoint), []byte(payload.StackFileContent)); err != nil {
+	if err := filesystem.WriteToFile(path.Join(tempFileDir, stack.EntryPoint), []byte(payload.StackFileContent)); err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Failed to persist deployment file in a temp directory", Err: err}
 	}
 

api/http/handler/stacks/webhook_invoke.go

@@ -15,16 +15,6 @@ import (
 	"github.com/portainer/libhttp/request"
 )
 
-// @id WebhookInvoke
-// @summary Webhook for triggering stack updates from git
-// @description **Access policy**: public
-// @tags stacks
-// @param webhookID path string true "Stack identifier"
-// @success 200 "Success"
-// @failure 400 "Invalid request"
-// @failure 409 "Conflict"
-// @failure 500 "Server error"
-// @router /stacks/webhooks/{webhookID} [post]
 func (handler *Handler) webhookInvoke(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	webhookID, err := retrieveUUIDRouteVariableValue(r, "webhookID")
 	if err != nil {

api/http/handler/tags/tag_create.go

@@ -29,7 +29,6 @@ func (payload *tagCreatePayload) Validate(r *http.Request) error {
 // @description **Access policy**: administrator
 // @tags tags
 // @security jwt
-// @accept json
 // @produce json
 // @param body body tagCreatePayload true "Tag details"
 // @success 200 {object} portainer.Tag "Success"

api/http/handler/tags/tag_delete.go

@@ -17,6 +17,8 @@ import (
 // @description **Access policy**: administrator
 // @tags tags
 // @security jwt
+// @accept json
+// @produce json
 // @param id path int true "Tag identifier"
 // @success 204 "Success"
 // @failure 400 "Invalid request"

api/http/handler/tags/tag_list.go

@@ -10,7 +10,7 @@ import (
 // @id TagList
 // @summary List tags
 // @description List tags.
-// @description **Access policy**: authenticated
+// @description **Access policy**: administrator
 // @tags tags
 // @security jwt
 // @produce json

api/http/handler/teammemberships/teammembership_create.go

@@ -37,7 +37,7 @@ func (payload *teamMembershipCreatePayload) Validate(r *http.Request) error {
 // @id TeamMembershipCreate
 // @summary Create a new team membership
 // @description Create a new team memberships. Access is only available to administrators leaders of the associated team.
-// @description **Access policy**: administrator
+// @description **Access policy**: admin
 // @tags team_memberships
 // @security jwt
 // @accept json

api/http/handler/teammemberships/teammembership_delete.go

@@ -15,7 +15,7 @@ import (
 // @id TeamMembershipDelete
 // @summary Remove a team membership
 // @description Remove a team membership. Access is only available to administrators leaders of the associated team.
-// @description **Access policy**: administrator
+// @description **Access policy**: restricted
 // @tags team_memberships
 // @security jwt
 // @param id path int true "TeamMembership identifier"

api/http/handler/teammemberships/teammembership_list.go

@@ -12,7 +12,7 @@ import (
 // @id TeamMembershipList
 // @summary List team memberships
 // @description  List team memberships. Access is only available to administrators and team leaders.
-// @description **Access policy**: administrator
+// @description **Access policy**: admin
 // @tags team_memberships
 // @security jwt
 // @produce json

api/http/handler/teammemberships/teammembership_update.go

@@ -38,7 +38,7 @@ func (payload *teamMembershipUpdatePayload) Validate(r *http.Request) error {
 // @id TeamMembershipUpdate
 // @summary Update a team membership
 // @description Update a team membership. Access is only available to administrators leaders of the associated team.
-// @description **Access policy**: administrator
+// @description **Access policy**: restricted
 // @tags team_memberships
 // @security jwt
 // @accept json

api/http/handler/teams/team_inspect.go

@@ -15,7 +15,7 @@ import (
 // @id TeamInspect
 // @summary Inspect a team
 // @description Retrieve details about a team. Access is only available for administrator and leaders of that team.
-// @description **Access policy**: administrator
+// @description **Access policy**: restricted
 // @tags teams
 // @security jwt
 // @produce json

api/http/handler/teams/team_update.go

@@ -23,7 +23,7 @@ func (payload *teamUpdatePayload) Validate(r *http.Request) error {
 // @summary Update a team
 // @description Update a team.
 // @description **Access policy**: administrator
-// @tags teams
+// @tags
 // @security jwt
 // @accept json
 // @produce json