fix(ui/forms): allow setFieldValue

.eslintrc.yml

@@ -10,7 +10,6 @@ globals:
 extends:
   - 'eslint:recommended'
   - 'plugin:storybook/recommended'
-  - 'plugin:import/typescript'
   - prettier
 
 plugins:
@@ -30,7 +29,6 @@ rules:
   no-empty: warn
   no-empty-function: warn
   no-useless-escape: 'off'
-  import/named: error
   import/order:
     [
       'error',
@@ -45,12 +43,6 @@ rules:
         pathGroupsExcludedImportTypes: ['internal'],
       },
     ]
-  no-restricted-imports:
-    - error
-    - patterns:
-        - group:
-            - '@/react/test-utils/*'
-          message: 'These utils are just for test files'
 
 settings:
   'import/resolver':
@@ -59,8 +51,6 @@ settings:
         - ['@@', './app/react/components']
         - ['@', './app']
       extensions: ['.js', '.ts', '.tsx']
-    typescript: true
-    node: true
 
 overrides:
   - files:
@@ -85,7 +75,6 @@ overrides:
     settings:
       react:
         version: 'detect'
-
     rules:
       import/order:
         [
@@ -119,12 +108,6 @@ overrides:
       'no-await-in-loop': 'off'
       'react/jsx-no-useless-fragment': ['error', { allowExpressions: true }]
       'regex/invalid': ['error', [{ 'regex': '<Icon icon="(.*)"', 'message': 'Please directly import the `lucide-react` icon instead of using the string' }]]
-      '@typescript-eslint/no-restricted-imports':
-        - error
-        - patterns:
-            - group:
-                - '@/react/test-utils/*'
-              message: 'These utils are just for test files'
     overrides: # allow props spreading for hoc files
       - files:
           - app/**/with*.ts{,x}
@@ -133,16 +116,13 @@ overrides:
   - files:
       - app/**/*.test.*
     extends:
-      - 'plugin:vitest/recommended'
+      - 'plugin:jest/recommended'
+      - 'plugin:jest/style'
     env:
-      'vitest/env': true
+      'jest/globals': true
     rules:
       'react/jsx-no-constructed-context-values': off
-      '@typescript-eslint/no-restricted-imports': off
-      no-restricted-imports: off
   - files:
       - app/**/*.stories.*
     rules:
       'no-alert': off
-      '@typescript-eslint/no-restricted-imports': off
-      no-restricted-imports: off

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -93,9 +93,6 @@ body:
       description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
         - '2.19.1'
         - '2.19.0'
         - '2.18.4'

.github/workflows/ci.yaml

@@ -5,7 +5,7 @@ on:
   push:
     branches:
       - 'develop'
-      - 'release/*'
+      - '!release/*'
   pull_request:
     branches:
       - 'develop'
@@ -13,16 +13,11 @@ on:
       - 'feat/*'
       - 'fix/*'
       - 'refactor/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
 
 env:
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
-  GO_VERSION: 1.21.6
+  DOCKER_HUB_REPO: portainerci/portainer
+  NODE_ENV: testing
+  GO_VERSION: 1.21.3
   NODE_VERSION: 18.x
 
 jobs:
@@ -30,72 +25,85 @@ jobs:
     strategy:
       matrix:
         config:
-          - { platform: linux, arch: amd64, version: "" }
-          - { platform: linux, arch: arm64, version: "" }
-          - { platform: linux, arch: arm, version: "" }
-          - { platform: linux, arch: ppc64le, version: "" }
-          - { platform: linux, arch: s390x, version: "" }
+          - { platform: linux, arch: amd64 }
+          - { platform: linux, arch: arm64 }
           - { platform: windows, arch: amd64, version: 1809 }
           - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
+    runs-on: arc-runner-set
     steps:
       - name: '[preparation] checkout the current branch'
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v3.5.3
         with:
           ref: ${{ github.event.inputs.branch }}
       - name: '[preparation] set up golang'
-        uses: actions/setup-go@v5.0.0
+        uses: actions/setup-go@v4.0.1
         with:
           go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: '[preparation] cache paths'
+        id: cache-dir-path
+        run: |
+          echo "yarn-cache-dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
+          echo "go-build-dir=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
+          echo "go-mod-dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+      - name: '[preparation] cache go'
+        uses: actions/cache@v3
+        with:
+          path: |
+            ${{ steps.cache-dir-path.outputs.go-build-dir }}
+            ${{ steps.cache-dir-path.outputs.go-mod-dir }}
+          key: ${{ matrix.config.platform }}-${{ matrix.config.arch }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ matrix.config.platform }}-${{ matrix.config.arch }}-go-
+          enableCrossOsArchive: true
       - name: '[preparation] set up node.js'
-        uses: actions/setup-node@v4.0.1
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
+          cache: ''
+      - name: '[preparation] cache yarn'
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            ${{ steps.cache-dir-path.outputs.yarn-cache-dir }}
+          key: ${{ matrix.config.platform }}-${{ matrix.config.arch }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ matrix.config.platform }}-${{ matrix.config.arch }}-yarn-
+          enableCrossOsArchive: true
       - name: '[preparation] set up qemu'
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v2
       - name: '[preparation] set up docker context for buildx'
         run: docker context create builders
       - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
+        uses: docker/setup-buildx-action@v2
         with:
           endpoint: builders
       - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v2.2.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
       - name: '[preparation] set the container image tag'
         run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
+          if [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
             CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
           else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
             CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
           fi
-          
-          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
+
+          if [ "${{ matrix.config.platform }}" == "windows" ]; then
+            CONTAINER_IMAGE_TAG="${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}"
+          else 
+            CONTAINER_IMAGE_TAG="${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}-${{ matrix.config.arch }}"
+          fi
+
+          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}" >> $GITHUB_ENV
       - name: '[execution] build linux & windows portainer binaries'
         run: |
           export YARN_VERSION=$(yarn --version)
           export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
           export BUILDNUMBER=${GITHUB_RUN_NUMBER}
-          GIT_COMMIT_HASH_LONG=${{ github.sha }}
-          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
-          
-          NODE_ENV="testing"
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            NODE_ENV="production"
-          fi
-          
           make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
         env:
           CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
@@ -107,70 +115,34 @@ jobs:
           else 
             docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
             docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            
-            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-              docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            fi
           fi
         env:
           CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
   build_manifests:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
+    runs-on: arc-runner-set
     needs: [build_images]
     steps:
       - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v2.2.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
       - name: '[preparation] set up docker context for buildx'
         run: docker version && docker context create builders
       - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
+        uses: docker/setup-buildx-action@v2
         with:
           endpoint: builders
       - name: '[execution] build and push manifests'
         run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
+          if [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
             CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
           else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
             CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
           fi
 
           docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
             "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
             "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x" \
             "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
             "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
-          
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
-            
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-s390x"
-            
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine"
-          fi

.github/workflows/lint.yml

@@ -11,27 +11,20 @@ on:
       - master
       - develop
       - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
 
 env:
-  GO_VERSION: 1.21.6
-  NODE_VERSION: 18.x
+  GO_VERSION: 1.21.3
 
 jobs:
   run-linters:
     name: Run linters
     runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
 
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2
         with:
-          node-version: ${{ env.NODE_VERSION }}
+          node-version: '18'
           cache: 'yarn'
       - uses: actions/setup-go@v4
         with:
@@ -51,5 +44,6 @@ jobs:
       - name: GolangCI-Lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.55.2
+          version: v1.54.1
+          working-directory: api
           args: --timeout=10m -c .golangci.yaml

.github/workflows/nightly-security-scan.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.21.3
 
 jobs:
   client-dependencies:
@@ -105,8 +105,7 @@ jobs:
     if: >-
       github.ref == 'refs/heads/develop'
     outputs:
-      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
-      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
+      image: ${{ steps.set-matrix.outputs.image_result }}
     steps:
       - name: scan vulnerabilities by Trivy
         uses: docker://docker.io/aquasec/trivy:latest
@@ -114,59 +113,27 @@ jobs:
         with:
           args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop
 
-      - name: upload Trivy image security scan result as artifact
+      - name: upload image security scan result as artifact
         uses: actions/upload-artifact@v3
         with:
           name: image-security-scan-develop-result
           path: image-trivy.json
 
-      - name: develop Trivy scan report export to html
+      - name: develop scan report export to html
         run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result")
 
-      - name: upload html file as Trivy artifact
+      - name: upload html file as artifact
         uses: actions/upload-artifact@v3
         with:
           name: html-image-result-${{github.run_id}}
-          path: image-trivy-result.html
+          path: image-result.html
 
-      - name: analyse vulnerabilities from Trivy
-        id: set-trivy-matrix
+      - name: analyse vulnerabilities
+        id: set-matrix
         run: |
           result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: portainerci/portainer:develop
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-docker-scout.json
-
-      - name: develop Docker Scout scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse vulnerabilities from Docker Scout
-        id: set-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
-          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_result=${result}" >> $GITHUB_OUTPUT
 
   result-analysis:
     name: Analyse Scan Results
@@ -178,26 +145,22 @@ jobs:
       matrix:
         js: ${{fromJson(needs.client-dependencies.outputs.js)}}
         go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
-        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
+        image: ${{fromJson(needs.image-vulnerability.outputs.image)}}
     steps:
       - name: display the results of js, Go, and image scan
         run: |
           echo "${{ matrix.js.status }}"
           echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image-trivy.status }}"
-          echo "${{ matrix.image-docker-scout.status }}"
+          echo "${{ matrix.image.status }}"
           echo "${{ matrix.js.summary }}"
           echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image-trivy.summary }}"
-          echo "${{ matrix.image-docker-scout.summary }}"
+          echo "${{ matrix.image.summary }}"
 
       - name: send message to Slack
         if: >-
           matrix.js.status == 'failure' ||
           matrix.go.status == 'failure' || 
-          matrix.image-trivy.status == 'failure' || 
-          matrix.image-docker-scout.status == 'failure'
+          matrix.image.status == 'failure'
         uses: slackapi/slack-github-action@v1.23.0
         with:
           payload: |
@@ -233,14 +196,7 @@ jobs:
                       "type": "section",
                       "text": {
                         "type": "mrkdwn",
-                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
+                        "text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n"
                       }
                     }
                   ]

.github/workflows/pr-security.yml

@@ -8,13 +8,14 @@ on:
     paths:
       - 'package.json'
       - 'go.mod'
+      - 'gruntfile.js'
       - 'build/linux/Dockerfile'
       - 'build/linux/alpine.Dockerfile'
       - 'build/windows/Dockerfile'
       - '.github/workflows/pr-security.yml'
 
 env:
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.21.3
   NODE_VERSION: 18.x
 
 jobs:
@@ -23,8 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
+      github.event.review.body == '/scan'
     outputs:
       jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
     steps:
@@ -78,8 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
+      github.event.review.body == '/scan'
     outputs:
       godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
     steps:
@@ -141,11 +140,9 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
+      github.event.review.body == '/scan'
     outputs:
-      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
-      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
+      imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }}
     steps:
       - name: checkout code
         uses: actions/checkout@master
@@ -174,26 +171,26 @@ jobs:
         with:
           context: .
           file: build/linux/Dockerfile
-          tags: local-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/local-portainer-image.tar
+          tags: trivy-portainer:${{ github.sha }}
+          outputs: type=docker,dest=/tmp/trivy-portainer-image.tar
 
       - name: load docker image
         run: |
-          docker load --input /tmp/local-portainer-image.tar
+          docker load --input /tmp/trivy-portainer-image.tar
 
       - name: scan vulnerabilities by Trivy
         uses: docker://docker.io/aquasec/trivy:latest
         continue-on-error: true
         with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
+          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }}
 
-      - name: upload Trivy image security scan result as artifact
+      - name: upload image security scan result as artifact
         uses: actions/upload-artifact@v3
         with:
           name: image-security-scan-feature-result
           path: image-trivy.json
 
-      - name: download Trivy artifacts from develop branch built by nightly scan
+      - name: download artifacts from develop branch built by nightly scan
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -205,65 +202,21 @@ jobs:
             echo "null" > ./image-trivy-develop.json
           fi
 
-      - name: pr vs develop Trivy scan report comparison export to html
+      - name: pr vs develop scan report comparison export to html
         run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result")
 
-      - name: upload html file as Trivy artifact
+      - name: upload html file as artifact
         uses: actions/upload-artifact@v3
         with:
           name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-trivy-result.html
+          path: image-result.html
 
-      - name: analyse different vulnerabilities against develop branch by Trivy
-        id: set-diff-trivy-matrix
+      - name: analyse different vulnerabilities against develop branch
+        id: set-diff-matrix
         run: |
           result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: local-portainer:${{ github.sha }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-docker-scout.json
-
-      - name: download Docker Scout artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-docker-scout.json ./image-docker-scout-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-docker-scout.json ]]; then
-            mv ./image-docker-scout.json ./image-docker-scout-develop.json
-          else
-            echo "null" > ./image-docker-scout-develop.json
-          fi
-
-      - name: pr vs develop Docker Scout scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Docker Scout
-        id: set-diff-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
-          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
+          echo "image_diff_result=${result}" >> $GITHUB_OUTPUT
 
   result-analysis:
     name: Analyse Scan Result Against develop Branch
@@ -271,28 +224,23 @@ jobs:
     runs-on: ubuntu-latest
     if: >-
       github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
+      github.event.review.body == '/scan'
     strategy:
       matrix:
         jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
         godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
-        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
+        imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}}
     steps:
       - name: check job status of diff result
         if: >-
           matrix.jsdiff.status == 'failure' ||
           matrix.godiff.status == 'failure' ||
-          matrix.imagediff-trivy.status == 'failure' ||
-          matrix.imagediff-docker-scout.status == 'failure'
+          matrix.imagediff.status == 'failure'
         run: |
           echo "${{ matrix.jsdiff.status }}"
           echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff-trivy.status }}"
-          echo "${{ matrix.imagediff-docker-scout.status }}"
+          echo "${{ matrix.imagediff.status }}"
           echo "${{ matrix.jsdiff.summary }}"
           echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff-trivy.summary }}"
-          echo "${{ matrix.imagediff-docker-scout.summary }}"
+          echo "${{ matrix.imagediff.summary }}"
           exit 1

.github/workflows/test.yaml

@@ -1,30 +1,14 @@
 name: Test
 
-env:
-  GO_VERSION: 1.21.6
-  NODE_VERSION: 18.x
+on: push
 
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
+env:
+  GO_VERSION: 1.21.3
+  NODE_VERSION: 18.x
 
 jobs:
   test-client:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
 
     steps:
       - uses: actions/checkout@v2
@@ -35,7 +19,7 @@ jobs:
       - run: yarn --frozen-lockfile
 
       - name: Run tests
-        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
+        run: make test-client ARGS="--maxWorkers=2"
   test-server:
     strategy:
       matrix:
@@ -45,8 +29,6 @@ jobs:
           - { platform: windows, arch: amd64, version: 1809 }
           - { platform: windows, arch: amd64, version: ltsc2022 }
     runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3

.github/workflows/validate-openapi-spec.yaml

@@ -6,20 +6,14 @@ on:
       - master
       - develop
       - 'release/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
 
 env:
-  GO_VERSION: 1.21.6
+  GO_VERSION: 1.21.3
   NODE_VERSION: 18.x
 
 jobs:
   openapi-spec:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
     steps:
       - uses: actions/checkout@v3
 

.storybook/main.ts

@@ -3,7 +3,6 @@ import { StorybookConfig } from '@storybook/react-webpack5';
 import TsconfigPathsPlugin from 'tsconfig-paths-webpack-plugin';
 import { Configuration } from 'webpack';
 import postcss from 'postcss';
-
 const config: StorybookConfig = {
   stories: ['../app/**/*.stories.@(ts|tsx)'],
   addons: [
@@ -88,6 +87,9 @@ const config: StorybookConfig = {
     name: '@storybook/react-webpack5',
     options: {},
   },
+  docs: {
+    autodocs: true,
+  },
 };
 
 export default config;

.storybook/preview.js

@@ -1,26 +1,23 @@
 import '../app/assets/css';
-import React from 'react';
+
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
-import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
-import { handlers } from '../app/setup-tests/server-handlers';
+import { initialize as initMSW, mswDecorator } from 'msw-storybook-addon';
+import { handlers } from '@/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from 'react-query';
 
-initMSW(
-  {
-    onUnhandledRequest: ({ method, url }) => {
-      console.log(method, url);
-      if (url.startsWith('/api')) {
-        console.error(`Unhandled ${method} request to ${url}.
+// Initialize MSW
+initMSW({
+  onUnhandledRequest: ({ method, url }) => {
+    if (url.pathname.startsWith('/api')) {
+      console.error(`Unhandled ${method} request to ${url}.
 
         This exception has been only logged in the console, however, it's strongly recommended to resolve this error as you don't want unmocked data in Storybook stories.
 
         If you wish to mock an error response, please refer to this guide: https://mswjs.io/docs/recipes/mocking-error-responses
       `);
-      }
-    },
+    }
   },
-  handlers
-);
+});
 
 export const parameters = {
   actions: { argTypesRegex: '^on[A-Z].*' },
@@ -47,6 +44,5 @@ export const decorators = [
       </UIRouter>
     </QueryClientProvider>
   ),
+  mswDecorator,
 ];
-
-export const loaders = [mswLoader];

.storybook/public/mockServiceWorker.js

@@ -2,22 +2,22 @@
 /* tslint:disable */
 
 /**
- * Mock Service Worker (2.0.11).
+ * Mock Service Worker (0.36.3).
  * @see https://github.com/mswjs/msw
  * - Please do NOT modify this file.
  * - Please do NOT serve this file on production.
  */
 
-const INTEGRITY_CHECKSUM = 'c5f7f8e188b673ea4e677df7ea3c5a39';
-const IS_MOCKED_RESPONSE = Symbol('isMockedResponse');
+const INTEGRITY_CHECKSUM = '02f4ad4a2797f85668baf196e553d929';
+const bypassHeaderName = 'x-msw-bypass';
 const activeClientIds = new Set();
 
 self.addEventListener('install', function () {
-  self.skipWaiting();
+  return self.skipWaiting();
 });
 
-self.addEventListener('activate', function (event) {
-  event.waitUntil(self.clients.claim());
+self.addEventListener('activate', async function (event) {
+  return self.clients.claim();
 });
 
 self.addEventListener('message', async function (event) {
@@ -33,9 +33,7 @@ self.addEventListener('message', async function (event) {
     return;
   }
 
-  const allClients = await self.clients.matchAll({
-    type: 'window',
-  });
+  const allClients = await self.clients.matchAll();
 
   switch (event.data) {
     case 'KEEPALIVE_REQUEST': {
@@ -85,8 +83,165 @@ self.addEventListener('message', async function (event) {
   }
 });
 
+// Resolve the "main" client for the given event.
+// Client that issues a request doesn't necessarily equal the client
+// that registered the worker. It's with the latter the worker should
+// communicate with during the response resolving phase.
+async function resolveMainClient(event) {
+  const client = await self.clients.get(event.clientId);
+
+  if (client.frameType === 'top-level') {
+    return client;
+  }
+
+  const allClients = await self.clients.matchAll();
+
+  return allClients
+    .filter((client) => {
+      // Get only those clients that are currently visible.
+      return client.visibilityState === 'visible';
+    })
+    .find((client) => {
+      // Find the client ID that's recorded in the
+      // set of clients that have registered the worker.
+      return activeClientIds.has(client.id);
+    });
+}
+
+async function handleRequest(event, requestId) {
+  const client = await resolveMainClient(event);
+  const response = await getResponse(event, client, requestId);
+
+  // Send back the response clone for the "response:*" life-cycle events.
+  // Ensure MSW is active and ready to handle the message, otherwise
+  // this message will pend indefinitely.
+  if (client && activeClientIds.has(client.id)) {
+    (async function () {
+      const clonedResponse = response.clone();
+      sendToClient(client, {
+        type: 'RESPONSE',
+        payload: {
+          requestId,
+          type: clonedResponse.type,
+          ok: clonedResponse.ok,
+          status: clonedResponse.status,
+          statusText: clonedResponse.statusText,
+          body: clonedResponse.body === null ? null : await clonedResponse.text(),
+          headers: serializeHeaders(clonedResponse.headers),
+          redirected: clonedResponse.redirected,
+        },
+      });
+    })();
+  }
+
+  return response;
+}
+
+async function getResponse(event, client, requestId) {
+  const { request } = event;
+  const requestClone = request.clone();
+  const getOriginalResponse = () => fetch(requestClone);
+
+  // Bypass mocking when the request client is not active.
+  if (!client) {
+    return getOriginalResponse();
+  }
+
+  // Bypass initial page load requests (i.e. static assets).
+  // The absence of the immediate/parent client in the map of the active clients
+  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
+  // and is not ready to handle requests.
+  if (!activeClientIds.has(client.id)) {
+    return await getOriginalResponse();
+  }
+
+  // Bypass requests with the explicit bypass header
+  if (requestClone.headers.get(bypassHeaderName) === 'true') {
+    const cleanRequestHeaders = serializeHeaders(requestClone.headers);
+
+    // Remove the bypass header to comply with the CORS preflight check.
+    delete cleanRequestHeaders[bypassHeaderName];
+
+    const originalRequest = new Request(requestClone, {
+      headers: new Headers(cleanRequestHeaders),
+    });
+
+    return fetch(originalRequest);
+  }
+
+  // Send the request to the client-side MSW.
+  const reqHeaders = serializeHeaders(request.headers);
+  const body = await request.text();
+
+  const clientMessage = await sendToClient(client, {
+    type: 'REQUEST',
+    payload: {
+      id: requestId,
+      url: request.url,
+      method: request.method,
+      headers: reqHeaders,
+      cache: request.cache,
+      mode: request.mode,
+      credentials: request.credentials,
+      destination: request.destination,
+      integrity: request.integrity,
+      redirect: request.redirect,
+      referrer: request.referrer,
+      referrerPolicy: request.referrerPolicy,
+      body,
+      bodyUsed: request.bodyUsed,
+      keepalive: request.keepalive,
+    },
+  });
+
+  switch (clientMessage.type) {
+    case 'MOCK_SUCCESS': {
+      return delayPromise(() => respondWithMock(clientMessage), clientMessage.payload.delay);
+    }
+
+    case 'MOCK_NOT_FOUND': {
+      return getOriginalResponse();
+    }
+
+    case 'NETWORK_ERROR': {
+      const { name, message } = clientMessage.payload;
+      const networkError = new Error(message);
+      networkError.name = name;
+
+      // Rejecting a request Promise emulates a network error.
+      throw networkError;
+    }
+
+    case 'INTERNAL_ERROR': {
+      const parsedBody = JSON.parse(clientMessage.payload.body);
+
+      console.error(
+        `\
+[MSW] Uncaught exception in the request handler for "%s %s":
+
+${parsedBody.location}
+
+This exception has been gracefully handled as a 500 response, however, it's strongly recommended to resolve this error, as it indicates a mistake in your code. If you wish to mock an error response, please see this guide: https://mswjs.io/docs/recipes/mocking-error-responses\
+`,
+        request.method,
+        request.url
+      );
+
+      return respondWithMock(clientMessage);
+    }
+  }
+
+  return getOriginalResponse();
+}
+
 self.addEventListener('fetch', function (event) {
   const { request } = event;
+  const accept = request.headers.get('accept') || '';
+
+  // Bypass server-sent events.
+  if (accept.includes('text/event-stream')) {
+    return;
+  }
 
   // Bypass navigation requests.
   if (request.mode === 'navigate') {
@@ -106,149 +261,36 @@ self.addEventListener('fetch', function (event) {
     return;
   }
 
-  // Generate unique request ID.
-  const requestId = crypto.randomUUID();
-  event.respondWith(handleRequest(event, requestId));
+  const requestId = uuidv4();
+
+  return event.respondWith(
+    handleRequest(event, requestId).catch((error) => {
+      if (error.name === 'NetworkError') {
+        console.warn('[MSW] Successfully emulated a network error for the "%s %s" request.', request.method, request.url);
+        return;
+      }
+
+      // At this point, any exception indicates an issue with the original request/response.
+      console.error(
+        `\
+[MSW] Caught an exception from the "%s %s" request (%s). This is probably not a problem with Mock Service Worker. There is likely an additional logging output above.`,
+        request.method,
+        request.url,
+        `${error.name}: ${error.message}`
+      );
+    })
+  );
 });
 
-async function handleRequest(event, requestId) {
-  const client = await resolveMainClient(event);
-  const response = await getResponse(event, client, requestId);
-
-  // Send back the response clone for the "response:*" life-cycle events.
-  // Ensure MSW is active and ready to handle the message, otherwise
-  // this message will pend indefinitely.
-  if (client && activeClientIds.has(client.id)) {
-    (async function () {
-      const responseClone = response.clone();
-
-      sendToClient(
-        client,
-        {
-          type: 'RESPONSE',
-          payload: {
-            requestId,
-            isMockedResponse: IS_MOCKED_RESPONSE in response,
-            type: responseClone.type,
-            status: responseClone.status,
-            statusText: responseClone.statusText,
-            body: responseClone.body,
-            headers: Object.fromEntries(responseClone.headers.entries()),
-          },
-        },
-        [responseClone.body]
-      );
-    })();
-  }
-
-  return response;
-}
-
-// Resolve the main client for the given event.
-// Client that issues a request doesn't necessarily equal the client
-// that registered the worker. It's with the latter the worker should
-// communicate with during the response resolving phase.
-async function resolveMainClient(event) {
-  const client = await self.clients.get(event.clientId);
-
-  if (client?.frameType === 'top-level') {
-    return client;
-  }
-
-  const allClients = await self.clients.matchAll({
-    type: 'window',
+function serializeHeaders(headers) {
+  const reqHeaders = {};
+  headers.forEach((value, name) => {
+    reqHeaders[name] = reqHeaders[name] ? [].concat(reqHeaders[name]).concat(value) : value;
   });
-
-  return allClients
-    .filter((client) => {
-      // Get only those clients that are currently visible.
-      return client.visibilityState === 'visible';
-    })
-    .find((client) => {
-      // Find the client ID that's recorded in the
-      // set of clients that have registered the worker.
-      return activeClientIds.has(client.id);
-    });
+  return reqHeaders;
 }
 
-async function getResponse(event, client, requestId) {
-  const { request } = event;
-
-  // Clone the request because it might've been already used
-  // (i.e. its body has been read and sent to the client).
-  const requestClone = request.clone();
-
-  function passthrough() {
-    const headers = Object.fromEntries(requestClone.headers.entries());
-
-    // Remove internal MSW request header so the passthrough request
-    // complies with any potential CORS preflight checks on the server.
-    // Some servers forbid unknown request headers.
-    delete headers['x-msw-intention'];
-
-    return fetch(requestClone, { headers });
-  }
-
-  // Bypass mocking when the client is not active.
-  if (!client) {
-    return passthrough();
-  }
-
-  // Bypass initial page load requests (i.e. static assets).
-  // The absence of the immediate/parent client in the map of the active clients
-  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
-  // and is not ready to handle requests.
-  if (!activeClientIds.has(client.id)) {
-    return passthrough();
-  }
-
-  // Bypass requests with the explicit bypass header.
-  // Such requests can be issued by "ctx.fetch()".
-  const mswIntention = request.headers.get('x-msw-intention');
-  if (['bypass', 'passthrough'].includes(mswIntention)) {
-    return passthrough();
-  }
-
-  // Notify the client that a request has been intercepted.
-  const requestBuffer = await request.arrayBuffer();
-  const clientMessage = await sendToClient(
-    client,
-    {
-      type: 'REQUEST',
-      payload: {
-        id: requestId,
-        url: request.url,
-        mode: request.mode,
-        method: request.method,
-        headers: Object.fromEntries(request.headers.entries()),
-        cache: request.cache,
-        credentials: request.credentials,
-        destination: request.destination,
-        integrity: request.integrity,
-        redirect: request.redirect,
-        referrer: request.referrer,
-        referrerPolicy: request.referrerPolicy,
-        body: requestBuffer,
-        keepalive: request.keepalive,
-      },
-    },
-    [requestBuffer]
-  );
-
-  switch (clientMessage.type) {
-    case 'MOCK_RESPONSE': {
-      return respondWithMock(clientMessage.data);
-    }
-
-    case 'MOCK_NOT_FOUND': {
-      return passthrough();
-    }
-  }
-
-  return passthrough();
-}
-
-function sendToClient(client, message, transferrables = []) {
+function sendToClient(client, message) {
   return new Promise((resolve, reject) => {
     const channel = new MessageChannel();
 
@@ -260,25 +302,27 @@ function sendToClient(client, message, transferrables = []) {
       resolve(event.data);
     };
 
-    client.postMessage(message, [channel.port2].concat(transferrables.filter(Boolean)));
+    client.postMessage(JSON.stringify(message), [channel.port2]);
   });
 }
 
-async function respondWithMock(response) {
-  // Setting response status code to 0 is a no-op.
-  // However, when responding with a "Response.error()", the produced Response
-  // instance will have status code set to 0. Since it's not possible to create
-  // a Response instance with status code 0, handle that use-case separately.
-  if (response.status === 0) {
-    return Response.error();
-  }
-
-  const mockedResponse = new Response(response.body, response);
-
-  Reflect.defineProperty(mockedResponse, IS_MOCKED_RESPONSE, {
-    value: true,
-    enumerable: true,
+function delayPromise(cb, duration) {
+  return new Promise((resolve) => {
+    setTimeout(() => resolve(cb()), duration);
+  });
+}
+
+function respondWithMock(clientMessage) {
+  return new Response(clientMessage.payload.body, {
+    ...clientMessage.payload,
+    headers: clientMessage.payload.headers,
+  });
+}
+
+function uuidv4() {
+  return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+    const r = (Math.random() * 16) | 0;
+    const v = c == 'x' ? r : (r & 0x3) | 0x8;
+    return v.toString(16);
   });
-
-  return mockedResponse;
 }

Makefile

@@ -7,9 +7,9 @@ ARCH=$(shell go env GOARCH)
 # build target, can be one of "production", "testing", "development"
 ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
-TAG=local
+TAG=latest
 
-SWAG=go run github.com/swaggo/swag/cmd/swag@v1.16.2 
+SWAG=go run github.com/swaggo/swag/cmd/swag@v1.8.11 
 GOTESTSUM=go run gotest.tools/gotestsum@latest
 
 # Don't change anything below this line unless you know what you're doing
@@ -68,7 +68,7 @@ test-client: ## Run client tests
 	yarn test $(ARGS)
 
 test-server:	## Run server tests
-	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
+	cd api && $(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover  ./...
 
 ##@ Dev
 .PHONY: dev dev-client dev-server
@@ -92,7 +92,7 @@ format-client: ## Format client code
 	yarn format
 
 format-server: ## Format server code
-	go fmt ./...
+	cd api && go fmt ./...
 
 ##@ Lint
 .PHONY: lint lint-client lint-server
@@ -102,7 +102,7 @@ lint-client: ## Lint client code
 	yarn lint
 
 lint-server: ## Lint server code
-	golangci-lint run --timeout=10m -c .golangci.yaml
+	cd api && go vet ./...
 
 
 ##@ Extension
@@ -114,7 +114,7 @@ dev-extension: build-server build-client ## Run the extension in development mod
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
-	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./ 
+	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 --markdownFiles ./
 
 docs-validate: docs-build ## Validate docs
 	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml

api/.golangci.yaml

@@ -4,13 +4,10 @@ linters:
 
   # Enable these for now
   enable:
-    - unused
     - depguard
-    - gosimple
     - govet
     - errorlint
     - exportloopref
-
 linters-settings:
   depguard:
     rules:

api/apikey/apikey.go

@@ -6,11 +6,11 @@ import (
 
 // APIKeyService represents a service for managing API keys.
 type APIKeyService interface {
-	HashRaw(rawKey string) string
+	HashRaw(rawKey string) []byte
 	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
 	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
 	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
-	GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error)
+	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
 	UpdateAPIKey(apiKey *portainer.APIKey) error
 	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
 	InvalidateUserKeyCache(userId portainer.UserID) bool

api/apikey/cache.go

@@ -33,8 +33,8 @@ func NewAPIKeyCache(cacheSize int) *apiKeyCache {
 // Get returns the user/key associated to an api-key's digest
 // This is required because HTTP requests will contain the digest of the API key in header,
 // the digest value must be mapped to a portainer user.
-func (c *apiKeyCache) Get(digest string) (portainer.User, portainer.APIKey, bool) {
-	val, ok := c.cache.Get(digest)
+func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool) {
+	val, ok := c.cache.Get(string(digest))
 	if !ok {
 		return portainer.User{}, portainer.APIKey{}, false
 	}
@@ -44,23 +44,23 @@ func (c *apiKeyCache) Get(digest string) (portainer.User, portainer.APIKey, bool
 }
 
 // Set persists a user/key entry to the cache
-func (c *apiKeyCache) Set(digest string, user portainer.User, apiKey portainer.APIKey) {
-	c.cache.Add(digest, entry{
+func (c *apiKeyCache) Set(digest []byte, user portainer.User, apiKey portainer.APIKey) {
+	c.cache.Add(string(digest), entry{
 		user:   user,
 		apiKey: apiKey,
 	})
 }
 
 // Delete evicts a digest's user/key entry key from the cache
-func (c *apiKeyCache) Delete(digest string) {
-	c.cache.Remove(digest)
+func (c *apiKeyCache) Delete(digest []byte) {
+	c.cache.Remove(string(digest))
 }
 
 // InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
 func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
 	present := false
 	for _, k := range c.cache.Keys() {
-		user, _, _ := c.Get(k.(string))
+		user, _, _ := c.Get([]byte(k.(string)))
 		if user.ID == userId {
 			present = c.cache.Remove(k)
 		}

api/apikey/cache_test.go

@@ -17,19 +17,19 @@ func Test_apiKeyCacheGet(t *testing.T) {
 	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
 
 	tests := []struct {
-		digest string
+		digest []byte
 		found  bool
 	}{
 		{
-			digest: "foo",
+			digest: []byte("foo"),
 			found:  true,
 		},
 		{
-			digest: "",
+			digest: []byte(""),
 			found:  true,
 		},
 		{
-			digest: "bar",
+			digest: []byte("bar"),
 			found:  false,
 		},
 	}
@@ -48,11 +48,11 @@ func Test_apiKeyCacheSet(t *testing.T) {
 	keyCache := NewAPIKeyCache(10)
 
 	// pre-populate cache
-	keyCache.Set("bar", portainer.User{ID: 2}, portainer.APIKey{})
-	keyCache.Set("foo", portainer.User{ID: 1}, portainer.APIKey{})
+	keyCache.Set([]byte("bar"), portainer.User{ID: 2}, portainer.APIKey{})
+	keyCache.Set([]byte("foo"), portainer.User{ID: 1}, portainer.APIKey{})
 
 	// overwrite existing entry
-	keyCache.Set("foo", portainer.User{ID: 3}, portainer.APIKey{})
+	keyCache.Set([]byte("foo"), portainer.User{ID: 3}, portainer.APIKey{})
 
 	val, ok := keyCache.cache.Get(string("bar"))
 	is.True(ok)
@@ -74,14 +74,14 @@ func Test_apiKeyCacheDelete(t *testing.T) {
 
 	t.Run("Delete an existing entry", func(t *testing.T) {
 		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.Delete("foo")
+		keyCache.Delete([]byte("foo"))
 
 		_, ok := keyCache.cache.Get(string("foo"))
 		is.False(ok)
 	})
 
 	t.Run("Delete a non-existing entry", func(t *testing.T) {
-		nonPanicFunc := func() { keyCache.Delete("non-existent-key") }
+		nonPanicFunc := func() { keyCache.Delete([]byte("non-existent-key")) }
 		is.NotPanics(nonPanicFunc)
 	})
 }
@@ -131,16 +131,16 @@ func Test_apiKeyCacheLRU(t *testing.T) {
 			keyCache := NewAPIKeyCache(test.cacheLen)
 
 			for _, key := range test.key {
-				keyCache.Set(key, portainer.User{ID: 1}, portainer.APIKey{})
+				keyCache.Set([]byte(key), portainer.User{ID: 1}, portainer.APIKey{})
 			}
 
 			for _, key := range test.foundKeys {
-				_, _, found := keyCache.Get(key)
+				_, _, found := keyCache.Get([]byte(key))
 				is.True(found, "Key %s not found", key)
 			}
 
 			for _, key := range test.evictedKeys {
-				_, _, found := keyCache.Get(key)
+				_, _, found := keyCache.Get([]byte(key))
 				is.False(found, "key %s should have been evicted", key)
 			}
 		})

api/apikey/service.go

@@ -32,9 +32,9 @@ func NewAPIKeyService(apiKeyRepository dataservices.APIKeyRepository, userReposi
 }
 
 // HashRaw computes a hash digest of provided raw API key.
-func (a *apiKeyService) HashRaw(rawKey string) string {
+func (a *apiKeyService) HashRaw(rawKey string) []byte {
 	hashDigest := sha256.Sum256([]byte(rawKey))
-	return base64.StdEncoding.EncodeToString(hashDigest[:])
+	return hashDigest[:]
 }
 
 // GenerateApiKey generates a raw API key for a user (for one-time display).
@@ -77,7 +77,7 @@ func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey,
 
 // GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
 // A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
-func (a *apiKeyService) GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error) {
+func (a *apiKeyService) GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error) {
 	// get api key from cache if possible
 	cachedUser, cachedKey, ok := a.cache.Get(digest)
 	if ok {

api/apikey/service_test.go

@@ -2,7 +2,6 @@ package apikey
 
 import (
 	"crypto/sha256"
-	"encoding/base64"
 	"fmt"
 	"strings"
 	"testing"
@@ -69,7 +68,7 @@ func Test_GenerateApiKey(t *testing.T) {
 
 		generatedDigest := sha256.Sum256([]byte(rawKey))
 
-		is.Equal(apiKey.Digest, base64.StdEncoding.EncodeToString(generatedDigest[:]))
+		is.Equal(apiKey.Digest, generatedDigest[:])
 	})
 }
 

api/archive/targz.go

@@ -48,6 +48,18 @@ func TarGzDir(absolutePath string) (string, error) {
 }
 
 func addToArchive(tarWriter *tar.Writer, pathInArchive string, path string, info os.FileInfo) error {
+	header, err := tar.FileInfoHeader(info, info.Name())
+	if err != nil {
+		return err
+	}
+
+	header.Name = pathInArchive // use relative paths in archive
+
+	err = tarWriter.WriteHeader(header)
+	if err != nil {
+		return err
+	}
+
 	if info.IsDir() {
 		return nil
 	}
@@ -56,26 +68,6 @@ func addToArchive(tarWriter *tar.Writer, pathInArchive string, path string, info
 	if err != nil {
 		return err
 	}
-
-	stat, err := file.Stat()
-	if err != nil {
-		return err
-	}
-
-	header, err := tar.FileInfoHeader(stat, stat.Name())
-	if err != nil {
-		return err
-	}
-	header.Name = pathInArchive // use relative paths in archive
-
-	err = tarWriter.WriteHeader(header)
-	if err != nil {
-		return err
-	}
-	if stat.IsDir() {
-		return nil
-	}
-
 	_, err = io.Copy(tarWriter, file)
 	return err
 }
@@ -106,7 +98,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			// skip, dir will be created with a file
 		case tar.TypeReg:
 			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
-			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
+			if err := os.MkdirAll(filepath.Dir(p), 0744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
 			outFile, err := os.Create(p)

api/backup/backup.go

@@ -17,7 +17,7 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-const rwxr__r__ os.FileMode = 0o744
+const rwxr__r__ os.FileMode = 0744
 
 var filesToBackup = []string{
 	"certs",
@@ -82,8 +82,14 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 }
 
 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
-	_, err := datastore.Backup(filepath.Join(backupDirPath, "portainer.db"))
-	return err
+	backupWriter, err := os.Create(filepath.Join(backupDirPath, "portainer.db"))
+	if err != nil {
+		return err
+	}
+	if err = datastore.BackupTo(backupWriter); err != nil {
+		return err
+	}
+	return backupWriter.Close()
 }
 
 func encrypt(path string, passphrase string) (string, error) {

api/build/variables.go

@@ -1,12 +1,9 @@
 package build
 
-import "runtime"
-
 // Variables to be set during the build time
 var BuildNumber string
 var ImageTag string
 var NodejsVersion string
 var YarnVersion string
 var WebpackVersion string
-var GoVersion string = runtime.Version()
-var GitCommit string
+var GoVersion string

api/chisel/service.go

@@ -11,7 +11,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/proxy"
-	"github.com/portainer/portainer/api/internal/edge"
 
 	chserver "github.com/jpillora/chisel/server"
 	"github.com/jpillora/chisel/share/ccrypto"
@@ -20,9 +19,8 @@ import (
 
 const (
 	tunnelCleanupInterval = 10 * time.Second
-	requiredTimeoutFactor = 3
+	requiredTimeout       = 15 * time.Second
 	activeTimeout         = 4*time.Minute + 30*time.Second
-	pingTimeout           = 3 * time.Second
 )
 
 // Service represents a service to manage the state of multiple reverse tunnels.
@@ -61,18 +59,14 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 	}
 
 	httpClient := &http.Client{
-		Timeout: pingTimeout,
+		Timeout: 3 * time.Second,
 	}
 
 	resp, err := httpClient.Do(req)
-	if err != nil {
-		return err
-	}
-
 	io.Copy(io.Discard, resp.Body)
 	resp.Body.Close()
 
-	return nil
+	return err
 }
 
 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
@@ -233,7 +227,6 @@ func (service *Service) startTunnelVerificationLoop() {
 
 func (service *Service) checkTunnels() {
 	tunnels := make(map[portainer.EndpointID]portainer.TunnelDetails)
-	envTimeout := make(map[portainer.EndpointID]time.Duration)
 
 	service.mu.Lock()
 	for key, tunnel := range service.tunnelDetailsMap {
@@ -241,30 +234,15 @@ func (service *Service) checkTunnels() {
 			continue
 		}
 
-		if tunnel.Status == portainer.EdgeAgentActive && time.Since(tunnel.LastActivity) < activeTimeout {
-			continue
-		}
-
-		endpoint, err := service.dataStore.Endpoint().Endpoint(key)
-		if err != nil {
-			log.Warn().Err(err).Int("endpoint_id", int(key)).Msg("unable to retrieve endpoint from database")
-			continue
-		}
-
-		checkinInterval, err := edge.GetEffectiveCheckinInterval(service.dataStore, endpoint)
-		if err != nil {
-			log.Warn().Err(err).Msg("unable to retrieve checking interval")
-			continue
-		}
-
-		requiredTimeout := requiredTimeoutFactor * time.Duration(checkinInterval) * time.Second
-
 		if tunnel.Status == portainer.EdgeAgentManagementRequired && time.Since(tunnel.LastActivity) < requiredTimeout {
 			continue
 		}
 
+		if tunnel.Status == portainer.EdgeAgentActive && time.Since(tunnel.LastActivity) < activeTimeout {
+			continue
+		}
+
 		tunnels[key] = *tunnel
-		envTimeout[key] = requiredTimeout
 	}
 	service.mu.Unlock()
 
@@ -276,12 +254,12 @@ func (service *Service) checkTunnels() {
 			Float64("status_time_seconds", elapsed.Seconds()).
 			Msg("environment tunnel monitoring")
 
-		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed > envTimeout[endpointID] {
+		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed > requiredTimeout {
 			log.Debug().
 				Int("endpoint_id", int(endpointID)).
 				Str("status", tunnel.Status).
 				Float64("status_time_seconds", elapsed.Seconds()).
-				Float64("timeout_seconds", envTimeout[endpointID].Seconds()).
+				Float64("timeout_seconds", requiredTimeout.Seconds()).
 				Msg("REQUIRED state timeout exceeded")
 		}
 

api/chisel/service_test.go

@@ -1,39 +0,0 @@
-package chisel
-
-import (
-	"net"
-	"net/http"
-	"testing"
-	"time"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestPingAgentPanic(t *testing.T) {
-	endpointID := portainer.EndpointID(1)
-
-	s := NewService(nil, nil, nil)
-
-	defer func() {
-		require.Nil(t, recover())
-	}()
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
-		time.Sleep(pingTimeout + 1*time.Second)
-	})
-
-	ln, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
-	require.NoError(t, err)
-
-	go func() {
-		require.NoError(t, http.Serve(ln, mux))
-	}()
-
-	s.getTunnelDetails(endpointID)
-	s.tunnelDetailsMap[endpointID].Port = ln.Addr().(*net.TCPAddr).Port
-
-	require.Error(t, s.pingAgent(endpointID))
-}

api/chisel/tunnel.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/cache"
 	"github.com/portainer/portainer/pkg/libcrypto"
 
@@ -74,22 +73,27 @@ func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (portainer
 
 	tunnel := service.GetTunnelDetails(endpoint.ID)
 
-	switch tunnel.Status {
-	case portainer.EdgeAgentActive:
+	if tunnel.Status == portainer.EdgeAgentActive {
 		// update the LastActivity
 		service.SetTunnelStatusToActive(endpoint.ID)
+	}
 
-	case portainer.EdgeAgentIdle, portainer.EdgeAgentManagementRequired:
-		if err := service.SetTunnelStatusToRequired(endpoint.ID); err != nil {
+	if tunnel.Status == portainer.EdgeAgentIdle || tunnel.Status == portainer.EdgeAgentManagementRequired {
+		err := service.SetTunnelStatusToRequired(endpoint.ID)
+		if err != nil {
 			return portainer.TunnelDetails{}, fmt.Errorf("failed opening tunnel to endpoint: %w", err)
 		}
 
-		checkinInterval, err := edge.GetEffectiveCheckinInterval(service.dataStore, endpoint)
-		if err != nil {
-			return portainer.TunnelDetails{}, fmt.Errorf("failed fetching checkin interval: %w", err)
+		if endpoint.EdgeCheckinInterval == 0 {
+			settings, err := service.dataStore.Settings().Settings()
+			if err != nil {
+				return portainer.TunnelDetails{}, fmt.Errorf("failed fetching settings from db: %w", err)
+			}
+
+			endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
 
-		time.Sleep(2 * time.Duration(checkinInterval) * time.Second)
+		time.Sleep(2 * time.Duration(endpoint.EdgeCheckinInterval) * time.Second)
 	}
 
 	return service.GetTunnelDetails(endpoint.ID), nil
@@ -143,37 +147,37 @@ func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
 func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointID) error {
 	defer cache.Del(endpointID)
 
+	tunnel := service.getTunnelDetails(endpointID)
+
 	service.mu.Lock()
 	defer service.mu.Unlock()
 
-	tunnel := service.getTunnelDetails(endpointID)
-	if tunnel.Port != 0 {
-		return nil
-	}
-
-	endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
-	if err != nil {
-		return err
-	}
-
-	tunnel.Status = portainer.EdgeAgentManagementRequired
-	tunnel.Port = service.getUnusedPort()
-	tunnel.LastActivity = time.Now()
-
-	username, password := generateRandomCredentials()
-	authorizedRemote := fmt.Sprintf("^R:0.0.0.0:%d$", tunnel.Port)
-
-	if service.chiselServer != nil {
-		if err = service.chiselServer.AddUser(username, password, authorizedRemote); err != nil {
+	if tunnel.Port == 0 {
+		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+		if err != nil {
 			return err
 		}
-	}
 
-	credentials, err := encryptCredentials(username, password, endpoint.EdgeID)
-	if err != nil {
-		return err
+		tunnel.Status = portainer.EdgeAgentManagementRequired
+		tunnel.Port = service.getUnusedPort()
+		tunnel.LastActivity = time.Now()
+
+		username, password := generateRandomCredentials()
+		authorizedRemote := fmt.Sprintf("^R:0.0.0.0:%d$", tunnel.Port)
+
+		if service.chiselServer != nil {
+			err = service.chiselServer.AddUser(username, password, authorizedRemote)
+			if err != nil {
+				return err
+			}
+		}
+
+		credentials, err := encryptCredentials(username, password, endpoint.EdgeID)
+		if err != nil {
+			return err
+		}
+		tunnel.Credentials = credentials
 	}
-	tunnel.Credentials = credentials
 
 	return nil
 }

api/cli/cli.go

@@ -49,7 +49,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL (deprecated)").Default(defaultSSL).Bool(),
 		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
 		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
-		Rollback:                  kingpin.Flag("rollback", "Rollback the database to the previous backup").Bool(),
+		Rollback:                  kingpin.Flag("rollback", "Rollback the database store to the previous version").Bool(),
 		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Set admin password with provided hash").String(),
 		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
@@ -62,7 +62,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		MaxBatchDelay:             kingpin.Flag("max-batch-delay", "Maximum delay before a batch starts").Duration(),
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
-		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
+		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("PRETTY", "JSON"),
 	}
 
 	kingpin.Parse()

api/cli/confirm.go

@@ -9,7 +9,7 @@ import (
 
 // Confirm starts a rollback db cli application
 func Confirm(message string) (bool, error) {
-	fmt.Printf("%s [y/N] ", message)
+	fmt.Printf("%s [y/N]", message)
 
 	reader := bufio.NewReader(os.Stdin)
 

api/cmd/portainer/log.go

@@ -42,13 +42,6 @@ func setLoggingMode(mode string) {
 			TimeFormat:    "2006/01/02 03:04PM",
 			FormatMessage: formatMessage,
 		})
-	case "NOCOLOR":
-		log.Logger = log.Output(zerolog.ConsoleWriter{
-			Out:           os.Stderr,
-			TimeFormat:    "2006/01/02 03:04PM",
-			FormatMessage: formatMessage,
-			NoColor:       true,
-		})
 	case "JSON":
 		log.Logger = log.Output(os.Stderr)
 	}

api/cmd/portainer/main.go

@@ -3,9 +3,11 @@ package main
 import (
 	"context"
 	"crypto/sha256"
+	"math/rand"
 	"os"
 	"path"
 	"strings"
+	"time"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/apikey"
@@ -198,7 +200,7 @@ func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
 	return apikey.NewAPIKeyService(datastore.APIKeyRepository(), datastore.User())
 }
 
-func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore) (portainer.JWTService, error) {
+func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore) (dataservices.JWTService, error) {
 	if userSessionTimeout == "" {
 		userSessionTimeout = portainer.DefaultUserSessionTimeout
 	}
@@ -629,6 +631,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 }
 
 func main() {
+	rand.Seed(time.Now().UnixNano())
+
 	configureLogger()
 	setLoggingMode("PRETTY")
 

api/database/boltdb/db.go

@@ -144,8 +144,6 @@ func (connection *DbConnection) Open() error {
 // Close closes the BoltDB database.
 // Safe to being called multiple times.
 func (connection *DbConnection) Close() error {
-	log.Info().Msg("closing PortainerDB")
-
 	if connection.DB != nil {
 		return connection.DB.Close()
 	}

api/dataservices/apikeyrepository/apikeyrepository.go

@@ -1,6 +1,7 @@
 package apikeyrepository
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 
@@ -36,7 +37,7 @@ func NewService(connection portainer.Connection) (*Service, error) {
 
 // GetAPIKeysByUserID returns a slice containing all the APIKeys a user has access to.
 func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error) {
-	result := make([]portainer.APIKey, 0)
+	var result = make([]portainer.APIKey, 0)
 
 	err := service.Connection.GetAll(
 		BucketName,
@@ -60,7 +61,7 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 
 // GetAPIKeyByDigest returns the API key for the associated digest.
 // Note: there is a 1-to-1 mapping of api-key and digest
-func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, error) {
+func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error) {
 	var k *portainer.APIKey
 	stop := fmt.Errorf("ok")
 	err := service.Connection.GetAll(
@@ -72,7 +73,7 @@ func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, err
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
 				return nil, fmt.Errorf("failed to convert to APIKey object: %s", obj)
 			}
-			if key.Digest == digest {
+			if bytes.Equal(key.Digest, digest) {
 				k = key
 				return nil, stop
 			}

api/dataservices/endpoint/endpoint.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -145,23 +144,6 @@ func (service *Service) Create(endpoint *portainer.Endpoint) error {
 	})
 }
 
-func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
-	var endpoints = make([]portainer.Endpoint, 0)
-
-	return endpoints, service.connection.GetAll(
-		BucketName,
-		&portainer.Endpoint{},
-		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
-			for t := range e.TeamAccessPolicies {
-				if t == teamID {
-					return true
-				}
-			}
-			return false
-		}),
-	)
-}
-
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service *Service) GetNextIdentifier() int {
 	var identifier int

api/dataservices/endpoint/tx.go

@@ -122,23 +122,6 @@ func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
 	return nil
 }
 
-func (service ServiceTx) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error) {
-	var endpoints = make([]portainer.Endpoint, 0)
-
-	return endpoints, service.tx.GetAll(
-		BucketName,
-		&portainer.Endpoint{},
-		dataservices.FilterFn(&endpoints, func(e portainer.Endpoint) bool {
-			for t := range e.TeamAccessPolicies {
-				if t == teamID {
-					return true
-				}
-			}
-			return false
-		}),
-	)
-}
-
 // GetNextIdentifier returns the next identifier for an environment(endpoint).
 func (service ServiceTx) GetNextIdentifier() int {
 	return service.tx.GetNextIdentifier(BucketName)

api/dataservices/interface.go

@@ -1,6 +1,9 @@
 package dataservices
 
 import (
+	"io"
+	"time"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 )
@@ -44,7 +47,7 @@ type (
 		MigrateData() error
 		Rollback(force bool) error
 		CheckCurrentEdition() error
-		Backup(path string) (string, error)
+		BackupTo(w io.Writer) error
 		Export(filename string) (err error)
 
 		DataStoreTx
@@ -92,7 +95,6 @@ type (
 	EndpointService interface {
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
-		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
 		Heartbeat(endpointID portainer.EndpointID) (int64, bool)
 		UpdateHeartbeat(endpointID portainer.EndpointID)
 		Endpoints() ([]portainer.Endpoint, error)
@@ -130,6 +132,15 @@ type (
 		HelmUserRepositoryByUserID(userID portainer.UserID) ([]portainer.HelmUserRepository, error)
 	}
 
+	// JWTService represents a service for managing JWT tokens
+	JWTService interface {
+		GenerateToken(data *portainer.TokenData) (string, error)
+		GenerateTokenForOAuth(data *portainer.TokenData, expiryTime *time.Time) (string, error)
+		GenerateTokenForKubeconfig(data *portainer.TokenData) (string, error)
+		ParseAndVerifyToken(token string) (*portainer.TokenData, error)
+		SetUserSessionDuration(userSessionDuration time.Duration)
+	}
+
 	// RegistryService represents a service for managing registry data
 	RegistryService interface {
 		BaseCRUD[portainer.Registry, portainer.RegistryID]
@@ -150,7 +161,7 @@ type (
 	APIKeyRepository interface {
 		BaseCRUD[portainer.APIKey, portainer.APIKeyID]
 		GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error)
-		GetAPIKeyByDigest(digest string) (*portainer.APIKey, error)
+		GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error)
 	}
 
 	// SettingsService represents a service for managing application settings

api/datastore/backup.go

@@ -4,89 +4,186 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"time"
 
-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/models"
 	"github.com/rs/zerolog/log"
 )
 
-// Backup takes an optional output path and creates a backup of the database.
-// The database connection is stopped before running the backup to avoid any
-// corruption and if a path is not given a default is used.
-// The path or an error are returned.
-func (store *Store) Backup(path string) (string, error) {
-	if err := store.createBackupPath(); err != nil {
-		return "", err
-	}
-
-	backupFilename := store.backupFilename()
-	if path != "" {
-		backupFilename = path
-	}
-	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
-
-	// Close the store before backing up
-	err := store.Close()
-	if err != nil {
-		return "", fmt.Errorf("failed to close store before backup: %w", err)
-	}
-
-	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
-	if err != nil {
-		return "", fmt.Errorf("failed to create backup file: %w", err)
-	}
-
-	// reopen the store
-	_, err = store.Open()
-	if err != nil {
-		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
-	}
-
-	return backupFilename, nil
+var backupDefaults = struct {
+	backupDir string
+	commonDir string
+}{
+	"backups",
+	"common",
 }
 
-func (store *Store) Restore() error {
-	backupFilename := store.backupFilename()
-	return store.RestoreFromFile(backupFilename)
-}
+//
+// Backup Helpers
+//
 
-func (store *Store) RestoreFromFile(backupFilename string) error {
-	store.Close()
-	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
-		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
-	}
-
-	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")
-
-	_, err := store.Open()
-	if err != nil {
-		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
-	}
-
-	// determine the db version
-	version, err := store.VersionService.Version()
-	if err != nil {
-		return fmt.Errorf("unable to determine restored database version. err: %w", err)
-	}
-
-	editionLabel := portainer.SoftwareEdition(version.Edition).GetEditionLabel()
-	log.Info().Msgf("Restored database version: Portainer %s %s", editionLabel, version.SchemaVersion)
-	return nil
-}
-
-func (store *Store) createBackupPath() error {
-	backupDir := path.Join(store.connection.GetStorePath(), "backups")
-	if exists, _ := store.fileService.FileExists(backupDir); !exists {
-		if err := os.MkdirAll(backupDir, 0o700); err != nil {
-			return fmt.Errorf("unable to create backup folder: %w", err)
+// createBackupFolders create initial folders for backups
+func (store *Store) createBackupFolders() {
+	// create common dir
+	commonDir := store.commonBackupDir()
+	if exists, _ := store.fileService.FileExists(commonDir); !exists {
+		if err := os.MkdirAll(commonDir, 0700); err != nil {
+			log.Error().Err(err).Msg("error while creating common backup folder")
 		}
 	}
-	return nil
-}
-
-func (store *Store) backupFilename() string {
-	return path.Join(store.connection.GetStorePath(), "backups", store.connection.GetDatabaseFileName()+".bak")
 }
 
 func (store *Store) databasePath() string {
 	return store.connection.GetDatabaseFilePath()
 }
+
+func (store *Store) commonBackupDir() string {
+	return path.Join(store.connection.GetStorePath(), backupDefaults.backupDir, backupDefaults.commonDir)
+}
+
+func (store *Store) copyDBFile(from string, to string) error {
+	log.Info().Str("from", from).Str("to", to).Msg("copying DB file")
+
+	err := store.fileService.Copy(from, to, true)
+	if err != nil {
+		log.Error().Err(err).Msg("failed")
+	}
+
+	return err
+}
+
+// BackupOptions provide a helper to inject backup options
+type BackupOptions struct {
+	Version        string
+	BackupDir      string
+	BackupFileName string
+	BackupPath     string
+}
+
+// getBackupRestoreOptions returns options to store db at common backup dir location; used by:
+// - db backup prior to version upgrade
+// - db rollback
+func getBackupRestoreOptions(backupDir string) *BackupOptions {
+	return &BackupOptions{
+		BackupDir:      backupDir, //connection.commonBackupDir(),
+		BackupFileName: beforePortainerVersionUpgradeBackup,
+	}
+}
+
+// Backup current database with default options
+func (store *Store) Backup(version *models.Version) (string, error) {
+	if version == nil {
+		return store.backupWithOptions(nil)
+	}
+
+	return store.backupWithOptions(&BackupOptions{
+		Version: version.SchemaVersion,
+	})
+}
+
+func (store *Store) setupOptions(options *BackupOptions) *BackupOptions {
+	if options == nil {
+		options = &BackupOptions{}
+	}
+	if options.Version == "" {
+		v, err := store.VersionService.Version()
+		if err != nil {
+			options.Version = ""
+		}
+		options.Version = v.SchemaVersion
+	}
+	if options.BackupDir == "" {
+		options.BackupDir = store.commonBackupDir()
+	}
+	if options.BackupFileName == "" {
+		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFileName(), options.Version, time.Now().Format("20060102150405"))
+	}
+	if options.BackupPath == "" {
+		options.BackupPath = path.Join(options.BackupDir, options.BackupFileName)
+	}
+	return options
+}
+
+// BackupWithOptions backup current database with options
+func (store *Store) backupWithOptions(options *BackupOptions) (string, error) {
+	log.Info().Msg("creating DB backup")
+
+	store.createBackupFolders()
+
+	options = store.setupOptions(options)
+	dbPath := store.databasePath()
+
+	if err := store.Close(); err != nil {
+		return options.BackupPath, fmt.Errorf(
+			"error closing datastore before creating backup: %w",
+			err,
+		)
+	}
+
+	if err := store.copyDBFile(dbPath, options.BackupPath); err != nil {
+		return options.BackupPath, err
+	}
+
+	if _, err := store.Open(); err != nil {
+		return options.BackupPath, fmt.Errorf(
+			"error opening datastore after creating backup: %w",
+			err,
+		)
+	}
+
+	return options.BackupPath, nil
+}
+
+// RestoreWithOptions previously saved backup for the current Edition  with options
+// Restore strategies:
+// - default: restore latest from current edition
+// - restore a specific
+func (store *Store) restoreWithOptions(options *BackupOptions) error {
+	options = store.setupOptions(options)
+
+	// Check if backup file exist before restoring
+	_, err := os.Stat(options.BackupPath)
+	if os.IsNotExist(err) {
+		log.Error().Str("path", options.BackupPath).Err(err).Msg("backup file to restore does not exist %s")
+
+		return err
+	}
+
+	err = store.Close()
+	if err != nil {
+		log.Error().Err(err).Msg("error while closing store before restore")
+
+		return err
+	}
+
+	log.Info().Msg("restoring DB backup")
+	err = store.copyDBFile(options.BackupPath, store.databasePath())
+	if err != nil {
+		return err
+	}
+
+	_, err = store.Open()
+	return err
+}
+
+// RemoveWithOptions removes backup database based on supplied options
+func (store *Store) removeWithOptions(options *BackupOptions) error {
+	log.Info().Msg("removing DB backup")
+
+	options = store.setupOptions(options)
+	_, err := os.Stat(options.BackupPath)
+
+	if os.IsNotExist(err) {
+		log.Error().Str("path", options.BackupPath).Err(err).Msg("backup file to remove does not exist")
+		return err
+	}
+
+	log.Info().Str("path", options.BackupPath).Msg("removing DB file")
+	err = os.Remove(options.BackupPath)
+	if err != nil {
+		log.Error().Err(err).Msg("failed")
+		return err
+	}
+
+	return nil
+}

api/datastore/backup_test.go

@@ -2,79 +2,106 @@ package datastore
 
 import (
 	"fmt"
+	"os"
+	"path"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
-
-	"github.com/rs/zerolog/log"
 )
 
+func TestCreateBackupFolders(t *testing.T) {
+	_, store := MustNewTestStore(t, true, true)
+
+	connection := store.GetConnection()
+	backupPath := path.Join(connection.GetStorePath(), backupDefaults.backupDir)
+
+	if isFileExist(backupPath) {
+		t.Error("Expect backups folder to not exist")
+	}
+
+	store.createBackupFolders()
+	if !isFileExist(backupPath) {
+		t.Error("Expect backups folder to exist")
+	}
+}
+
 func TestStoreCreation(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
 	if store == nil {
-		t.Fatal("Expect to create a store")
+		t.Error("Expect to create a store")
 	}
 
-	v, err := store.VersionService.Version()
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-
-	if portainer.SoftwareEdition(v.Edition) != portainer.PortainerCE {
+	if store.CheckCurrentEdition() != nil {
 		t.Error("Expect to get CE Edition")
 	}
-
-	if v.SchemaVersion != portainer.APIVersion {
-		t.Error("Expect to get APIVersion")
-	}
 }
 
 func TestBackup(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
-	backupFileName := store.backupFilename()
-	t.Run(fmt.Sprintf("Backup should create %s", backupFileName), func(t *testing.T) {
+	connection := store.GetConnection()
+
+	t.Run("Backup should create default db backup", func(t *testing.T) {
 		v := models.Version{
-			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
 		store.VersionService.UpdateVersion(&v)
-		store.Backup("")
+		store.backupWithOptions(nil)
 
+		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.edb.%s.*", portainer.APIVersion))
+		if !isFileExist(backupFileName) {
+			t.Errorf("Expect backup file to be created %s", backupFileName)
+		}
+	})
+
+	t.Run("BackupWithOption should create a name specific backup at common path", func(t *testing.T) {
+		store.backupWithOptions(&BackupOptions{
+			BackupFileName: beforePortainerVersionUpgradeBackup,
+			BackupDir:      store.commonBackupDir(),
+		})
+		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", beforePortainerVersionUpgradeBackup)
 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
 		}
 	})
 }
 
-func TestRestore(t *testing.T) {
-	_, store := MustNewTestStore(t, true, false)
+func TestRemoveWithOptions(t *testing.T) {
+	_, store := MustNewTestStore(t, true, true)
 
-	t.Run("Basic Restore", func(t *testing.T) {
-		// override and set initial db version and edition
-		updateEdition(store, portainer.PortainerCE)
-		updateVersion(store, "2.4")
+	t.Run("successfully removes file if existent", func(t *testing.T) {
+		store.createBackupFolders()
+		options := &BackupOptions{
+			BackupDir:      store.commonBackupDir(),
+			BackupFileName: "test.txt",
+		}
 
-		store.Backup("")
-		updateVersion(store, "2.16")
-		testVersion(store, "2.16", t)
-		store.Restore()
+		filePath := path.Join(options.BackupDir, options.BackupFileName)
+		f, err := os.Create(filePath)
+		if err != nil {
+			t.Fatalf("file should be created; err=%s", err)
+		}
+		f.Close()
 
-		// check if the restore is successful and the version is correct
-		testVersion(store, "2.4", t)
+		err = store.removeWithOptions(options)
+		if err != nil {
+			t.Errorf("RemoveWithOptions should successfully remove file; err=%v", err)
+		}
+
+		if isFileExist(f.Name()) {
+			t.Errorf("RemoveWithOptions should successfully remove file; file=%s", f.Name())
+		}
 	})
 
-	t.Run("Basic Restore After Multiple Backups", func(t *testing.T) {
-		// override and set initial db version and edition
-		updateEdition(store, portainer.PortainerCE)
-		updateVersion(store, "2.4")
-		store.Backup("")
-		updateVersion(store, "2.14")
-		updateVersion(store, "2.16")
-		testVersion(store, "2.16", t)
-		store.Restore()
+	t.Run("fails to removes file if non-existent", func(t *testing.T) {
+		options := &BackupOptions{
+			BackupDir:      store.commonBackupDir(),
+			BackupFileName: "test.txt",
+		}
 
-		// check if the restore is successful and the version is correct
-		testVersion(store, "2.4", t)
+		err := store.removeWithOptions(options)
+		if err == nil {
+			t.Error("RemoveWithOptions should fail for non-existent file")
+		}
 	})
 }

api/datastore/datastore.go

@@ -31,14 +31,8 @@ func (store *Store) Open() (newStore bool, err error) {
 	}
 
 	if encryptionReq {
-		backupFilename, err := store.Backup("")
-		if err != nil {
-			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
-		}
-
 		err = store.encryptDB()
 		if err != nil {
-			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
 			return false, err
 		}
 	}

api/datastore/helpers_test.go

@@ -1,58 +0,0 @@
-package datastore
-
-import (
-	"path/filepath"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"github.com/rs/zerolog/log"
-)
-
-// isFileExist is helper function to check for file existence
-func isFileExist(path string) bool {
-	matches, err := filepath.Glob(path)
-	if err != nil {
-		return false
-	}
-	return len(matches) > 0
-}
-
-func updateVersion(store *Store, v string) {
-	version, err := store.VersionService.Version()
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-
-	version.SchemaVersion = v
-
-	err = store.VersionService.UpdateVersion(version)
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-}
-
-func updateEdition(store *Store, edition portainer.SoftwareEdition) {
-	version, err := store.VersionService.Version()
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-
-	version.Edition = int(edition)
-
-	err = store.VersionService.UpdateVersion(version)
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-}
-
-// testVersion is a helper which tests current store version against wanted version
-func testVersion(store *Store, versionWant string, t *testing.T) {
-	v, err := store.VersionService.Version()
-	if err != nil {
-		log.Fatal().Err(err).Msg("")
-	}
-	if v.SchemaVersion != versionWant {
-		t.Errorf("Expect store version to be %s but was %s", versionWant, v.SchemaVersion)
-	}
-}

api/datastore/init.go

@@ -53,7 +53,7 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 			},
 			SnapshotInterval:         portainer.DefaultSnapshotInterval,
 			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:             "",
+			TemplatesURL:             portainer.DefaultTemplatesURL,
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
 			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 			KubeconfigExpiry:         portainer.DefaultKubeconfigExpiry,

api/datastore/migrate_data.go

@@ -2,7 +2,6 @@ package datastore
 
 import (
 	"fmt"
-	"os"
 	"runtime/debug"
 
 	portainer "github.com/portainer/portainer/api"
@@ -16,6 +15,8 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+const beforePortainerVersionUpgradeBackup = "portainer.db.bak"
+
 func (store *Store) MigrateData() error {
 	updating, err := store.VersionService.IsUpdating()
 	if err != nil {
@@ -40,7 +41,7 @@ func (store *Store) MigrateData() error {
 	}
 
 	// before we alter anything in the DB, create a backup
-	_, err = store.Backup("")
+	backupPath, err := store.Backup(version)
 	if err != nil {
 		return errors.Wrap(err, "while backing up database")
 	}
@@ -50,9 +51,9 @@ func (store *Store) MigrateData() error {
 		err = errors.Wrap(err, "failed to migrate database")
 
 		log.Warn().Err(err).Msg("migration failed, restoring database to previous version")
-		restoreErr := store.Restore()
-		if restoreErr != nil {
-			return errors.Wrap(restoreErr, "failed to restore database")
+		restorErr := store.restoreWithOptions(&BackupOptions{BackupPath: backupPath})
+		if restorErr != nil {
+			return errors.Wrap(restorErr, "failed to restore database")
 		}
 
 		log.Info().Msg("database restored to previous version")
@@ -116,11 +117,6 @@ func (store *Store) FailSafeMigrate(migrator *migrator.Migrator, version *models
 		return err
 	}
 
-	// Special test code to simulate a failure (used by migrate_data_test.go).  Do not remove...
-	if os.Getenv("PORTAINER_TEST_MIGRATE_FAIL") == "FAIL" {
-		panic("test migration failure")
-	}
-
 	err = store.VersionService.StoreIsUpdating(false)
 	if err != nil {
 		return errors.Wrap(err, "failed to update the store")
@@ -131,6 +127,7 @@ func (store *Store) FailSafeMigrate(migrator *migrator.Migrator, version *models
 
 // Rollback to a pre-upgrade backup copy/snapshot of portainer.db
 func (store *Store) connectionRollback(force bool) error {
+
 	if !force {
 		confirmed, err := cli.Confirm("Are you sure you want to rollback your database to the previous backup?")
 		if err != nil || !confirmed {
@@ -138,7 +135,9 @@ func (store *Store) connectionRollback(force bool) error {
 		}
 	}
 
-	err := store.Restore()
+	options := getBackupRestoreOptions(store.commonBackupDir())
+
+	err := store.restoreWithOptions(options)
 	if err != nil {
 		return err
 	}

api/datastore/migrate_data_test.go

@@ -2,25 +2,34 @@ package datastore
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
-	"github.com/Masterminds/semver"
-	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
-	"github.com/portainer/portainer/api/datastore/migrator"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
+// testVersion is a helper which tests current store version against wanted version
+func testVersion(store *Store, versionWant string, t *testing.T) {
+	v, err := store.VersionService.Version()
+	if err != nil {
+		t.Errorf("Expect store version to be %s but was %s with error: %s", versionWant, v.SchemaVersion, err)
+	}
+	if v.SchemaVersion != versionWant {
+		t.Errorf("Expect store version to be %s but was %s", versionWant, v.SchemaVersion)
+	}
+}
+
 func TestMigrateData(t *testing.T) {
-	tests := []struct {
+	snapshotTests := []struct {
 		testName           string
 		srcPath            string
 		wantPath           string
@@ -33,7 +42,7 @@ func TestMigrateData(t *testing.T) {
 			overrideInstanceId: true,
 		},
 	}
-	for _, test := range tests {
+	for _, test := range snapshotTests {
 		t.Run(test.testName, func(t *testing.T) {
 			err := migrateDBTestHelper(t, test.srcPath, test.wantPath, test.overrideInstanceId)
 			if err != nil {
@@ -46,167 +55,147 @@ func TestMigrateData(t *testing.T) {
 		})
 	}
 
-	t.Run("MigrateData for New Store & Re-Open Check", func(t *testing.T) {
-		newStore, store := MustNewTestStore(t, true, false)
-		if !newStore {
-			t.Error("Expect a new DB")
-		}
+	// t.Run("MigrateData for New Store & Re-Open Check", func(t *testing.T) {
+	// 	newStore, store, teardown := MustNewTestStore(t, true, false)
+	// 	defer teardown()
 
-		testVersion(store, portainer.APIVersion, t)
-		store.Close()
+	// 	if !newStore {
+	// 		t.Error("Expect a new DB")
+	// 	}
 
-		newStore, _ = store.Open()
-		if newStore {
-			t.Error("Expect store to NOT be new DB")
-		}
-	})
+	// 	testVersion(store, portainer.APIVersion, t)
+	// 	store.Close()
 
-	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
-		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
-		store.MigrateData()
+	// 	newStore, _ = store.Open()
+	// 	if newStore {
+	// 		t.Error("Expect store to NOT be new DB")
+	// 	}
+	// })
 
-		backupfilename := store.backupFilename()
-		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
-			t.Errorf("Expect backup file to be created %s", backupfilename)
-		}
-	})
+	// tests := []struct {
+	// 	version         string
+	// 	expectedVersion string
+	// }{
+	// 	{version: "1.24.1", expectedVersion: portainer.APIVersion},
+	// 	{version: "2.0.0", expectedVersion: portainer.APIVersion},
+	// }
+	// for _, tc := range tests {
+	// 	_, store, teardown := MustNewTestStore(t, true, true)
+	// 	defer teardown()
 
-	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
-		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
+	// 	// Setup data
+	// 	v := models.Version{SchemaVersion: tc.version}
+	// 	store.VersionService.UpdateVersion(&v)
 
-		version := "2.15"
-		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
-		store.MigrateData()
+	// 	// Required roles by migrations 22.2
+	// 	store.RoleService.Create(&portainer.Role{ID: 1})
+	// 	store.RoleService.Create(&portainer.Role{ID: 2})
+	// 	store.RoleService.Create(&portainer.Role{ID: 3})
+	// 	store.RoleService.Create(&portainer.Role{ID: 4})
 
-		store.Open()
-		testVersion(store, version, t)
-	})
+	// 	t.Run(fmt.Sprintf("MigrateData for version %s", tc.version), func(t *testing.T) {
+	// 		store.MigrateData()
+	// 		testVersion(store, tc.expectedVersion, t)
+	// 	})
 
-	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
-		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.StoreIsUpdating(true)
-		store.MigrateData()
+	// 	t.Run(fmt.Sprintf("Restoring DB after migrateData for version %s", tc.version), func(t *testing.T) {
+	// 		store.Rollback(true)
+	// 		store.Open()
+	// 		testVersion(store, tc.version, t)
+	// 	})
+	// }
 
-		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
-		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
-		// only create a backup when the version changes.
-		backupfilename := store.backupFilename()
-		if exists, _ := store.fileService.FileExists(backupfilename); exists {
-			t.Errorf("Backup file should not exist for dirty database")
-		}
-	})
+	// t.Run("Error in MigrateData should restore backup before MigrateData", func(t *testing.T) {
+	// 	_, store, teardown := MustNewTestStore(t, false, true)
+	// 	defer teardown()
 
-	t.Run("MigrateData should not create backup on startup if portainer version matches db", func(t *testing.T) {
-		_, store := MustNewTestStore(t, true, false)
+	// 	v := models.Version{SchemaVersion: "1.24.1"}
+	// 	store.VersionService.UpdateVersion(&v)
 
-		// Set migrator the count to match our migrations array (simulate no changes).
-		// Should not create a backup
-		v, err := store.VersionService.Version()
-		if err != nil {
-			t.Errorf("Unable to read version from db: %s", err)
-			t.FailNow()
-		}
+	// 	store.MigrateData()
 
-		migratorParams := store.newMigratorParameters(v)
-		m := migrator.NewMigrator(migratorParams)
-		latestMigrations := m.LatestMigrations()
+	// 	testVersion(store, v.SchemaVersion, t)
+	// })
 
-		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
-			v.MigratorCount = len(latestMigrations.MigrationFuncs)
-			store.VersionService.UpdateVersion(v)
-		}
+	// t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
+	// 	_, store, teardown := MustNewTestStore(t, false, true)
+	// 	defer teardown()
 
-		store.MigrateData()
+	// 	v := models.Version{SchemaVersion: "0.0.0"}
+	// 	store.VersionService.UpdateVersion(&v)
 
-		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
-		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
-		// only create a backup when the version changes.
-		backupfilename := store.backupFilename()
-		if exists, _ := store.fileService.FileExists(backupfilename); exists {
-			t.Errorf("Backup file should not exist for dirty database")
-		}
-	})
+	// 	store.MigrateData()
 
-	t.Run("MigrateData should create backup on startup if portainer version matches db and migrationFuncs counts differ", func(t *testing.T) {
-		_, store := MustNewTestStore(t, true, false)
+	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
 
-		// Set migrator count very large to simulate changes
-		// Should not create a backup
-		v, err := store.VersionService.Version()
-		if err != nil {
-			t.Errorf("Unable to read version from db: %s", err)
-			t.FailNow()
-		}
+	// 	if !isFileExist(options.BackupPath) {
+	// 		t.Errorf("Backup file should exist; file=%s", options.BackupPath)
+	// 	}
+	// })
 
-		v.MigratorCount = 1000
-		store.VersionService.UpdateVersion(v)
-		store.MigrateData()
+	// t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
+	// 	_, store, teardown := MustNewTestStore(t, false, true)
+	// 	defer teardown()
 
-		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
-		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
-		// only create a backup when the version changes.
-		backupfilename := store.backupFilename()
-		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
-			t.Errorf("DB backup should exist and there should be no error")
-		}
-	})
+	// 	store.VersionService.StoreIsUpdating(true)
+
+	// 	store.MigrateData()
+
+	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
+
+	// 	if isFileExist(options.BackupPath) {
+	// 		t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
+	// 	}
+	// })
+
+	// t.Run("MigrateData should not create backup on startup if portainer version matches db", func(t *testing.T) {
+	// 	_, store, teardown := MustNewTestStore(t, false, true)
+	// 	defer teardown()
+
+	// 	store.MigrateData()
+
+	// 	options := store.setupOptions(getBackupRestoreOptions(store.commonBackupDir()))
+
+	// 	if isFileExist(options.BackupPath) {
+	// 		t.Errorf("Backup file should not exist for dirty database; file=%s", options.BackupPath)
+	// 	}
+	// })
+}
+
+func Test_getBackupRestoreOptions(t *testing.T) {
+	_, store := MustNewTestStore(t, false, true)
+
+	options := getBackupRestoreOptions(store.commonBackupDir())
+
+	wantDir := store.commonBackupDir()
+	if !strings.HasSuffix(options.BackupDir, wantDir) {
+		log.Fatal().Str("got", options.BackupDir).Str("want", wantDir).Msg("incorrect backup dir")
+	}
+
+	wantFilename := "portainer.db.bak"
+	if options.BackupFileName != wantFilename {
+		log.Fatal().Str("got", options.BackupFileName).Str("want", wantFilename).Msg("incorrect backup file")
+	}
 }
 
 func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
-		version := "2.11"
-
-		v := models.Version{
-			SchemaVersion: version,
-		}
-
-		_, store := MustNewTestStore(t, false, false)
-		store.VersionService.UpdateVersion(&v)
-
-		_, err := store.Backup("")
-		if err != nil {
-			log.Fatal().Err(err).Msg("")
-		}
-
-		v.SchemaVersion = "2.14"
-		// Change the current edition
-		err = store.VersionService.UpdateVersion(&v)
-		if err != nil {
-			log.Fatal().Err(err).Msg("")
-		}
-
-		err = store.Rollback(true)
-		if err != nil {
-			t.Logf("Rollback failed: %s", err)
-			t.Fail()
-			return
-		}
-
-		store.Open()
-		testVersion(store, version, t)
-	})
-
-	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
-		version := "2.15"
-
-		v := models.Version{
-			SchemaVersion: version,
-			Edition:       int(portainer.PortainerCE),
-		}
-
+		version := models.Version{SchemaVersion: "2.4.0"}
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&v)
 
-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&version)
+		if err != nil {
+			t.Errorf("Failed updating version: %v", err)
+		}
+
+		_, err = store.backupWithOptions(getBackupRestoreOptions(store.commonBackupDir()))
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
 
-		v.SchemaVersion = "2.14"
-		// Change the current edition
-		err = store.VersionService.UpdateVersion(&v)
+		// Change the current version
+		version2 := models.Version{SchemaVersion: "2.6.0"}
+		err = store.VersionService.UpdateVersion(&version2)
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -218,11 +207,26 @@ func TestRollback(t *testing.T) {
 			return
 		}
 
-		store.Open()
-		testVersion(store, version, t)
+		_, err = store.Open()
+		if err != nil {
+			t.Logf("Open failed: %s", err)
+			t.Fail()
+			return
+		}
+
+		testVersion(store, version.SchemaVersion, t)
 	})
 }
 
+// isFileExist is helper function to check for file existence
+func isFileExist(path string) bool {
+	matches, err := filepath.Glob(path)
+	if err != nil {
+		return false
+	}
+	return len(matches) > 0
+}
+
 // migrateDBTestHelper loads a json representation of a bolt database from srcPath,
 // parses it into a database, runs a migration on that database, and then
 // compares it with an expected output database.
@@ -305,7 +309,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		os.WriteFile(
 			gotPath,
 			gotJSON,
-			0o600,
+			0600,
 		)
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",

api/datastore/migrator/migrate_dbversion100.go

@@ -10,8 +10,8 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-func (m *Migrator) migrateDockerDesktopExtensionSetting() error {
-	log.Info().Msg("updating docker desktop extension flag in settings")
+func (m *Migrator) migrateDockerDesktopExtentionSetting() error {
+	log.Info().Msg("updating docker desktop extention flag in settings")
 
 	isDDExtension := false
 	if _, ok := os.LookupEnv("DOCKER_EXTENSION"); ok {

api/datastore/migrator/migrate_dbversion110.go

@@ -1,51 +0,0 @@
-package migrator
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/rs/zerolog/log"
-)
-
-// updateAppTemplatesVersionForDB110 changes the templates URL to be empty if it was never changed
-// from the default value (version 2.0 URL)
-func (migrator *Migrator) updateAppTemplatesVersionForDB110() error {
-	log.Info().Msg("updating app templates url to v3.0")
-
-	version2URL := "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json"
-
-	settings, err := migrator.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
-	if settings.TemplatesURL == version2URL || settings.TemplatesURL == portainer.DefaultTemplatesURL {
-		settings.TemplatesURL = ""
-	}
-
-	return migrator.settingsService.UpdateSettings(settings)
-}
-
-// In PortainerCE the resource overcommit option should always be true across all endpoints
-func (migrator *Migrator) updateResourceOverCommitToDB110() error {
-	log.Info().Msg("updating resource overcommit setting to true")
-
-	endpoints, err := migrator.endpointService.Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		if endpoint.Type == portainer.KubernetesLocalEnvironment ||
-			endpoint.Type == portainer.AgentOnKubernetesEnvironment ||
-			endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
-
-			endpoint.Kubernetes.Configuration.EnableResourceOverCommit = true
-
-			err = migrator.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}

api/datastore/migrator/migrate_dbversion24.go

@@ -14,10 +14,8 @@ func (m *Migrator) updateSettingsToDB25() error {
 		return err
 	}
 
-	// to keep the same migration functionality as before 2.20.0, we need to set the templates URL to v2
-	version2URL := "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json"
 	if legacySettings.TemplatesURL == "" {
-		legacySettings.TemplatesURL = version2URL
+		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
 	}
 
 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout

api/datastore/migrator/migrator.go

@@ -225,13 +225,9 @@ func (m *Migrator) initMigrations() {
 	m.addMigrations("2.18", m.migrateDBVersionToDB90)
 	m.addMigrations("2.19",
 		m.convertSeedToPrivateKeyForDB100,
-		m.migrateDockerDesktopExtensionSetting,
+		m.migrateDockerDesktopExtentionSetting,
 		m.updateEdgeStackStatusForDB100,
 	)
-	m.addMigrations("2.20",
-		m.updateAppTemplatesVersionForDB110,
-		m.updateResourceOverCommitToDB110,
-	)
 
 	// Add new migrations below...
 	// One function per migration, each versions migration funcs in the same file.

api/datastore/test_data/output_24_to_latest.json

@@ -645,7 +645,7 @@
     },
     "ShowKomposeBuildOption": false,
     "SnapshotInterval": "5m",
-    "TemplatesURL": "",
+    "TemplatesURL": "https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json",
     "TrustOnFirstConnect": false,
     "UserSessionTimeout": "8h",
     "fdoConfiguration": {
@@ -669,7 +669,6 @@
   "snapshots": [
     {
       "Docker": {
-        "ContainerCount": 0,
         "DockerSnapshotRaw": {
           "Containers": null,
           "Images": null,
@@ -904,7 +903,6 @@
         "color": ""
       },
       "TokenIssueAt": 0,
-      "UseCache": false,
       "Username": "admin"
     },
     {
@@ -934,11 +932,10 @@
         "color": ""
       },
       "TokenIssueAt": 0,
-      "UseCache": false,
       "Username": "prabhat"
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.21.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.20.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   }
 }

api/docker/client/client.go

@@ -1,24 +1,18 @@
 package client
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
-	"io"
-	"maps"
 	"net/http"
 	"strings"
 	"time"
 
+	"github.com/docker/docker/client"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
-	"github.com/segmentio/encoding/json"
 )
 
-var errUnsupportedEnvironmentType = errors.New("environment not supported")
+var errUnsupportedEnvironmentType = errors.New("Environment not supported")
 
 const (
 	defaultDockerRequestTimeout = 60 * time.Second
@@ -48,16 +42,9 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 	case portainer.AzureEnvironment:
 		return nil, errUnsupportedEnvironmentType
 	case portainer.AgentOnDockerEnvironment:
-		return createAgentClient(endpoint, endpoint.URL, factory.signatureService, nodeName, timeout)
+		return createAgentClient(endpoint, factory.signatureService, nodeName, timeout)
 	case portainer.EdgeAgentOnDockerEnvironment:
-		tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
-		if err != nil {
-			return nil, err
-		}
-
-		endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
-
-		return createAgentClient(endpoint, endpointURL, factory.signatureService, nodeName, timeout)
+		return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName, timeout)
 	}
 
 	if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
@@ -100,7 +87,7 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 	)
 }
 
-func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
@@ -120,73 +107,51 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu
 		headers[portainer.PortainerAgentTargetHeader] = nodeName
 	}
 
-	opts := []client.Opt{
+	tunnel, err := reverseTunnelService.GetActiveTunnel(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+
+	return client.NewClientWithOpts(
 		client.WithHost(endpointURL),
 		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
-	}
-
-	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
-		opts = append(opts, client.WithScheme("https"))
-	}
-
-	return client.NewClientWithOpts(opts...)
+	)
 }
 
-type NodeNameTransport struct {
-	*http.Transport
-	nodeNames map[string]string
-}
-
-func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	resp, err := t.Transport.RoundTrip(req)
-	if err != nil ||
-		resp.StatusCode != http.StatusOK ||
-		resp.ContentLength == 0 ||
-		!strings.HasSuffix(req.URL.Path, "/images/json") {
-		return resp, err
-	}
-
-	body, err := io.ReadAll(resp.Body)
+func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
-		resp.Body.Close()
-		return resp, err
+		return nil, err
 	}
 
-	resp.Body.Close()
-
-	resp.Body = io.NopCloser(bytes.NewReader(body))
-
-	var rs []struct {
-		types.ImageSummary
-		Portainer struct {
-			Agent struct {
-				NodeName string
-			}
-		}
+	signature, err := signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return nil, err
 	}
 
-	if err = json.Unmarshal(body, &rs); err != nil {
-		return resp, nil
+	headers := map[string]string{
+		portainer.PortainerAgentPublicKeyHeader: signatureService.EncodedPublicKey(),
+		portainer.PortainerAgentSignatureHeader: signature,
 	}
 
-	t.nodeNames = make(map[string]string)
-	for _, r := range rs {
-		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
+	if nodeName != "" {
+		headers[portainer.PortainerAgentTargetHeader] = nodeName
 	}
 
-	return resp, err
-}
-
-func (t *NodeNameTransport) NodeNames() map[string]string {
-	return maps.Clone(t.nodeNames)
+	return client.NewClientWithOpts(
+		client.WithHost(endpoint.URL),
+		client.WithAPIVersionNegotiation(),
+		client.WithHTTPClient(httpCli),
+		client.WithHTTPHeaders(headers),
+	)
 }
 
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
-	transport := &NodeNameTransport{
-		Transport: &http.Transport{},
-	}
+	transport := &http.Transport{}
 
 	if endpoint.TLSConfig.TLS {
 		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)

api/docker/snapshot.go

@@ -174,12 +174,7 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 				if !snapshot.Swarm {
 					return err
 				} else {
-					if !strings.Contains(err.Error(), "No such container") {
-						return err
-					}
-					// It is common to have containers running on different Swarm nodes,
-					// so we just log the error in the debug level
-					log.Debug().Str("container", container.ID).Err(err).Msg("unable to inspect container in other Swarm nodes")
+					log.Info().Str("container", container.ID).Err(err).Msg("unable to inspect container in other Swarm nodes")
 				}
 			} else {
 				var gpuOptions *_container.DeviceRequest = nil
@@ -201,12 +196,9 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 			}
 		}
 
-		if container.State == "healthy" {
-			runningContainers++
+		if strings.Contains(container.Status, "(healthy)") {
 			healthyContainers++
-		}
-
-		if container.State == "unhealthy" {
+		} else if strings.Contains(container.Status, "(unhealthy)") {
 			unhealthyContainers++
 		}
 
@@ -225,7 +217,6 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	snapshot.GpuUseAll = gpuUseAll
 	snapshot.GpuUseList = gpuUseList
 
-	snapshot.ContainerCount = len(containers)
 	snapshot.RunningContainerCount = runningContainers
 	snapshot.StoppedContainerCount = stoppedContainers
 	snapshot.HealthyContainerCount = healthyContainers

api/edge/edge.go

@@ -51,10 +51,6 @@ type (
 		// Used only for EE
 		// EnvVars is a list of environment variables to inject into the stack
 		EnvVars []portainer.Pair
-
-		// Used only for EE async edge agent
-		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
-		ReadyRePullImage bool
 	}
 
 	// RegistryCredentials holds the credentials for a Docker registry.

api/exec/compose_stack_integration_test.go

@@ -10,8 +10,8 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/pkg/libstack/compose"
-	"github.com/portainer/portainer/pkg/testhelpers"
 
 	"github.com/rs/zerolog/log"
 )

api/filesystem/filesystem.go

@@ -173,7 +173,7 @@ func (service *Service) GetStackProjectPathByVersion(stackIdentifier string, ver
 	}
 
 	if commitHash != "" {
-		versionStr = commitHash
+		versionStr = fmt.Sprintf("%s", commitHash)
 	}
 	return JoinPaths(service.wrapFileStore(ComposeStorePath), stackIdentifier, versionStr)
 }

api/http/csrf/csrf.go

@@ -1,66 +0,0 @@
-package csrf
-
-import (
-	"crypto/rand"
-	"fmt"
-	"net/http"
-
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-
-	gorillacsrf "github.com/gorilla/csrf"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/urfave/negroni"
-)
-
-func WithProtect(handler http.Handler) (http.Handler, error) {
-	handler = withSendCSRFToken(handler)
-
-	token := make([]byte, 32)
-	_, err := rand.Read(token)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate CSRF token: %w", err)
-	}
-
-	handler = gorillacsrf.Protect(
-		[]byte(token),
-		gorillacsrf.Path("/"),
-		gorillacsrf.Secure(false),
-	)(handler)
-
-	return withSkipCSRF(handler), nil
-}
-
-func withSendCSRFToken(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
-		sw := negroni.NewResponseWriter(w)
-
-		sw.Before(func(sw negroni.ResponseWriter) {
-			statusCode := sw.Status()
-			if statusCode >= 200 && statusCode < 300 {
-				csrfToken := gorillacsrf.Token(r)
-				sw.Header().Set("X-CSRF-Token", csrfToken)
-			}
-		})
-
-		handler.ServeHTTP(sw, r)
-
-	})
-}
-
-func withSkipCSRF(handler http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
-		skip, err := security.ShouldSkipCSRFCheck(r)
-		if err != nil {
-			httperror.WriteError(w, http.StatusForbidden, err.Error(), err)
-			return
-		}
-
-		if skip {
-			r = gorillacsrf.UnsafeSkipCheck(r)
-		}
-
-		handler.ServeHTTP(w, r)
-	})
-}

api/http/handler/auth/authenticate.go

@@ -6,7 +6,6 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@@ -26,7 +25,7 @@ type authenticatePayload struct {
 
 type authenticateResponse struct {
 	// JWT token used to authenticate against the API
-	JWT string `json:"jwt" example:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzAB"`
+	JWT string `json:"jwt" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE"`
 }
 
 func (payload *authenticatePayload) Validate(r *http.Request) error {
@@ -143,15 +142,12 @@ func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User,
 }
 
 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
-	token, expirationTime, err := handler.JWTService.GenerateToken(tokenData)
+	token, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return httperror.InternalServerError("Unable to generate JWT token", err)
 	}
 
-	security.AddAuthCookie(w, token, expirationTime)
-
 	return response.JSON(w, &authenticateResponse{JWT: token})
-
 }
 
 func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settings *portainer.LDAPSettings) error {
@@ -200,7 +196,7 @@ func (handler *Handler) syncUserTeamsWithLDAPGroups(user *portainer.User, settin
 
 func teamExists(teamName string, ldapGroups []string) bool {
 	for _, group := range ldapGroups {
-		if strings.EqualFold(group, teamName) {
+		if strings.ToLower(group) == strings.ToLower(teamName) {
 			return true
 		}
 	}

api/http/handler/auth/handler.go

@@ -18,13 +18,12 @@ type Handler struct {
 	*mux.Router
 	DataStore                   dataservices.DataStore
 	CryptoService               portainer.CryptoService
-	JWTService                  portainer.JWTService
+	JWTService                  dataservices.JWTService
 	LDAPService                 portainer.LDAPService
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
 	passwordStrengthChecker     security.PasswordStrengthChecker
-	bouncer                     security.BouncerService
 }
 
 // NewHandler creates a handler to manage authentication operations.
@@ -32,7 +31,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
-		bouncer:                 bouncer,
 	}
 
 	h.Handle("/auth/oauth/validate",
@@ -41,5 +39,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
 	h.Handle("/auth/logout",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
+
 	return h
 }

api/http/handler/auth/logout.go

@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/internal/logoutcontext"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/rs/zerolog/log"
 )
 
 // @id Logout
@@ -18,15 +19,17 @@ import (
 // @success 204 "Success"
 // @failure 500 "Server error"
 // @router /auth/logout [post]
+
 func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, _ := handler.bouncer.CookieAuthLookup(r)
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.Warn().Err(err).Msg("unable to retrieve user details from authentication token")
+	}
 
 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
 		logoutcontext.Cancel(tokenData.Token)
 	}
 
-	security.RemoveAuthCookie(w)
-
 	return response.Empty(w)
 }

api/http/handler/customtemplates/customtemplate_create.go

@@ -103,8 +103,6 @@ type customTemplateFromFileContentPayload struct {
 	FileContent string `validate:"required"`
 	// Definitions of variables in the stack file
 	Variables []portainer.CustomTemplateVariableDefinition
-	// EdgeTemplate indicates if this template purpose for Edge Stack
-	EdgeTemplate bool `example:"false"`
 }
 
 func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) error {
@@ -152,7 +150,7 @@ func isValidNote(note string) bool {
 // @success 200 {object} portainer.CustomTemplate
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
-// @router /custom_templates/create/string [post]
+// @router /custom_templates/string [post]
 func (handler *Handler) createCustomTemplateFromFileContent(r *http.Request) (*portainer.CustomTemplate, error) {
 	var payload customTemplateFromFileContentPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@@ -162,16 +160,15 @@ func (handler *Handler) createCustomTemplateFromFileContent(r *http.Request) (*p
 
 	customTemplateID := handler.DataStore.CustomTemplate().GetNextIdentifier()
 	customTemplate := &portainer.CustomTemplate{
-		ID:           portainer.CustomTemplateID(customTemplateID),
-		Title:        payload.Title,
-		EntryPoint:   filesystem.ComposeFileDefaultName,
-		Description:  payload.Description,
-		Note:         payload.Note,
-		Platform:     (payload.Platform),
-		Type:         (payload.Type),
-		Logo:         payload.Logo,
-		Variables:    payload.Variables,
-		EdgeTemplate: payload.EdgeTemplate,
+		ID:          portainer.CustomTemplateID(customTemplateID),
+		Title:       payload.Title,
+		EntryPoint:  filesystem.ComposeFileDefaultName,
+		Description: payload.Description,
+		Note:        payload.Note,
+		Platform:    (payload.Platform),
+		Type:        (payload.Type),
+		Logo:        payload.Logo,
+		Variables:   payload.Variables,
 	}
 
 	templateFolder := strconv.Itoa(customTemplateID)
@@ -221,8 +218,6 @@ type customTemplateFromGitRepositoryPayload struct {
 	TLSSkipVerify bool `example:"false"`
 	// IsComposeFormat indicates if the Kubernetes template is created from a Docker Compose file
 	IsComposeFormat bool `example:"false"`
-	// EdgeTemplate indicates if this template purpose for Edge Stack
-	EdgeTemplate bool `example:"false"`
 }
 
 func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -269,7 +264,7 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 // @success 200 {object} portainer.CustomTemplate
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
-// @router /custom_templates/create/repository [post]
+// @router /custom_templates/repository [post]
 func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (*portainer.CustomTemplate, error) {
 	var payload customTemplateFromGitRepositoryPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@@ -288,7 +283,6 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 		Logo:            payload.Logo,
 		Variables:       payload.Variables,
 		IsComposeFormat: payload.IsComposeFormat,
-		EdgeTemplate:    payload.EdgeTemplate,
 	}
 
 	getProjectPath := func() string {
@@ -373,8 +367,6 @@ type customTemplateFromFileUploadPayload struct {
 	FileContent []byte
 	// Definitions of variables in the stack file
 	Variables []portainer.CustomTemplateVariableDefinition
-	// EdgeTemplate indicates if this template purpose for Edge Stack
-	EdgeTemplate bool `example:"false"`
 }
 
 func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) error {
@@ -427,15 +419,8 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 		if err != nil {
 			return errors.New("Invalid variables. Ensure that the variables are valid JSON")
 		}
-		err = validateVariablesDefinitions(payload.Variables)
-		if err != nil {
-			return err
-		}
+		return validateVariablesDefinitions(payload.Variables)
 	}
-
-	edgeTemplate, _ := request.RetrieveBooleanMultiPartFormValue(r, "EdgeTemplate", true)
-	payload.EdgeTemplate = edgeTemplate
-
 	return nil
 }
 
@@ -459,7 +444,7 @@ func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) er
 // @success 200 {object} portainer.CustomTemplate
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
-// @router /custom_templates/create/file [post]
+// @router /custom_templates/file [post]
 func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*portainer.CustomTemplate, error) {
 	payload := &customTemplateFromFileUploadPayload{}
 	err := payload.Validate(r)
@@ -469,16 +454,15 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po
 
 	customTemplateID := handler.DataStore.CustomTemplate().GetNextIdentifier()
 	customTemplate := &portainer.CustomTemplate{
-		ID:           portainer.CustomTemplateID(customTemplateID),
-		Title:        payload.Title,
-		Description:  payload.Description,
-		Note:         payload.Note,
-		Platform:     payload.Platform,
-		Type:         payload.Type,
-		Logo:         payload.Logo,
-		EntryPoint:   filesystem.ComposeFileDefaultName,
-		Variables:    payload.Variables,
-		EdgeTemplate: payload.EdgeTemplate,
+		ID:          portainer.CustomTemplateID(customTemplateID),
+		Title:       payload.Title,
+		Description: payload.Description,
+		Note:        payload.Note,
+		Platform:    payload.Platform,
+		Type:        payload.Type,
+		Logo:        payload.Logo,
+		EntryPoint:  filesystem.ComposeFileDefaultName,
+		Variables:   payload.Variables,
 	}
 
 	templateFolder := strconv.Itoa(customTemplateID)

api/http/handler/customtemplates/customtemplate_git_fetch_test.go

@@ -2,6 +2,7 @@ package customtemplates
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"io/fs"
 	"net/http"
@@ -17,7 +18,6 @@ import (
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 
 	"github.com/segmentio/encoding/json"
@@ -76,7 +76,7 @@ func singleAPIRequest(h *Handler, jwt string, is *assert.Assertions, expect stri
 	}
 
 	req := httptest.NewRequest(http.MethodPut, "/custom_templates/1/git_fetch", bytes.NewBuffer([]byte("{}")))
-	testhelpers.AddTestSecurityCookie(req, jwt)
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
 
 	rr := httptest.NewRecorder()
 	h.ServeHTTP(rr, req)
@@ -132,8 +132,8 @@ func Test_customTemplateGitFetch(t *testing.T) {
 	h := NewHandler(requestBouncer, store, fileService, gitService)
 
 	// generate two standard users' tokens
-	jwt1, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user1.ID, Username: user1.Username, Role: user1.Role})
-	jwt2, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user2.ID, Username: user2.Username, Role: user2.Role})
+	jwt1, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user1.ID, Username: user1.Username, Role: user1.Role})
+	jwt2, _ := jwtService.GenerateToken(&portainer.TokenData{ID: user2.ID, Username: user2.Username, Role: user2.Role})
 
 	t.Run("can return the expected file content by a single call from one user", func(t *testing.T) {
 		singleAPIRequest(h, jwt1, is, "abcdefg")

api/http/handler/customtemplates/customtemplate_list.go

@@ -8,11 +8,8 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/slices"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-	"github.com/rs/zerolog/log"
 )
 
 // @id CustomTemplateList
@@ -24,7 +21,6 @@ import (
 // @security jwt
 // @produce json
 // @param type query []int true "Template types" Enums(1,2,3)
-// @param edge query boolean false "Filter by edge templates"
 // @success 200 {array} portainer.CustomTemplate "Success"
 // @failure 500 "Server error"
 // @router /custom_templates [get]
@@ -34,8 +30,6 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 		return httperror.BadRequest("Invalid Custom template type", err)
 	}
 
-	edge := retrieveEdgeParam(r)
-
 	customTemplates, err := handler.DataStore.CustomTemplate().ReadAll()
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve custom templates from the database", err)
@@ -69,37 +63,9 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 
 	customTemplates = filterByType(customTemplates, templateTypes)
 
-	if edge != nil {
-		customTemplates = slices.Filter(customTemplates, func(customTemplate portainer.CustomTemplate) bool {
-			return customTemplate.EdgeTemplate == *edge
-		})
-	}
-
-	for i := range customTemplates {
-		customTemplate := &customTemplates[i]
-		if customTemplate.GitConfig != nil && customTemplate.GitConfig.Authentication != nil {
-			customTemplate.GitConfig.Authentication.Password = ""
-		}
-	}
-
 	return response.JSON(w, customTemplates)
 }
 
-func retrieveEdgeParam(r *http.Request) *bool {
-	var edge *bool
-	edgeParam, _ := request.RetrieveQueryParameter(r, "edge", true)
-	if edgeParam != "" {
-		edgeVal, err := strconv.ParseBool(edgeParam)
-		if err != nil {
-			log.Warn().Err(err).Msg("failed parsing edge param")
-			return nil
-		}
-
-		edge = &edgeVal
-	}
-	return edge
-}
-
 func parseTemplateTypes(r *http.Request) ([]portainer.StackType, error) {
 	err := r.ParseForm()
 	if err != nil {

api/http/handler/customtemplates/customtemplate_update.go

@@ -59,8 +59,6 @@ type customTemplateUpdatePayload struct {
 	TLSSkipVerify bool `example:"false"`
 	// IsComposeFormat indicates if the Kubernetes template is created from a Docker Compose file
 	IsComposeFormat bool `example:"false"`
-	// EdgeTemplate indicates if this template purpose for Edge Stack
-	EdgeTemplate bool `example:"false"`
 }
 
 func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
@@ -163,7 +161,6 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 	customTemplate.Type = payload.Type
 	customTemplate.Variables = payload.Variables
 	customTemplate.IsComposeFormat = payload.IsComposeFormat
-	customTemplate.EdgeTemplate = payload.EdgeTemplate
 
 	if payload.RepositoryURL != "" {
 		if !govalidator.IsURL(payload.RepositoryURL) {
@@ -211,12 +208,10 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 		customTemplate.GitConfig = gitConfig
 	} else {
 		templateFolder := strconv.Itoa(customTemplateID)
-		projectPath, err := handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
+		_, err = handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
 		if err != nil {
 			return httperror.InternalServerError("Unable to persist updated custom template file on disk", err)
 		}
-
-		customTemplate.ProjectPath = projectPath
 	}
 
 	err = handler.DataStore.CustomTemplate().Update(customTemplate.ID, customTemplate)

api/http/handler/docker/images/images_list.go

@@ -2,16 +2,13 @@ package images
 
 import (
 	"net/http"
-	"strings"
 
-	"github.com/portainer/portainer/api/docker/client"
+	"github.com/docker/docker/api/types"
 	"github.com/portainer/portainer/api/http/handler/docker/utils"
 	"github.com/portainer/portainer/api/internal/set"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/docker/docker/api/types"
 )
 
 type ImageResponse struct {
@@ -50,12 +47,6 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		return httperror.InternalServerError("Unable to retrieve Docker images", err)
 	}
 
-	// Extract the node name from the custom transport
-	nodeNames := make(map[string]string)
-	if t, ok := cli.HTTPClient().Transport.(*client.NodeNameTransport); ok {
-		nodeNames = t.NodeNames()
-	}
-
 	withUsage, err := request.RetrieveBooleanQueryParameter(r, "withUsage", true)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: withUsage", err)
@@ -75,19 +66,12 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 
 	imagesList := make([]ImageResponse, len(images))
 	for i, image := range images {
-		if (image.RepoTags == nil || len(image.RepoTags) == 0) && (image.RepoDigests != nil && len(image.RepoDigests) > 0) {
-			for _, repoDigest := range image.RepoDigests {
-				image.RepoTags = append(image.RepoTags, repoDigest[0:strings.Index(repoDigest, "@")]+":<none>")
-			}
-		}
-
 		imagesList[i] = ImageResponse{
-			Created:  image.Created,
-			NodeName: nodeNames[image.ID],
-			ID:       image.ID,
-			Size:     image.Size,
-			Tags:     image.RepoTags,
-			Used:     imageUsageSet.Contains(image.ID),
+			Created: image.Created,
+			ID:      image.ID,
+			Size:    image.Size,
+			Tags:    image.RepoTags,
+			Used:    imageUsageSet.Contains(image.ID),
 		}
 	}
 

api/http/handler/edgestacks/edgestack_create_git.go

@@ -31,7 +31,7 @@ type edgeStackFromGitRepositoryPayload struct {
 	// Path to the Stack file inside the Git repository
 	FilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 	// List of identifiers of EdgeGroups
-	EdgeGroups []portainer.EdgeGroupID `example:"1" validate:"required"`
+	EdgeGroups []portainer.EdgeGroupID `example:"1"`
 	// Deployment type to deploy this stack
 	// Valid values are: 0 - 'compose', 1 - 'kubernetes'
 	// compose is enabled only for docker environments
@@ -85,6 +85,7 @@ func (payload *edgeStackFromGitRepositoryPayload) Validate(r *http.Request) erro
 // @security ApiKeyAuth
 // @security jwt
 // @produce json
+// @param method query string true "Creation Method" Enums(file,string,repository)
 // @param body body edgeStackFromGitRepositoryPayload true "stack config"
 // @param dryrun query string false "if true, will not create an edge stack, but just will check the settings and return a non-persisted edge stack object"
 // @success 200 {object} portainer.EdgeStack

api/http/handler/edgestacks/edgestack_status_update.go

@@ -135,11 +135,6 @@ func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, r *ht
 }
 
 func updateEnvStatus(environmentId portainer.EndpointID, stack *portainer.EdgeStack, deploymentStatus portainer.EdgeStackDeploymentStatus) {
-	if deploymentStatus.Type == portainer.EdgeStackStatusRemoved {
-		delete(stack.Status, environmentId)
-		return
-	}
-
 	environmentStatus, ok := stack.Status[environmentId]
 	if !ok {
 		environmentStatus = portainer.EdgeStackStatus{

api/http/handler/edgestacks/edgestack_update.go

@@ -2,6 +2,7 @@ package edgestacks
 
 import (
 	"net/http"
+	"time"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -189,3 +190,26 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 
 	return newRelatedEnvironmentIDs, endpointsToAdd, nil
 }
+
+func newStatus(oldStatus map[portainer.EndpointID]portainer.EdgeStackStatus, relatedEnvironmentIds []portainer.EndpointID) map[portainer.EndpointID]portainer.EdgeStackStatus {
+	newStatus := make(map[portainer.EndpointID]portainer.EdgeStackStatus)
+	for _, endpointID := range relatedEnvironmentIds {
+		newEnvStatus := portainer.EdgeStackStatus{}
+
+		oldEnvStatus, ok := oldStatus[endpointID]
+		if ok {
+			newEnvStatus = oldEnvStatus
+		}
+
+		newEnvStatus.Status = []portainer.EdgeStackDeploymentStatus{
+			{
+				Time: time.Now().Unix(),
+				Type: portainer.EdgeStackStatusPending,
+			},
+		}
+
+		newStatus[endpointID] = newEnvStatus
+	}
+
+	return newStatus
+}

api/http/handler/edgestacks/handler.go

@@ -1,10 +1,12 @@
 package edgestacks
 
 import (
+	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	edgestackservice "github.com/portainer/portainer/api/internal/edge/edgestacks"
@@ -24,6 +26,8 @@ type Handler struct {
 	KubernetesDeployer portainer.KubernetesDeployer
 }
 
+const contextKey = "edgeStack_item"
+
 // NewHandler creates a handler to manage environment(endpoint) group operations.
 func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, edgeStacksService *edgestackservice.Service) *Handler {
 	h := &Handler{
@@ -58,6 +62,35 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	return h
 }
 
+func (handler *Handler) convertAndStoreKubeManifestIfNeeded(stackFolder string, projectPath, composePath string, relatedEndpointIds []portainer.EndpointID) (manifestPath string, err error) {
+	hasKubeEndpoint, err := hasKubeEndpoint(handler.DataStore.Endpoint(), relatedEndpointIds)
+	if err != nil {
+		return "", fmt.Errorf("unable to check if edge stack has kube environments: %w", err)
+	}
+
+	if !hasKubeEndpoint {
+		return "", nil
+	}
+
+	composeConfig, err := handler.FileService.GetFileContent(projectPath, composePath)
+	if err != nil {
+		return "", fmt.Errorf("unable to retrieve Compose file from disk: %w", err)
+	}
+
+	kompose, err := handler.KubernetesDeployer.ConvertCompose(composeConfig)
+	if err != nil {
+		return "", fmt.Errorf("failed converting compose file to kubernetes manifest: %w", err)
+	}
+
+	komposeFileName := filesystem.ManifestFileDefaultName
+	_, err = handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, komposeFileName, kompose)
+	if err != nil {
+		return "", fmt.Errorf("failed to store kube manifest file: %w", err)
+	}
+
+	return komposeFileName, nil
+}
+
 func (handler *Handler) handlerDBErr(err error, msg string) *httperror.HandlerError {
 	httpErr := httperror.InternalServerError(msg, err)
 

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -2,7 +2,6 @@ package edgetemplates
 
 import (
 	"net/http"
-	"slices"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/client"
@@ -18,7 +17,6 @@ type templateFileFormat struct {
 }
 
 // @id EdgeTemplateList
-// @deprecated
 // @summary Fetches the list of Edge Templates
 // @description **Access policy**: administrator
 // @tags edge_templates
@@ -53,16 +51,10 @@ func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to parse template file", err)
 	}
 
-	// We only support version 3 of the template format
-	// this is only a temporary fix until we have custom edge templates
-	if templateFile.Version != "3" {
-		return httperror.InternalServerError("Unsupported template version", nil)
-	}
-
 	filteredTemplates := make([]portainer.Template, 0)
 
 	for _, template := range templateFile.Templates {
-		if slices.Contains(template.Categories, "edge") && slices.Contains([]portainer.TemplateType{portainer.ComposeStackTemplate, portainer.SwarmStackTemplate}, template.Type) {
+		if template.Type == portainer.EdgeStackTemplate {
 			filteredTemplates = append(filteredTemplates, template)
 		}
 	}

api/http/handler/edgetemplates/handler.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
@@ -26,7 +25,7 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 	}
 
 	h.Handle("/edge_templates",
-		bouncer.AdminAccess(middlewares.Deprecated(httperror.LoggerHandler(h.edgeTemplateList), func(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) { return "", nil }))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeTemplateList))).Methods(http.MethodGet)
 
 	return h
 }

api/http/handler/endpointedge/endpointedge_status_inspect.go

@@ -15,7 +15,6 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/cache"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@@ -154,9 +153,13 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque
 		return nil, httperror.InternalServerError("Unable to persist environment changes inside the database", err)
 	}
 
-	checkinInterval, err := edge.GetEffectiveCheckinInterval(tx, endpoint)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to retrieve the checkin interval", err)
+	checkinInterval := endpoint.EdgeCheckinInterval
+	if endpoint.EdgeCheckinInterval == 0 {
+		settings, err := tx.Settings().Settings()
+		if err != nil {
+			return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+		}
+		checkinInterval = settings.EdgeAgentCheckinInterval
 	}
 
 	tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)

api/http/handler/endpoints/endpoint_agent_browse_docs.go

@@ -19,8 +19,6 @@ package endpoints
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
 // @router /endpoints/{id}/docker/v2/browse/put [post]
-//
-//lint:ignore U1000 Ignore unused code, for documentation purposes
 func _fileBrowseFileUploadV2() {
 	// dummy function to make swag pick up the above docs for the following REST call
 	// POST request on /browse/put?volumeID=:id

api/http/handler/endpoints/endpoint_list.go

@@ -2,6 +2,7 @@ package endpoints
 
 import (
 	"net/http"
+	"sort"
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
@@ -29,7 +30,7 @@ const (
 // @produce json
 // @param start query int false "Start searching from"
 // @param limit query int false "Limit results to this value"
-// @param sort query sortKey false "Sort results by this value" Enum("Name", "Group", "Status", "LastCheckIn", "EdgeID")
+// @param sort query int false "Sort results by this value"
 // @param order query int false "Order sorted results by desc/asc" Enum("asc", "desc")
 // @param search query string false "Search query"
 // @param groupIds query []int false "List environments(endpoints) of these groups"
@@ -97,7 +98,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		return httperror.InternalServerError("Unable to filter endpoints", err)
 	}
 
-	sortEnvironmentsByField(filteredEndpoints, endpointGroups, getSortKey(sortField), sortOrder == "desc")
+	sortEndpointsByField(filteredEndpoints, endpointGroups, sortField, sortOrder == "desc")
 
 	filteredEndpointCount := len(filteredEndpoints)
 
@@ -146,6 +147,46 @@ func paginateEndpoints(endpoints []portainer.Endpoint, start, limit int) []porta
 	return endpoints[start:end]
 }
 
+func sortEndpointsByField(endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, sortField string, isSortDesc bool) {
+
+	switch sortField {
+	case "Name":
+		if isSortDesc {
+			sort.Stable(sort.Reverse(EndpointsByName(endpoints)))
+		} else {
+			sort.Stable(EndpointsByName(endpoints))
+		}
+
+	case "Group":
+		endpointGroupNames := make(map[portainer.EndpointGroupID]string, 0)
+		for _, group := range endpointGroups {
+			endpointGroupNames[group.ID] = group.Name
+		}
+
+		endpointsByGroup := EndpointsByGroup{
+			endpointGroupNames: endpointGroupNames,
+			endpoints:          endpoints,
+		}
+
+		if isSortDesc {
+			sort.Stable(sort.Reverse(endpointsByGroup))
+		} else {
+			sort.Stable(endpointsByGroup)
+		}
+
+	case "Status":
+		if isSortDesc {
+			sort.Slice(endpoints, func(i, j int) bool {
+				return endpoints[i].Status > endpoints[j].Status
+			})
+		} else {
+			sort.Slice(endpoints, func(i, j int) bool {
+				return endpoints[i].Status < endpoints[j].Status
+			})
+		}
+	}
+}
+
 func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.EndpointGroup) portainer.EndpointGroup {
 	var endpointGroup portainer.EndpointGroup
 	for _, group := range groups {

api/http/handler/endpoints/endpoint_list_test.go

@@ -211,7 +211,7 @@ func buildEndpointListRequest(query string) *http.Request {
 	restrictedCtx := security.StoreRestrictedRequestContext(req, &security.RestrictedRequestContext{UserID: 1, IsAdmin: true})
 	req = req.WithContext(restrictedCtx)
 
-	testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+	req.Header.Add("Authorization", "Bearer dummytoken")
 
 	return req
 }

api/http/handler/endpoints/sort.go

@@ -1,94 +1,46 @@
 package endpoints
 
 import (
-	"slices"
+	"strings"
 
 	"github.com/fvbommel/sortorder"
 	portainer "github.com/portainer/portainer/api"
 )
 
-type comp[T any] func(a, b T) int
+type EndpointsByName []portainer.Endpoint
 
-func stringComp(a, b string) int {
-	if sortorder.NaturalLess(a, b) {
-		return -1
-	} else if sortorder.NaturalLess(b, a) {
-		return 1
-	} else {
-		return 0
-	}
+func (e EndpointsByName) Len() int {
+	return len(e)
 }
 
-func sortEnvironmentsByField(environments []portainer.Endpoint, environmentGroups []portainer.EndpointGroup, sortField sortKey, isSortDesc bool) {
-	if sortField == "" {
-		return
-	}
-
-	var less comp[portainer.Endpoint]
-	switch sortField {
-	case sortKeyName:
-		less = func(a, b portainer.Endpoint) int {
-			return stringComp(a.Name, b.Name)
-		}
-
-	case sortKeyGroup:
-		environmentGroupNames := make(map[portainer.EndpointGroupID]string, 0)
-		for _, group := range environmentGroups {
-			environmentGroupNames[group.ID] = group.Name
-		}
-
-		// set the "unassigned" group name to be empty string
-		environmentGroupNames[1] = ""
-
-		less = func(a, b portainer.Endpoint) int {
-			aGroup := environmentGroupNames[a.GroupID]
-			bGroup := environmentGroupNames[b.GroupID]
-
-			return stringComp(aGroup, bGroup)
-		}
-
-	case sortKeyStatus:
-		less = func(a, b portainer.Endpoint) int {
-			return int(a.Status - b.Status)
-		}
-
-	case sortKeyLastCheckInDate:
-		less = func(a, b portainer.Endpoint) int {
-			return int(a.LastCheckInDate - b.LastCheckInDate)
-		}
-	case sortKeyEdgeID:
-		less = func(a, b portainer.Endpoint) int {
-			return stringComp(a.EdgeID, b.EdgeID)
-		}
-
-	}
-
-	slices.SortStableFunc(environments, func(a, b portainer.Endpoint) int {
-		mul := 1
-		if isSortDesc {
-			mul = -1
-		}
-
-		return less(a, b) * mul
-	})
-
+func (e EndpointsByName) Swap(i, j int) {
+	e[i], e[j] = e[j], e[i]
 }
 
-type sortKey string
+func (e EndpointsByName) Less(i, j int) bool {
+	return sortorder.NaturalLess(strings.ToLower(e[i].Name), strings.ToLower(e[j].Name))
+}
 
-const (
-	sortKeyName            sortKey = "Name"
-	sortKeyGroup           sortKey = "Group"
-	sortKeyStatus          sortKey = "Status"
-	sortKeyLastCheckInDate sortKey = "LastCheckIn"
-	sortKeyEdgeID          sortKey = "EdgeID"
-)
+type EndpointsByGroup struct {
+	endpointGroupNames map[portainer.EndpointGroupID]string
+	endpoints          []portainer.Endpoint
+}
 
-func getSortKey(sortField string) sortKey {
-	fieldAsSortKey := sortKey(sortField)
-	if slices.Contains([]sortKey{sortKeyName, sortKeyGroup, sortKeyStatus, sortKeyLastCheckInDate, sortKeyEdgeID}, fieldAsSortKey) {
-		return fieldAsSortKey
+func (e EndpointsByGroup) Len() int {
+	return len(e.endpoints)
+}
+
+func (e EndpointsByGroup) Swap(i, j int) {
+	e.endpoints[i], e.endpoints[j] = e.endpoints[j], e.endpoints[i]
+}
+
+func (e EndpointsByGroup) Less(i, j int) bool {
+	if e.endpoints[i].GroupID == e.endpoints[j].GroupID {
+		return false
 	}
 
-	return ""
+	groupA := e.endpointGroupNames[e.endpoints[i].GroupID]
+	groupB := e.endpointGroupNames[e.endpoints[j].GroupID]
+
+	return sortorder.NaturalLess(strings.ToLower(groupA), strings.ToLower(groupB))
 }

api/http/handler/endpoints/sort_test.go

@@ -1,168 +0,0 @@
-package endpoints
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/slices"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestSortEndpointsByField(t *testing.T) {
-	environments := []portainer.Endpoint{
-		{ID: 0, Name: "Environment 1", GroupID: 1, Status: 1, LastCheckInDate: 3, EdgeID: "edge32"},
-		{ID: 1, Name: "Environment 2", GroupID: 2, Status: 2, LastCheckInDate: 6, EdgeID: "edge57"},
-		{ID: 2, Name: "Environment 3", GroupID: 1, Status: 3, LastCheckInDate: 2, EdgeID: "test87"},
-		{ID: 3, Name: "Environment 4", GroupID: 2, Status: 4, LastCheckInDate: 1, EdgeID: "abc123"},
-	}
-
-	environmentGroups := []portainer.EndpointGroup{
-		{ID: 1, Name: "Group 1"},
-		{ID: 2, Name: "Group 2"},
-	}
-
-	tests := []struct {
-		name       string
-		sortField  sortKey
-		isSortDesc bool
-		expected   []portainer.EndpointID
-	}{
-		{
-			name:      "sort without value",
-			sortField: "",
-			expected: []portainer.EndpointID{
-				environments[0].ID,
-				environments[1].ID,
-				environments[2].ID,
-				environments[3].ID,
-			},
-		},
-		{
-			name:       "sort by name ascending",
-			sortField:  "Name",
-			isSortDesc: false,
-			expected: []portainer.EndpointID{
-				environments[0].ID,
-				environments[1].ID,
-				environments[2].ID,
-				environments[3].ID,
-			},
-		},
-		{
-			name:       "sort by name descending",
-			sortField:  "Name",
-			isSortDesc: true,
-			expected: []portainer.EndpointID{
-				environments[3].ID,
-				environments[2].ID,
-				environments[1].ID,
-				environments[0].ID,
-			},
-		},
-		{
-			name:       "sort by group name ascending",
-			sortField:  "Group",
-			isSortDesc: false,
-			expected: []portainer.EndpointID{
-				environments[0].ID,
-				environments[2].ID,
-				environments[1].ID,
-				environments[3].ID,
-			},
-		},
-		{
-			name:       "sort by group name descending",
-			sortField:  "Group",
-			isSortDesc: true,
-			expected: []portainer.EndpointID{
-				environments[1].ID,
-				environments[3].ID,
-				environments[0].ID,
-				environments[2].ID,
-			},
-		},
-
-		{
-			name:       "sort by status ascending",
-			sortField:  "Status",
-			isSortDesc: false,
-			expected: []portainer.EndpointID{
-				environments[0].ID,
-				environments[1].ID,
-				environments[2].ID,
-				environments[3].ID,
-			},
-		},
-		{
-			name:       "sort by status descending",
-			sortField:  "Status",
-			isSortDesc: true,
-			expected: []portainer.EndpointID{
-				environments[3].ID,
-				environments[2].ID,
-				environments[1].ID,
-				environments[0].ID,
-			},
-		},
-		{
-			name:       "sort by last check-in ascending",
-			sortField:  "LastCheckIn",
-			isSortDesc: false,
-			expected: []portainer.EndpointID{
-				environments[3].ID,
-				environments[2].ID,
-				environments[0].ID,
-				environments[1].ID,
-			},
-		},
-		{
-			name:       "sort by last check-in descending",
-			sortField:  "LastCheckIn",
-			isSortDesc: true,
-			expected: []portainer.EndpointID{
-				environments[1].ID,
-				environments[0].ID,
-				environments[2].ID,
-				environments[3].ID,
-			},
-		},
-		{
-			name:      "sort by edge ID ascending",
-			sortField: "EdgeID",
-			expected: []portainer.EndpointID{
-				environments[3].ID,
-				environments[0].ID,
-				environments[1].ID,
-				environments[2].ID,
-			},
-		},
-		{
-			name:       "sort by edge ID descending",
-			sortField:  "EdgeID",
-			isSortDesc: true,
-			expected: []portainer.EndpointID{
-				environments[2].ID,
-				environments[1].ID,
-				environments[0].ID,
-				environments[3].ID,
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			is := assert.New(t)
-			sortEnvironmentsByField(environments, environmentGroups, "Name", false) // reset to default sort order
-
-			sortEnvironmentsByField(environments, environmentGroups, tt.sortField, tt.isSortDesc)
-
-			is.Equal(tt.expected, getEndpointIDs(environments))
-		})
-	}
-}
-
-func getEndpointIDs(environments []portainer.Endpoint) []portainer.EndpointID {
-	return slices.Map(environments, func(environment portainer.Endpoint) portainer.EndpointID {
-		return environment.ID
-	})
-}

api/http/handler/handler.go

@@ -85,7 +85,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.21.0
+// @version 2.20.0
 // @description.markdown api-description.md
 // @termsOfService
 

api/http/handler/helm/handler.go

@@ -20,14 +20,14 @@ type Handler struct {
 	*mux.Router
 	requestBouncer           security.BouncerService
 	dataStore                dataservices.DataStore
-	jwtService               portainer.JWTService
+	jwtService               dataservices.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
 	helmPackageManager       libhelm.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService dataservices.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@@ -38,20 +38,19 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 		kubeClusterAccessService: kubeClusterAccessService,
 	}
 
-	h.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"),
-		bouncer.AuthenticatedAccess)
+	h.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"))
 
 	// `helm list -o json`
 	h.Handle("/{id}/kubernetes/helm",
-		httperror.LoggerHandler(h.helmList)).Methods(http.MethodGet)
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmList))).Methods(http.MethodGet)
 
 	// `helm delete RELEASE_NAME`
 	h.Handle("/{id}/kubernetes/helm/{release}",
-		httperror.LoggerHandler(h.helmDelete)).Methods(http.MethodDelete)
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmDelete))).Methods(http.MethodDelete)
 
 	// `helm install [NAME] [CHART] flags`
 	h.Handle("/{id}/kubernetes/helm",
-		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmInstall))).Methods(http.MethodPost)
 
 	// Deprecated
 	h.Handle("/{id}/kubernetes/helm/repositories",
@@ -70,14 +69,12 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh
 		requestBouncer:     bouncer,
 	}
 
-	h.Use(bouncer.AuthenticatedAccess)
-
 	h.Handle("/templates/helm",
-		httperror.LoggerHandler(h.helmRepoSearch)).Methods(http.MethodGet)
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmRepoSearch))).Methods(http.MethodGet)
 
 	// helm show [COMMAND] [CHART] [REPO] flags
 	h.Handle("/templates/helm/{command:chart|values|readme}",
-		httperror.LoggerHandler(h.helmShow)).Methods(http.MethodGet)
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmShow))).Methods(http.MethodGet)
 
 	return h
 }
@@ -96,7 +93,7 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
 	}
 
-	bearerToken, _, err := handler.jwtService.GenerateToken(tokenData)
+	bearerToken, err := handler.jwtService.GenerateToken(tokenData)
 	if err != nil {
 		return nil, httperror.Unauthorized("Unauthorized", err)
 	}

api/http/handler/helm/helm_delete_test.go

@@ -16,7 +16,6 @@ import (
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 )
 
@@ -49,7 +48,7 @@ func Test_helmDelete(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("/1/kubernetes/helm/%s", options.Name), nil)
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+		req.Header.Add("Authorization", "Bearer dummytoken")
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

api/http/handler/helm/helm_install_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
@@ -53,7 +52,7 @@ func Test_helmInstall(t *testing.T) {
 		req := httptest.NewRequest(http.MethodPost, "/1/kubernetes/helm", bytes.NewBuffer(optdata))
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+		req.Header.Add("Authorization", "Bearer dummytoken")
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

api/http/handler/helm/helm_list_test.go

@@ -10,7 +10,6 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
@@ -49,7 +48,7 @@ func Test_helmList(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
 		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
 		req = req.WithContext(ctx)
-		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+		req.Header.Add("Authorization", "Bearer dummytoken")
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

api/http/handler/kubernetes/configmaps_and_secrets.go

@@ -8,22 +8,6 @@ import (
 	"github.com/portainer/portainer/pkg/libhttp/response"
 )
 
-// @id getKubernetesConfigMapsAndSecrets
-// @summary Get ConfigMaps and Secrets
-// @description Get all ConfigMaps and Secrets for a given namespace
-// @description **Access policy**: authenticated
-// @tags kubernetes
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param id path int true "Environment (Endpoint) identifier"
-// @param namespace path string true "Namespace name"
-// @success 200 {array} []kubernetes.K8sConfigMapOrSecret "Success"
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /kubernetes/{id}/namespaces/{namespace}/configuration [get]
 func (handler *Handler) getKubernetesConfigMapsAndSecrets(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	namespace, err := request.RetrieveRouteVariableValue(r, "namespace")
 	if err != nil {

api/http/handler/kubernetes/handler.go

@@ -26,12 +26,12 @@ type Handler struct {
 	authorizationService     *authorization.Service
 	DataStore                dataservices.DataStore
 	KubernetesClientFactory  *cli.ClientFactory
-	JwtService               portainer.JWTService
+	JwtService               dataservices.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 }
 
 // NewHandler creates a handler to process pre-proxied requests to external APIs.
-func NewHandler(bouncer security.BouncerService, authorizationService *authorization.Service, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubeClusterAccessService kubernetes.KubeClusterAccessService, kubernetesClientFactory *cli.ClientFactory, kubernetesClient portainer.KubeClient) *Handler {
+func NewHandler(bouncer security.BouncerService, authorizationService *authorization.Service, dataStore dataservices.DataStore, jwtService dataservices.JWTService, kubeClusterAccessService kubernetes.KubeClusterAccessService, kubernetesClientFactory *cli.ClientFactory, kubernetesClient portainer.KubeClient) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		authorizationService:     authorizationService,
@@ -107,7 +107,6 @@ func kubeOnlyMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		rw.Header().Set(portainer.PortainerCacheHeader, "true")
 		next.ServeHTTP(rw, request)
 	})
 }
@@ -121,12 +120,7 @@ func (h *Handler) getProxyKubeClient(r *http.Request) (*cli.KubeClient, *httperr
 		return nil, httperror.BadRequest("Invalid environment identifier route variable", err)
 	}
 
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return nil, httperror.Forbidden("Permission denied to access environment", err)
-	}
-
-	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), r.Header.Get("Authorization"))
 	if !ok {
 		return nil, httperror.InternalServerError("Failed to lookup KubeClient", nil)
 	}
@@ -147,13 +141,8 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		tokenData, err := security.RetrieveTokenData(r)
-		if err != nil {
-			httperror.WriteError(w, http.StatusForbidden, "Permission denied to access environment", err)
-		}
-
 		// Check if we have a kubeclient against this auth token already, otherwise generate a new one
-		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), r.Header.Get("Authorization"))
 		if ok {
 			next.ServeHTTP(w, r)
 			return
@@ -175,6 +164,12 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
+		// Generate a proxied kubeconfig, then create a kubeclient using it.
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusForbidden, "Permission denied to access environment", err)
+			return
+		}
 		bearerToken, err := handler.JwtService.GenerateTokenForKubeconfig(tokenData)
 		if err != nil {
 			httperror.WriteError(w, http.StatusInternalServerError, "Unable to create JWT token", err)
@@ -213,7 +208,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), tokenData.Token, kubeCli)
+		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), r.Header.Get("Authorization"), kubeCli)
 		next.ServeHTTP(w, r)
 	})
 }

api/http/handler/kubernetes/ingresses.go

@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/middlewares"
@@ -177,9 +178,14 @@ func (handler *Handler) getKubernetesIngressControllersByNamespace(w http.Respon
 		)
 	}
 
-	cli, handlerErr := handler.getProxyKubeClient(r)
-	if handlerErr != nil {
-		return handlerErr
+	cli, ok := handler.KubernetesClientFactory.GetProxyKubeClient(
+		strconv.Itoa(endpointID), r.Header.Get("Authorization"),
+	)
+	if !ok {
+		return httperror.InternalServerError(
+			"Failed to lookup KubeClient",
+			nil,
+		)
 	}
 
 	currentControllers, err := cli.GetIngressControllers()

api/http/handler/kubernetes/namespaces.go

@@ -84,6 +84,7 @@ func (handler *Handler) getKubernetesNamespace(w http.ResponseWriter, r *http.Re
 // @accept json
 // @produce json
 // @param id path int true "Environment (Endpoint) identifier"
+// @param namespace path string true "Namespace"
 // @param body body models.K8sNamespaceDetails true "Namespace configuration details"
 // @success 200 {string} string "Success"
 // @failure 400 "Invalid request"

api/http/handler/settings/handler.go

@@ -23,7 +23,7 @@ type Handler struct {
 	*mux.Router
 	DataStore       dataservices.DataStore
 	FileService     portainer.FileService
-	JWTService      portainer.JWTService
+	JWTService      dataservices.JWTService
 	LDAPService     portainer.LDAPService
 	SnapshotService portainer.SnapshotService
 	demoService     *demo.Service

api/http/handler/stacks/stack_list.go

@@ -91,55 +91,25 @@ func (handler *Handler) stackList(w http.ResponseWriter, r *http.Request) *httpe
 	return response.JSON(w, stacks)
 }
 
-// filterStacks refines a collection of Stack instances using specified criteria.
-// This function examines the provided filters: EndpointID, SwarmID, and IncludeOrphanedStacks.
-// - If both EndpointID is zero and SwarmID is an empty string, the function directly returns the original stack list without any modifications.
-// - If either filter is specified, it proceeds to selectively include stacks that match the criteria.
-
-// Key Points on Business Logic:
-// 1. Determining Inclusion of Orphaned Stacks:
-//    - The decision to include orphaned stacks is influenced by the user's role and usually set by the client (UI).
-//    - Administrators or environment administrators can include orphaned stacks by setting IncludeOrphanedStacks to true, reflecting their broader access rights.
-//    - For non-administrative users, this is typically set to false, limiting their visibility to only stacks within their purview.
-
-// 2. Inclusion Criteria for Orphaned Stacks:
-//    - When IncludeOrphanedStacks is true and an EndpointID is specified (not zero), the function selects:
-//      a) Stacks linked to the specified EndpointID.
-//      b) Orphaned stacks that don't have a naming conflict with any stack associated with the EndpointID.
-//    - This approach is designed to avoid name conflicts within Docker Compose, which restricts the creation of multiple stacks with the same name.
-
-// 3. Type Matching for Orphaned Stacks:
-//    - The function ensures that orphaned stacks are compatible with the environment's stack type (compose or swarm).
-//    - It filters out orphaned swarm stacks in Docker standalone environments
-//    - It filters out orphaned standalone stack in Docker swarm environments
-//    - This ensures that re-association respects the constraints of the environment and stack type.
-
-// The outcome is a new list of stacks that align with these filtering and business logic criteria.
 func filterStacks(stacks []portainer.Stack, filters *stackListOperationFilters, endpoints []portainer.Endpoint) []portainer.Stack {
 	if filters.EndpointID == 0 && filters.SwarmID == "" {
 		return stacks
 	}
 
 	filteredStacks := make([]portainer.Stack, 0, len(stacks))
-	uniqueStackNames := make(map[string]struct{})
-	for _, stack := range stacks {
-		if stack.Type == portainer.DockerComposeStack && stack.EndpointID == portainer.EndpointID(filters.EndpointID) {
-			filteredStacks = append(filteredStacks, stack)
-			uniqueStackNames[stack.Name] = struct{}{}
-		}
-		if stack.Type == portainer.DockerSwarmStack && stack.SwarmID == filters.SwarmID {
-			filteredStacks = append(filteredStacks, stack)
-			uniqueStackNames[stack.Name] = struct{}{}
-		}
-	}
-
 	for _, stack := range stacks {
 		if filters.IncludeOrphanedStacks && isOrphanedStack(stack, endpoints) {
 			if (stack.Type == portainer.DockerComposeStack && filters.SwarmID == "") || (stack.Type == portainer.DockerSwarmStack && filters.SwarmID != "") {
-				if _, exists := uniqueStackNames[stack.Name]; !exists {
-					filteredStacks = append(filteredStacks, stack)
-				}
+				filteredStacks = append(filteredStacks, stack)
 			}
+			continue
+		}
+
+		if stack.Type == portainer.DockerComposeStack && stack.EndpointID == portainer.EndpointID(filters.EndpointID) {
+			filteredStacks = append(filteredStacks, stack)
+		}
+		if stack.Type == portainer.DockerSwarmStack && stack.SwarmID == filters.SwarmID {
+			filteredStacks = append(filteredStacks, stack)
 		}
 	}
 

api/http/handler/stacks/stack_list_test.go

@@ -1,74 +0,0 @@
-package stacks
-
-import (
-	"sort"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestFilterStacks(t *testing.T) {
-	t.Run("filter stacks against particular endpoint and all orphaned stacks", func(t *testing.T) {
-		stacks := []portainer.Stack{
-			{ID: 1, EndpointID: 3, Name: "normal_stack", Type: portainer.DockerComposeStack},
-			{ID: 2, EndpointID: 4, Name: "orphaned_stack", Type: portainer.DockerComposeStack},
-			{ID: 3, EndpointID: 5, Name: "other_stack", Type: portainer.DockerComposeStack},
-		}
-		filters := &stackListOperationFilters{EndpointID: 3, IncludeOrphanedStacks: true}
-		endpoints := []portainer.Endpoint{{ID: 3}, {ID: 5}}
-
-		expectStacks := []portainer.Stack{{ID: 1}, {ID: 2}}
-		actualStacks := filterStacks(stacks, filters, endpoints)
-
-		isEqualStacks(t, expectStacks, actualStacks)
-	})
-
-	t.Run("filter unique stacks against particular endpoint and all orphaned stacks and an orphaned stack has the same name with normal stack", func(t *testing.T) {
-		stacks := []portainer.Stack{
-			{ID: 1, EndpointID: 3, Name: "normal_stack", Type: portainer.DockerComposeStack},
-			{ID: 2, EndpointID: 4, Name: "orphaned_stack", Type: portainer.DockerComposeStack},
-			{ID: 3, EndpointID: 5, Name: "other_stack", Type: portainer.DockerComposeStack},
-			{ID: 4, EndpointID: 4, Name: "normal_stack", Type: portainer.DockerComposeStack},
-		}
-		filters := &stackListOperationFilters{EndpointID: 3, IncludeOrphanedStacks: true}
-		endpoints := []portainer.Endpoint{{ID: 3}, {ID: 5}}
-
-		expectStacks := []portainer.Stack{{ID: 1}, {ID: 2}}
-		actualStacks := filterStacks(stacks, filters, endpoints)
-
-		isEqualStacks(t, expectStacks, actualStacks)
-	})
-
-	t.Run("only filter stacks against particular endpoint and no orphaned stacks", func(t *testing.T) {
-		stacks := []portainer.Stack{
-			{ID: 1, EndpointID: 3, Name: "normal_stack", Type: portainer.DockerComposeStack},
-			{ID: 2, EndpointID: 4, Name: "orphaned_stack", Type: portainer.DockerComposeStack},
-			{ID: 3, EndpointID: 5, Name: "other_stack", Type: portainer.DockerComposeStack},
-			{ID: 4, EndpointID: 4, Name: "normal_stack", Type: portainer.DockerComposeStack},
-		}
-		filters := &stackListOperationFilters{EndpointID: 3, IncludeOrphanedStacks: false}
-		endpoints := []portainer.Endpoint{{ID: 3}, {ID: 5}}
-
-		expectStacks := []portainer.Stack{{ID: 1}}
-		actualStacks := filterStacks(stacks, filters, endpoints)
-
-		isEqualStacks(t, expectStacks, actualStacks)
-	})
-}
-
-func isEqualStacks(t *testing.T, expectStacks, actualStacks []portainer.Stack) {
-	expectStackIDs := make([]int, len(expectStacks))
-	for i, stack := range expectStacks {
-		expectStackIDs[i] = int(stack.ID)
-	}
-	sort.Ints(expectStackIDs)
-
-	actualStackIDs := make([]int, len(actualStacks))
-	for i, stack := range actualStacks {
-		actualStackIDs[i] = int(stack.ID)
-	}
-	sort.Ints(actualStackIDs)
-
-	assert.Equal(t, expectStackIDs, actualStackIDs)
-}

api/http/handler/stacks/stack_update_git_redeploy.go

@@ -27,8 +27,6 @@ type stackGitRedployPayload struct {
 	Prune                    bool
 	// Force a pulling to current image with the original tag though the image is already the latest
 	PullImage bool `example:"false"`
-
-	StackName string
 }
 
 func (payload *stackGitRedployPayload) Validate(r *http.Request) error {
@@ -46,7 +44,7 @@ func (payload *stackGitRedployPayload) Validate(r *http.Request) error {
 // @produce json
 // @param id path int true "Stack identifier"
 // @param endpointId query int false "Stacks created before version 1.18.0 might not have an associated environment(endpoint) identifier. Use this optional parameter to set the environment(endpoint) identifier used by the stack."
-// @param body body stackGitRedployPayload true "Git configs for pull and redeploy of a stack. **StackName** may only be populated for Kuberenetes stacks, and if specified with a blank string, it will be set to blank"
+// @param body body stackGitRedployPayload true "Git configs for pull and redeploy a stack"
 // @success 200 {object} portainer.Stack "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
@@ -138,10 +136,6 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 		}
 	}
 
-	if stack.Type == portainer.KubernetesStack {
-		stack.Name = payload.StackName
-	}
-
 	repositoryUsername := ""
 	repositoryPassword := ""
 	if payload.RepositoryAuthentication {

api/http/handler/stacks/update_kubernetes_stack.go

@@ -41,6 +41,9 @@ func (payload *kubernetesFileStackUpdatePayload) Validate(r *http.Request) error
 	if govalidator.IsNull(payload.StackFileContent) {
 		return errors.New("Invalid stack file content")
 	}
+	if govalidator.IsNull(payload.StackName) {
+		return errors.New("Invalid stack name")
+	}
 	return nil
 }
 

api/http/handler/system/handler.go

@@ -47,7 +47,7 @@ func NewHandler(bouncer security.BouncerService,
 	authenticatedRouter := router.PathPrefix("/").Subrouter()
 	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 
-	authenticatedRouter.Handle("/version", httperror.LoggerHandler(h.version)).Methods(http.MethodGet)
+	authenticatedRouter.Handle("/version", http.HandlerFunc(h.version)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/nodes", httperror.LoggerHandler(h.systemNodesCount)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/info", httperror.LoggerHandler(h.systemInfo)).Methods(http.MethodGet)
 

api/http/handler/system/version.go

@@ -2,13 +2,10 @@ package system
 
 import (
 	"net/http"
-	"os"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/build"
 	"github.com/portainer/portainer/api/http/client"
-	"github.com/portainer/portainer/api/http/security"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 
 	"github.com/coreos/go-semver/semver"
@@ -35,8 +32,6 @@ type BuildInfo struct {
 	YarnVersion    string
 	WebpackVersion string
 	GoVersion      string
-	GitCommit      string
-	Env            []string `json:",omitempty"`
 }
 
 // @id systemVersion
@@ -49,11 +44,7 @@ type BuildInfo struct {
 // @produce json
 // @success 200 {object} versionResponse "Success"
 // @router /system/version [get]
-func (handler *Handler) version(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	isAdmin, err := security.IsAdmin(r)
-	if err != nil {
-		return httperror.Forbidden("Permission denied to access Portainer", err)
-	}
+func (handler *Handler) version(w http.ResponseWriter, r *http.Request) {
 
 	result := &versionResponse{
 		ServerVersion:   portainer.APIVersion,
@@ -66,21 +57,16 @@ func (handler *Handler) version(w http.ResponseWriter, r *http.Request) *httperr
 			YarnVersion:    build.YarnVersion,
 			WebpackVersion: build.WebpackVersion,
 			GoVersion:      build.GoVersion,
-			GitCommit:      build.GitCommit,
 		},
 	}
 
-	if isAdmin {
-		result.Build.Env = os.Environ()
-	}
-
 	latestVersion := GetLatestVersion()
 	if HasNewerVersion(portainer.APIVersion, latestVersion) {
 		result.UpdateAvailable = true
 		result.LatestVersion = latestVersion
 	}
 
-	return response.JSON(w, &result)
+	response.JSON(w, &result)
 }
 
 func GetLatestVersion() string {

api/http/handler/system/version_test.go

@@ -1,6 +1,7 @@
 package system
 
 import (
+	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -12,7 +13,6 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 
 	"github.com/segmentio/encoding/json"
@@ -43,12 +43,12 @@ func Test_getSystemVersion(t *testing.T) {
 	h := NewHandler(requestBouncer, &portainer.Status{}, &demo.Service{}, store, nil)
 
 	// generate standard and admin user tokens
-	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
 
 	t.Run("Display Edition", func(t *testing.T) {
 
 		req := httptest.NewRequest(http.MethodGet, "/system/version", nil)
-		testhelpers.AddTestSecurityCookie(req, jwt)
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

api/http/handler/teammemberships/handler.go

@@ -3,13 +3,9 @@ package teammemberships
 import (
 	"net/http"
 
-	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/rs/zerolog/log"
 
 	"github.com/gorilla/mux"
 )
@@ -17,8 +13,7 @@ import (
 // Handler is the HTTP handler used to handle team membership operations.
 type Handler struct {
 	*mux.Router
-	DataStore        dataservices.DataStore
-	K8sClientFactory *cli.ClientFactory
+	DataStore dataservices.DataStore
 }
 
 // NewHandler creates a handler to manage team membership operations.
@@ -36,27 +31,3 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	return h
 }
-
-func (handler *Handler) updateUserServiceAccounts(membership *portainer.TeamMembership) {
-	endpoints, err := handler.DataStore.Endpoint().EndpointsByTeamID(membership.TeamID)
-	if err != nil {
-		log.Error().Err(err).Msgf("failed fetching environments for team %d", membership.TeamID)
-		return
-	}
-	for _, endpoint := range endpoints {
-		restrictDefaultNamespace := endpoint.Kubernetes.Configuration.RestrictDefaultNamespace
-		// update kubernenets service accounts if the team is associated with a kubernetes environment
-		if endpointutils.IsKubernetesEndpoint(&endpoint) {
-			kubecli, err := handler.K8sClientFactory.GetKubeClient(&endpoint)
-			if err != nil {
-				log.Error().Err(err).Msgf("failed getting kube client for environment %d", endpoint.ID)
-				continue
-			}
-			teamIDs := []int{int(membership.TeamID)}
-			err = kubecli.SetupUserServiceAccount(int(membership.UserID), teamIDs, restrictDefaultNamespace)
-			if err != nil {
-				log.Error().Err(err).Msgf("failed setting-up service account for user %d", membership.UserID)
-			}
-		}
-	}
-}

api/http/handler/teammemberships/teammembership_create.go

@@ -91,7 +91,5 @@ func (handler *Handler) teamMembershipCreate(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to persist team memberships inside the database", err)
 	}
 
-	defer handler.updateUserServiceAccounts(membership)
-
 	return response.JSON(w, membership)
 }

api/http/handler/teammemberships/teammembership_delete.go

@@ -52,7 +52,5 @@ func (handler *Handler) teamMembershipDelete(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to remove the team membership from the database", err)
 	}
 
-	defer handler.updateUserServiceAccounts(membership)
-
 	return response.Empty(w)
 }

api/http/handler/teammemberships/teammembership_update.go

@@ -90,7 +90,5 @@ func (handler *Handler) teamMembershipUpdate(w http.ResponseWriter, r *http.Requ
 		return httperror.InternalServerError("Unable to persist membership changes inside the database", err)
 	}
 
-	defer handler.updateUserServiceAccounts(membership)
-
 	return response.JSON(w, membership)
 }

api/http/handler/teams/team_list_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 
 	"github.com/segmentio/encoding/json"
@@ -40,7 +39,7 @@ func Test_teamList(t *testing.T) {
 	h.DataStore = store
 
 	// generate admin user tokens
-	adminJWT, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
+	adminJWT, _ := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
 
 	// Case 1: the team is given the endpoint access directly
 	// create teams
@@ -78,11 +77,11 @@ func Test_teamList(t *testing.T) {
 	err = store.Endpoint().Create(endpointWithTeamAccessPolicy)
 	is.NoError(err, "error creating endpoint")
 
-	jwt, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccessByTeam.ID, Username: userWithEndpointAccessByTeam.Username, Role: userWithEndpointAccessByTeam.Role})
+	jwt, _ := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccessByTeam.ID, Username: userWithEndpointAccessByTeam.Username, Role: userWithEndpointAccessByTeam.Role})
 
 	t.Run("admin user can successfully list all teams", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/teams", nil)
-		testhelpers.AddTestSecurityCookie(req, adminJWT)
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@@ -103,7 +102,7 @@ func Test_teamList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointWithTeamAccessPolicy.ID))
 		req := httptest.NewRequest(http.MethodGet, "/teams?"+params.Encode(), nil)
-		testhelpers.AddTestSecurityCookie(req, adminJWT)
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@@ -125,7 +124,7 @@ func Test_teamList(t *testing.T) {
 
 	t.Run("standard user only can list team where he belongs to", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/teams", nil)
-		testhelpers.AddTestSecurityCookie(req, jwt)
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", jwt))
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
@@ -169,7 +168,7 @@ func Test_teamList(t *testing.T) {
 		params := url.Values{}
 		params.Add("environmentId", fmt.Sprintf("%d", endpointUnderGroupWithTeam.ID))
 		req := httptest.NewRequest(http.MethodGet, "/teams?"+params.Encode(), nil)
-		testhelpers.AddTestSecurityCookie(req, adminJWT)
+		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", adminJWT))
 
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)

api/http/handler/templates/handler.go

@@ -26,10 +26,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 	}
 
 	h.Handle("/templates",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateList))).Methods(http.MethodGet)
-	h.Handle("/templates/{id}/file",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFile))).Methods(http.MethodPost)
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.templateList))).Methods(http.MethodGet)
 	h.Handle("/templates/file",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFileOld))).Methods(http.MethodPost)
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.templateFile))).Methods(http.MethodPost)
 	return h
 }

api/http/handler/templates/template_file.go

@@ -1,22 +1,72 @@
 package templates
 
 import (
+	"errors"
 	"net/http"
-	"slices"
 
 	portainer "github.com/portainer/portainer/api"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 
+	"github.com/asaskevich/govalidator"
 	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
 )
 
+type filePayload struct {
+	// URL of a git repository where the file is stored
+	RepositoryURL string `example:"https://github.com/portainer/portainer-compose" validate:"required"`
+	// Path to the file inside the git repository
+	ComposeFilePathInRepository string `example:"./subfolder/docker-compose.yml" validate:"required"`
+}
+
 type fileResponse struct {
 	// The requested file content
 	FileContent string `example:"version:2"`
 }
 
+func (payload *filePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.RepositoryURL) {
+		return errors.New("Invalid repository url")
+	}
+
+	if govalidator.IsNull(payload.ComposeFilePathInRepository) {
+		return errors.New("Invalid file path")
+	}
+
+	return nil
+}
+
+func (handler *Handler) ifRequestedTemplateExists(payload *filePayload) *httperror.HandlerError {
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
+	}
+
+	resp, err := http.Get(settings.TemplatesURL)
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve templates via the network", err)
+	}
+	defer resp.Body.Close()
+
+	var templates struct {
+		Templates []portainer.Template
+	}
+	err = json.NewDecoder(resp.Body).Decode(&templates)
+	if err != nil {
+		return httperror.InternalServerError("Unable to parse template file", err)
+	}
+
+	for _, t := range templates.Templates {
+		if t.Repository.URL == payload.RepositoryURL && t.Repository.StackFile == payload.ComposeFilePathInRepository {
+			return nil
+		}
+	}
+
+	return httperror.InternalServerError("Invalid template", errors.New("requested template does not exist"))
+}
+
 // @id TemplateFile
 // @summary Get a template's file
 // @description Get a template's file
@@ -26,42 +76,21 @@ type fileResponse struct {
 // @security jwt
 // @accept json
 // @produce json
-// @param id path int true "Template identifier"
+// @param body body filePayload true "File details"
 // @success 200 {object} fileResponse "Success"
 // @failure 400 "Invalid request"
 // @failure 500 "Server error"
-// @router /templates/{id}/file [post]
+// @router /templates/file [post]
 func (handler *Handler) templateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	var payload filePayload
+
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
-		return httperror.BadRequest("Invalid template identifier", err)
+		return httperror.BadRequest("Invalid request payload", err)
 	}
 
-	templatesResponse, httpErr := handler.fetchTemplates()
-	if httpErr != nil {
-		return httpErr
-	}
-
-	templateIdx := slices.IndexFunc(templatesResponse.Templates, func(template portainer.Template) bool {
-		return template.ID == portainer.TemplateID(id)
-	})
-
-	if templateIdx == -1 {
-		return httperror.NotFound("Unable to find a template with the specified identifier", nil)
-	}
-
-	template := templatesResponse.Templates[templateIdx]
-
-	if template.Type == portainer.ContainerTemplate {
-		return httperror.BadRequest("Invalid template type", nil)
-	}
-
-	if template.StackFile != "" {
-		return response.JSON(w, fileResponse{FileContent: template.StackFile})
-	}
-
-	if template.Repository.StackFile == "" || template.Repository.URL == "" {
-		return httperror.BadRequest("Invalid template configuration", nil)
+	if err := handler.ifRequestedTemplateExists(&payload); err != nil {
+		return err
 	}
 
 	projectPath, err := handler.FileService.GetTemporaryPath()
@@ -71,12 +100,12 @@ func (handler *Handler) templateFile(w http.ResponseWriter, r *http.Request) *ht
 
 	defer handler.cleanUp(projectPath)
 
-	err = handler.GitService.CloneRepository(projectPath, template.Repository.URL, "", "", "", false)
+	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, "", "", "", false)
 	if err != nil {
 		return httperror.InternalServerError("Unable to clone git repository", err)
 	}
 
-	fileContent, err := handler.FileService.GetFileContent(projectPath, template.Repository.StackFile)
+	fileContent, err := handler.FileService.GetFileContent(projectPath, payload.ComposeFilePathInRepository)
 	if err != nil {
 		return httperror.InternalServerError("Failed loading file content", err)
 	}

api/http/handler/templates/template_file_old.go

@@ -1,95 +0,0 @@
-package templates
-
-import (
-	"errors"
-	"net/http"
-
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-	"github.com/rs/zerolog/log"
-
-	"github.com/asaskevich/govalidator"
-)
-
-type filePayload struct {
-	// URL of a git repository where the file is stored
-	RepositoryURL string `example:"https://github.com/portainer/portainer-compose" validate:"required"`
-	// Path to the file inside the git repository
-	ComposeFilePathInRepository string `example:"./subfolder/docker-compose.yml" validate:"required"`
-}
-
-func (payload *filePayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.RepositoryURL) {
-		return errors.New("Invalid repository url")
-	}
-
-	if govalidator.IsNull(payload.ComposeFilePathInRepository) {
-		return errors.New("Invalid file path")
-	}
-
-	return nil
-}
-
-func (handler *Handler) ifRequestedTemplateExists(payload *filePayload) *httperror.HandlerError {
-	response, httpErr := handler.fetchTemplates()
-	if httpErr != nil {
-		return httpErr
-	}
-
-	for _, t := range response.Templates {
-		if t.Repository.URL == payload.RepositoryURL && t.Repository.StackFile == payload.ComposeFilePathInRepository {
-			return nil
-		}
-	}
-	return httperror.InternalServerError("Invalid template", errors.New("requested template does not exist"))
-}
-
-// @id TemplateFileOld
-// @summary Get a template's file
-// @deprecated
-// @description Get a template's file
-// @description **Access policy**: authenticated
-// @tags templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param body body filePayload true "File details"
-// @success 200 {object} fileResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @router /templates/file [post]
-func (handler *Handler) templateFileOld(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	log.Warn().Msg("This api is deprecated. Please use /templates/{id}/file instead")
-
-	var payload filePayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return httperror.BadRequest("Invalid request payload", err)
-	}
-
-	if err := handler.ifRequestedTemplateExists(&payload); err != nil {
-		return err
-	}
-
-	projectPath, err := handler.FileService.GetTemporaryPath()
-	if err != nil {
-		return httperror.InternalServerError("Unable to create temporary folder", err)
-	}
-
-	defer handler.cleanUp(projectPath)
-
-	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, "", "", "", false)
-	if err != nil {
-		return httperror.InternalServerError("Unable to clone git repository", err)
-	}
-
-	fileContent, err := handler.FileService.GetFileContent(projectPath, payload.ComposeFilePathInRepository)
-	if err != nil {
-		return httperror.InternalServerError("Failed loading file content", err)
-	}
-
-	return response.JSON(w, fileResponse{FileContent: string(fileContent)})
-
-}

api/http/handler/templates/template_list.go

@@ -1,12 +1,19 @@
 package templates
 
 import (
+	"io"
 	"net/http"
 
+	portainer "github.com/portainer/portainer/api"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/response"
 )
 
+// introduced for swagger
+type listResponse struct {
+	Version   string
+	Templates []portainer.Template
+}
+
 // @id TemplateList
 // @summary List available templates
 // @description List available templates.
@@ -19,10 +26,22 @@ import (
 // @failure 500 "Server error"
 // @router /templates [get]
 func (handler *Handler) templateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	templates, httpErr := handler.fetchTemplates()
-	if httpErr != nil {
-		return httpErr
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
 	}
 
-	return response.JSON(w, templates)
+	resp, err := http.Get(settings.TemplatesURL)
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve templates via the network", err)
+	}
+	defer resp.Body.Close()
+
+	w.Header().Set("Content-Type", "application/json")
+	_, err = io.Copy(w, resp.Body)
+	if err != nil {
+		return httperror.InternalServerError("Unable to write templates from templates URL", err)
+	}
+
+	return nil
 }

api/http/handler/templates/utils_fetch_templates.go

@@ -1,41 +0,0 @@
-package templates
-
-import (
-	"net/http"
-
-	portainer "github.com/portainer/portainer/api"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/segmentio/encoding/json"
-)
-
-type listResponse struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
-func (handler *Handler) fetchTemplates() (*listResponse, *httperror.HandlerError) {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	templatesURL := settings.TemplatesURL
-	if templatesURL == "" {
-		templatesURL = portainer.DefaultTemplatesURL
-	}
-
-	resp, err := http.Get(templatesURL)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to retrieve templates via the network", err)
-	}
-	defer resp.Body.Close()
-
-	var body *listResponse
-	err = json.NewDecoder(resp.Body).Decode(&body)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to parse template file", err)
-	}
-
-	return body, nil
-
-}

api/http/handler/users/handler.go

@@ -20,6 +20,7 @@ var (
 	errAdminCannotRemoveSelf      = errors.New("Cannot remove your own user account. Contact another administrator")
 	errCannotRemoveLastLocalAdmin = errors.New("Cannot remove the last local administrator account")
 	errCryptoHashFailure          = errors.New("Unable to hash data")
+	errWrongPassword              = errors.New("Wrong password")
 )
 
 func hideFields(user *portainer.User) {
@@ -66,9 +67,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 
 	adminRouter.Handle("/users", httperror.LoggerHandler(h.userCreate)).Methods(http.MethodPost)
 	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
-
-	authenticatedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
-	restrictedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
 	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)
@@ -77,7 +75,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	restrictedRouter.Handle("/users/{id}/tokens/{keyID}", httperror.LoggerHandler(h.userRemoveAccessToken)).Methods(http.MethodDelete)
 	restrictedRouter.Handle("/users/{id}/memberships", httperror.LoggerHandler(h.userMemberships)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}/passwd", rateLimiter.LimitAccess(httperror.LoggerHandler(h.userUpdatePassword))).Methods(http.MethodPut)
-
 	publicRouter.Handle("/users/admin/check", httperror.LoggerHandler(h.adminCheck)).Methods(http.MethodGet)
 	publicRouter.Handle("/users/admin/init", httperror.LoggerHandler(h.adminInit)).Methods(http.MethodPost)