feat/ee-1977/rollup-duplicated-volumes

feat(stack): make stack from app template editable

.vscode.example/portainer.code-snippets

@@ -150,6 +150,7 @@
       "// @description ",
       "// @description **Access policy**: ",
       "// @tags ",
+      "// @security ApiKeyAuth",
       "// @security jwt",
       "// @accept json",
       "// @produce json",

CONTRIBUTING.md

@@ -120,6 +120,7 @@ When adding a new route to an existing handler use the following as a template (
 // @description
 // @description **Access policy**:
 // @tags
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/apikey/apikey.go

@@ -0,0 +1,30 @@
+package apikey
+
+import (
+	"crypto/rand"
+	"io"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+// APIKeyService represents a service for managing API keys.
+type APIKeyService interface {
+	HashRaw(rawKey string) []byte
+	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
+	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
+	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
+	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
+	UpdateAPIKey(apiKey *portainer.APIKey) error
+	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
+	InvalidateUserKeyCache(userId portainer.UserID) bool
+}
+
+// generateRandomKey generates a random key of specified length
+// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
+func generateRandomKey(length int) []byte {
+	k := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, k); err != nil {
+		return nil
+	}
+	return k
+}

api/apikey/apikey_test.go

@@ -0,0 +1,50 @@
+package apikey
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_generateRandomKey(t *testing.T) {
+	is := assert.New(t)
+
+	tests := []struct {
+		name      string
+		wantLenth int
+	}{
+		{
+			name:      "Generate a random key of length 16",
+			wantLenth: 16,
+		},
+		{
+			name:      "Generate a random key of length 32",
+			wantLenth: 32,
+		},
+		{
+			name:      "Generate a random key of length 64",
+			wantLenth: 64,
+		},
+		{
+			name:      "Generate a random key of length 128",
+			wantLenth: 128,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := generateRandomKey(tt.wantLenth)
+			is.Equal(tt.wantLenth, len(got))
+		})
+	}
+
+	t.Run("Generated keys are unique", func(t *testing.T) {
+		keys := make(map[string]bool)
+		for i := 0; i < 100; i++ {
+			key := generateRandomKey(8)
+			_, ok := keys[string(key)]
+			is.False(ok)
+			keys[string(key)] = true
+		}
+	})
+}

api/apikey/cache.go

@@ -0,0 +1,69 @@
+package apikey
+
+import (
+	lru "github.com/hashicorp/golang-lru"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const defaultAPIKeyCacheSize = 1024
+
+// entry is a tuple containing the user and API key associated to an API key digest
+type entry struct {
+	user   portainer.User
+	apiKey portainer.APIKey
+}
+
+// apiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
+// We store the api-key digest (keys) and the associated user and key-data (values) in the cache.
+// This is required because HTTP requests will contain only the api-key digest in the x-api-key request header;
+// digest value must be mapped to a portainer user (and respective key data) for validation.
+// This cache is used to avoid multiple database queries to retrieve these user/key associated to the digest.
+type apiKeyCache struct {
+	// cache type [string]entry cache (key: string(digest), value: user/key entry)
+	// note: []byte keys are not supported by golang-lru Cache
+	cache *lru.Cache
+}
+
+// NewAPIKeyCache creates a new cache for API keys
+func NewAPIKeyCache(cacheSize int) *apiKeyCache {
+	cache, _ := lru.New(cacheSize)
+	return &apiKeyCache{cache: cache}
+}
+
+// Get returns the user/key associated to an api-key's digest
+// This is required because HTTP requests will contain the digest of the API key in header,
+// the digest value must be mapped to a portainer user.
+func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool) {
+	val, ok := c.cache.Get(string(digest))
+	if !ok {
+		return portainer.User{}, portainer.APIKey{}, false
+	}
+	tuple := val.(entry)
+
+	return tuple.user, tuple.apiKey, true
+}
+
+// Set persists a user/key entry to the cache
+func (c *apiKeyCache) Set(digest []byte, user portainer.User, apiKey portainer.APIKey) {
+	c.cache.Add(string(digest), entry{
+		user:   user,
+		apiKey: apiKey,
+	})
+}
+
+// Delete evicts a digest's user/key entry key from the cache
+func (c *apiKeyCache) Delete(digest []byte) {
+	c.cache.Remove(string(digest))
+}
+
+// InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
+func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
+	present := false
+	for _, k := range c.cache.Keys() {
+		user, _, _ := c.Get([]byte(k.(string)))
+		if user.ID == userId {
+			present = c.cache.Remove(k)
+		}
+	}
+	return present
+}

api/apikey/cache_test.go

@@ -0,0 +1,181 @@
+package apikey
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_apiKeyCacheGet(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	// pre-populate cache
+	keyCache.cache.Add(string("foo"), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+
+	tests := []struct {
+		digest []byte
+		found  bool
+	}{
+		{
+			digest: []byte("foo"),
+			found:  true,
+		},
+		{
+			digest: []byte(""),
+			found:  true,
+		},
+		{
+			digest: []byte("bar"),
+			found:  false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(string(test.digest), func(t *testing.T) {
+			_, _, found := keyCache.Get(test.digest)
+			is.Equal(test.found, found)
+		})
+	}
+}
+
+func Test_apiKeyCacheSet(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	// pre-populate cache
+	keyCache.Set([]byte("bar"), portainer.User{ID: 2}, portainer.APIKey{})
+	keyCache.Set([]byte("foo"), portainer.User{ID: 1}, portainer.APIKey{})
+
+	// overwrite existing entry
+	keyCache.Set([]byte("foo"), portainer.User{ID: 3}, portainer.APIKey{})
+
+	val, ok := keyCache.cache.Get(string("bar"))
+	is.True(ok)
+
+	tuple := val.(entry)
+	is.Equal(portainer.User{ID: 2}, tuple.user)
+
+	val, ok = keyCache.cache.Get(string("foo"))
+	is.True(ok)
+
+	tuple = val.(entry)
+	is.Equal(portainer.User{ID: 3}, tuple.user)
+}
+
+func Test_apiKeyCacheDelete(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	t.Run("Delete an existing entry", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.Delete([]byte("foo"))
+
+		_, ok := keyCache.cache.Get(string("foo"))
+		is.False(ok)
+	})
+
+	t.Run("Delete a non-existing entry", func(t *testing.T) {
+		nonPanicFunc := func() { keyCache.Delete([]byte("non-existent-key")) }
+		is.NotPanics(nonPanicFunc)
+	})
+}
+
+func Test_apiKeyCacheLRU(t *testing.T) {
+	is := assert.New(t)
+
+	tests := []struct {
+		name        string
+		cacheLen    int
+		key         []string
+		foundKeys   []string
+		evictedKeys []string
+	}{
+		{
+			name:        "Cache length is 1, add 2 keys",
+			cacheLen:    1,
+			key:         []string{"foo", "bar"},
+			foundKeys:   []string{"bar"},
+			evictedKeys: []string{"foo"},
+		},
+		{
+			name:        "Cache length is 1, add 3 keys",
+			cacheLen:    1,
+			key:         []string{"foo", "bar", "baz"},
+			foundKeys:   []string{"baz"},
+			evictedKeys: []string{"foo", "bar"},
+		},
+		{
+			name:        "Cache length is 2, add 3 keys",
+			cacheLen:    2,
+			key:         []string{"foo", "bar", "baz"},
+			foundKeys:   []string{"bar", "baz"},
+			evictedKeys: []string{"foo"},
+		},
+		{
+			name:        "Cache length is 2, add 4 keys",
+			cacheLen:    2,
+			key:         []string{"foo", "bar", "baz", "qux"},
+			foundKeys:   []string{"baz", "qux"},
+			evictedKeys: []string{"foo", "bar"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			keyCache := NewAPIKeyCache(test.cacheLen)
+
+			for _, key := range test.key {
+				keyCache.Set([]byte(key), portainer.User{ID: 1}, portainer.APIKey{})
+			}
+
+			for _, key := range test.foundKeys {
+				_, _, found := keyCache.Get([]byte(key))
+				is.True(found, "Key %s not found", key)
+			}
+
+			for _, key := range test.evictedKeys {
+				_, _, found := keyCache.Get([]byte(key))
+				is.False(found, "key %s should have been evicted", key)
+			}
+		})
+	}
+}
+
+func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	t.Run("Removes users keys from cache", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+
+		ok := keyCache.InvalidateUserKeyCache(1)
+		is.True(ok)
+
+		_, ok = keyCache.cache.Get(string("foo"))
+		is.False(ok)
+	})
+
+	t.Run("Does not affect other keys", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("bar"), entry{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})
+
+		ok := keyCache.InvalidateUserKeyCache(1)
+		is.True(ok)
+
+		ok = keyCache.InvalidateUserKeyCache(1)
+		is.False(ok)
+
+		_, ok = keyCache.cache.Get(string("foo"))
+		is.False(ok)
+
+		_, ok = keyCache.cache.Get(string("bar"))
+		is.True(ok)
+	})
+}

api/apikey/service.go

@@ -0,0 +1,126 @@
+package apikey
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+const portainerAPIKeyPrefix = "ptr_"
+
+var ErrInvalidAPIKey = errors.New("Invalid API key")
+
+type apiKeyService struct {
+	apiKeyRepository portainer.APIKeyRepository
+	userRepository   portainer.UserService
+	cache            *apiKeyCache
+}
+
+func NewAPIKeyService(apiKeyRepository portainer.APIKeyRepository, userRepository portainer.UserService) *apiKeyService {
+	return &apiKeyService{
+		apiKeyRepository: apiKeyRepository,
+		userRepository:   userRepository,
+		cache:            NewAPIKeyCache(defaultAPIKeyCacheSize),
+	}
+}
+
+// HashRaw computes a hash digest of provided raw API key.
+func (a *apiKeyService) HashRaw(rawKey string) []byte {
+	hashDigest := sha256.Sum256([]byte(rawKey))
+	return hashDigest[:]
+}
+
+// GenerateApiKey generates a raw API key for a user (for one-time display).
+// The generated API key is stored in the cache and database.
+func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
+	randKey := generateRandomKey(32)
+	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
+	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
+
+	hashDigest := a.HashRaw(prefixedAPIKey)
+
+	apiKey := &portainer.APIKey{
+		UserID:      user.ID,
+		Description: description,
+		Prefix:      prefixedAPIKey[:7],
+		DateCreated: time.Now().Unix(),
+		Digest:      hashDigest,
+	}
+
+	err := a.apiKeyRepository.CreateAPIKey(apiKey)
+	if err != nil {
+		return "", nil, errors.Wrap(err, "Unable to create API key")
+	}
+
+	// persist api-key to cache
+	a.cache.Set(apiKey.Digest, user, *apiKey)
+
+	return prefixedAPIKey, apiKey, nil
+}
+
+// GetAPIKey returns an API key by its ID.
+func (a *apiKeyService) GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error) {
+	return a.apiKeyRepository.GetAPIKey(apiKeyID)
+}
+
+// GetAPIKeys returns all the API keys associated to a user.
+func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error) {
+	return a.apiKeyRepository.GetAPIKeysByUserID(userID)
+}
+
+// GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
+// A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
+func (a *apiKeyService) GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error) {
+	// get api key from cache if possible
+	cachedUser, cachedKey, ok := a.cache.Get(digest)
+	if ok {
+		return cachedUser, cachedKey, nil
+	}
+
+	apiKey, err := a.apiKeyRepository.GetAPIKeyByDigest(digest)
+	if err != nil {
+		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve API key")
+	}
+
+	user, err := a.userRepository.User(apiKey.UserID)
+	if err != nil {
+		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve digest user")
+	}
+
+	// persist api-key to cache - for quicker future lookups
+	a.cache.Set(apiKey.Digest, *user, *apiKey)
+
+	return *user, *apiKey, nil
+}
+
+// UpdateAPIKey updates an API key and in cache and database.
+func (a *apiKeyService) UpdateAPIKey(apiKey *portainer.APIKey) error {
+	user, _, err := a.GetDigestUserAndKey(apiKey.Digest)
+	if err != nil {
+		return errors.Wrap(err, "Unable to retrieve API key")
+	}
+	a.cache.Set(apiKey.Digest, user, *apiKey)
+	return a.apiKeyRepository.UpdateAPIKey(apiKey)
+}
+
+// DeleteAPIKey deletes an API key and removes the digest/api-key entry from the cache.
+func (a *apiKeyService) DeleteAPIKey(apiKeyID portainer.APIKeyID) error {
+	// get api-key digest to remove from cache
+	apiKey, err := a.apiKeyRepository.GetAPIKey(apiKeyID)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("Unable to retrieve API key: %d", apiKeyID))
+	}
+
+	// delete the user/api-key from cache
+	a.cache.Delete(apiKey.Digest)
+	return a.apiKeyRepository.DeleteAPIKey(apiKeyID)
+}
+
+func (a *apiKeyService) InvalidateUserKeyCache(userId portainer.UserID) bool {
+	return a.cache.InvalidateUserKeyCache(userId)
+}

api/apikey/service_test.go

@@ -0,0 +1,309 @@
+package apikey
+
+import (
+	"crypto/sha256"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
+	is := assert.New(t)
+	is.Implements((*APIKeyService)(nil), NewAPIKeyService(nil, nil))
+}
+
+func Test_GenerateApiKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully generates API key", func(t *testing.T) {
+		desc := "test-1"
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
+		is.NoError(err)
+		is.NotEmpty(rawKey)
+		is.NotEmpty(apiKey)
+		is.Equal(desc, apiKey.Description)
+	})
+
+	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
+		is.NoError(err)
+
+		is.Equal(rawKey[:7], apiKey.Prefix)
+		is.Len(apiKey.Prefix, 7)
+	})
+
+	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
+		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
+		is.NoError(err)
+
+		is.Equal(portainerAPIKeyPrefix, "ptr_")
+		is.True(strings.HasPrefix(rawKey, "ptr_"))
+	})
+
+	t.Run("Successfully caches API key", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-3")
+		is.NoError(err)
+
+		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(user, userFromCache)
+		is.Equal(apiKey, &apiKeyFromCache)
+	})
+
+	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
+		is.NoError(err)
+
+		generatedDigest := sha256.Sum256([]byte(rawKey))
+
+		is.Equal(apiKey.Digest, generatedDigest[:])
+	})
+}
+
+func Test_GetAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns all API keys", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		is.Equal(apiKey, apiKeyGot)
+	})
+}
+
+func Test_GetAPIKeys(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns all API keys", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, _, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+		_, _, err = service.GenerateApiKey(user, "test-2")
+		is.NoError(err)
+
+		keys, err := service.GetAPIKeys(user.ID)
+		is.NoError(err)
+		is.Len(keys, 2)
+	})
+}
+
+func Test_GetDigestUserAndKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(user, userGot)
+		is.Equal(*apiKey, apiKeyGot)
+	})
+
+	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(user, userGot)
+		is.Equal(*apiKey, apiKeyGot)
+
+		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(userGot, userFromCache)
+		is.Equal(apiKeyGot, apiKeyFromCache)
+	})
+}
+
+func Test_UpdateAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		store.User().CreateUser(&user)
+		_, apiKey, err := service.GenerateApiKey(user, "test-x")
+		is.NoError(err)
+
+		apiKey.LastUsed = time.Now().UTC().Unix()
+		err = service.UpdateAPIKey(apiKey)
+		is.NoError(err)
+
+		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+
+		log.Println(apiKey)
+		log.Println(apiKeyGot)
+
+		is.Equal(apiKey.LastUsed, apiKeyGot.LastUsed)
+
+	})
+
+	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
+		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
+		is.NoError(err)
+
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, apiKeyFromCache)
+
+		apiKey.LastUsed = time.Now().UTC().Unix()
+		is.NotEqual(*apiKey, apiKeyFromCache)
+
+		err = service.UpdateAPIKey(apiKey)
+		is.NoError(err)
+
+		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, updatedAPIKeyFromCache)
+	})
+}
+
+func Test_DeleteAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates the api-key", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(*apiKey, apiKeyGot)
+
+		err = service.DeleteAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
+		is.Error(err)
+	})
+
+	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, apiKeyFromCache)
+
+		err = service.DeleteAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		_, _, ok = service.cache.Get(apiKey.Digest)
+		is.False(ok)
+	})
+}
+
+func Test_InvalidateUserKeyCache(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates evicts keys from cache", func(t *testing.T) {
+		// generate api keys
+		user := portainer.User{ID: 1}
+		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
+		is.NoError(err)
+
+		// verify api keys are present in cache
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
+		is.True(ok)
+		is.Equal(*apiKey1, apiKeyFromCache)
+
+		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+		is.Equal(*apiKey2, apiKeyFromCache)
+
+		// evict cache
+		ok = service.InvalidateUserKeyCache(user.ID)
+		is.True(ok)
+
+		// verify users keys have been flushed from cache
+		_, _, ok = service.cache.Get(apiKey1.Digest)
+		is.False(ok)
+
+		_, _, ok = service.cache.Get(apiKey2.Digest)
+		is.False(ok)
+	})
+
+	t.Run("User key eviction does not affect other users keys", func(t *testing.T) {
+		// generate keys for 2 users
+		user1 := portainer.User{ID: 1}
+		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
+		is.NoError(err)
+
+		user2 := portainer.User{ID: 2}
+		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
+		is.NoError(err)
+
+		// verify keys in cache
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
+		is.True(ok)
+		is.Equal(*apiKey1, apiKeyFromCache)
+
+		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+		is.Equal(*apiKey2, apiKeyFromCache)
+
+		// evict key of single user from cache
+		ok = service.cache.InvalidateUserKeyCache(user1.ID)
+		is.True(ok)
+
+		// verify user1 key has been flushed from cache
+		_, _, ok = service.cache.Get(apiKey1.Digest)
+		is.False(ok)
+
+		// verify user2 key is still in cache
+		_, _, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+	})
+}

api/aws/ecr/authorization_token.go

@@ -0,0 +1,61 @@
+package ecr
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+)
+
+func (s *Service) GetEncodedAuthorizationToken() (token *string, expiry *time.Time, err error) {
+	getAuthorizationTokenOutput, err := s.client.GetAuthorizationToken(context.TODO(), nil)
+	if err != nil {
+		return
+	}
+
+	if len(getAuthorizationTokenOutput.AuthorizationData) == 0 {
+		err = fmt.Errorf("AuthorizationData is empty")
+		return
+	}
+
+	authData := getAuthorizationTokenOutput.AuthorizationData[0]
+
+	token = authData.AuthorizationToken
+	expiry = authData.ExpiresAt
+
+	return
+}
+
+func (s *Service) GetAuthorizationToken() (token *string, expiry *time.Time, err error) {
+	tokenEncodedStr, expiry, err := s.GetEncodedAuthorizationToken()
+	if err != nil {
+		return
+	}
+
+	tokenByte, err := base64.StdEncoding.DecodeString(*tokenEncodedStr)
+	if err != nil {
+		return
+	}
+	tokenStr := string(tokenByte)
+	token = &tokenStr
+
+	return
+}
+
+func (s *Service) ParseAuthorizationToken(token string) (username string, password string, err error) {
+	if len(token) == 0 {
+		return
+	}
+
+	splitToken := strings.Split(token, ":")
+	if len(splitToken) < 2 {
+		err = fmt.Errorf("invalid ECR authorization token")
+		return
+	}
+
+	username = splitToken[0]
+	password = splitToken[1]
+
+	return
+}

api/aws/ecr/ecr.go

@@ -0,0 +1,32 @@
+package ecr
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+)
+
+type (
+	Service struct {
+		accessKey string
+		secretKey string
+		region    string
+		client    *ecr.Client
+	}
+)
+
+func NewService(accessKey, secretKey, region string) *Service {
+	options := ecr.Options{
+		Region:      region,
+		Credentials: aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")),
+	}
+
+	client := ecr.New(options)
+
+	return &Service{
+		accessKey: accessKey,
+		secretKey: secretKey,
+		region:    region,
+		client:    client,
+	}
+}

api/bolt/apikeyrepository/apikeyrepository.go

@@ -0,0 +1,137 @@
+package apikeyrepository
+
+import (
+	"bytes"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "api_key"
+)
+
+// Service represents a service for managing api-key data.
+type Service struct {
+	connection *internal.DbConnection
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// GetAPIKeysByUserID returns a slice containing all the APIKeys a user has access to.
+func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error) {
+	var result = make([]portainer.APIKey, 0)
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var record portainer.APIKey
+			err := internal.UnmarshalObject(v, &record)
+			if err != nil {
+				return err
+			}
+
+			if record.UserID == userID {
+				result = append(result, record)
+			}
+		}
+		return nil
+	})
+
+	return result, err
+}
+
+// GetAPIKeyByDigest returns the API key for the associated digest.
+// Note: there is a 1-to-1 mapping of api-key and digest
+func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error) {
+	var result portainer.APIKey
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var record portainer.APIKey
+			err := internal.UnmarshalObject(v, &record)
+			if err != nil {
+				return err
+			}
+
+			if bytes.Equal(record.Digest, digest) {
+				result = record
+				return nil
+			}
+		}
+		return nil
+	})
+
+	return &result, err
+}
+
+// CreateAPIKey creates a new APIKey object.
+func (service *Service) CreateAPIKey(record *portainer.APIKey) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		record.ID = portainer.APIKeyID(id)
+
+		data, err := internal.MarshalObject(record)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(record.ID)), data)
+	})
+}
+
+// GetAPIKey retrieves an existing APIKey object by api key ID.
+func (service *Service) GetAPIKey(keyID portainer.APIKeyID) (*portainer.APIKey, error) {
+	var apiKey *portainer.APIKey
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		item := bucket.Get(internal.Itob(int(keyID)))
+		if item == nil {
+			return errors.ErrObjectNotFound
+		}
+
+		err := internal.UnmarshalObject(item, &apiKey)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+
+	return apiKey, err
+}
+
+func (service *Service) UpdateAPIKey(key *portainer.APIKey) error {
+	identifier := internal.Itob(int(key.ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, key)
+}
+
+func (service *Service) DeleteAPIKey(ID portainer.APIKeyID) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		return bucket.Delete(internal.Itob(int(ID)))
+	})
+}

api/bolt/datastore.go

@@ -5,6 +5,7 @@ import (
 	"path"
 	"time"
 
+	"github.com/portainer/portainer/api/bolt/apikeyrepository"
 	"github.com/portainer/portainer/api/bolt/helmuserrepository"
 
 	"github.com/boltdb/bolt"
@@ -60,6 +61,7 @@ type Store struct {
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
 	RoleService               *role.Service
+	APIKeyRepositoryService   *apikeyrepository.Service
 	ScheduleService           *schedule.Service
 	SettingsService           *settings.Service
 	SSLSettingsService        *ssl.Service

api/bolt/services.go

@@ -2,6 +2,7 @@ package bolt
 
 import (
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/apikeyrepository"
 	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/edgegroup"
@@ -155,6 +156,12 @@ func (store *Store) initServices() error {
 	}
 	store.UserService = userService
 
+	apiKeyService, err := apikeyrepository.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.APIKeyRepositoryService = apiKeyService
+
 	versionService, err := version.NewService(store.connection)
 	if err != nil {
 		return err
@@ -231,6 +238,11 @@ func (store *Store) Role() portainer.RoleService {
 	return store.RoleService
 }
 
+// APIKeyRepository gives access to the api-key data management layer
+func (store *Store) APIKeyRepository() portainer.APIKeyRepository {
+	return store.APIKeyRepositoryService
+}
+
 // Settings gives access to the Settings data management layer
 func (store *Store) Settings() portainer.SettingsService {
 	return store.SettingsService

api/bolt/settings/settings.go

@@ -44,3 +44,17 @@ func (service *Service) Settings() (*portainer.Settings, error) {
 func (service *Service) UpdateSettings(settings *portainer.Settings) error {
 	return internal.UpdateObject(service.connection, BucketName, []byte(settingsKey), settings)
 }
+
+func (service *Service) IsFeatureFlagEnabled(feature portainer.Feature) bool {
+	settings, err := service.Settings()
+	if err != nil {
+		return false
+	}
+
+	featureFlagSetting, ok := settings.FeatureFlagSettings[feature]
+	if ok {
+		return featureFlagSetting
+	}
+
+	return false
+}

api/bolt/webhook/webhook.go

@@ -150,3 +150,9 @@ func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
 		return bucket.Put(internal.Itob(int(webhook.ID)), data)
 	})
 }
+
+// UpdateWebhook update a webhook.
+func (service *Service) UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, webhook)
+}

api/cli/cli.go

@@ -55,6 +55,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
+		BaseURL:                   kingpin.Flag("base-url", "Base URL parameter such as portainer if running portainer as http://yourdomain.com/portainer/.").Short('b').Default(defaultBaseURL).String(),
 	}
 
 	kingpin.Parse()

api/cli/defaults.go

@@ -19,4 +19,5 @@ const (
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
 	defaultSnapshotInterval    = "5m"
+	defaultBaseURL             = "/"
 )

api/cli/defaults_windows.go

@@ -17,4 +17,5 @@ const (
 	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
 	defaultSnapshotInterval    = "5m"
+	defaultBaseURL             = "/"
 )

api/cmd/portainer/main.go

@@ -8,17 +8,18 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/portainer/libhelm"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
-
-	"github.com/portainer/libhelm"
 	"github.com/portainer/portainer/api/exec"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/git"
+	"github.com/portainer/portainer/api/hostmanagement/openamt"
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/http/proxy"
@@ -104,8 +105,15 @@ func initComposeStackManager(assetsPath string, configPath string, reverseTunnel
 	return composeWrapper
 }
 
-func initSwarmStackManager(assetsPath string, configPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService)
+func initSwarmStackManager(
+	assetsPath string,
+	configPath string,
+	signatureService portainer.DigitalSignatureService,
+	fileService portainer.FileService,
+	reverseTunnelService portainer.ReverseTunnelService,
+	dataStore portainer.DataStore,
+) (portainer.SwarmStackManager, error) {
+	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
 }
 
 func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
@@ -116,6 +124,10 @@ func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, erro
 	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
 }
 
+func initAPIKeyService(datastore portainer.DataStore) apikey.APIKeyService {
+	return apikey.NewAPIKeyService(datastore.APIKeyRepository(), datastore.User())
+}
+
 func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
 	settings, err := dataStore.Settings().Settings()
 	if err != nil {
@@ -457,17 +469,26 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal(err)
 	}
 
+	apiKeyService := initAPIKeyService(dataStore)
+
 	jwtService, err := initJWTService(dataStore)
 	if err != nil {
 		log.Fatalf("failed initializing JWT service: %v", err)
 	}
 
+	err = enableFeaturesFromFlags(dataStore, flags)
+	if err != nil {
+		log.Fatalf("failed enabling feature flag: %v", err)
+	}
+
 	ldapService := initLDAPService()
 
 	oauthService := initOAuthService()
 
 	gitService := initGitService()
 
+	openAMTService := openamt.NewService(dataStore)
+
 	cryptoService := initCryptoService()
 
 	digitalSignatureService := initDigitalSignatureService()
@@ -518,7 +539,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	composeStackManager := initComposeStackManager(*flags.Assets, dockerConfigPath, reverseTunnelService, proxyManager)
 
-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService)
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
 		log.Fatalf("failed initializing swarm stack manager: %s", err)
 	}
@@ -537,11 +558,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		}
 	}
 
-	err = enableFeaturesFromFlags(dataStore, flags)
-	if err != nil {
-		log.Fatalf("failed enabling feature flag: %v", err)
-	}
-
 	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
 	if err != nil {
 		log.Fatalf("failed loading edge jobs from database: %v", err)
@@ -618,11 +634,13 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		KubernetesDeployer:          kubernetesDeployer,
 		HelmPackageManager:          helmPackageManager,
 		CryptoService:               cryptoService,
+		APIKeyService:               apiKeyService,
 		JWTService:                  jwtService,
 		FileService:                 fileService,
 		LDAPService:                 ldapService,
 		OAuthService:                oauthService,
 		GitService:                  gitService,
+		OpenAMTService:              openAMTService,
 		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		KubeConfigService:           kubeConfigService,
@@ -635,6 +653,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ShutdownCtx:                 shutdownCtx,
 		ShutdownTrigger:             shutdownTrigger,
 		StackDeployer:               stackDeployer,
+		BaseURL:                     *flags.BaseURL,
 	}
 }
 

api/exec/swarm_stack.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/internal/stackutils"
 )
 
@@ -22,17 +23,25 @@ type SwarmStackManager struct {
 	signatureService     portainer.DigitalSignatureService
 	fileService          portainer.FileService
 	reverseTunnelService portainer.ReverseTunnelService
+	dataStore            portainer.DataStore
 }
 
 // NewSwarmStackManager initializes a new SwarmStackManager service.
 // It also updates the configuration of the Docker CLI binary.
-func NewSwarmStackManager(binaryPath, configPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (*SwarmStackManager, error) {
+func NewSwarmStackManager(
+	binaryPath, configPath string,
+	signatureService portainer.DigitalSignatureService,
+	fileService portainer.FileService,
+	reverseTunnelService portainer.ReverseTunnelService,
+	datastore portainer.DataStore,
+) (*SwarmStackManager, error) {
 	manager := &SwarmStackManager{
 		binaryPath:           binaryPath,
 		configPath:           configPath,
 		signatureService:     signatureService,
 		fileService:          fileService,
 		reverseTunnelService: reverseTunnelService,
+		dataStore:            datastore,
 	}
 
 	err := manager.updateDockerCLIConfiguration(manager.configPath)
@@ -51,7 +60,17 @@ func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoin
 	}
 	for _, registry := range registries {
 		if registry.Authentication {
-			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
+			err = registryutils.EnsureRegTokenValid(manager.dataStore, &registry)
+			if err != nil {
+				return err
+			}
+
+			username, password, err := registryutils.GetRegEffectiveCredential(&registry)
+			if err != nil {
+				return err
+			}
+
+			registryArgs := append(args, "login", "--username", username, "--password", password, registry.URL)
 			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
 		}
 	}

api/go.mod

@@ -6,6 +6,9 @@ require (
 	github.com/Microsoft/go-winio v0.4.17
 	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535
+	github.com/aws/aws-sdk-go-v2 v1.11.1
+	github.com/aws/aws-sdk-go-v2/credentials v1.6.2
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1
 	github.com/boltdb/bolt v1.3.1
 	github.com/containerd/containerd v1.5.7 // indirect
 	github.com/coreos/go-semver v0.3.0
@@ -22,6 +25,7 @@ require (
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/websocket v1.4.2
+	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.3.0
 	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
 	github.com/json-iterator/go v1.1.11
@@ -46,4 +50,5 @@ require (
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )

api/go.sum

@@ -86,6 +86,22 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
+github.com/aws/aws-sdk-go-v2 v1.11.1 h1:GzvOVAdTbWxhEMRK4FfiblkGverOkAT0UodDxC1jHQM=
+github.com/aws/aws-sdk-go-v2 v1.11.1/go.mod h1:SQfA+m2ltnu1cA0soUkj4dRSsmITiVQUJvBIZjzfPyQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.2 h1:2faRNX8JgZVy7dDxERkaGBqb/xo5Rgmc8JMPL5j1o58=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.2/go.mod h1:8kRH9fthlxHEeNJ3g1N3NTSUMBba+KtTM8hp6SvUWn8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.1/go.mod h1:MYiG3oeEcmrdBOV7JOIWhionzyRZJWCnByS5FmvhAoU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1 h1:LZwqhOyqQ2w64PZk04V0Om9AEExtW8WMkCRoE1h9/94=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1/go.mod h1:22SEiBSQm5AyKEjoPcG1hzpeTI+m9CXfE6yt1h49wBE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1 h1:ObMfGNk0xjOWduPxsrRWVwZZia3e9fOcO6zlKCkt38s=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1/go.mod h1:1xvCD+I5BcDuQUc+psZr7LI1a9pclAWZs3S3Gce5+lg=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1 h1:onTF83DG9dsRv6UzuhYb7phiktjwQ++s/n+ZtNlTQnM=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1/go.mod h1:9RH1zeu1Ls3x2EQew/eCDuq2AlC0M8RzYfYy5+5gSLc=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.1/go.mod h1:fEaHB2bi+wVZw4uKMHEXTL9LwtT4EL//DOhTeflqIVo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.6.1/go.mod h1:/73aFBwUl60wKBKhdth2pEOkut5ZNjVHGF9hjXz0bM0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.10.1/go.mod h1:+BmlPeQ1Y+PuIho93MMKDby12PoUnt1SZXQdEHCzSlw=
+github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
+github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -380,6 +396,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -425,6 +443,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -441,6 +461,9 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
@@ -1124,3 +1147,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZa
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78/go.mod h1:B7Wf0Ya4DHF9Yw+qfZuJijQYkWicqDa+79Ytmmq3Kjg=

api/hostmanagement/openamt/authorization.go

@@ -0,0 +1,52 @@
+package openamt
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type authenticationResponse struct {
+	Token string `json:"token"`
+}
+
+func (service *Service) executeAuthenticationRequest(configuration portainer.OpenAMTConfiguration) (*authenticationResponse, error) {
+	loginURL := fmt.Sprintf("https://%s/mps/login/api/v1/authorize", configuration.MPSServer)
+
+	payload := map[string]string{
+		"username": configuration.Credentials.MPSUser,
+		"password": configuration.Credentials.MPSPassword,
+	}
+	jsonValue, _ := json.Marshal(payload)
+
+	req, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewBuffer(jsonValue))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	response, err := service.httpsClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	responseBody, readErr := ioutil.ReadAll(response.Body)
+	if readErr != nil {
+		return nil, readErr
+	}
+	errorResponse := parseError(responseBody)
+	if errorResponse != nil {
+		return nil, errorResponse
+	}
+
+	var token authenticationResponse
+	err = json.Unmarshal(responseBody, &token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}

api/hostmanagement/openamt/configCIRA.go

@@ -0,0 +1,143 @@
+package openamt
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type CIRAConfig struct {
+	ConfigName          string `json:"configName"`
+	MPSServerAddress    string `json:"mpsServerAddress"`
+	ServerAddressFormat int    `json:"serverAddressFormat"`
+	CommonName          string `json:"commonName"`
+	MPSPort             int    `json:"mpsPort"`
+	Username            string `json:"username"`
+	MPSRootCertificate  string `json:"mpsRootCertificate"`
+	RegeneratePassword  bool   `json:"regeneratePassword"`
+	AuthMethod          int    `json:"authMethod"`
+}
+
+func (service *Service) createOrUpdateCIRAConfig(configuration portainer.OpenAMTConfiguration, configName string) (*CIRAConfig, error) {
+	ciraConfig, err := service.getCIRAConfig(configuration, configName)
+	if err != nil {
+		return nil, err
+	}
+
+	method := http.MethodPost
+	if ciraConfig != nil {
+		method = http.MethodPatch
+	}
+
+	ciraConfig, err = service.saveCIRAConfig(method, configuration, configName)
+	if err != nil {
+		return nil, err
+	}
+	return ciraConfig, nil
+}
+
+func (service *Service) getCIRAConfig(configuration portainer.OpenAMTConfiguration, configName string) (*CIRAConfig, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/ciraconfigs/%s", configuration.MPSServer, configName)
+
+	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result CIRAConfig
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) saveCIRAConfig(method string, configuration portainer.OpenAMTConfiguration, configName string) (*CIRAConfig, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/ciraconfigs", configuration.MPSServer)
+
+	certificate, err := service.getCIRACertificate(configuration)
+	if err != nil {
+		return nil, err
+	}
+
+	addressFormat, err := addressFormat(configuration.MPSServer)
+	if err != nil {
+		return nil, err
+	}
+
+	config := CIRAConfig{
+		ConfigName:          configName,
+		MPSServerAddress:    configuration.MPSServer,
+		CommonName:          configuration.MPSServer,
+		ServerAddressFormat: addressFormat,
+		MPSPort:             4433,
+		Username:            "admin",
+		MPSRootCertificate:  certificate,
+		RegeneratePassword:  false,
+		AuthMethod:          2,
+	}
+	payload, _ := json.Marshal(config)
+
+	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	if err != nil {
+		return nil, err
+	}
+
+	var result CIRAConfig
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func addressFormat(url string) (int, error) {
+	ip := net.ParseIP(url)
+	if ip == nil {
+		return 201, nil // FQDN
+	}
+	if strings.Contains(url, ".") {
+		return 3, nil // IPV4
+	}
+	if strings.Contains(url, ":") {
+		return 4, nil // IPV6
+	}
+	return 0, fmt.Errorf("could not determine server address format for %s", url)
+}
+
+func (service *Service) getCIRACertificate(configuration portainer.OpenAMTConfiguration) (string, error) {
+	loginURL := fmt.Sprintf("https://%s/mps/api/v1/ciracert", configuration.MPSServer)
+
+	req, err := http.NewRequest(http.MethodGet, loginURL, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", configuration.Credentials.MPSToken))
+
+	response, err := service.httpsClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return "", errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+	}
+
+	certificate, err := io.ReadAll(response.Body)
+	if err != nil {
+		return "", err
+	}
+	block, _ := pem.Decode(certificate)
+	return base64.StdEncoding.EncodeToString(block.Bytes), nil
+}

api/hostmanagement/openamt/configDomain.go

@@ -0,0 +1,81 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type (
+	Domain struct {
+		DomainName                    string `json:"profileName"`
+		DomainSuffix                  string `json:"domainSuffix"`
+		ProvisioningCert              string `json:"provisioningCert"`
+		ProvisioningCertPassword      string `json:"provisioningCertPassword"`
+		ProvisioningCertStorageFormat string `json:"provisioningCertStorageFormat"`
+	}
+)
+
+func (service *Service) createOrUpdateDomain(configuration portainer.OpenAMTConfiguration) (*Domain, error) {
+	domain, err := service.getDomain(configuration)
+	if err != nil {
+		return nil, err
+	}
+
+	method := http.MethodPost
+	if domain != nil {
+		method = http.MethodPatch
+	}
+
+	domain, err = service.saveDomain(method, configuration)
+	if err != nil {
+		return nil, err
+	}
+	return domain, nil
+}
+
+func (service *Service) getDomain(configuration portainer.OpenAMTConfiguration) (*Domain, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/domains/%s", configuration.MPSServer, configuration.DomainConfiguration.DomainName)
+
+	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result Domain
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) saveDomain(method string, configuration portainer.OpenAMTConfiguration) (*Domain, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/domains", configuration.MPSServer)
+
+	profile := Domain{
+		DomainName:                    configuration.DomainConfiguration.DomainName,
+		DomainSuffix:                  configuration.DomainConfiguration.DomainName,
+		ProvisioningCert:              configuration.DomainConfiguration.CertFileText,
+		ProvisioningCertPassword:      configuration.DomainConfiguration.CertPassword,
+		ProvisioningCertStorageFormat: "string",
+	}
+	payload, _ := json.Marshal(profile)
+
+	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	if err != nil {
+		return nil, err
+	}
+
+	var result Domain
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}

api/hostmanagement/openamt/configProfile.go

@@ -0,0 +1,104 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type (
+	Profile struct {
+		ProfileName                string              `json:"profileName"`
+		Activation                 string              `json:"activation"`
+		CIRAConfigName             *string             `json:"ciraConfigName"`
+		GenerateRandomAMTPassword  bool                `json:"generateRandomPassword"`
+		AMTPassword                string              `json:"amtPassword"`
+		GenerateRandomMEBxPassword bool                `json:"generateRandomMEBxPassword"`
+		MEBXPassword               string              `json:"mebxPassword"`
+		Tags                       []string            `json:"tags"`
+		DHCPEnabled                bool                `json:"dhcpEnabled"`
+		TenantId                   string              `json:"tenantId"`
+		WIFIConfigs                []ProfileWifiConfig `json:"wifiConfigs"`
+	}
+
+	ProfileWifiConfig struct {
+		Priority    int    `json:"priority"`
+		ProfileName string `json:"profileName"`
+	}
+)
+
+func (service *Service) createOrUpdateAMTProfile(configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string, wirelessConfig string) (*Profile, error) {
+	profile, err := service.getAMTProfile(configuration, profileName)
+	if err != nil {
+		return nil, err
+	}
+
+	method := http.MethodPost
+	if profile != nil {
+		method = http.MethodPatch
+	}
+
+	profile, err = service.saveAMTProfile(method, configuration, profileName, ciraConfigName, wirelessConfig)
+	if err != nil {
+		return nil, err
+	}
+	return profile, nil
+}
+
+func (service *Service) getAMTProfile(configuration portainer.OpenAMTConfiguration, profileName string) (*Profile, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/profiles/%s", configuration.MPSServer, profileName)
+
+	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result Profile
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) saveAMTProfile(method string, configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string, wirelessConfig string) (*Profile, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/profiles", configuration.MPSServer)
+
+	profile := Profile{
+		ProfileName:                profileName,
+		Activation:                 "acmactivate",
+		GenerateRandomAMTPassword:  false,
+		GenerateRandomMEBxPassword: false,
+		AMTPassword:                configuration.Credentials.MPSPassword,
+		MEBXPassword:               configuration.Credentials.MPSPassword,
+		CIRAConfigName:             &ciraConfigName,
+		Tags:                       []string{},
+		DHCPEnabled:                true,
+	}
+	if wirelessConfig != "" {
+		profile.WIFIConfigs = []ProfileWifiConfig{
+			{
+				Priority:    1,
+				ProfileName: DefaultWirelessConfigName,
+			},
+		}
+	}
+	payload, _ := json.Marshal(profile)
+
+	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	if err != nil {
+		return nil, err
+	}
+
+	var result Profile
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}

api/hostmanagement/openamt/configWireless.go

@@ -0,0 +1,91 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type (
+	WirelessProfile struct {
+		ProfileName          string `json:"profileName"`
+		AuthenticationMethod int    `json:"authenticationMethod"`
+		EncryptionMethod     int    `json:"encryptionMethod"`
+		SSID                 string `json:"ssid"`
+		PSKPassphrase        string `json:"pskPassphrase"`
+	}
+)
+
+func (service *Service) createOrUpdateWirelessConfig(configuration portainer.OpenAMTConfiguration, wirelessConfigName string) (*WirelessProfile, error) {
+	wirelessConfig, err := service.getWirelessConfig(configuration, wirelessConfigName)
+	if err != nil {
+		return nil, err
+	}
+
+	method := http.MethodPost
+	if wirelessConfig != nil {
+		method = http.MethodPatch
+	}
+
+	wirelessConfig, err = service.saveWirelessConfig(method, configuration, wirelessConfigName)
+	if err != nil {
+		return nil, err
+	}
+	return wirelessConfig, nil
+}
+
+func (service *Service) getWirelessConfig(configuration portainer.OpenAMTConfiguration, configName string) (*WirelessProfile, error) {
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/wirelessconfigs/%s", configuration.MPSServer, configName)
+
+	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result WirelessProfile
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) saveWirelessConfig(method string, configuration portainer.OpenAMTConfiguration, configName string) (*WirelessProfile, error) {
+	parsedAuthenticationMethod, err := strconv.Atoi(configuration.WirelessConfiguration.AuthenticationMethod)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing wireless authentication method: %s", err.Error())
+	}
+	parsedEncryptionMethod, err := strconv.Atoi(configuration.WirelessConfiguration.EncryptionMethod)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing wireless encryption method: %s", err.Error())
+	}
+
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/wirelessconfigs", configuration.MPSServer)
+
+	config := WirelessProfile{
+		ProfileName:          configName,
+		AuthenticationMethod: parsedAuthenticationMethod,
+		EncryptionMethod:     parsedEncryptionMethod,
+		SSID:                 configuration.WirelessConfiguration.SSID,
+		PSKPassphrase:        configuration.WirelessConfiguration.PskPass,
+	}
+	payload, _ := json.Marshal(config)
+
+	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	if err != nil {
+		return nil, err
+	}
+
+	var result WirelessProfile
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}

api/hostmanagement/openamt/openamt.go

@@ -0,0 +1,157 @@
+package openamt
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	DefaultCIRAConfigName     = "ciraConfigDefault"
+	DefaultWirelessConfigName = "wirelessProfileDefault"
+	DefaultProfileName        = "profileAMTDefault"
+)
+
+// Service represents a service for managing an OpenAMT server.
+type Service struct {
+	httpsClient *http.Client
+}
+
+// NewService initializes a new service.
+func NewService(dataStore portainer.DataStore) *Service {
+	if !dataStore.Settings().IsFeatureFlagEnabled(portainer.FeatOpenAMT) {
+		return nil
+	}
+	return &Service{
+		httpsClient: &http.Client{
+			Timeout: time.Second * time.Duration(5),
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			},
+		},
+	}
+}
+
+type openAMTError struct {
+	ErrorMsg string `json:"message"`
+	Errors   []struct {
+		ErrorMsg string `json:"msg"`
+	} `json:"errors"`
+}
+
+func parseError(responseBody []byte) error {
+	var errorResponse openAMTError
+	err := json.Unmarshal(responseBody, &errorResponse)
+	if err != nil {
+		return err
+	}
+
+	if len(errorResponse.Errors) > 0 {
+		return errors.New(errorResponse.Errors[0].ErrorMsg)
+	}
+	if errorResponse.ErrorMsg != "" {
+		return errors.New(errorResponse.ErrorMsg)
+	}
+	return nil
+}
+
+func (service *Service) ConfigureDefault(configuration portainer.OpenAMTConfiguration) error {
+	token, err := service.executeAuthenticationRequest(configuration)
+	if err != nil {
+		return err
+	}
+	configuration.Credentials.MPSToken = token.Token
+
+	ciraConfig, err := service.createOrUpdateCIRAConfig(configuration, DefaultCIRAConfigName)
+	if err != nil {
+		return err
+	}
+
+	wirelessConfigName := ""
+	if configuration.WirelessConfiguration != nil {
+		wirelessConfig, err := service.createOrUpdateWirelessConfig(configuration, DefaultWirelessConfigName)
+		if err != nil {
+			return err
+		}
+		wirelessConfigName = wirelessConfig.ProfileName
+	}
+
+	_, err = service.createOrUpdateAMTProfile(configuration, DefaultProfileName, ciraConfig.ConfigName, wirelessConfigName)
+	if err != nil {
+		return err
+	}
+
+	_, err = service.createOrUpdateDomain(configuration)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) executeSaveRequest(method string, url string, token string, payload []byte) ([]byte, error) {
+	req, err := http.NewRequest(method, url, bytes.NewBuffer(payload))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	response, err := service.httpsClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	responseBody, readErr := ioutil.ReadAll(response.Body)
+	if readErr != nil {
+		return nil, readErr
+	}
+
+	if response.StatusCode < 200 || response.StatusCode > 300 {
+		errorResponse := parseError(responseBody)
+		if errorResponse != nil {
+			return nil, errorResponse
+		}
+		return nil, errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+	}
+
+	return responseBody, nil
+}
+
+func (service *Service) executeGetRequest(url string, token string) ([]byte, error) {
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	response, err := service.httpsClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	responseBody, readErr := ioutil.ReadAll(response.Body)
+	if readErr != nil {
+		return nil, readErr
+	}
+
+	if response.StatusCode < 200 || response.StatusCode > 300 {
+		if response.StatusCode == http.StatusNotFound {
+			return nil, nil
+		}
+		errorResponse := parseError(responseBody)
+		if errorResponse != nil {
+			return nil, errorResponse
+		}
+		return nil, errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+	}
+
+	return responseBody, nil
+}

api/http/handler/auth/logout.go

@@ -11,6 +11,7 @@ import (
 // @id Logout
 // @summary Logout
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags auth
 // @success 204 "Success"

api/http/handler/backup/backup.go

@@ -26,6 +26,7 @@ func (p *backupPayload) Validate(r *http.Request) error {
 // @description  Creates an archive with a system data snapshot that could be used to restore the system.
 // @description **Access policy**: admin
 // @tags backup
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce octet-stream

api/http/handler/customtemplates/customtemplate_create.go

@@ -22,6 +22,7 @@ import (
 // @description Create a custom template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json,multipart/form-data
 // @produce json

api/http/handler/customtemplates/customtemplate_delete.go

@@ -18,6 +18,7 @@ import (
 // @description Remove a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Template identifier"
 // @success 204 "Success"

api/http/handler/customtemplates/customtemplate_file.go

@@ -19,6 +19,7 @@ type fileResponse struct {
 // @description Retrieve the content of the Stack file for the specified custom template
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Template identifier"

api/http/handler/customtemplates/customtemplate_inspect.go

@@ -18,6 +18,7 @@ import (
 // @description Retrieve details about a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Template identifier"

api/http/handler/customtemplates/customtemplate_list.go

@@ -17,6 +17,7 @@ import (
 // @description List available custom templates.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param type query []int true "Template types" Enums(1,2,3)

api/http/handler/customtemplates/customtemplate_update.go

@@ -62,6 +62,7 @@ func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
 // @description Update a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgegroups/edgegroup_create.go

@@ -36,6 +36,7 @@ func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
 // @summary Create an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgegroups/edgegroup_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Deletes an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EdgeGroup Id"
 // @success 204

api/http/handler/edgegroups/edgegroup_inspect.go

@@ -14,6 +14,7 @@ import (
 // @summary Inspects an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "EdgeGroup Id"

api/http/handler/edgegroups/edgegroup_list.go

@@ -19,6 +19,7 @@ type decoratedEdgeGroup struct {
 // @summary list EdgeGroups
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} decoratedEdgeGroup "EdgeGroups"

api/http/handler/edgegroups/edgegroup_update.go

@@ -38,6 +38,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgejobs/edgejob_create.go

@@ -18,6 +18,7 @@ import (
 // @summary Create an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param method query string true "Creation Method" Enums(file, string)

api/http/handler/edgejobs/edgejob_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Delete an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @param id path string true "EdgeJob Id"
 // @success 204

api/http/handler/edgejobs/edgejob_file.go

@@ -18,6 +18,7 @@ type edgeJobFileResponse struct {
 // @summary Fetch a file of an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_inspect.go

@@ -19,6 +19,7 @@ type edgeJobInspectResponse struct {
 // @summary Inspect an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_list.go

@@ -11,6 +11,7 @@ import (
 // @summary Fetch EdgeJobs list
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EdgeJob

api/http/handler/edgejobs/edgejob_tasklogs_clear.go

@@ -15,6 +15,7 @@ import (
 // @summary Clear the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasklogs_collect.go

@@ -14,6 +14,7 @@ import (
 // @summary Collect the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasklogs_inspect.go

@@ -17,6 +17,7 @@ type fileResponse struct {
 // @summary Fetch the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasks_list.go

@@ -21,6 +21,7 @@ type taskContainer struct {
 // @summary Fetch the list of tasks on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_update.go

@@ -32,6 +32,7 @@ func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
 // @summary Update an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgestacks/edgestack_create.go

@@ -21,6 +21,7 @@ import (
 // @summary Create an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param method query string true "Creation Method" Enums(file,string,repository)

api/http/handler/edgestacks/edgestack_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Delete an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @param id path string true "EdgeStack Id"
 // @success 204

api/http/handler/edgestacks/edgestack_file.go

@@ -18,6 +18,7 @@ type stackFileResponse struct {
 // @summary Fetches the stack file for an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeStack Id"

api/http/handler/edgestacks/edgestack_inspect.go

@@ -14,6 +14,7 @@ import (
 // @summary Inspect an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeStack Id"

api/http/handler/edgestacks/edgestack_list.go

@@ -11,6 +11,7 @@ import (
 // @summary Fetches the list of EdgeStacks
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EdgeStack

api/http/handler/edgestacks/edgestack_update.go

@@ -35,6 +35,7 @@ func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
 // @summary Update an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -19,6 +19,7 @@ type templateFileFormat struct {
 // @summary Fetches the list of Edge Templates
 // @description **Access policy**: administrator
 // @tags edge_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_create.go

@@ -36,6 +36,7 @@ func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
 // @description Create a new environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -16,6 +16,7 @@ import (
 // @description Remove an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @success 204 "Success"

api/http/handler/endpointgroups/endpointgroup_endpoint_add.go

@@ -15,6 +15,7 @@ import (
 // @description Add an environment(endpoint) to an environment(endpoint) group
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @param endpointId path int true "Environment(Endpoint) identifier"

api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go

@@ -14,6 +14,7 @@ import (
 // @summary Removes environment(endpoint) from an environment(endpoint) group
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @param endpointId path int true "Environment(Endpoint) identifier"

api/http/handler/endpointgroups/endpointgroup_inspect.go

@@ -14,6 +14,7 @@ import (
 // @description Retrieve details abont an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_list.go

@@ -15,6 +15,7 @@ import (
 // @description only return authorized environment(endpoint) groups.
 // @description **Access policy**: restricted
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EndpointGroup "Environment(Endpoint) group"

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -32,6 +32,7 @@ func (payload *endpointGroupUpdatePayload) Validate(r *http.Request) error {
 // @description Update an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointproxy/proxy_docker.go

@@ -52,9 +52,9 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.
 
 	id := strconv.Itoa(endpointID)
 
-	prefix := "/" + id + "/agent/docker";
+	prefix := "/" + id + "/agent/docker"
 	if !strings.HasPrefix(r.URL.Path, prefix) {
-		prefix = "/" + id + "/docker";
+		prefix = "/" + id + "/docker"
 	}
 
 	http.StripPrefix(prefix, proxy).ServeHTTP(w, r)

api/http/handler/endpoints/endpoint_association_delete.go

@@ -19,6 +19,7 @@ import (
 // @summary De-association an edge environment(endpoint)
 // @description De-association an edge environment(endpoint).
 // @description **Access policy**: administrator
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @produce json

api/http/handler/endpoints/endpoint_create.go

@@ -152,6 +152,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 // @description  Create a new environment(endpoint) that will be used to manage an environment(endpoint).
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @accept multipart/form-data
 // @produce json

api/http/handler/endpoints/endpoint_delete.go

@@ -16,6 +16,7 @@ import (
 // @description Remove an environment(endpoint).
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 204 "Success"

api/http/handler/endpoints/endpoint_dockerhub_status.go

@@ -29,6 +29,7 @@ type dockerhubStatusResponse struct {
 // @description get docker pull limits for a docker hub registry in the environment
 // @description **Access policy**:
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "endpoint ID"

api/http/handler/endpoints/endpoint_inspect.go

@@ -15,6 +15,7 @@ import (
 // @description Retrieve details about an environment(endpoint).
 // @description **Access policy**: restricted
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"

api/http/handler/endpoints/endpoint_list.go

@@ -20,6 +20,7 @@ import (
 // @description only return authorized environments(endpoints).
 // @description **Access policy**: restricted
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param start query int false "Start searching from"

api/http/handler/endpoints/endpoint_registries_inspect.go

@@ -16,6 +16,7 @@ import (
 // @summary get registry for environment
 // @description **Access policy**: authenticated
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "identifier"

api/http/handler/endpoints/endpoint_registries_list.go

@@ -19,6 +19,7 @@ import (
 // @description **Access policy**: authenticated
 // @tags endpoints
 // @param namespace query string false "required if kubernetes environment, will show registries by namespace"
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"

api/http/handler/endpoints/endpoint_registry_access.go

@@ -25,6 +25,7 @@ func (payload *registryAccessPayload) Validate(r *http.Request) error {
 // @summary update registry access for environment
 // @description **Access policy**: authenticated
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpoints/endpoint_settings_update.go

@@ -39,6 +39,7 @@ func (payload *endpointSettingsUpdatePayload) Validate(r *http.Request) error {
 // @summary Update settings for an environment(endpoint)
 // @description Update settings for an environment(endpoint).
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @accept json

api/http/handler/endpoints/endpoint_snapshot.go

@@ -16,6 +16,7 @@ import (
 // @description Snapshots an environment(endpoint)
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 204 "Success"

api/http/handler/endpoints/endpoint_snapshots.go

@@ -15,6 +15,7 @@ import (
 // @description Snapshot all environments(endpoints)
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @success 204 "Success"
 // @failure 500 "Server Error"

api/http/handler/endpoints/endpoint_status_inspect.go

@@ -54,6 +54,7 @@ type endpointStatusInspectResponse struct {
 // @description Environment(Endpoint) for edge agent to check status of environment(endpoint)
 // @description **Access policy**: restricted only to Edge environments(endpoints)
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 200 {object} endpointStatusInspectResponse "Success"

api/http/handler/endpoints/endpoint_update.go

@@ -57,6 +57,7 @@ func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
 // @summary Update an environment(endpoint)
 // @description Update an environment(endpoint).
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @accept json

api/http/handler/handler.go

@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/http/handler/endpoints"
 	"github.com/portainer/portainer/api/http/handler/file"
 	"github.com/portainer/portainer/api/http/handler/helm"
+	"github.com/portainer/portainer/api/http/handler/hostmanagement/openamt"
 	"github.com/portainer/portainer/api/http/handler/kubernetes"
 	"github.com/portainer/portainer/api/http/handler/ldap"
 	"github.com/portainer/portainer/api/http/handler/motd"
@@ -62,6 +63,7 @@ type Handler struct {
 	RoleHandler            *roles.Handler
 	SettingsHandler        *settings.Handler
 	SSLHandler             *ssl.Handler
+	OpenAMTHandler         *openamt.Handler
 	StackHandler           *stacks.Handler
 	StatusHandler          *status.Handler
 	StorybookHandler       *storybook.Handler
@@ -89,6 +91,10 @@ type Handler struct {
 // @BasePath /api
 // @schemes http https
 
+// @securitydefinitions.apikey ApiKeyAuth
+// @in header
+// @name Authorization
+
 // @securitydefinitions.apikey jwt
 // @in header
 // @name Authorization
@@ -221,6 +227,10 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.UserHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/ssl"):
 		http.StripPrefix("/api", h.SSLHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/open_amt"):
+		if h.OpenAMTHandler != nil {
+			http.StripPrefix("/api", h.OpenAMTHandler).ServeHTTP(w, r)
+		}
 	case strings.HasPrefix(r.URL.Path, "/api/teams"):
 		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/team_memberships"):

api/http/handler/helm/handler.go

@@ -26,17 +26,19 @@ type Handler struct {
 	*mux.Router
 	requestBouncer     requestBouncer
 	dataStore          portainer.DataStore
+	jwtService         portainer.JWTService
 	kubeConfigService  kubernetes.KubeConfigService
 	kubernetesDeployer portainer.KubernetesDeployer
 	helmPackageManager libhelm.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer requestBouncer, dataStore portainer.DataStore, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeConfigService kubernetes.KubeConfigService) *Handler {
+func NewHandler(bouncer requestBouncer, dataStore portainer.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeConfigService kubernetes.KubeConfigService) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		requestBouncer:     bouncer,
 		dataStore:          dataStore,
+		jwtService:         jwtService,
 		kubernetesDeployer: kubernetesDeployer,
 		helmPackageManager: helmPackageManager,
 		kubeConfigService:  kubeConfigService,
@@ -91,7 +93,12 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 		return nil, &httperror.HandlerError{http.StatusNotFound, "Unable to find an environment on request context", err}
 	}
 
-	bearerToken, err := security.ExtractBearerToken(r)
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	bearerToken, err := handler.jwtService.GenerateToken(tokenData)
 	if err != nil {
 		return nil, &httperror.HandlerError{http.StatusUnauthorized, "Unauthorized", err}
 	}

api/http/handler/helm/helm_delete.go

@@ -14,6 +14,7 @@ import (
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @param release path string true "The name of the release/application to uninstall"

api/http/handler/helm/helm_delete_test.go

@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 
@@ -30,10 +31,13 @@ func Test_helmDelete(t *testing.T) {
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
 	is.NoError(err, "Error creating a user")
 
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	is.NotNil(h, "Handler should not fail")
 

api/http/handler/helm/helm_install.go

@@ -38,6 +38,7 @@ var errChartNameInvalid = errors.New("invalid chart name. " +
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/helm/helm_install_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 )
@@ -32,10 +33,13 @@ func Test_helmInstall(t *testing.T) {
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
 	is.NoError(err, "error creating a user")
 
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	is.NotNil(h, "Handler should not fail")
 

api/http/handler/helm/helm_list.go

@@ -14,6 +14,7 @@ import (
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/helm/helm_list_test.go

@@ -12,6 +12,8 @@ import (
 	"github.com/portainer/libhelm/release"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 
@@ -20,28 +22,33 @@ import (
 )
 
 func Test_helmList(t *testing.T) {
+	is := assert.New(t)
+
 	store, teardown := bolt.MustNewTestStore(true)
 	defer teardown()
 
 	err := store.Endpoint().CreateEndpoint(&portainer.Endpoint{ID: 1})
-	assert.NoError(t, err, "error creating environment")
+	is.NoError(err, "error creating environment")
 
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
-	assert.NoError(t, err, "error creating a user")
+	is.NoError(err, "error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initialising jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
 	h.helmPackageManager.Install(options)
 
 	t.Run("helmList", func(t *testing.T) {
-		is := assert.New(t)
-
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
 		req.Header.Add("Authorization", "Bearer dummytoken")
 
 		rr := httptest.NewRecorder()

api/http/handler/helm/helm_repo_search.go

@@ -16,6 +16,7 @@ import (
 // @description **Access policy**: authenticated
 // @tags helm
 // @param repo query string true "Helm repository URL"
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} string "Success"

api/http/handler/helm/helm_show.go

@@ -20,6 +20,7 @@ import (
 // @param repo query string true "Helm repository URL"
 // @param chart query string true "Chart name"
 // @param command path string true "chart/values/readme"
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce text/plain

api/http/handler/helm/user_helm_repos.go

@@ -33,6 +33,7 @@ func (p *addHelmRepoUrlPayload) Validate(_ *http.Request) error {
 // @description Create a user helm repository.
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -93,6 +94,7 @@ func (handler *Handler) userCreateHelmRepo(w http.ResponseWriter, r *http.Reques
 // @description Inspect a user helm repositories.
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "User identifier"

api/http/handler/hostmanagement/openamt/handler.go

@@ -0,0 +1,33 @@
+package openamt
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	httperror "github.com/portainer/libhttp/error"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/security"
+)
+
+// Handler is the HTTP handler used to handle OpenAMT operations.
+type Handler struct {
+	*mux.Router
+	OpenAMTService portainer.OpenAMTService
+	DataStore      portainer.DataStore
+}
+
+// NewHandler returns a new Handler
+func NewHandler(bouncer *security.RequestBouncer, dataStore portainer.DataStore) (*Handler, error) {
+	if !dataStore.Settings().IsFeatureFlagEnabled(portainer.FeatOpenAMT) {
+		return nil, nil
+	}
+
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+
+	h.Handle("/open_amt", bouncer.AdminAccess(httperror.LoggerHandler(h.openAMTConfigureDefault))).Methods(http.MethodPost)
+
+	return h, nil
+}

api/http/handler/hostmanagement/openamt/openamt.go

@@ -0,0 +1,218 @@
+package openamt
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"software.sslmate.com/src/go-pkcs12"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type openAMTConfigureDefaultPayload struct {
+	EnableOpenAMT            bool
+	MPSServer                string
+	MPSUser                  string
+	MPSPassword              string
+	CertFileText             string
+	CertPassword             string
+	DomainName               string
+	UseWirelessConfig        bool
+	WifiAuthenticationMethod string
+	WifiEncryptionMethod     string
+	WifiSSID                 string
+	WifiPskPass              string
+}
+
+func (payload *openAMTConfigureDefaultPayload) Validate(r *http.Request) error {
+	if payload.EnableOpenAMT {
+		if payload.MPSServer == "" {
+			return errors.New("MPS Server must be provided")
+		}
+		if payload.MPSUser == "" {
+			return errors.New("MPS User must be provided")
+		}
+		if payload.MPSPassword == "" {
+			return errors.New("MPS Password must be provided")
+		}
+		if payload.DomainName == "" {
+			return errors.New("domain name must be provided")
+		}
+		if payload.CertFileText == "" {
+			return errors.New("certificate file must be provided")
+		}
+		if payload.CertPassword == "" {
+			return errors.New("certificate password must be provided")
+		}
+		if payload.UseWirelessConfig {
+			if payload.WifiAuthenticationMethod == "" {
+				return errors.New("wireless authentication method must be provided")
+			}
+			if payload.WifiEncryptionMethod == "" {
+				return errors.New("wireless encryption method must be provided")
+			}
+			if payload.WifiSSID == "" {
+				return errors.New("wireless config SSID must be provided")
+			}
+			if payload.WifiPskPass == "" {
+				return errors.New("wireless config PSK passphrase must be provided")
+			}
+		}
+	}
+
+	return nil
+}
+
+// @id OpenAMTConfigureDefault
+// @summary Enable Portainer's OpenAMT capabilities
+// @description Enable Portainer's OpenAMT capabilities
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @accept json
+// @produce json
+// @param body body openAMTConfigureDefaultPayload true "OpenAMT Settings"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @router /open_amt [post]
+func (handler *Handler) openAMTConfigureDefault(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload openAMTConfigureDefaultPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		logrus.WithError(err).Error("Invalid request payload")
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
+	}
+
+	if payload.EnableOpenAMT {
+		certificateErr := validateCertificate(payload.CertFileText, payload.CertPassword)
+		if certificateErr != nil {
+			return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error validating certificate", Err: certificateErr}
+		}
+
+		err = handler.enableOpenAMT(payload)
+		if err != nil {
+			return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error enabling OpenAMT", Err: err}
+		}
+		return response.Empty(w)
+	}
+
+	err = handler.disableOpenAMT()
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error disabling OpenAMT", Err: err}
+	}
+	return response.Empty(w)
+}
+
+func validateCertificate(certificateRaw string, certificatePassword string) error {
+	certificateData, err := base64.StdEncoding.Strict().DecodeString(certificateRaw)
+	if err != nil {
+		return err
+	}
+
+	_, certificate, _, err := pkcs12.DecodeChain(certificateData, certificatePassword)
+	if err != nil {
+		return err
+	}
+
+	if certificate == nil {
+		return errors.New("certificate could not be decoded")
+	}
+
+	issuer := certificate.Issuer.CommonName
+	if !isValidIssuer(issuer) {
+		return fmt.Errorf("certificate issuer is invalid: %v", issuer)
+	}
+
+	return nil
+}
+
+func isValidIssuer(issuer string) bool {
+	formattedIssuer := strings.ToLower(strings.ReplaceAll(issuer, " ", ""))
+	return strings.Contains(formattedIssuer, "comodo") ||
+		strings.Contains(formattedIssuer, "digicert") ||
+		strings.Contains(formattedIssuer, "entrust") ||
+		strings.Contains(formattedIssuer, "godaddy")
+}
+
+func (handler *Handler) enableOpenAMT(configurationPayload openAMTConfigureDefaultPayload) error {
+	configuration := portainer.OpenAMTConfiguration{
+		Enabled:   true,
+		MPSServer: configurationPayload.MPSServer,
+		Credentials: portainer.MPSCredentials{
+			MPSUser:     configurationPayload.MPSUser,
+			MPSPassword: configurationPayload.MPSPassword,
+		},
+		DomainConfiguration: portainer.DomainConfiguration{
+			CertFileText: configurationPayload.CertFileText,
+			CertPassword: configurationPayload.CertPassword,
+			DomainName:   configurationPayload.DomainName,
+		},
+	}
+
+	if configurationPayload.UseWirelessConfig {
+		configuration.WirelessConfiguration = &portainer.WirelessConfiguration{
+			AuthenticationMethod: configurationPayload.WifiAuthenticationMethod,
+			EncryptionMethod:     configurationPayload.WifiEncryptionMethod,
+			SSID:                 configurationPayload.WifiSSID,
+			PskPass:              configurationPayload.WifiPskPass,
+		}
+	}
+
+	err := handler.OpenAMTService.ConfigureDefault(configuration)
+	if err != nil {
+		logrus.WithError(err).Error("error configuring OpenAMT server")
+		return err
+	}
+
+	err = handler.saveConfiguration(configuration)
+	if err != nil {
+		logrus.WithError(err).Error("error updating OpenAMT configurations")
+		return err
+	}
+
+	logrus.Info("OpenAMT successfully enabled")
+	return nil
+}
+
+func (handler *Handler) saveConfiguration(configuration portainer.OpenAMTConfiguration) error {
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return err
+	}
+
+	configuration.Credentials.MPSToken = ""
+
+	settings.OpenAMTConfiguration = configuration
+	err = handler.DataStore.Settings().UpdateSettings(settings)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (handler *Handler) disableOpenAMT() error {
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return err
+	}
+
+	settings.OpenAMTConfiguration.Enabled = false
+
+	err = handler.DataStore.Settings().UpdateSettings(settings)
+	if err != nil {
+		return err
+	}
+
+	logrus.Info("OpenAMT successfully disabled")
+	return nil
+}

api/http/handler/kubernetes/handler.go

@@ -21,15 +21,17 @@ type Handler struct {
 	kubernetesClientFactory *cli.ClientFactory
 	authorizationService    *authorization.Service
 	JwtService              portainer.JWTService
+	BaseURL                 string
 }
 
 // NewHandler creates a handler to process pre-proxied requests to external APIs.
-func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service, dataStore portainer.DataStore, kubernetesClientFactory *cli.ClientFactory) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service, dataStore portainer.DataStore, kubernetesClientFactory *cli.ClientFactory, baseURL string) *Handler {
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		dataStore:               dataStore,
 		kubernetesClientFactory: kubernetesClientFactory,
 		authorizationService:    authorizationService,
+		BaseURL:                 baseURL,
 	}
 
 	kubeRouter := h.PathPrefix("/kubernetes").Subrouter()

api/http/handler/kubernetes/kubernetes_config.go

@@ -4,8 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-
-	clientV1 "k8s.io/client-go/tools/clientcmd/api/v1"
+	"strings"
 
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
@@ -14,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	kcli "github.com/portainer/portainer/api/kubernetes/cli"
+	clientV1 "k8s.io/client-go/tools/clientcmd/api/v1"
 )
 
 // @id GetKubernetesConfig
@@ -21,6 +21,7 @@ import (
 // @description Generates kubeconfig file enabling client communication with k8s api server
 // @description **Access policy**: authenticated
 // @tags kubernetes
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -122,21 +123,14 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 	authInfosSet := make(map[string]bool)
 
 	for idx, endpoint := range endpoints {
-		cli, err := handler.kubernetesClientFactory.GetKubeClient(&endpoint)
-		if err != nil {
-			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Kubernetes client", err}
-		}
+		instanceID := handler.kubernetesClientFactory.GetInstanceID()
+		serviceAccountName := kcli.UserServiceAccountName(int(tokenData.ID), instanceID)
 
-		serviceAccount, err := cli.GetServiceAccount(tokenData)
-		if err != nil {
-			return nil, &httperror.HandlerError{http.StatusInternalServerError, fmt.Sprintf("unable to find serviceaccount associated with user; username=%s", tokenData.Username), err}
-		}
-
-		configClusters[idx] = buildCluster(r, endpoint)
-		configContexts[idx] = buildContext(serviceAccount.Name, endpoint)
-		if !authInfosSet[serviceAccount.Name] {
-			configAuthInfos = append(configAuthInfos, buildAuthInfo(serviceAccount.Name, bearerToken))
-			authInfosSet[serviceAccount.Name] = true
+		configClusters[idx] = buildCluster(r, handler.BaseURL, endpoint)
+		configContexts[idx] = buildContext(serviceAccountName, endpoint)
+		if !authInfosSet[serviceAccountName] {
+			configAuthInfos = append(configAuthInfos, buildAuthInfo(serviceAccountName, bearerToken))
+			authInfosSet[serviceAccountName] = true
 		}
 	}
 
@@ -150,8 +144,11 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 	}, nil
 }
 
-func buildCluster(r *http.Request, endpoint portainer.Endpoint) clientV1.NamedCluster {
-	proxyURL := fmt.Sprintf("https://%s/api/endpoints/%d/kubernetes", r.Host, endpoint.ID)
+func buildCluster(r *http.Request, baseURL string, endpoint portainer.Endpoint) clientV1.NamedCluster {
+	if baseURL != "/" {
+		baseURL = fmt.Sprintf("/%s/", strings.Trim(baseURL, "/"))
+	}
+	proxyURL := fmt.Sprintf("https://%s%sapi/endpoints/%d/kubernetes", r.Host, baseURL, endpoint.ID)
 	return clientV1.NamedCluster{
 		Name: buildClusterName(endpoint.Name),
 		Cluster: clientV1.Cluster{

api/http/handler/kubernetes/kubernetes_nodes_limits.go

@@ -15,6 +15,7 @@ import (
 // @description Get CPU and memory limits of all nodes within k8s cluster
 // @description **Access policy**: authenticated
 // @tags kubernetes
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/kubernetes/namespaces_toggle_system.go

@@ -22,6 +22,7 @@ func (payload *namespacesToggleSystemPayload) Validate(r *http.Request) error {
 // @summary Toggle the system state for a namespace
 // @description  Toggle the system state for a namespace
 // @description **Access policy**: administrator or environment(endpoint) admin
+// @security ApiKeyAuth
 // @security jwt
 // @tags kubernetes
 // @accept json

api/http/handler/ldap/ldap_check.go

@@ -22,6 +22,7 @@ func (payload *checkPayload) Validate(r *http.Request) error {
 // @description Test LDAP connectivity using LDAP details
 // @description **Access policy**: administrator
 // @tags ldap
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @param body body checkPayload true "details"

api/http/handler/motd/motd.go

@@ -30,6 +30,7 @@ type motdData struct {
 // @summary fetches the message of the day
 // @description **Access policy**: restricted
 // @tags motd
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} motdResponse

api/http/handler/registries/registry_configure.go

@@ -21,7 +21,8 @@ type registryConfigurePayload struct {
 	Username string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password string `example:"registry_password"`
-
+	// ECR region
+	Region  string
 	// Use TLS
 	TLS bool `example:"true"`
 	// Skip the verification of the server TLS certificate
@@ -47,6 +48,9 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 
 		password, _ := request.RetrieveMultiPartFormValue(r, "Password", true)
 		payload.Password = password
+
+		region, _ := request.RetrieveMultiPartFormValue(r, "Region", true)
+		payload.Region = region
 	}
 
 	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
@@ -83,6 +87,7 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 // @description Configures a registry.
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -133,6 +138,10 @@ func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request
 		} else {
 			registry.ManagementConfiguration.Password = payload.Password
 		}
+
+		if payload.Region != "" {
+			registry.ManagementConfiguration.Ecr.Region = payload.Region
+		}
 	}
 
 	if payload.TLS {