fix(frontend): When a docker endpoint is selected, configuring a newly added k8s agent fails EE-821 (#5115)

* fix(frontend): When a docker endpoint is selected, configuring a newly added k8s agent fails EE-821

* fix(frontend): restore endpointID in a finally block EE-821

Co-authored-by: Simon Meng <simon.meng@portainer.io>

.babelrc

@@ -5,7 +5,8 @@
       "@babel/preset-env",
       {
         "modules": false,
-        "useBuiltIns": "entry"
+        "useBuiltIns": "entry",
+        "corejs": "2"
       }
     ]
   ]

.codeclimate.yml

@@ -1,62 +1,44 @@
 version: "2"
 checks:
   argument-count:
-    enabled: true
-    config:
-      threshold: 4
+    enabled: false
   complex-logic:
-    enabled: true
-    config:
-      threshold: 4
+    enabled: false
   file-lines:
-    enabled: true
-    config:
-      threshold: 300
+    enabled: false
   method-complexity:
     enabled: false
   method-count:
-    enabled: true
-    config:
-      threshold: 20
+    enabled: false
   method-lines:
-    enabled: true
-    config:
-      threshold: 50
+    enabled: false
   nested-control-flow:
-    enabled: true
-    config:
-      threshold: 4
+    enabled: false
   return-statements:
     enabled: false
   similar-code:
-    enabled: true
-    config:
-      threshold: #language-specific defaults. overrides affect all languages.
+    enabled: false
   identical-code:
-    enabled: true
-    config:
-      threshold: #language-specific defaults. overrides affect all languages.
+    enabled: false
 plugins:
   gofmt:
     enabled: true
-  golint:
-    enabled: true
-  govet:
-    enabled: true
-  csslint:
-    enabled: true
-  duplication:
-    enabled: true
-    config:
-      languages:
-        javascript:
-          mass_threshold: 80
   eslint:
     enabled: true
     channel: "eslint-5"
     config:
       config: .eslintrc.yml
-  fixme:
-    enabled: true
 exclude_patterns:
+- assets/
+- build/
+- dist/
+- distribution/
+- node_modules
 - test/
+- webpack/
+- gruntfile.js
+- webpack.config.js
+- api/
+- "!app/kubernetes/**"
+- .github/
+- .tmp/

.eslintrc.yml

@@ -6,7 +6,6 @@ env:
 
 globals:
   angular: true
-  __CONFIG_GA_ID: true
 
 extends:
   - 'eslint:recommended'

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,47 +1,55 @@
----
-name: Bug report
-about: Create a bug report
-
----
-
-<!--
-
-Thanks for reporting a bug for Portainer !
-
-You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
-
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/.
-
-Before opening a new issue, make sure that we do not have any duplicates
-already open. You can ensure this by searching the issue list for this
-repository. If there is a duplicate, please close your issue and add a comment
-to the existing issue instead.
-
-Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
--->
-
-**Bug description**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Portainer Logs**
-Provide the logs of your Portainer container or Service.
-You can see how [here](https://portainer.readthedocs.io/en/stable/faq.html#how-do-i-get-the-logs-from-portainer)
-
-**Steps to reproduce the issue:**
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Technical details:**
-* Portainer version:
-* Docker version (managed by Portainer):
-* Platform (windows/linux):
-* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
-* Browser:
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report
+about: Create a bug report
+title: ''
+labels: bug/need-confirmation, kind/bug
+assignees: ''
+
+---
+
+<!--
+
+Thanks for reporting a bug for Portainer !
+
+You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
+-->
+
+**Bug description**
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Portainer Logs**
+Provide the logs of your Portainer container or Service.
+You can see how [here](https://documentation.portainer.io/archive/1.23.2/faq/#how-do-i-get-the-logs-from-portainer)
+
+**Steps to reproduce the issue:**
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Technical details:**
+
+- Portainer version:
+- Docker version (managed by Portainer):
+- Kubernetes version (managed by Portainer):
+- Platform (windows/linux):
+- Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+- Browser:
+- Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+- Have you reviewed our technical documentation and knowledge base? Yes/No
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/Custom.md

@@ -1,17 +1,25 @@
----
-name: Question
-about: Ask us a question about Portainer usage or deployment
-
----
-
-<!--
-
-You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
-
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/
-
-Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
--->
-
-**Question**:
-How can I deploy Portainer on... ?
+---
+name: Question
+about: Ask us a question about Portainer usage or deployment
+title: ''
+labels: ''
+assignees: ''
+
+---
+Before you start, we need a little bit more information from you:
+
+Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+
+Have you reviewed our technical documentation and knowledge base? Yes/No
+
+<!--
+
+You can find more information about Portainer support framework policy here: https://old.portainer.io/2019/04/portainer-support-policy/
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+
+Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
+-->
+
+**Question**:
+How can I deploy Portainer on... ?

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,31 +1,34 @@
----
-name: Feature request
-about: Suggest a feature/enhancement that should be added in Portainer
-
----
-
-<!--
-
-Thanks for opening a feature request for Portainer !
-
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/
-
-Before opening a new issue, make sure that we do not have any duplicates
-already open. You can ensure this by searching the issue list for this
-repository. If there is a duplicate, please close your issue and add a comment
-to the existing issue instead.
-
-Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
--->
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
+---
+name: Feature request
+about: Suggest a feature/enhancement that should be added in Portainer
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+
+Thanks for opening a feature request for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
+-->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/stale.yml

@@ -12,14 +12,14 @@ issues:
   # Issues with these labels will never be considered stale
   exemptLabels:
     - kind/enhancement
-    - kind/feature
     - kind/question
     - kind/style
     - kind/workaround
+    - kind/refactor
     - bug/need-confirmation
     - bug/confirmed
     - status/discuss
-  
+
   # Only issues with all of these labels are checked if stale. Defaults to `[]` (disabled)
   onlyLabels: []
 
@@ -35,9 +35,9 @@ issues:
 
   # Comment to post when marking an issue as stale. Set to `false` to disable
   markComment: >
-    This issue has been marked as stale as it has not had recent activity, 
+    This issue has been marked as stale as it has not had recent activity,
     it will be closed if no further activity occurs in the next 7 days.
-    If you believe that it has been incorrectly labelled as stale, 
+    If you believe that it has been incorrectly labelled as stale,
     leave a comment and the label will be removed.
 
   # Comment to post when removing the stale label.
@@ -48,8 +48,7 @@ issues:
   closeComment: >
     Since no further activity has appeared on this issue it will be closed.
     If you believe that it has been incorrectly closed, leave a comment
-    and mention @itsconquest. One of our staff will then review the issue.
-    
+    mentioning `ametdoohan`, `balasu` or `keverv` and one of our staff will then review the issue.
+
     Note - If it is an old bug report, make sure that it is reproduceable in the
     latest version of Portainer as it may have already been fixed.
-    

.github/workflows/rebase.yml

@@ -0,0 +1,19 @@
+name: Automatic Rebase
+on:
+  issue_comment:
+    types: [created]
+jobs:
+  rebase:
+    name: Rebase
+    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the latest code
+        uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+      - name: Automatic Rebase
+        uses: cirrus-actions/rebase@1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -4,5 +4,10 @@ dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
 .tmp
-.vscode
-.eslintcache
+**/.vscode/settings.json
+**/.vscode/tasks.json
+
+.eslintcache
+__debug_bin
+
+api/docs

.vscode.example/launch.json

@@ -0,0 +1,19 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "program": "${workspaceRoot}/api/cmd/portainer/main.go",
+      "cwd": "${workspaceRoot}",
+      "env": {},
+      "showLog": true,
+      "args": ["--data", "${env:HOME}/portainer-data", "--assets", "${workspaceRoot}/dist"]
+    }
+  ]
+}

.vscode.example/portainer.code-snippets

@@ -0,0 +1,167 @@
+{
+  // Place your portainer workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
+  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
+  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
+  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
+  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
+  // Placeholders with the same ids are connected.
+  // Example:
+  // "Print to console": {
+  // 	"scope": "javascript,typescript",
+  // 	"prefix": "log",
+  // 	"body": [
+  // 		"console.log('$1');",
+  // 		"$2"
+  // 	],
+  // 	"description": "Log output to console"
+  // }
+  "Component": {
+    "scope": "javascript",
+    "prefix": "mycomponent",
+    "description": "Dummy Angularjs Component",
+    "body": [
+      "import angular from 'angular';",
+      "import controller from './${TM_FILENAME_BASE}Controller'",
+      "",
+      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').component('$TM_FILENAME_BASE', {",
+      "  templateUrl: './$TM_FILENAME_BASE.html',",
+      "  controller,",
+      "});",
+      ""
+    ]
+  },
+  "Controller": {
+    "scope": "javascript",
+    "prefix": "mycontroller",
+    "body": [
+      "class ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/} {",
+      "\t/* @ngInject */",
+      "\tconstructor($0) {",
+      "\t}",
+      "}",
+      "",
+      "export default ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/};"
+    ],
+    "description": "Dummy ES6+ controller"
+  },
+  "Service": {
+    "scope": "javascript",
+    "prefix": "myservice",
+    "description": "Dummy ES6+ service",
+    "body": [
+      "import angular from 'angular';",
+      "import PortainerError from 'Portainer/error';",
+      "",
+      "class $1 {",
+      "  /* @ngInject */",
+      "  constructor(\\$async, $0) {",
+      "    this.\\$async = \\$async;",
+      "",
+      "    this.getAsync = this.getAsync.bind(this);",
+      "    this.getAllAsync = this.getAllAsync.bind(this);",
+      "    this.createAsync = this.createAsync.bind(this);",
+      "    this.updateAsync = this.updateAsync.bind(this);",
+      "    this.deleteAsync = this.deleteAsync.bind(this);",
+      "  }",
+      "",
+      "  /**",
+      "   * GET",
+      "   */",
+      "  async getAsync() {",
+      "    try {",
+      "",
+      "    } catch (err) {",
+      "      throw new PortainerError('', err);",
+      "    }",
+      "  }",
+      "",
+      "  async getAllAsync() {",
+      "    try {",
+      "",
+      "    } catch (err) {",
+      "      throw new PortainerError('', err);",
+      "    }",
+      "  }",
+      "",
+      "  get() {",
+      "    if () {",
+      "      return this.\\$async(this.getAsync);",
+      "    }",
+      "    return this.\\$async(this.getAllAsync);",
+      "  }",
+      "",
+      "  /**",
+      "   * CREATE",
+      "   */",
+      "  async createAsync() {",
+      "    try {",
+      "",
+      "    } catch (err) {",
+      "      throw new PortainerError('', err);",
+      "    }",
+      "  }",
+      "",
+      "  create() {",
+      "    return this.\\$async(this.createAsync);",
+      "  }",
+      "",
+      "  /**",
+      "   * UPDATE",
+      "   */",
+      "  async updateAsync() {",
+      "    try {",
+      "",
+      "    } catch (err) {",
+      "      throw new PortainerError('', err);",
+      "    }",
+      "  }",
+      "",
+      "  update() {",
+      "    return this.\\$async(this.updateAsync);",
+      "  }",
+      "",
+      "  /**",
+      "   * DELETE",
+      "   */",
+      "  async deleteAsync() {",
+      "    try {",
+      "",
+      "    } catch (err) {",
+      "      throw new PortainerError('', err);",
+      "    }",
+      "  }",
+      "",
+      "  delete() {",
+      "    return this.\\$async(this.deleteAsync);",
+      "  }",
+      "}",
+      "",
+      "export default $1;",
+      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').service('$1', $1);"
+    ]
+  },
+  "swagger-api-doc": {
+    "prefix": "swapi",
+    "scope": "go",
+    "description": "Snippet for a api doc",
+    "body": [
+      "// @id ",
+      "// @summary ",
+      "// @description ",
+      "// @description **Access policy**: ",
+      "// @tags ",
+      "// @security jwt",
+      "// @accept json",
+      "// @produce json",
+      "// @param id path int true \"identifier\"",
+      "// @param body body Object true \"details\"",
+      "// @success 200 {object} portainer. \"Success\"",
+      "// @success 204 \"Success\"",
+      "// @failure 400 \"Invalid request\"",
+      "// @failure 403 \"Permission denied\"",
+      "// @failure 404 \" not found\"",
+      "// @failure 500 \"Server error\"",
+      "// @router /{id} [get]"
+    ]
+  }
+}

ATTRIBUTIONS.md

@@ -0,0 +1,32 @@
+# Open Source License Attribution
+
+This application uses Open Source components. You can find the source
+code of their open source projects along with license information below.
+We acknowledge and are grateful to these developers for their contributions
+to open source.
+
+### [angular-json-tree](https://github.com/awendland/angular-json-tree)
+
+by [Alex Wendland](https://github.com/awendland) is licensed under [CC BY 4.0 License](https://creativecommons.org/licenses/by/4.0/)
+
+### [caniuse-db](https://github.com/Fyrd/caniuse)
+
+by [caniuse.com](caniuse.com) is licensed under [CC BY 4.0 License](https://creativecommons.org/licenses/by/4.0/)
+
+### [caniuse-lite](https://github.com/ben-eb/caniuse-lite)
+
+by [caniuse.com](caniuse.com) is licensed under [CC BY 4.0 License](https://creativecommons.org/licenses/by/4.0/)
+
+### [spdx-exceptions](https://github.com/jslicense/spdx-exceptions.json)
+
+by Kyle Mitchell using [SPDX](https://spdx.dev/) from Linux Foundation licensed under [CC BY 3.0 License](https://creativecommons.org/licenses/by/3.0/)
+
+### [fontawesome-free](https://github.com/FortAwesome/Font-Awesome) Icons
+
+by [Fort Awesome](https://fortawesome.com/) is licensed under [CC BY 4.0 License](https://creativecommons.org/licenses/by/4.0/)
+
+Portainer also contains the following code, which is licensed under the [MIT license](https://opensource.org/licenses/MIT):
+
+UI For Docker: Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com), Anthony Lapenna (portainer.io)
+
+rdash-angular: Copyright (c) [2014][elliot hesp]

CONTRIBUTING.md

@@ -6,10 +6,10 @@ Some basic conventions for contributing to this project.
 
 Please make sure that there aren't existing pull requests attempting to address the issue mentioned. Likewise, please check for issues related to update, as someone else may be working on the issue in a branch or fork.
 
-* Please open a discussion in a new issue / existing issue to talk about the changes you'd like to bring
-* Develop in a topic branch, not master/develop
+- Please open a discussion in a new issue / existing issue to talk about the changes you'd like to bring
+- Develop in a topic branch, not master/develop
 
-When creating a new branch, prefix it with the *type* of the change (see section **Commit Message Format** below), the associated opened issue number, a dash and some text describing the issue (using dash as a separator).
+When creating a new branch, prefix it with the _type_ of the change (see section **Commit Message Format** below), the associated opened issue number, a dash and some text describing the issue (using dash as a separator).
 
 For example, if you work on a bugfix for the issue #361, you could name the branch `fix361-template-selection`.
 
@@ -37,14 +37,14 @@ Lines should not exceed 100 characters. This allows the message to be easier to
 
 Must be one of the following:
 
-* **feat**: A new feature
-* **fix**: A bug fix
-* **docs**: Documentation only changes
-* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing
+- **feat**: A new feature
+- **fix**: A bug fix
+- **docs**: Documentation only changes
+- **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing
   semi-colons, etc)
-* **refactor**: A code change that neither fixes a bug or adds a feature
-* **test**: Adding missing tests
-* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation
+- **refactor**: A code change that neither fixes a bug or adds a feature
+- **test**: Adding missing tests
+- **chore**: Changes to the build process or auxiliary tools and libraries such as documentation
   generation
 
 ### Scope
@@ -57,9 +57,9 @@ You can use the **area** label tag associated on the issue here (for `area/conta
 
 The subject contains succinct description of the change:
 
-* use the imperative, present tense: "change" not "changed" nor "changes"
-* don't capitalize first letter
-* no dot (.) at the end
+- use the imperative, present tense: "change" not "changed" nor "changes"
+- don't capitalize first letter
+- no dot (.) at the end
 
 ## Contribution process
 
@@ -74,3 +74,62 @@ Our contribution process is described below. Some of the steps can be visualized
 The feature request process is similar to the bug report process but has an extra functional validation before the technical validation as well as a documentation validation before the testing phase.
 
 ![portainer_featurerequest_workflow](https://user-images.githubusercontent.com/5485061/45727229-5ad39f00-bbf5-11e8-9550-16ba66c50615.png)
+
+## Build Portainer locally
+
+Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.
+
+Install dependencies with yarn:
+
+```sh
+$ yarn
+```
+
+Then build and run the project:
+
+```sh
+$ yarn start
+```
+
+Portainer can now be accessed at <http://localhost:9000>.
+
+Find more detailed steps at <https://documentation.portainer.io/contributing/instructions/>.
+
+## Adding api docs
+
+When adding a new resource (or a route handler), we should add a new tag to api/http/handler/handler.go#L136 like this:
+
+```
+// @tag.name <Name of resource>
+// @tag.description a short description
+```
+
+When adding a new route to an existing handler use the following as a template (you can use `swapi` snippet if you're using vscode):
+
+```
+// @id
+// @summary
+// @description
+// @description **Access policy**:
+// @tags
+// @security jwt
+// @accept json
+// @produce json
+// @param id path int true "identifier"
+// @param body body Object true "details"
+// @success 200 {object} portainer. "Success"
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 " not found"
+// @failure 500 "Server error"
+// @router /{id} [get]
+```
+
+explanation about each line can be found (here)[https://github.com/swaggo/swag#api-operation]
+
+## Licensing
+
+See the [LICENSE](https://github.com/portainer/portainer/blob/develop/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+
+We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/assets/images/logo_alt.png?raw=true' />
+  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/app/assets/images/logo_alt.png?raw=true' />
 </p>
 
 [![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
@@ -10,7 +10,7 @@
 
 **_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
 **_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container, supports other platforms too).
-**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.
+**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more!) It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.
 
 ## Demo
 
@@ -24,32 +24,39 @@ Alternatively, you can deploy a copy of the demo stack inside a [play-with-docke
 - Sign in with your [Docker ID](https://docs.docker.com/docker-id)
 - Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.
 
-Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are same, including default credentials.
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are the same, including default credentials.
 
 ## Getting started
 
-- [Deploy Portainer](https://www.portainer.io/installation/)
-- [Documentation](https://www.portainer.io/documentation/)
+- [Deploy Portainer](https://documentation.portainer.io/quickstart/)
+- [Documentation](https://documentation.portainer.io)
+- [Building Portainer](https://documentation.portainer.io/contributing/instructions/)
 
 ## Getting help
 
-For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products-services/portainer-business-support/
+For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products/portainer-business
 
-For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/products/community-edition/customer-success
 
 - Issues: https://github.com/portainer/portainer/issues
-- FAQ: https://www.portainer.io/documentation/faqs/
+- FAQ: https://documentation.portainer.io
 - Slack (chat): https://portainer.io/slack/
 
 ## Reporting bugs and contributing
 
 - Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
-- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://www.portainer.io/documentation/how-to-contribute/) to build it locally and make a pull request. We need all the help we can get!
+- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://documentation.portainer.io/contributing/instructions/) to build it locally and make a pull request. We need all the help we can get!
 
 ## Security
 
 - Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
 
+## Privacy
+
+**To make sure we focus our development effort in the right places we need to know which features get used most often. To give us this information we use [Matomo Analytics](https://matomo.org/), which is hosted in Germany and is fully GDPR compliant.**
+
+When Portainer first starts, you are given the option to DISABLE analytics. If you **don't** choose to disable it, we collect anonymous usage as per [our privacy policy](https://www.portainer.io/documentation/in-app-analytics-and-privacy-policy/). **Please note**, there is no personally identifiable information sent or stored at any time and we only use the data to help us improve Portainer.
+
 ## Limitations
 
 Portainer supports "Current - 2 docker versions only. Prior versions may operate, however these are not supported.
@@ -58,8 +65,4 @@ Portainer supports "Current - 2 docker versions only. Prior versions may operate
 
 Portainer is licensed under the zlib license. See [LICENSE](./LICENSE) for reference.
 
-Portainer also contains the following code, which is licensed under the [MIT license](https://opensource.org/licenses/MIT):
-
-UI For Docker: Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com), Anthony Lapenna (portainer.io)
-
-rdash-angular: Copyright (c) [2014][elliot hesp]
+Portainer also contains code from open source projects. See [ATTRIBUTIONS.md](./ATTRIBUTIONS.md) for a list.

api/access_control.go

@@ -1,154 +0,0 @@
-package portainer
-
-// NewPrivateResourceControl will create a new private resource control associated to the resource specified by the
-// identifier and type parameters. It automatically assigns it to the user specified by the userID parameter.
-func NewPrivateResourceControl(resourceIdentifier string, resourceType ResourceControlType, userID UserID) *ResourceControl {
-	return &ResourceControl{
-		Type:           resourceType,
-		ResourceID:     resourceIdentifier,
-		SubResourceIDs: []string{},
-		UserAccesses: []UserResourceAccess{
-			{
-				UserID:      userID,
-				AccessLevel: ReadWriteAccessLevel,
-			},
-		},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             false,
-		System:             false,
-	}
-}
-
-// NewSystemResourceControl will create a new public resource control with the System flag set to true.
-// These kind of resource control are not persisted and are created on the fly by the Portainer API.
-func NewSystemResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       []UserResourceAccess{},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             true,
-		System:             true,
-	}
-}
-
-// NewPublicResourceControl will create a new public resource control.
-func NewPublicResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       []UserResourceAccess{},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             true,
-		System:             false,
-	}
-}
-
-// NewRestrictedResourceControl will create a new resource control with user and team accesses restrictions.
-func NewRestrictedResourceControl(resourceIdentifier string, resourceType ResourceControlType, userIDs []UserID, teamIDs []TeamID) *ResourceControl {
-	userAccesses := make([]UserResourceAccess, 0)
-	teamAccesses := make([]TeamResourceAccess, 0)
-
-	for _, id := range userIDs {
-		access := UserResourceAccess{
-			UserID:      id,
-			AccessLevel: ReadWriteAccessLevel,
-		}
-
-		userAccesses = append(userAccesses, access)
-	}
-
-	for _, id := range teamIDs {
-		access := TeamResourceAccess{
-			TeamID:      id,
-			AccessLevel: ReadWriteAccessLevel,
-		}
-
-		teamAccesses = append(teamAccesses, access)
-	}
-
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       userAccesses,
-		TeamAccesses:       teamAccesses,
-		AdministratorsOnly: false,
-		Public:             false,
-		System:             false,
-	}
-}
-
-// DecorateStacks will iterate through a list of stacks, check for an associated resource control for each
-// stack and decorate the stack element if a resource control is found.
-func DecorateStacks(stacks []Stack, resourceControls []ResourceControl) []Stack {
-	for idx, stack := range stacks {
-
-		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, StackResourceControl, resourceControls)
-		if resourceControl != nil {
-			stacks[idx].ResourceControl = resourceControl
-		}
-	}
-
-	return stacks
-}
-
-// FilterAuthorizedStacks returns a list of decorated stacks filtered through resource control access checks.
-func FilterAuthorizedStacks(stacks []Stack, user *User, userTeamIDs []TeamID, rbacEnabled bool) []Stack {
-	authorizedStacks := make([]Stack, 0)
-
-	for _, stack := range stacks {
-		_, ok := user.EndpointAuthorizations[stack.EndpointID][EndpointResourcesAccess]
-		if rbacEnabled && ok {
-			authorizedStacks = append(authorizedStacks, stack)
-			continue
-		}
-
-		if stack.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, stack.ResourceControl) {
-			authorizedStacks = append(authorizedStacks, stack)
-		}
-	}
-
-	return authorizedStacks
-}
-
-// UserCanAccessResource will valide that a user has permissions defined in the specified resource control
-// based on its identifier and the team(s) he is part of.
-func UserCanAccessResource(userID UserID, userTeamIDs []TeamID, resourceControl *ResourceControl) bool {
-	for _, authorizedUserAccess := range resourceControl.UserAccesses {
-		if userID == authorizedUserAccess.UserID {
-			return true
-		}
-	}
-
-	for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
-		for _, userTeamID := range userTeamIDs {
-			if userTeamID == authorizedTeamAccess.TeamID {
-				return true
-			}
-		}
-	}
-
-	return resourceControl.Public
-}
-
-// GetResourceControlByResourceIDAndType retrieves the first matching resource control in a set of resource controls
-// based on the specified id and resource type parameters.
-func GetResourceControlByResourceIDAndType(resourceID string, resourceType ResourceControlType, resourceControls []ResourceControl) *ResourceControl {
-	for _, resourceControl := range resourceControls {
-		if resourceID == resourceControl.ResourceID && resourceType == resourceControl.Type {
-			return &resourceControl
-		}
-		for _, subResourceID := range resourceControl.SubResourceIDs {
-			if resourceID == subResourceID {
-				return &resourceControl
-			}
-		}
-	}
-	return nil
-}

api/adminmonitor/admin_monitor.go

@@ -0,0 +1,69 @@
+package adminmonitor
+
+import (
+	"context"
+	"log"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+var logFatalf = log.Fatalf
+
+type Monitor struct {
+	timeout          time.Duration
+	datastore        portainer.DataStore
+	shutdownCtx      context.Context
+	cancellationFunc context.CancelFunc
+}
+
+// New creates a monitor that when started will wait for the timeout duration and then shutdown the application unless it has been initialized.
+func New(timeout time.Duration, datastore portainer.DataStore, shutdownCtx context.Context) *Monitor {
+	return &Monitor{
+		timeout:     timeout,
+		datastore:   datastore,
+		shutdownCtx: shutdownCtx,
+	}
+}
+
+// Starts starts the monitor. Active monitor could be stopped or shuttted down by cancelling the shutdown context.
+func (m *Monitor) Start() {
+	cancellationCtx, cancellationFunc := context.WithCancel(context.Background())
+	m.cancellationFunc = cancellationFunc
+
+	go func() {
+		log.Println("[DEBUG] [internal,init] [message: start initialization monitor ]")
+		select {
+		case <-time.After(m.timeout):
+			initialized, err := m.WasInitialized()
+			if err != nil {
+				logFatalf("%s", err)
+			}
+			if !initialized {
+				logFatalf("[FATAL] [internal,init] No administrator account was created in %f mins. Shutting down the Portainer instance for security reasons", m.timeout.Minutes())
+			}
+		case <-cancellationCtx.Done():
+			log.Println("[DEBUG] [internal,init] [message: canceling initialization monitor]")
+		case <-m.shutdownCtx.Done():
+			log.Println("[DEBUG] [internal,init] [message: shutting down initialization monitor]")
+		}
+	}()
+}
+
+// Stop stops monitor. Safe to call even if monitor wasn't started.
+func (m *Monitor) Stop() {
+	if m.cancellationFunc == nil {
+		return
+	}
+	m.cancellationFunc()
+	m.cancellationFunc = nil
+}
+
+// WasInitialized is a system initialization check
+func (m *Monitor) WasInitialized() (bool, error) {
+	users, err := m.datastore.User().UsersByRole(portainer.AdministratorRole)
+	if err != nil {
+		return false, err
+	}
+	return len(users) > 0, nil
+}

api/adminmonitor/admin_monitor_test.go

@@ -0,0 +1,50 @@
+package adminmonitor
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	i "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_stopWithoutStarting(t *testing.T) {
+	monitor := New(1*time.Minute, nil, nil)
+	monitor.Stop()
+}
+
+func Test_stopCouldBeCalledMultipleTimes(t *testing.T) {
+	monitor := New(1*time.Minute, nil, nil)
+	monitor.Stop()
+	monitor.Stop()
+}
+
+func Test_canStopStartedMonitor(t *testing.T) {
+	monitor := New(1*time.Minute, nil, context.Background())
+	monitor.Start()
+	assert.NotNil(t, monitor.cancellationFunc, "cancellation function is missing in started monitor")
+
+	monitor.Stop()
+	assert.Nil(t, monitor.cancellationFunc, "cancellation function should absent in stopped monitor")
+}
+
+func Test_start_shouldFatalAfterTimeout_ifNotInitialized(t *testing.T) {
+	timeout := 10 * time.Millisecond
+
+	datastore := i.NewDatastore(i.WithUsers([]portainer.User{}))
+
+	var fataled bool
+	origLogFatalf := logFatalf
+	logFatalf = func(s string, v ...interface{}) { fataled = true }
+	defer func() {
+		logFatalf = origLogFatalf
+	}()
+
+	monitor := New(timeout, datastore, context.Background())
+	monitor.Start()
+	<-time.After(2 * timeout)
+
+	assert.True(t, fataled, "monitor should been timeout and fatal")
+}

api/api-description.md

@@ -0,0 +1,53 @@
+Portainer API is an HTTP API served by Portainer. It is used by the Portainer UI and everything you can do with the UI can be done using the HTTP API.
+Examples are available at https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8
+You can find out more about Portainer at [http://portainer.io](http://portainer.io) and get some support on [Slack](http://portainer.io/slack/).
+
+# Authentication
+
+Most of the API endpoints require to be authenticated as well as some level of authorization to be used.
+Portainer API uses JSON Web Token to manage authentication and thus requires you to provide a token in the **Authorization** header of each request
+with the **Bearer** authentication mechanism.
+
+Example:
+
+```
+Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE
+```
+
+# Security
+
+Each API endpoint has an associated access policy, it is documented in the description of each endpoint.
+
+Different access policies are available:
+
+- Public access
+- Authenticated access
+- Restricted access
+- Administrator access
+
+### Public access
+
+No authentication is required to access the endpoints with this access policy.
+
+### Authenticated access
+
+Authentication is required to access the endpoints with this access policy.
+
+### Restricted access
+
+Authentication is required to access the endpoints with this access policy.
+Extra-checks might be added to ensure access to the resource is granted. Returned data might also be filtered.
+
+### Administrator access
+
+Authentication as well as an administrator role are required to access the endpoints with this access policy.
+
+# Execute Docker requests
+
+Portainer **DO NOT** expose specific endpoints to manage your Docker resources (create a container, remove a volume, etc...).
+
+Instead, it acts as a reverse-proxy to the Docker HTTP API. This means that you can execute Docker requests **via** the Portainer HTTP API.
+
+To do so, you can use the `/endpoints/{id}/docker` Portainer API endpoint (which is not documented below due to Swagger limitations). This endpoint has a restricted access policy so you still need to be authenticated to be able to query this endpoint. Any query on this endpoint will be proxied to the Docker API of the associated endpoint (requests and responses objects are the same as documented in the Docker API).
+
+**NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://gist.github.com/deviantony/77026d402366b4b43fa5918d41bc42f8).

api/archive/targz.go

@@ -0,0 +1,119 @@
+package archive
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// TarGzDir creates a tar.gz archive and returns it's path.
+// abosolutePath should be an absolute path to a directory.
+// Archive name will be <directoryName>.tar.gz and will be placed next to the directory.
+func TarGzDir(absolutePath string) (string, error) {
+	targzPath := filepath.Join(absolutePath, fmt.Sprintf("%s.tar.gz", filepath.Base(absolutePath)))
+	outFile, err := os.Create(targzPath)
+	if err != nil {
+		return "", err
+	}
+	defer outFile.Close()
+
+	zipWriter := gzip.NewWriter(outFile)
+	defer zipWriter.Close()
+	tarWriter := tar.NewWriter(zipWriter)
+	defer tarWriter.Close()
+
+	err = filepath.Walk(absolutePath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if path == targzPath {
+			return nil // skip archive file
+		}
+
+		pathInArchive := filepath.Clean(strings.TrimPrefix(path, absolutePath))
+		if pathInArchive == "" {
+			return nil // skip root dir
+		}
+
+		return addToArchive(tarWriter, pathInArchive, path, info)
+	})
+
+	return targzPath, err
+}
+
+func addToArchive(tarWriter *tar.Writer, pathInArchive string, path string, info os.FileInfo) error {
+	header, err := tar.FileInfoHeader(info, info.Name())
+	if err != nil {
+		return err
+	}
+
+	header.Name = pathInArchive // use relative paths in archive
+
+	err = tarWriter.WriteHeader(header)
+	if err != nil {
+		return err
+	}
+
+	if info.IsDir() {
+		return nil
+	}
+
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	_, err = io.Copy(tarWriter, file)
+	return err
+}
+
+// ExtractTarGz reads a .tar.gz archive from the reader and extracts it into outputDirPath directory
+func ExtractTarGz(r io.Reader, outputDirPath string) error {
+	zipReader, err := gzip.NewReader(r)
+	if err != nil {
+		return err
+	}
+	defer zipReader.Close()
+
+	tarReader := tar.NewReader(zipReader)
+
+	for {
+		header, err := tarReader.Next()
+
+		if err == io.EOF {
+			break
+		}
+
+		if err != nil {
+			return err
+		}
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			// skip, dir will be created with a file
+		case tar.TypeReg:
+			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
+			if err := os.MkdirAll(filepath.Dir(p), 0744); err != nil {
+				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
+			}
+			outFile, err := os.Create(p)
+			if err != nil {
+				return fmt.Errorf("Failed to create file %s", header.Name)
+			}
+			if _, err := io.Copy(outFile, tarReader); err != nil {
+				return fmt.Errorf("Failed to extract file %s", header.Name)
+			}
+			outFile.Close()
+		default:
+			return fmt.Errorf("Tar: uknown type: %v in %s",
+				header.Typeflag,
+				header.Name)
+		}
+	}
+
+	return nil
+}

api/archive/targz_test.go

@@ -0,0 +1,99 @@
+package archive
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func listFiles(dir string) []string {
+	items := make([]string, 0)
+	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+		if path == dir {
+			return nil
+		}
+		items = append(items, path)
+		return nil
+	})
+
+	return items
+}
+
+func Test_shouldCreateArhive(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	ioutil.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	ioutil.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	gzPath, err := TarGzDir(tmpdir)
+	assert.Nil(t, err)
+	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+
+	extractionDir, _ := ioutils.TempDir("", "extract")
+	defer os.RemoveAll(extractionDir)
+
+	cmd := exec.Command("tar", "-xzf", gzPath, "-C", extractionDir)
+	err = cmd.Run()
+	if err != nil {
+		t.Fatal("Failed to extract archive: ", err)
+	}
+	extractedFiles := listFiles(extractionDir)
+
+	wasExtracted := func(p string) {
+		fullpath := path.Join(extractionDir, p)
+		assert.Contains(t, extractedFiles, fullpath)
+		copyContent, _ := ioutil.ReadFile(fullpath)
+		assert.Equal(t, content, copyContent)
+	}
+
+	wasExtracted("outer")
+	wasExtracted("dir/inner")
+	wasExtracted("dir/.dotfile")
+}
+
+func Test_shouldCreateArhiveXXXXX(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	ioutil.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	ioutil.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	gzPath, err := TarGzDir(tmpdir)
+	assert.Nil(t, err)
+	assert.Equal(t, filepath.Join(tmpdir, fmt.Sprintf("%s.tar.gz", filepath.Base(tmpdir))), gzPath)
+
+	extractionDir, _ := ioutils.TempDir("", "extract")
+	defer os.RemoveAll(extractionDir)
+
+	r, _ := os.Open(gzPath)
+	ExtractTarGz(r, extractionDir)
+	if err != nil {
+		t.Fatal("Failed to extract archive: ", err)
+	}
+	extractedFiles := listFiles(extractionDir)
+
+	wasExtracted := func(p string) {
+		fullpath := path.Join(extractionDir, p)
+		assert.Contains(t, extractedFiles, fullpath)
+		copyContent, _ := ioutil.ReadFile(fullpath)
+		assert.Equal(t, content, copyContent)
+	}
+
+	wasExtracted("outer")
+	wasExtracted("dir/inner")
+	wasExtracted("dir/.dotfile")
+}

api/authorizations.go

@@ -1,774 +0,0 @@
-package portainer
-
-// AuthorizationService represents a service used to
-// update authorizations associated to a user or team.
-type AuthorizationService struct {
-	dataStore DataStore
-}
-
-// NewAuthorizationService returns a point to a new AuthorizationService instance.
-func NewAuthorizationService(dataStore DataStore) *AuthorizationService {
-	return &AuthorizationService{
-		dataStore: dataStore,
-	}
-}
-
-// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
-// associated to the endpoint administrator role.
-func DefaultEndpointAuthorizationsForEndpointAdministratorRole() Authorizations {
-	return map[Authorization]bool{
-		OperationDockerContainerArchiveInfo:         true,
-		OperationDockerContainerList:                true,
-		OperationDockerContainerExport:              true,
-		OperationDockerContainerChanges:             true,
-		OperationDockerContainerInspect:             true,
-		OperationDockerContainerTop:                 true,
-		OperationDockerContainerLogs:                true,
-		OperationDockerContainerStats:               true,
-		OperationDockerContainerAttachWebsocket:     true,
-		OperationDockerContainerArchive:             true,
-		OperationDockerContainerCreate:              true,
-		OperationDockerContainerPrune:               true,
-		OperationDockerContainerKill:                true,
-		OperationDockerContainerPause:               true,
-		OperationDockerContainerUnpause:             true,
-		OperationDockerContainerRestart:             true,
-		OperationDockerContainerStart:               true,
-		OperationDockerContainerStop:                true,
-		OperationDockerContainerWait:                true,
-		OperationDockerContainerResize:              true,
-		OperationDockerContainerAttach:              true,
-		OperationDockerContainerExec:                true,
-		OperationDockerContainerRename:              true,
-		OperationDockerContainerUpdate:              true,
-		OperationDockerContainerPutContainerArchive: true,
-		OperationDockerContainerDelete:              true,
-		OperationDockerImageList:                    true,
-		OperationDockerImageSearch:                  true,
-		OperationDockerImageGetAll:                  true,
-		OperationDockerImageGet:                     true,
-		OperationDockerImageHistory:                 true,
-		OperationDockerImageInspect:                 true,
-		OperationDockerImageLoad:                    true,
-		OperationDockerImageCreate:                  true,
-		OperationDockerImagePrune:                   true,
-		OperationDockerImagePush:                    true,
-		OperationDockerImageTag:                     true,
-		OperationDockerImageDelete:                  true,
-		OperationDockerImageCommit:                  true,
-		OperationDockerImageBuild:                   true,
-		OperationDockerNetworkList:                  true,
-		OperationDockerNetworkInspect:               true,
-		OperationDockerNetworkCreate:                true,
-		OperationDockerNetworkConnect:               true,
-		OperationDockerNetworkDisconnect:            true,
-		OperationDockerNetworkPrune:                 true,
-		OperationDockerNetworkDelete:                true,
-		OperationDockerVolumeList:                   true,
-		OperationDockerVolumeInspect:                true,
-		OperationDockerVolumeCreate:                 true,
-		OperationDockerVolumePrune:                  true,
-		OperationDockerVolumeDelete:                 true,
-		OperationDockerExecInspect:                  true,
-		OperationDockerExecStart:                    true,
-		OperationDockerExecResize:                   true,
-		OperationDockerSwarmInspect:                 true,
-		OperationDockerSwarmUnlockKey:               true,
-		OperationDockerSwarmInit:                    true,
-		OperationDockerSwarmJoin:                    true,
-		OperationDockerSwarmLeave:                   true,
-		OperationDockerSwarmUpdate:                  true,
-		OperationDockerSwarmUnlock:                  true,
-		OperationDockerNodeList:                     true,
-		OperationDockerNodeInspect:                  true,
-		OperationDockerNodeUpdate:                   true,
-		OperationDockerNodeDelete:                   true,
-		OperationDockerServiceList:                  true,
-		OperationDockerServiceInspect:               true,
-		OperationDockerServiceLogs:                  true,
-		OperationDockerServiceCreate:                true,
-		OperationDockerServiceUpdate:                true,
-		OperationDockerServiceDelete:                true,
-		OperationDockerSecretList:                   true,
-		OperationDockerSecretInspect:                true,
-		OperationDockerSecretCreate:                 true,
-		OperationDockerSecretUpdate:                 true,
-		OperationDockerSecretDelete:                 true,
-		OperationDockerConfigList:                   true,
-		OperationDockerConfigInspect:                true,
-		OperationDockerConfigCreate:                 true,
-		OperationDockerConfigUpdate:                 true,
-		OperationDockerConfigDelete:                 true,
-		OperationDockerTaskList:                     true,
-		OperationDockerTaskInspect:                  true,
-		OperationDockerTaskLogs:                     true,
-		OperationDockerPluginList:                   true,
-		OperationDockerPluginPrivileges:             true,
-		OperationDockerPluginInspect:                true,
-		OperationDockerPluginPull:                   true,
-		OperationDockerPluginCreate:                 true,
-		OperationDockerPluginEnable:                 true,
-		OperationDockerPluginDisable:                true,
-		OperationDockerPluginPush:                   true,
-		OperationDockerPluginUpgrade:                true,
-		OperationDockerPluginSet:                    true,
-		OperationDockerPluginDelete:                 true,
-		OperationDockerSessionStart:                 true,
-		OperationDockerDistributionInspect:          true,
-		OperationDockerBuildPrune:                   true,
-		OperationDockerBuildCancel:                  true,
-		OperationDockerPing:                         true,
-		OperationDockerInfo:                         true,
-		OperationDockerVersion:                      true,
-		OperationDockerEvents:                       true,
-		OperationDockerSystem:                       true,
-		OperationDockerUndefined:                    true,
-		OperationDockerAgentPing:                    true,
-		OperationDockerAgentList:                    true,
-		OperationDockerAgentHostInfo:                true,
-		OperationDockerAgentBrowseDelete:            true,
-		OperationDockerAgentBrowseGet:               true,
-		OperationDockerAgentBrowseList:              true,
-		OperationDockerAgentBrowsePut:               true,
-		OperationDockerAgentBrowseRename:            true,
-		OperationDockerAgentUndefined:               true,
-		OperationPortainerResourceControlCreate:     true,
-		OperationPortainerResourceControlUpdate:     true,
-		OperationPortainerStackList:                 true,
-		OperationPortainerStackInspect:              true,
-		OperationPortainerStackFile:                 true,
-		OperationPortainerStackCreate:               true,
-		OperationPortainerStackMigrate:              true,
-		OperationPortainerStackUpdate:               true,
-		OperationPortainerStackDelete:               true,
-		OperationPortainerWebsocketExec:             true,
-		OperationPortainerWebhookList:               true,
-		OperationPortainerWebhookCreate:             true,
-		OperationPortainerWebhookDelete:             true,
-		OperationIntegrationStoridgeAdmin:           true,
-		EndpointResourcesAccess:                     true,
-	}
-}
-
-// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
-// associated to the helpdesk role.
-func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo: true,
-		OperationDockerContainerList:        true,
-		OperationDockerContainerChanges:     true,
-		OperationDockerContainerInspect:     true,
-		OperationDockerContainerTop:         true,
-		OperationDockerContainerLogs:        true,
-		OperationDockerContainerStats:       true,
-		OperationDockerImageList:            true,
-		OperationDockerImageSearch:          true,
-		OperationDockerImageGetAll:          true,
-		OperationDockerImageGet:             true,
-		OperationDockerImageHistory:         true,
-		OperationDockerImageInspect:         true,
-		OperationDockerNetworkList:          true,
-		OperationDockerNetworkInspect:       true,
-		OperationDockerVolumeList:           true,
-		OperationDockerVolumeInspect:        true,
-		OperationDockerSwarmInspect:         true,
-		OperationDockerNodeList:             true,
-		OperationDockerNodeInspect:          true,
-		OperationDockerServiceList:          true,
-		OperationDockerServiceInspect:       true,
-		OperationDockerServiceLogs:          true,
-		OperationDockerSecretList:           true,
-		OperationDockerSecretInspect:        true,
-		OperationDockerConfigList:           true,
-		OperationDockerConfigInspect:        true,
-		OperationDockerTaskList:             true,
-		OperationDockerTaskInspect:          true,
-		OperationDockerTaskLogs:             true,
-		OperationDockerPluginList:           true,
-		OperationDockerDistributionInspect:  true,
-		OperationDockerPing:                 true,
-		OperationDockerInfo:                 true,
-		OperationDockerVersion:              true,
-		OperationDockerEvents:               true,
-		OperationDockerSystem:               true,
-		OperationDockerAgentPing:            true,
-		OperationDockerAgentList:            true,
-		OperationDockerAgentHostInfo:        true,
-		OperationPortainerStackList:         true,
-		OperationPortainerStackInspect:      true,
-		OperationPortainerStackFile:         true,
-		OperationPortainerWebhookList:       true,
-		EndpointResourcesAccess:             true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-	}
-
-	return authorizations
-}
-
-// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
-// associated to the standard user role.
-func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo:         true,
-		OperationDockerContainerList:                true,
-		OperationDockerContainerExport:              true,
-		OperationDockerContainerChanges:             true,
-		OperationDockerContainerInspect:             true,
-		OperationDockerContainerTop:                 true,
-		OperationDockerContainerLogs:                true,
-		OperationDockerContainerStats:               true,
-		OperationDockerContainerAttachWebsocket:     true,
-		OperationDockerContainerArchive:             true,
-		OperationDockerContainerCreate:              true,
-		OperationDockerContainerKill:                true,
-		OperationDockerContainerPause:               true,
-		OperationDockerContainerUnpause:             true,
-		OperationDockerContainerRestart:             true,
-		OperationDockerContainerStart:               true,
-		OperationDockerContainerStop:                true,
-		OperationDockerContainerWait:                true,
-		OperationDockerContainerResize:              true,
-		OperationDockerContainerAttach:              true,
-		OperationDockerContainerExec:                true,
-		OperationDockerContainerRename:              true,
-		OperationDockerContainerUpdate:              true,
-		OperationDockerContainerPutContainerArchive: true,
-		OperationDockerContainerDelete:              true,
-		OperationDockerImageList:                    true,
-		OperationDockerImageSearch:                  true,
-		OperationDockerImageGetAll:                  true,
-		OperationDockerImageGet:                     true,
-		OperationDockerImageHistory:                 true,
-		OperationDockerImageInspect:                 true,
-		OperationDockerImageLoad:                    true,
-		OperationDockerImageCreate:                  true,
-		OperationDockerImagePush:                    true,
-		OperationDockerImageTag:                     true,
-		OperationDockerImageDelete:                  true,
-		OperationDockerImageCommit:                  true,
-		OperationDockerImageBuild:                   true,
-		OperationDockerNetworkList:                  true,
-		OperationDockerNetworkInspect:               true,
-		OperationDockerNetworkCreate:                true,
-		OperationDockerNetworkConnect:               true,
-		OperationDockerNetworkDisconnect:            true,
-		OperationDockerNetworkDelete:                true,
-		OperationDockerVolumeList:                   true,
-		OperationDockerVolumeInspect:                true,
-		OperationDockerVolumeCreate:                 true,
-		OperationDockerVolumeDelete:                 true,
-		OperationDockerExecInspect:                  true,
-		OperationDockerExecStart:                    true,
-		OperationDockerExecResize:                   true,
-		OperationDockerSwarmInspect:                 true,
-		OperationDockerSwarmUnlockKey:               true,
-		OperationDockerSwarmInit:                    true,
-		OperationDockerSwarmJoin:                    true,
-		OperationDockerSwarmLeave:                   true,
-		OperationDockerSwarmUpdate:                  true,
-		OperationDockerSwarmUnlock:                  true,
-		OperationDockerNodeList:                     true,
-		OperationDockerNodeInspect:                  true,
-		OperationDockerNodeUpdate:                   true,
-		OperationDockerNodeDelete:                   true,
-		OperationDockerServiceList:                  true,
-		OperationDockerServiceInspect:               true,
-		OperationDockerServiceLogs:                  true,
-		OperationDockerServiceCreate:                true,
-		OperationDockerServiceUpdate:                true,
-		OperationDockerServiceDelete:                true,
-		OperationDockerSecretList:                   true,
-		OperationDockerSecretInspect:                true,
-		OperationDockerSecretCreate:                 true,
-		OperationDockerSecretUpdate:                 true,
-		OperationDockerSecretDelete:                 true,
-		OperationDockerConfigList:                   true,
-		OperationDockerConfigInspect:                true,
-		OperationDockerConfigCreate:                 true,
-		OperationDockerConfigUpdate:                 true,
-		OperationDockerConfigDelete:                 true,
-		OperationDockerTaskList:                     true,
-		OperationDockerTaskInspect:                  true,
-		OperationDockerTaskLogs:                     true,
-		OperationDockerPluginList:                   true,
-		OperationDockerPluginPrivileges:             true,
-		OperationDockerPluginInspect:                true,
-		OperationDockerPluginPull:                   true,
-		OperationDockerPluginCreate:                 true,
-		OperationDockerPluginEnable:                 true,
-		OperationDockerPluginDisable:                true,
-		OperationDockerPluginPush:                   true,
-		OperationDockerPluginUpgrade:                true,
-		OperationDockerPluginSet:                    true,
-		OperationDockerPluginDelete:                 true,
-		OperationDockerSessionStart:                 true,
-		OperationDockerDistributionInspect:          true,
-		OperationDockerBuildPrune:                   true,
-		OperationDockerBuildCancel:                  true,
-		OperationDockerPing:                         true,
-		OperationDockerInfo:                         true,
-		OperationDockerVersion:                      true,
-		OperationDockerEvents:                       true,
-		OperationDockerSystem:                       true,
-		OperationDockerUndefined:                    true,
-		OperationDockerAgentPing:                    true,
-		OperationDockerAgentList:                    true,
-		OperationDockerAgentHostInfo:                true,
-		OperationDockerAgentUndefined:               true,
-		OperationPortainerResourceControlUpdate:     true,
-		OperationPortainerStackList:                 true,
-		OperationPortainerStackInspect:              true,
-		OperationPortainerStackFile:                 true,
-		OperationPortainerStackCreate:               true,
-		OperationPortainerStackMigrate:              true,
-		OperationPortainerStackUpdate:               true,
-		OperationPortainerStackDelete:               true,
-		OperationPortainerWebsocketExec:             true,
-		OperationPortainerWebhookList:               true,
-		OperationPortainerWebhookCreate:             true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-		authorizations[OperationDockerAgentBrowseDelete] = true
-		authorizations[OperationDockerAgentBrowsePut] = true
-		authorizations[OperationDockerAgentBrowseRename] = true
-	}
-
-	return authorizations
-}
-
-// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
-// associated to the readonly user role.
-func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo: true,
-		OperationDockerContainerList:        true,
-		OperationDockerContainerChanges:     true,
-		OperationDockerContainerInspect:     true,
-		OperationDockerContainerTop:         true,
-		OperationDockerContainerLogs:        true,
-		OperationDockerContainerStats:       true,
-		OperationDockerImageList:            true,
-		OperationDockerImageSearch:          true,
-		OperationDockerImageGetAll:          true,
-		OperationDockerImageGet:             true,
-		OperationDockerImageHistory:         true,
-		OperationDockerImageInspect:         true,
-		OperationDockerNetworkList:          true,
-		OperationDockerNetworkInspect:       true,
-		OperationDockerVolumeList:           true,
-		OperationDockerVolumeInspect:        true,
-		OperationDockerSwarmInspect:         true,
-		OperationDockerNodeList:             true,
-		OperationDockerNodeInspect:          true,
-		OperationDockerServiceList:          true,
-		OperationDockerServiceInspect:       true,
-		OperationDockerServiceLogs:          true,
-		OperationDockerSecretList:           true,
-		OperationDockerSecretInspect:        true,
-		OperationDockerConfigList:           true,
-		OperationDockerConfigInspect:        true,
-		OperationDockerTaskList:             true,
-		OperationDockerTaskInspect:          true,
-		OperationDockerTaskLogs:             true,
-		OperationDockerPluginList:           true,
-		OperationDockerDistributionInspect:  true,
-		OperationDockerPing:                 true,
-		OperationDockerInfo:                 true,
-		OperationDockerVersion:              true,
-		OperationDockerEvents:               true,
-		OperationDockerSystem:               true,
-		OperationDockerAgentPing:            true,
-		OperationDockerAgentList:            true,
-		OperationDockerAgentHostInfo:        true,
-		OperationPortainerStackList:         true,
-		OperationPortainerStackInspect:      true,
-		OperationPortainerStackFile:         true,
-		OperationPortainerWebhookList:       true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-	}
-
-	return authorizations
-}
-
-// DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
-func DefaultPortainerAuthorizations() Authorizations {
-	return map[Authorization]bool{
-		OperationPortainerDockerHubInspect:        true,
-		OperationPortainerEndpointGroupList:       true,
-		OperationPortainerEndpointList:            true,
-		OperationPortainerEndpointInspect:         true,
-		OperationPortainerEndpointExtensionAdd:    true,
-		OperationPortainerEndpointExtensionRemove: true,
-		OperationPortainerExtensionList:           true,
-		OperationPortainerMOTD:                    true,
-		OperationPortainerRegistryList:            true,
-		OperationPortainerRegistryInspect:         true,
-		OperationPortainerTeamList:                true,
-		OperationPortainerTemplateList:            true,
-		OperationPortainerTemplateInspect:         true,
-		OperationPortainerUserList:                true,
-		OperationPortainerUserInspect:             true,
-		OperationPortainerUserMemberships:         true,
-	}
-}
-
-// UpdateVolumeBrowsingAuthorizations will update all the volume browsing authorizations for each role (except endpoint administrator)
-// based on the specified removeAuthorizations parameter. If removeAuthorizations is set to true, all
-// the authorizations will be dropped for the each role. If removeAuthorizations is set to false, the authorizations
-// will be reset based for each role.
-func (service AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bool) error {
-	roles, err := service.dataStore.Role().Roles()
-	if err != nil {
-		return err
-	}
-
-	for _, role := range roles {
-		// all roles except endpoint administrator
-		if role.ID != RoleID(1) {
-			updateRoleVolumeBrowsingAuthorizations(&role, remove)
-
-			err := service.dataStore.Role().UpdateRole(role.ID, &role)
-			if err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-func updateRoleVolumeBrowsingAuthorizations(role *Role, removeAuthorizations bool) {
-	if !removeAuthorizations {
-		delete(role.Authorizations, OperationDockerAgentBrowseDelete)
-		delete(role.Authorizations, OperationDockerAgentBrowseGet)
-		delete(role.Authorizations, OperationDockerAgentBrowseList)
-		delete(role.Authorizations, OperationDockerAgentBrowsePut)
-		delete(role.Authorizations, OperationDockerAgentBrowseRename)
-		return
-	}
-
-	role.Authorizations[OperationDockerAgentBrowseGet] = true
-	role.Authorizations[OperationDockerAgentBrowseList] = true
-
-	// Standard-user
-	if role.ID == RoleID(3) {
-		role.Authorizations[OperationDockerAgentBrowseDelete] = true
-		role.Authorizations[OperationDockerAgentBrowsePut] = true
-		role.Authorizations[OperationDockerAgentBrowseRename] = true
-	}
-}
-
-// RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
-func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) error {
-	endpoints, err := service.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		for policyTeamID := range endpoint.TeamAccessPolicies {
-			if policyTeamID == teamID {
-				delete(endpoint.TeamAccessPolicies, policyTeamID)
-
-				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	for _, endpointGroup := range endpointGroups {
-		for policyTeamID := range endpointGroup.TeamAccessPolicies {
-			if policyTeamID == teamID {
-				delete(endpointGroup.TeamAccessPolicies, policyTeamID)
-
-				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	registries, err := service.dataStore.Registry().Registries()
-	if err != nil {
-		return err
-	}
-
-	for _, registry := range registries {
-		for policyTeamID := range registry.TeamAccessPolicies {
-			if policyTeamID == teamID {
-				delete(registry.TeamAccessPolicies, policyTeamID)
-
-				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	return service.UpdateUsersAuthorizations()
-}
-
-// RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
-func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) error {
-	endpoints, err := service.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		for policyUserID := range endpoint.UserAccessPolicies {
-			if policyUserID == userID {
-				delete(endpoint.UserAccessPolicies, policyUserID)
-
-				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	for _, endpointGroup := range endpointGroups {
-		for policyUserID := range endpointGroup.UserAccessPolicies {
-			if policyUserID == userID {
-				delete(endpointGroup.UserAccessPolicies, policyUserID)
-
-				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	registries, err := service.dataStore.Registry().Registries()
-	if err != nil {
-		return err
-	}
-
-	for _, registry := range registries {
-		for policyUserID := range registry.UserAccessPolicies {
-			if policyUserID == userID {
-				delete(registry.UserAccessPolicies, policyUserID)
-
-				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	return nil
-}
-
-// UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
-func (service *AuthorizationService) UpdateUsersAuthorizations() error {
-	users, err := service.dataStore.User().Users()
-	if err != nil {
-		return err
-	}
-
-	for _, user := range users {
-		err := service.updateUserAuthorizations(user.ID)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (service *AuthorizationService) updateUserAuthorizations(userID UserID) error {
-	user, err := service.dataStore.User().User(userID)
-	if err != nil {
-		return err
-	}
-
-	endpointAuthorizations, err := service.getAuthorizations(user)
-	if err != nil {
-		return err
-	}
-
-	user.EndpointAuthorizations = endpointAuthorizations
-
-	return service.dataStore.User().UpdateUser(userID, user)
-}
-
-func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuthorizations, error) {
-	endpointAuthorizations := EndpointAuthorizations{}
-	if user.Role == AdministratorRole {
-		return endpointAuthorizations, nil
-	}
-
-	userMemberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
-	if err != nil {
-		return endpointAuthorizations, err
-	}
-
-	endpoints, err := service.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		return endpointAuthorizations, err
-	}
-
-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return endpointAuthorizations, err
-	}
-
-	roles, err := service.dataStore.Role().Roles()
-	if err != nil {
-		return endpointAuthorizations, err
-	}
-
-	endpointAuthorizations = getUserEndpointAuthorizations(user, endpoints, endpointGroups, roles, userMemberships)
-
-	return endpointAuthorizations, nil
-}
-
-func getUserEndpointAuthorizations(user *User, endpoints []Endpoint, endpointGroups []EndpointGroup, roles []Role, userMemberships []TeamMembership) EndpointAuthorizations {
-	endpointAuthorizations := make(EndpointAuthorizations)
-
-	groupUserAccessPolicies := map[EndpointGroupID]UserAccessPolicies{}
-	groupTeamAccessPolicies := map[EndpointGroupID]TeamAccessPolicies{}
-	for _, endpointGroup := range endpointGroups {
-		groupUserAccessPolicies[endpointGroup.ID] = endpointGroup.UserAccessPolicies
-		groupTeamAccessPolicies[endpointGroup.ID] = endpointGroup.TeamAccessPolicies
-	}
-
-	for _, endpoint := range endpoints {
-		authorizations := getAuthorizationsFromUserEndpointPolicy(user, &endpoint, roles)
-		if len(authorizations) > 0 {
-			endpointAuthorizations[endpoint.ID] = authorizations
-			continue
-		}
-
-		authorizations = getAuthorizationsFromUserEndpointGroupPolicy(user, &endpoint, roles, groupUserAccessPolicies)
-		if len(authorizations) > 0 {
-			endpointAuthorizations[endpoint.ID] = authorizations
-			continue
-		}
-
-		authorizations = getAuthorizationsFromTeamEndpointPolicies(userMemberships, &endpoint, roles)
-		if len(authorizations) > 0 {
-			endpointAuthorizations[endpoint.ID] = authorizations
-			continue
-		}
-
-		authorizations = getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, &endpoint, roles, groupTeamAccessPolicies)
-		if len(authorizations) > 0 {
-			endpointAuthorizations[endpoint.ID] = authorizations
-		}
-	}
-
-	return endpointAuthorizations
-}
-
-func getAuthorizationsFromUserEndpointPolicy(user *User, endpoint *Endpoint, roles []Role) Authorizations {
-	policyRoles := make([]RoleID, 0)
-
-	policy, ok := endpoint.UserAccessPolicies[user.ID]
-	if ok {
-		policyRoles = append(policyRoles, policy.RoleID)
-	}
-
-	return getAuthorizationsFromRoles(policyRoles, roles)
-}
-
-func getAuthorizationsFromUserEndpointGroupPolicy(user *User, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]UserAccessPolicies) Authorizations {
-	policyRoles := make([]RoleID, 0)
-
-	policy, ok := groupAccessPolicies[endpoint.GroupID][user.ID]
-	if ok {
-		policyRoles = append(policyRoles, policy.RoleID)
-	}
-
-	return getAuthorizationsFromRoles(policyRoles, roles)
-}
-
-func getAuthorizationsFromTeamEndpointPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role) Authorizations {
-	policyRoles := make([]RoleID, 0)
-
-	for _, membership := range memberships {
-		policy, ok := endpoint.TeamAccessPolicies[membership.TeamID]
-		if ok {
-			policyRoles = append(policyRoles, policy.RoleID)
-		}
-	}
-
-	return getAuthorizationsFromRoles(policyRoles, roles)
-}
-
-func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]TeamAccessPolicies) Authorizations {
-	policyRoles := make([]RoleID, 0)
-
-	for _, membership := range memberships {
-		policy, ok := groupAccessPolicies[endpoint.GroupID][membership.TeamID]
-		if ok {
-			policyRoles = append(policyRoles, policy.RoleID)
-		}
-	}
-
-	return getAuthorizationsFromRoles(policyRoles, roles)
-}
-
-func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
-	var associatedRoles []Role
-
-	for _, id := range roleIdentifiers {
-		for _, role := range roles {
-			if role.ID == id {
-				associatedRoles = append(associatedRoles, role)
-				break
-			}
-		}
-	}
-
-	var authorizations Authorizations
-	highestPriority := 0
-	for _, role := range associatedRoles {
-		if role.Priority > highestPriority {
-			highestPriority = role.Priority
-			authorizations = role.Authorizations
-		}
-	}
-
-	return authorizations
-}

api/backup/backup.go

@@ -0,0 +1,83 @@
+package backup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"
+	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/http/offlinegate"
+)
+
+const rwxr__r__ os.FileMode = 0744
+
+var filesToBackup = []string{"compose", "config.json", "custom_templates", "edge_jobs", "edge_stacks", "extensions", "portainer.key", "portainer.pub", "tls"}
+
+// Creates a tar.gz system archive and encrypts it if password is not empty. Returns a path to the archive file.
+func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datastore portainer.DataStore, filestorePath string) (string, error) {
+	unlock := gate.Lock()
+	defer unlock()
+
+	backupDirPath := filepath.Join(filestorePath, "backup", time.Now().Format("2006-01-02_15-04-05"))
+	if err := os.MkdirAll(backupDirPath, rwxr__r__); err != nil {
+		return "", errors.Wrap(err, "Failed to create backup dir")
+	}
+
+	if err := backupDb(backupDirPath, datastore); err != nil {
+		return "", errors.Wrap(err, "Failed to backup database")
+	}
+
+	for _, filename := range filesToBackup {
+		err := copyPath(filepath.Join(filestorePath, filename), backupDirPath)
+		if err != nil {
+			return "", errors.Wrap(err, "Failed to create backup file")
+		}
+	}
+
+	archivePath, err := archive.TarGzDir(backupDirPath)
+	if err != nil {
+		return "", errors.Wrap(err, "Failed to make an archive")
+	}
+
+	if password != "" {
+		archivePath, err = encrypt(archivePath, password)
+		if err != nil {
+			return "", errors.Wrap(err, "Failed to encrypt backup with the password")
+		}
+	}
+
+	return archivePath, nil
+}
+
+func backupDb(backupDirPath string, datastore portainer.DataStore) error {
+	backupWriter, err := os.Create(filepath.Join(backupDirPath, "portainer.db"))
+	if err != nil {
+		return err
+	}
+	if err = datastore.BackupTo(backupWriter); err != nil {
+		return err
+	}
+	return backupWriter.Close()
+}
+
+func encrypt(path string, passphrase string) (string, error) {
+	in, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer in.Close()
+
+	outFileName := fmt.Sprintf("%s.encrypted", path)
+	out, err := os.Create(outFileName)
+	if err != nil {
+		return "", err
+	}
+
+	err = crypto.AesEncrypt(in, out, []byte(passphrase))
+
+	return outFileName, err
+}

api/backup/copy.go

@@ -0,0 +1,68 @@
+package backup
+
+import (
+	"errors"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+func copyPath(path string, toDir string) error {
+	info, err := os.Stat(path)
+	if err != nil && errors.Is(err, os.ErrNotExist) {
+		// skip copy if file does not exist
+		return nil
+	}
+
+	if !info.IsDir() {
+		destination := filepath.Join(toDir, info.Name())
+		return copyFile(path, destination)
+	}
+
+	return copyDir(path, toDir)
+}
+
+func copyDir(fromDir, toDir string) error {
+	cleanedSourcePath := filepath.Clean(fromDir)
+	parentDirectory := filepath.Dir(cleanedSourcePath)
+	err := filepath.Walk(cleanedSourcePath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		destination := filepath.Join(toDir, strings.TrimPrefix(path, parentDirectory))
+		if info.IsDir() {
+			return nil // skip directory creations
+		}
+
+		if info.Mode()&os.ModeSymlink != 0 { // entry is a symlink
+			return nil // don't copy symlinks
+		}
+
+		return copyFile(path, destination)
+	})
+
+	return err
+}
+
+// copies regular a file from src to dst
+func copyFile(src, dst string) error {
+	from, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer from.Close()
+
+	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
+	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+		return err
+	}
+	to, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer to.Close()
+
+	_, err = io.Copy(to, from)
+	return err
+}

api/backup/copy_test.go

@@ -0,0 +1,105 @@
+package backup
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func listFiles(dir string) []string {
+	items := make([]string, 0)
+	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+		if path == dir {
+			return nil
+		}
+		items = append(items, path)
+		return nil
+	})
+
+	return items
+}
+
+func contains(t *testing.T, list []string, path string) {
+	assert.Contains(t, list, path)
+	copyContent, _ := ioutil.ReadFile(path)
+	assert.Equal(t, "content\n", string(copyContent))
+}
+
+func Test_copyFile_returnsError_whenSourceDoesNotExist(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	err := copyFile("does-not-exist", tmpdir)
+	assert.NotNil(t, err)
+}
+
+func Test_copyFile_shouldMakeAbackup(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "origin"), content, 0600)
+
+	err := copyFile(path.Join(tmpdir, "origin"), path.Join(tmpdir, "copy"))
+	assert.Nil(t, err)
+
+	copyContent, _ := ioutil.ReadFile(path.Join(tmpdir, "copy"))
+	assert.Equal(t, content, copyContent)
+}
+
+func Test_copyDir_shouldCopyAllFilesAndDirectories(t *testing.T) {
+	destination, _ := ioutils.TempDir("", "destination")
+	defer os.RemoveAll(destination)
+	err := copyDir("./test_assets/copy_test", destination)
+	assert.Nil(t, err)
+
+	createdFiles := listFiles(destination)
+
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "outer"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", ".dotfile"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", "inner"))
+}
+
+func Test_backupPath_shouldSkipWhenNotExist(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	err := copyPath("does-not-exists", tmpdir)
+	assert.Nil(t, err)
+
+	assert.Empty(t, listFiles(tmpdir))
+}
+
+func Test_backupPath_shouldCopyFile(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "backup")
+	defer os.RemoveAll(tmpdir)
+
+	content := []byte("content")
+	ioutil.WriteFile(path.Join(tmpdir, "file"), content, 0600)
+
+	os.MkdirAll(path.Join(tmpdir, "backup"), 0700)
+	err := copyPath(path.Join(tmpdir, "file"), path.Join(tmpdir, "backup"))
+	assert.Nil(t, err)
+
+	copyContent, err := ioutil.ReadFile(path.Join(tmpdir, "backup", "file"))
+	assert.Nil(t, err)
+	assert.Equal(t, content, copyContent)
+}
+
+func Test_backupPath_shouldCopyDir(t *testing.T) {
+	destination, _ := ioutils.TempDir("", "destination")
+	defer os.RemoveAll(destination)
+	err := copyPath("./test_assets/copy_test", destination)
+	assert.Nil(t, err)
+
+	createdFiles := listFiles(destination)
+
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "outer"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", ".dotfile"))
+	contains(t, createdFiles, filepath.Join(destination, "copy_test", "dir", "inner"))
+}

api/backup/restore.go

@@ -0,0 +1,68 @@
+package backup
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"
+	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/http/offlinegate"
+)
+
+var filesToRestore = append(filesToBackup, "portainer.db")
+
+// Restores system state from backup archive, will trigger system shutdown, when finished.
+func RestoreArchive(archive io.Reader, password string, filestorePath string, gate *offlinegate.OfflineGate, datastore portainer.DataStore, shutdownTrigger context.CancelFunc) error {
+	var err error
+	if password != "" {
+		archive, err = decrypt(archive, password)
+		if err != nil {
+			return errors.Wrap(err, "failed to decrypt the archive")
+		}
+	}
+
+	restorePath := filepath.Join(filestorePath, "restore", time.Now().Format("20060102150405"))
+	defer os.RemoveAll(filepath.Dir(restorePath))
+
+	err = extractArchive(archive, restorePath)
+	if err != nil {
+		return errors.Wrap(err, "cannot extract files from the archive. Please ensure the password is correct and try again")
+	}
+
+	unlock := gate.Lock()
+	defer unlock()
+
+	if err = datastore.Close(); err != nil {
+		return errors.Wrap(err, "Failed to stop db")
+	}
+
+	if err = restoreFiles(restorePath, filestorePath); err != nil {
+		return errors.Wrap(err, "failed to restore the system state")
+	}
+
+	shutdownTrigger()
+	return nil
+}
+
+func decrypt(r io.Reader, password string) (io.Reader, error) {
+	return crypto.AesDecrypt(r, []byte(password))
+}
+
+func extractArchive(r io.Reader, destinationDirPath string) error {
+	return archive.ExtractTarGz(r, destinationDirPath)
+}
+
+func restoreFiles(srcDir string, destinationDir string) error {
+	for _, filename := range filesToRestore {
+		err := copyPath(filepath.Join(srcDir, filename), destinationDir)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

api/backup/test_assets/copy_test/dir/.dotfile

@@ -0,0 +1 @@
+content

api/backup/test_assets/copy_test/dir/inner

@@ -0,0 +1 @@
+content

api/backup/test_assets/copy_test/outer

@@ -0,0 +1 @@
+content

api/bolt/customtemplate/customtemplate.go

@@ -0,0 +1,96 @@
+package customtemplate
+
+import (
+	"github.com/boltdb/bolt"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "customtemplates"
+)
+
+// Service represents a service for managing custom template data.
+type Service struct {
+	connection *internal.DbConnection
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// CustomTemplates return an array containing all the custom templates.
+func (service *Service) CustomTemplates() ([]portainer.CustomTemplate, error) {
+	var customTemplates = make([]portainer.CustomTemplate, 0)
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var customTemplate portainer.CustomTemplate
+			err := internal.UnmarshalObjectWithJsoniter(v, &customTemplate)
+			if err != nil {
+				return err
+			}
+			customTemplates = append(customTemplates, customTemplate)
+		}
+
+		return nil
+	})
+
+	return customTemplates, err
+}
+
+// CustomTemplate returns an custom template by ID.
+func (service *Service) CustomTemplate(ID portainer.CustomTemplateID) (*portainer.CustomTemplate, error) {
+	var customTemplate portainer.CustomTemplate
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.connection, BucketName, identifier, &customTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	return &customTemplate, nil
+}
+
+// UpdateCustomTemplate updates an custom template.
+func (service *Service) UpdateCustomTemplate(ID portainer.CustomTemplateID, customTemplate *portainer.CustomTemplate) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, customTemplate)
+}
+
+// DeleteCustomTemplate deletes an custom template.
+func (service *Service) DeleteCustomTemplate(ID portainer.CustomTemplateID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.connection, BucketName, identifier)
+}
+
+// CreateCustomTemplate assign an ID to a new custom template and saves it.
+func (service *Service) CreateCustomTemplate(customTemplate *portainer.CustomTemplate) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data, err := internal.MarshalObject(customTemplate)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(customTemplate.ID)), data)
+	})
+}
+
+// GetNextIdentifier returns the next identifier for a custom template.
+func (service *Service) GetNextIdentifier() int {
+	return internal.GetNextIdentifier(service.connection, BucketName)
+}

api/bolt/datastore.go

@@ -1,19 +1,24 @@
 package bolt
 
 import (
+	"io"
 	"log"
 	"path"
 	"time"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/edgegroup"
+	"github.com/portainer/portainer/api/bolt/edgejob"
 	"github.com/portainer/portainer/api/bolt/edgestack"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/extension"
+	"github.com/portainer/portainer/api/bolt/internal"
 	"github.com/portainer/portainer/api/bolt/migrator"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
@@ -28,6 +33,7 @@ import (
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
 	"github.com/portainer/portainer/api/bolt/webhook"
+	"github.com/portainer/portainer/api/internal/authorization"
 )
 
 const (
@@ -38,11 +44,13 @@ const (
 // BoltDB as the storage system.
 type Store struct {
 	path                    string
-	db                      *bolt.DB
+	connection              *internal.DbConnection
 	isNew                   bool
 	fileService             portainer.FileService
+	CustomTemplateService   *customtemplate.Service
 	DockerHubService        *dockerhub.Service
 	EdgeGroupService        *edgegroup.Service
+	EdgeJobService          *edgejob.Service
 	EdgeStackService        *edgestack.Service
 	EndpointGroupService    *endpointgroup.Service
 	EndpointService         *endpoint.Service
@@ -63,12 +71,21 @@ type Store struct {
 	WebhookService          *webhook.Service
 }
 
+func (store *Store) edition() portainer.SoftwareEdition {
+	edition, err := store.VersionService.Edition()
+	if err == errors.ErrObjectNotFound {
+		edition = portainer.PortainerCE
+	}
+	return edition
+}
+
 // NewStore initializes a new Store and the associated services
 func NewStore(storePath string, fileService portainer.FileService) (*Store, error) {
 	store := &Store{
 		path:        storePath,
 		fileService: fileService,
 		isNew:       true,
+		connection:  &internal.DbConnection{},
 	}
 
 	databasePath := path.Join(storePath, databaseFileName)
@@ -91,15 +108,15 @@ func (store *Store) Open() error {
 	if err != nil {
 		return err
 	}
-	store.db = db
+	store.connection.DB = db
 
 	return store.initServices()
 }
 
 // Close closes the BoltDB database.
 func (store *Store) Close() error {
-	if store.db != nil {
-		return store.db.Close()
+	if store.connection.DB != nil {
+		return store.connection.Close()
 	}
 	return nil
 }
@@ -110,15 +127,24 @@ func (store *Store) IsNew() bool {
 	return store.isNew
 }
 
+// CheckCurrentEdition checks if current edition is community edition
+func (store *Store) CheckCurrentEdition() error {
+	if store.edition() != portainer.PortainerCE {
+		return errors.ErrWrongDBEdition
+	}
+	return nil
+}
+
 // MigrateData automatically migrate the data based on the DBVersion.
 // This process is only triggered on an existing database, not if the database was just created.
-func (store *Store) MigrateData() error {
-	if store.isNew {
+// if force is true, then migrate regardless.
+func (store *Store) MigrateData(force bool) error {
+	if store.isNew && !force {
 		return store.VersionService.StoreDBVersion(portainer.DBVersion)
 	}
 
 	version, err := store.VersionService.DBVersion()
-	if err == portainer.ErrObjectNotFound {
+	if err == errors.ErrObjectNotFound {
 		version = 0
 	} else if err != nil {
 		return err
@@ -126,7 +152,7 @@ func (store *Store) MigrateData() error {
 
 	if version < portainer.DBVersion {
 		migratorParams := &migrator.Parameters{
-			DB:                      store.db,
+			DB:                      store.connection.DB,
 			DatabaseVersion:         version,
 			EndpointGroupService:    store.EndpointGroupService,
 			EndpointService:         store.EndpointService,
@@ -143,7 +169,7 @@ func (store *Store) MigrateData() error {
 			UserService:             store.UserService,
 			VersionService:          store.VersionService,
 			FileService:             store.fileService,
-			AuthorizationService:    portainer.NewAuthorizationService(store),
+			AuthorizationService:    authorization.NewService(store),
 		}
 		migrator := migrator.NewMigrator(migratorParams)
 
@@ -158,226 +184,11 @@ func (store *Store) MigrateData() error {
 	return nil
 }
 
-func (store *Store) initServices() error {
-	authorizationsetService, err := role.NewService(store.db)
-	if err != nil {
+// BackupTo backs up db to a provided writer.
+// It does hot backup and doesn't block other database reads and writes
+func (store *Store) BackupTo(w io.Writer) error {
+	return store.connection.View(func(tx *bolt.Tx) error {
+		_, err := tx.WriteTo(w)
 		return err
-	}
-	store.RoleService = authorizationsetService
-
-	dockerhubService, err := dockerhub.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.DockerHubService = dockerhubService
-
-	edgeStackService, err := edgestack.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EdgeStackService = edgeStackService
-
-	edgeGroupService, err := edgegroup.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EdgeGroupService = edgeGroupService
-
-	endpointgroupService, err := endpointgroup.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EndpointGroupService = endpointgroupService
-
-	endpointService, err := endpoint.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EndpointService = endpointService
-
-	endpointRelationService, err := endpointrelation.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EndpointRelationService = endpointRelationService
-
-	extensionService, err := extension.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.ExtensionService = extensionService
-
-	registryService, err := registry.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.RegistryService = registryService
-
-	resourcecontrolService, err := resourcecontrol.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.ResourceControlService = resourcecontrolService
-
-	settingsService, err := settings.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.SettingsService = settingsService
-
-	stackService, err := stack.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.StackService = stackService
-
-	tagService, err := tag.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.TagService = tagService
-
-	teammembershipService, err := teammembership.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.TeamMembershipService = teammembershipService
-
-	teamService, err := team.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.TeamService = teamService
-
-	tunnelServerService, err := tunnelserver.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.TunnelServerService = tunnelServerService
-
-	userService, err := user.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.UserService = userService
-
-	versionService, err := version.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.VersionService = versionService
-
-	webhookService, err := webhook.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.WebhookService = webhookService
-
-	scheduleService, err := schedule.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.ScheduleService = scheduleService
-
-	return nil
-}
-
-// DockerHub gives access to the DockerHub data management layer
-func (store *Store) DockerHub() portainer.DockerHubService {
-	return store.DockerHubService
-}
-
-// EdgeGroup gives access to the EdgeGroup data management layer
-func (store *Store) EdgeGroup() portainer.EdgeGroupService {
-	return store.EdgeGroupService
-}
-
-// EdgeStack gives access to the EdgeStack data management layer
-func (store *Store) EdgeStack() portainer.EdgeStackService {
-	return store.EdgeStackService
-}
-
-// Endpoint gives access to the Endpoint data management layer
-func (store *Store) Endpoint() portainer.EndpointService {
-	return store.EndpointService
-}
-
-// EndpointGroup gives access to the EndpointGroup data management layer
-func (store *Store) EndpointGroup() portainer.EndpointGroupService {
-	return store.EndpointGroupService
-}
-
-// EndpointRelation gives access to the EndpointRelation data management layer
-func (store *Store) EndpointRelation() portainer.EndpointRelationService {
-	return store.EndpointRelationService
-}
-
-// Extension gives access to the Extension data management layer
-func (store *Store) Extension() portainer.ExtensionService {
-	return store.ExtensionService
-}
-
-// Registry gives access to the Registry data management layer
-func (store *Store) Registry() portainer.RegistryService {
-	return store.RegistryService
-}
-
-// ResourceControl gives access to the ResourceControl data management layer
-func (store *Store) ResourceControl() portainer.ResourceControlService {
-	return store.ResourceControlService
-}
-
-// Role gives access to the Role data management layer
-func (store *Store) Role() portainer.RoleService {
-	return store.RoleService
-}
-
-// Schedule gives access to the Schedule data management layer
-func (store *Store) Schedule() portainer.ScheduleService {
-	return store.ScheduleService
-}
-
-// Settings gives access to the Settings data management layer
-func (store *Store) Settings() portainer.SettingsService {
-	return store.SettingsService
-}
-
-// Stack gives access to the Stack data management layer
-func (store *Store) Stack() portainer.StackService {
-	return store.StackService
-}
-
-// Tag gives access to the Tag data management layer
-func (store *Store) Tag() portainer.TagService {
-	return store.TagService
-}
-
-// TeamMembership gives access to the TeamMembership data management layer
-func (store *Store) TeamMembership() portainer.TeamMembershipService {
-	return store.TeamMembershipService
-}
-
-// Team gives access to the Team data management layer
-func (store *Store) Team() portainer.TeamService {
-	return store.TeamService
-}
-
-// TunnelServer gives access to the TunnelServer data management layer
-func (store *Store) TunnelServer() portainer.TunnelServerService {
-	return store.TunnelServerService
-}
-
-// User gives access to the User data management layer
-func (store *Store) User() portainer.UserService {
-	return store.UserService
-}
-
-// Version gives access to the Version data management layer
-func (store *Store) Version() portainer.VersionService {
-	return store.VersionService
-}
-
-// Webhook gives access to the Webhook data management layer
-func (store *Store) Webhook() portainer.WebhookService {
-	return store.WebhookService
+	})
 }

api/bolt/dockerhub/dockerhub.go

@@ -1,10 +1,8 @@
 package dockerhub
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
-
-	"github.com/boltdb/bolt"
 )
 
 const (
@@ -15,18 +13,18 @@ const (
 
 // Service represents a service for managing Dockerhub data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +32,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) DockerHub() (*portainer.DockerHub, error) {
 	var dockerhub portainer.DockerHub
 
-	err := internal.GetObject(service.db, BucketName, []byte(dockerHubKey), &dockerhub)
+	err := internal.GetObject(service.connection, BucketName, []byte(dockerHubKey), &dockerhub)
 	if err != nil {
 		return nil, err
 	}
@@ -44,5 +42,5 @@ func (service *Service) DockerHub() (*portainer.DockerHub, error) {
 
 // UpdateDockerHub updates a DockerHub object.
 func (service *Service) UpdateDockerHub(dockerhub *portainer.DockerHub) error {
-	return internal.UpdateObject(service.db, BucketName, []byte(dockerHubKey), dockerhub)
+	return internal.UpdateObject(service.connection, BucketName, []byte(dockerHubKey), dockerhub)
 }

api/bolt/edgegroup/edgegroup.go

@@ -2,7 +2,7 @@ package edgegroup
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 )
 
@@ -13,18 +13,18 @@ const (
 
 // Service represents a service for managing Edge group data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -32,7 +32,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) EdgeGroups() ([]portainer.EdgeGroup, error) {
 	var groups = make([]portainer.EdgeGroup, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -56,7 +56,7 @@ func (service *Service) EdgeGroup(ID portainer.EdgeGroupID) (*portainer.EdgeGrou
 	var group portainer.EdgeGroup
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &group)
+	err := internal.GetObject(service.connection, BucketName, identifier, &group)
 	if err != nil {
 		return nil, err
 	}
@@ -67,18 +67,18 @@ func (service *Service) EdgeGroup(ID portainer.EdgeGroupID) (*portainer.EdgeGrou
 // UpdateEdgeGroup updates an Edge group.
 func (service *Service) UpdateEdgeGroup(ID portainer.EdgeGroupID, group *portainer.EdgeGroup) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, group)
+	return internal.UpdateObject(service.connection, BucketName, identifier, group)
 }
 
 // DeleteEdgeGroup deletes an Edge group.
 func (service *Service) DeleteEdgeGroup(ID portainer.EdgeGroupID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // CreateEdgeGroup assign an ID to a new Edge group and saves it.
 func (service *Service) CreateEdgeGroup(group *portainer.EdgeGroup) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()

api/bolt/edgejob/edgejob.go

@@ -0,0 +1,101 @@
+package edgejob
+
+import (
+	"github.com/boltdb/bolt"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "edgejobs"
+)
+
+// Service represents a service for managing edge jobs data.
+type Service struct {
+	connection *internal.DbConnection
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// EdgeJobs returns a list of Edge jobs
+func (service *Service) EdgeJobs() ([]portainer.EdgeJob, error) {
+	var edgeJobs = make([]portainer.EdgeJob, 0)
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var edgeJob portainer.EdgeJob
+			err := internal.UnmarshalObject(v, &edgeJob)
+			if err != nil {
+				return err
+			}
+			edgeJobs = append(edgeJobs, edgeJob)
+		}
+
+		return nil
+	})
+
+	return edgeJobs, err
+}
+
+// EdgeJob returns an Edge job by ID
+func (service *Service) EdgeJob(ID portainer.EdgeJobID) (*portainer.EdgeJob, error) {
+	var edgeJob portainer.EdgeJob
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.connection, BucketName, identifier, &edgeJob)
+	if err != nil {
+		return nil, err
+	}
+
+	return &edgeJob, nil
+}
+
+// CreateEdgeJob creates a new Edge job
+func (service *Service) CreateEdgeJob(edgeJob *portainer.EdgeJob) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		if edgeJob.ID == 0 {
+			id, _ := bucket.NextSequence()
+			edgeJob.ID = portainer.EdgeJobID(id)
+		}
+
+		data, err := internal.MarshalObject(edgeJob)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(edgeJob.ID)), data)
+	})
+}
+
+// UpdateEdgeJob updates an Edge job by ID
+func (service *Service) UpdateEdgeJob(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, edgeJob)
+}
+
+// DeleteEdgeJob deletes an Edge job
+func (service *Service) DeleteEdgeJob(ID portainer.EdgeJobID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.connection, BucketName, identifier)
+}
+
+// GetNextIdentifier returns the next identifier for an endpoint.
+func (service *Service) GetNextIdentifier() int {
+	return internal.GetNextIdentifier(service.connection, BucketName)
+}

api/bolt/edgestack/edgestack.go

@@ -2,7 +2,7 @@ package edgestack
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 )
 
@@ -13,18 +13,18 @@ const (
 
 // Service represents a service for managing Edge stack data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -32,7 +32,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) EdgeStacks() ([]portainer.EdgeStack, error) {
 	var stacks = make([]portainer.EdgeStack, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -56,7 +56,7 @@ func (service *Service) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStac
 	var stack portainer.EdgeStack
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &stack)
+	err := internal.GetObject(service.connection, BucketName, identifier, &stack)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (service *Service) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStac
 
 // CreateEdgeStack assign an ID to a new Edge stack and saves it.
 func (service *Service) CreateEdgeStack(edgeStack *portainer.EdgeStack) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		if edgeStack.ID == 0 {
@@ -86,16 +86,16 @@ func (service *Service) CreateEdgeStack(edgeStack *portainer.EdgeStack) error {
 // UpdateEdgeStack updates an Edge stack.
 func (service *Service) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, edgeStack)
+	return internal.UpdateObject(service.connection, BucketName, identifier, edgeStack)
 }
 
 // DeleteEdgeStack deletes an Edge stack.
 func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // GetNextIdentifier returns the next identifier for an endpoint.
 func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
+	return internal.GetNextIdentifier(service.connection, BucketName)
 }

api/bolt/endpoint/endpoint.go

@@ -2,7 +2,7 @@ package endpoint
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 )
 
@@ -13,18 +13,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -33,7 +33,7 @@ func (service *Service) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint,
 	var endpoint portainer.Endpoint
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &endpoint)
+	err := internal.GetObject(service.connection, BucketName, identifier, &endpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -44,20 +44,20 @@ func (service *Service) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint,
 // UpdateEndpoint updates an endpoint.
 func (service *Service) UpdateEndpoint(ID portainer.EndpointID, endpoint *portainer.Endpoint) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, endpoint)
+	return internal.UpdateObject(service.connection, BucketName, identifier, endpoint)
 }
 
 // DeleteEndpoint deletes an endpoint.
 func (service *Service) DeleteEndpoint(ID portainer.EndpointID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // Endpoints return an array containing all the endpoints.
 func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	var endpoints = make([]portainer.Endpoint, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -78,7 +78,7 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 
 // CreateEndpoint assign an ID to a new endpoint and saves it.
 func (service *Service) CreateEndpoint(endpoint *portainer.Endpoint) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		// We manually manage sequences for endpoints
@@ -98,12 +98,12 @@ func (service *Service) CreateEndpoint(endpoint *portainer.Endpoint) error {
 
 // GetNextIdentifier returns the next identifier for an endpoint.
 func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
+	return internal.GetNextIdentifier(service.connection, BucketName)
 }
 
 // Synchronize creates, updates and deletes endpoints inside a single transaction.
 func (service *Service) Synchronize(toCreate, toUpdate, toDelete []*portainer.Endpoint) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		for _, endpoint := range toCreate {

api/bolt/endpointgroup/endpointgroup.go

@@ -1,7 +1,7 @@
 package endpointgroup
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.
 	var endpointGroup portainer.EndpointGroup
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &endpointGroup)
+	err := internal.GetObject(service.connection, BucketName, identifier, &endpointGroup)
 	if err != nil {
 		return nil, err
 	}
@@ -45,20 +45,20 @@ func (service *Service) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.
 // UpdateEndpointGroup updates an endpoint group.
 func (service *Service) UpdateEndpointGroup(ID portainer.EndpointGroupID, endpointGroup *portainer.EndpointGroup) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, endpointGroup)
+	return internal.UpdateObject(service.connection, BucketName, identifier, endpointGroup)
 }
 
 // DeleteEndpointGroup deletes an endpoint group.
 func (service *Service) DeleteEndpointGroup(ID portainer.EndpointGroupID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // EndpointGroups return an array containing all the endpoint groups.
 func (service *Service) EndpointGroups() ([]portainer.EndpointGroup, error) {
 	var endpointGroups = make([]portainer.EndpointGroup, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -79,7 +79,7 @@ func (service *Service) EndpointGroups() ([]portainer.EndpointGroup, error) {
 
 // CreateEndpointGroup assign an ID to a new endpoint group and saves it.
 func (service *Service) CreateEndpointGroup(endpointGroup *portainer.EndpointGroup) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()

api/bolt/endpointrelation/endpointrelation.go

@@ -13,18 +13,18 @@ const (
 
 // Service represents a service for managing endpoint relation data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -33,7 +33,7 @@ func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*port
 	var endpointRelation portainer.EndpointRelation
 	identifier := internal.Itob(int(endpointID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &endpointRelation)
+	err := internal.GetObject(service.connection, BucketName, identifier, &endpointRelation)
 	if err != nil {
 		return nil, err
 	}
@@ -43,7 +43,7 @@ func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*port
 
 // CreateEndpointRelation saves endpointRelation
 func (service *Service) CreateEndpointRelation(endpointRelation *portainer.EndpointRelation) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		data, err := internal.MarshalObject(endpointRelation)
@@ -58,11 +58,11 @@ func (service *Service) CreateEndpointRelation(endpointRelation *portainer.Endpo
 // UpdateEndpointRelation updates an Endpoint relation object
 func (service *Service) UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error {
 	identifier := internal.Itob(int(EndpointID))
-	return internal.UpdateObject(service.db, BucketName, identifier, endpointRelation)
+	return internal.UpdateObject(service.connection, BucketName, identifier, endpointRelation)
 }
 
 // DeleteEndpointRelation deletes an Endpoint relation object
 func (service *Service) DeleteEndpointRelation(EndpointID portainer.EndpointID) error {
 	identifier := internal.Itob(int(EndpointID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/errors/errors.go

@@ -0,0 +1,8 @@
+package errors
+
+import "errors"
+
+var (
+	ErrObjectNotFound = errors.New("Object not found inside the database")
+	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documention to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+)

api/bolt/extension/extension.go

@@ -1,7 +1,7 @@
 package extension
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) Extension(ID portainer.ExtensionID) (*portainer.Extensio
 	var extension portainer.Extension
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &extension)
+	err := internal.GetObject(service.connection, BucketName, identifier, &extension)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +46,7 @@ func (service *Service) Extension(ID portainer.ExtensionID) (*portainer.Extensio
 func (service *Service) Extensions() ([]portainer.Extension, error) {
 	var extensions = make([]portainer.Extension, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -67,7 +67,7 @@ func (service *Service) Extensions() ([]portainer.Extension, error) {
 
 // Persist persists a extension inside the database.
 func (service *Service) Persist(extension *portainer.Extension) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		data, err := internal.MarshalObject(extension)
@@ -82,5 +82,5 @@ func (service *Service) Persist(extension *portainer.Extension) error {
 // DeleteExtension deletes a Extension.
 func (service *Service) DeleteExtension(ID portainer.ExtensionID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/init.go

@@ -1,11 +1,31 @@
 package bolt
 
-import portainer "github.com/portainer/portainer/api"
+import (
+	"github.com/gofrs/uuid"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
+)
 
 // Init creates the default data set.
 func (store *Store) Init() error {
-	_, err := store.SettingsService.Settings()
-	if err == portainer.ErrObjectNotFound {
+	instanceID, err := store.VersionService.InstanceID()
+	if err == errors.ErrObjectNotFound {
+		uid, err := uuid.NewV4()
+		if err != nil {
+			return err
+		}
+
+		instanceID = uid.String()
+		err = store.VersionService.StoreInstanceID(instanceID)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	_, err = store.SettingsService.Settings()
+	if err == errors.ErrObjectNotFound {
 		defaultSettings := &portainer.Settings{
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
@@ -20,13 +40,11 @@ func (store *Store) Init() error {
 					portainer.LDAPGroupSearchSettings{},
 				},
 			},
-			OAuthSettings:                      portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:     true,
-			AllowPrivilegedModeForRegularUsers: true,
-			AllowVolumeBrowserForRegularUsers:  false,
-			EnableHostManagementFeatures:       false,
-			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:                       portainer.DefaultTemplatesURL,
+			OAuthSettings: portainer.OAuthSettings{},
+
+			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+			TemplatesURL:             portainer.DefaultTemplatesURL,
+			UserSessionTimeout:       portainer.DefaultUserSessionTimeout,
 		}
 
 		err = store.SettingsService.UpdateSettings(defaultSettings)
@@ -38,7 +56,7 @@ func (store *Store) Init() error {
 	}
 
 	_, err = store.DockerHubService.DockerHub()
-	if err == portainer.ErrObjectNotFound {
+	if err == errors.ErrObjectNotFound {
 		defaultDockerHub := &portainer.DockerHub{
 			Authentication: false,
 			Username:       "",
@@ -74,60 +92,5 @@ func (store *Store) Init() error {
 		}
 	}
 
-	roles, err := store.RoleService.Roles()
-	if err != nil {
-		return err
-	}
-
-	if len(roles) == 0 {
-		environmentAdministratorRole := &portainer.Role{
-			Name:           "Endpoint administrator",
-			Description:    "Full control of all resources in an endpoint",
-			Priority:       1,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
-		}
-
-		err = store.RoleService.CreateRole(environmentAdministratorRole)
-		if err != nil {
-			return err
-		}
-
-		environmentReadOnlyUserRole := &portainer.Role{
-			Name:           "Helpdesk",
-			Description:    "Read-only access of all resources in an endpoint",
-			Priority:       2,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
-		}
-
-		err = store.RoleService.CreateRole(environmentReadOnlyUserRole)
-		if err != nil {
-			return err
-		}
-
-		standardUserRole := &portainer.Role{
-			Name:           "Standard user",
-			Description:    "Full control of assigned resources in an endpoint",
-			Priority:       3,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
-		}
-
-		err = store.RoleService.CreateRole(standardUserRole)
-		if err != nil {
-			return err
-		}
-
-		readOnlyUserRole := &portainer.Role{
-			Name:           "Read-only user",
-			Description:    "Read-only access of assigned resources in an endpoint",
-			Priority:       4,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
-		}
-
-		err = store.RoleService.CreateRole(readOnlyUserRole)
-		if err != nil {
-			return err
-		}
-	}
-
 	return nil
 }

api/bolt/internal/db.go

@@ -4,9 +4,13 @@ import (
 	"encoding/binary"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 )
 
+type DbConnection struct {
+	*bolt.DB
+}
+
 // Itob returns an 8-byte big endian representation of v.
 // This function is typically used for encoding integer IDs to byte slices
 // so that they can be used as BoltDB keys.
@@ -17,8 +21,8 @@ func Itob(v int) []byte {
 }
 
 // CreateBucket is a generic function used to create a bucket inside a bolt database.
-func CreateBucket(db *bolt.DB, bucketName string) error {
-	return db.Update(func(tx *bolt.Tx) error {
+func CreateBucket(connection *DbConnection, bucketName string) error {
+	return connection.Update(func(tx *bolt.Tx) error {
 		_, err := tx.CreateBucketIfNotExists([]byte(bucketName))
 		if err != nil {
 			return err
@@ -28,15 +32,15 @@ func CreateBucket(db *bolt.DB, bucketName string) error {
 }
 
 // GetObject is a generic function used to retrieve an unmarshalled object from a bolt database.
-func GetObject(db *bolt.DB, bucketName string, key []byte, object interface{}) error {
+func GetObject(connection *DbConnection, bucketName string, key []byte, object interface{}) error {
 	var data []byte
 
-	err := db.View(func(tx *bolt.Tx) error {
+	err := connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 
 		value := bucket.Get(key)
 		if value == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		data = make([]byte, len(value))
@@ -52,8 +56,8 @@ func GetObject(db *bolt.DB, bucketName string, key []byte, object interface{}) e
 }
 
 // UpdateObject is a generic function used to update an object inside a bolt database.
-func UpdateObject(db *bolt.DB, bucketName string, key []byte, object interface{}) error {
-	return db.Update(func(tx *bolt.Tx) error {
+func UpdateObject(connection *DbConnection, bucketName string, key []byte, object interface{}) error {
+	return connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 
 		data, err := MarshalObject(object)
@@ -71,18 +75,18 @@ func UpdateObject(db *bolt.DB, bucketName string, key []byte, object interface{}
 }
 
 // DeleteObject is a generic function used to delete an object inside a bolt database.
-func DeleteObject(db *bolt.DB, bucketName string, key []byte) error {
-	return db.Update(func(tx *bolt.Tx) error {
+func DeleteObject(connection *DbConnection, bucketName string, key []byte) error {
+	return connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		return bucket.Delete(key)
 	})
 }
 
 // GetNextIdentifier is a generic function that returns the specified bucket identifier incremented by 1.
-func GetNextIdentifier(db *bolt.DB, bucketName string) int {
+func GetNextIdentifier(connection *DbConnection, bucketName string) int {
 	var identifier int
 
-	db.Update(func(tx *bolt.Tx) error {
+	connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		id, err := bucket.NextSequence()
 		if err != nil {

api/bolt/migrator/migrate_dbversion0.go

@@ -3,6 +3,7 @@ package migrator
 import (
 	"github.com/boltdb/bolt"
 	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/user"
 )
 
@@ -22,7 +23,7 @@ func (m *Migrator) updateAdminUserToDBVersion1() error {
 		if err != nil {
 			return err
 		}
-	} else if err != nil && err != portainer.ErrObjectNotFound {
+	} else if err != nil && err != errors.ErrObjectNotFound {
 		return err
 	}
 	return nil

api/bolt/migrator/migrate_dbversion19.go

@@ -2,10 +2,10 @@ package migrator
 
 import (
 	"strings"
-
-	portainer "github.com/portainer/portainer/api"
 )
 
+const scheduleScriptExecutionJobType = 1
+
 func (m *Migrator) updateUsersToDBVersion20() error {
 	return m.authorizationService.UpdateUsersAuthorizations()
 }
@@ -28,7 +28,7 @@ func (m *Migrator) updateSchedulesToDBVersion20() error {
 	}
 
 	for _, schedule := range legacySchedules {
-		if schedule.JobType == portainer.ScriptExecutionJobType {
+		if schedule.JobType == scheduleScriptExecutionJobType {
 			if schedule.CronExpression == "0 0 * * *" {
 				schedule.CronExpression = "0 * * * *"
 			} else if schedule.CronExpression == "0 0 0/2 * *" {

api/bolt/migrator/migrate_dbversion20.go

@@ -1,6 +1,9 @@
 package migrator
 
-import portainer "github.com/portainer/portainer/api"
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/authorization"
+)
 
 func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	legacyResourceControls, err := m.resourceControlService.ResourceControls()
@@ -32,7 +35,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	}
 
 	for _, user := range legacyUsers {
-		user.PortainerAuthorizations = portainer.DefaultPortainerAuthorizations()
+		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
 		err = m.userService.UpdateUser(user.ID, &user)
 		if err != nil {
 			return err
@@ -44,7 +47,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	endpointAdministratorRole.Priority = 1
-	endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
+	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
 
 	err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
 
@@ -53,7 +56,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	helpDeskRole.Priority = 2
-	helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
+	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
 
 	err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
 
@@ -62,7 +65,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	standardUserRole.Priority = 3
-	standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
+	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
 	err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
 
@@ -71,7 +74,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	readOnlyUserRole.Priority = 4
-	readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
+	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
 	err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
 	if err != nil {

api/bolt/migrator/migrate_dbversion23.go

@@ -8,10 +8,26 @@ func (m *Migrator) updateSettingsToDB24() error {
 		return err
 	}
 
-	if legacySettings.TemplatesURL == "" {
-		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
+	legacySettings.AllowHostNamespaceForRegularUsers = true
+	legacySettings.AllowDeviceMappingForRegularUsers = true
+	legacySettings.AllowStackManagementForRegularUsers = true
 
-		return m.settingsService.UpdateSettings(legacySettings)
+	return m.settingsService.UpdateSettings(legacySettings)
+}
+
+func (m *Migrator) updateStacksToDB24() error {
+	stacks, err := m.stackService.Stacks()
+	if err != nil {
+		return err
+	}
+
+	for idx := range stacks {
+		stack := &stacks[idx]
+		stack.Status = portainer.StackStatusActive
+		err := m.stackService.UpdateStack(stack.ID, stack)
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil

api/bolt/migrator/migrate_dbversion24.go

@@ -0,0 +1,23 @@
+package migrator
+
+import (
+	"github.com/portainer/portainer/api"
+)
+
+func (m *Migrator) updateSettingsToDB25() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	if legacySettings.TemplatesURL == "" {
+		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
+	}
+
+	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+	legacySettings.EnableTelemetry = true
+
+	legacySettings.AllowContainerCapabilitiesForRegularUsers = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion25.go

@@ -0,0 +1,51 @@
+package migrator
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+func (m *Migrator) updateEndpointSettingsToDB25() error {
+	settings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for i := range endpoints {
+		endpoint := endpoints[i]
+
+		securitySettings := portainer.EndpointSecuritySettings{}
+
+		if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment ||
+			endpoint.Type == portainer.AgentOnDockerEnvironment ||
+			endpoint.Type == portainer.DockerEnvironment {
+
+			securitySettings = portainer.EndpointSecuritySettings{
+				AllowBindMountsForRegularUsers:            settings.AllowBindMountsForRegularUsers,
+				AllowContainerCapabilitiesForRegularUsers: settings.AllowContainerCapabilitiesForRegularUsers,
+				AllowDeviceMappingForRegularUsers:         settings.AllowDeviceMappingForRegularUsers,
+				AllowHostNamespaceForRegularUsers:         settings.AllowHostNamespaceForRegularUsers,
+				AllowPrivilegedModeForRegularUsers:        settings.AllowPrivilegedModeForRegularUsers,
+				AllowStackManagementForRegularUsers:       settings.AllowStackManagementForRegularUsers,
+			}
+
+			if endpoint.Type == portainer.AgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
+				securitySettings.AllowVolumeBrowserForRegularUsers = settings.AllowVolumeBrowserForRegularUsers
+				securitySettings.EnableHostManagementFeatures = settings.EnableHostManagementFeatures
+			}
+		}
+
+		endpoint.SecuritySettings = securitySettings
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion26.go

@@ -0,0 +1,40 @@
+package migrator
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
+	"github.com/portainer/portainer/api/internal/stackutils"
+)
+
+func (m *Migrator) updateStackResourceControlToDB27() error {
+	resourceControls, err := m.resourceControlService.ResourceControls()
+	if err != nil {
+		return err
+	}
+
+	for _, resource := range resourceControls {
+		if resource.Type != portainer.StackResourceControl {
+			continue
+		}
+
+		stackName := resource.ResourceID
+
+		stack, err := m.stackService.StackByName(stackName)
+		if err != nil {
+			if err == errors.ErrObjectNotFound {
+				continue
+			}
+
+			return err
+		}
+
+		resource.ResourceID = stackutils.ResourceControlID(stack.EndpointID, stack.Name)
+
+		err = m.resourceControlService.UpdateResourceControl(resource.ID, &resource)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrator.go

@@ -2,7 +2,7 @@ package migrator
 
 import (
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
 	"github.com/portainer/portainer/api/bolt/endpointrelation"
@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/bolt/teammembership"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
+	"github.com/portainer/portainer/api/internal/authorization"
 )
 
 type (
@@ -39,7 +40,7 @@ type (
 		userService             *user.Service
 		versionService          *version.Service
 		fileService             portainer.FileService
-		authorizationService    *portainer.AuthorizationService
+		authorizationService    *authorization.Service
 	}
 
 	// Parameters represents the required parameters to create a new Migrator instance.
@@ -61,7 +62,7 @@ type (
 		UserService             *user.Service
 		VersionService          *version.Service
 		FileService             portainer.FileService
-		AuthorizationService    *portainer.AuthorizationService
+		AuthorizationService    *authorization.Service
 	}
 )
 
@@ -320,7 +321,7 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
-	// Portainer 2.0
+	// Portainer 1.24.1
 	if m.currentDBVersion < 24 {
 		err := m.updateSettingsToDB24()
 		if err != nil {
@@ -328,5 +329,34 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// Portainer 2.0.0
+	if m.currentDBVersion < 25 {
+		err := m.updateSettingsToDB25()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateStacksToDB24()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.1.0
+	if m.currentDBVersion < 26 {
+		err := m.updateEndpointSettingsToDB25()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 2.2.0
+	if m.currentDBVersion < 27 {
+		err := m.updateStackResourceControlToDB27()
+		if err != nil {
+			return err
+		}
+	}
+
 	return m.versionService.StoreDBVersion(portainer.DBVersion)
 }

api/bolt/registry/registry.go

@@ -1,7 +1,7 @@
 package registry
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) Registry(ID portainer.RegistryID) (*portainer.Registry,
 	var registry portainer.Registry
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &registry)
+	err := internal.GetObject(service.connection, BucketName, identifier, &registry)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +46,7 @@ func (service *Service) Registry(ID portainer.RegistryID) (*portainer.Registry,
 func (service *Service) Registries() ([]portainer.Registry, error) {
 	var registries = make([]portainer.Registry, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -67,7 +67,7 @@ func (service *Service) Registries() ([]portainer.Registry, error) {
 
 // CreateRegistry creates a new registry.
 func (service *Service) CreateRegistry(registry *portainer.Registry) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -85,11 +85,11 @@ func (service *Service) CreateRegistry(registry *portainer.Registry) error {
 // UpdateRegistry updates an registry.
 func (service *Service) UpdateRegistry(ID portainer.RegistryID, registry *portainer.Registry) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, registry)
+	return internal.UpdateObject(service.connection, BucketName, identifier, registry)
 }
 
 // DeleteRegistry deletes an registry.
 func (service *Service) DeleteRegistry(ID portainer.RegistryID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/resourcecontrol/resourcecontrol.go

@@ -1,7 +1,7 @@
 package resourcecontrol
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) ResourceControl(ID portainer.ResourceControlID) (*portai
 	var resourceControl portainer.ResourceControl
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &resourceControl)
+	err := internal.GetObject(service.connection, BucketName, identifier, &resourceControl)
 	if err != nil {
 		return nil, err
 	}
@@ -48,7 +48,7 @@ func (service *Service) ResourceControl(ID portainer.ResourceControlID) (*portai
 func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
 
@@ -82,7 +82,7 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 func (service *Service) ResourceControls() ([]portainer.ResourceControl, error) {
 	var rcs = make([]portainer.ResourceControl, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -103,7 +103,7 @@ func (service *Service) ResourceControls() ([]portainer.ResourceControl, error)
 
 // CreateResourceControl creates a new ResourceControl object
 func (service *Service) CreateResourceControl(resourceControl *portainer.ResourceControl) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -121,11 +121,11 @@ func (service *Service) CreateResourceControl(resourceControl *portainer.Resourc
 // UpdateResourceControl saves a ResourceControl object.
 func (service *Service) UpdateResourceControl(ID portainer.ResourceControlID, resourceControl *portainer.ResourceControl) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, resourceControl)
+	return internal.UpdateObject(service.connection, BucketName, identifier, resourceControl)
 }
 
 // DeleteResourceControl deletes a ResourceControl object by ID
 func (service *Service) DeleteResourceControl(ID portainer.ResourceControlID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/role/role.go

@@ -1,7 +1,7 @@
 package role
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) Role(ID portainer.RoleID) (*portainer.Role, error) {
 	var set portainer.Role
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &set)
+	err := internal.GetObject(service.connection, BucketName, identifier, &set)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +46,7 @@ func (service *Service) Role(ID portainer.RoleID) (*portainer.Role, error) {
 func (service *Service) Roles() ([]portainer.Role, error) {
 	var sets = make([]portainer.Role, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -67,7 +67,7 @@ func (service *Service) Roles() ([]portainer.Role, error) {
 
 // CreateRole creates a new Role.
 func (service *Service) CreateRole(role *portainer.Role) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -85,5 +85,5 @@ func (service *Service) CreateRole(role *portainer.Role) error {
 // UpdateRole updates a role.
 func (service *Service) UpdateRole(ID portainer.RoleID, role *portainer.Role) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, role)
+	return internal.UpdateObject(service.connection, BucketName, identifier, role)
 }

api/bolt/schedule/schedule.go

@@ -1,7 +1,7 @@
 package schedule
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing schedule data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) Schedule(ID portainer.ScheduleID) (*portainer.Schedule,
 	var schedule portainer.Schedule
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &schedule)
+	err := internal.GetObject(service.connection, BucketName, identifier, &schedule)
 	if err != nil {
 		return nil, err
 	}
@@ -45,20 +45,20 @@ func (service *Service) Schedule(ID portainer.ScheduleID) (*portainer.Schedule,
 // UpdateSchedule updates a schedule.
 func (service *Service) UpdateSchedule(ID portainer.ScheduleID, schedule *portainer.Schedule) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, schedule)
+	return internal.UpdateObject(service.connection, BucketName, identifier, schedule)
 }
 
 // DeleteSchedule deletes a schedule.
 func (service *Service) DeleteSchedule(ID portainer.ScheduleID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // Schedules return a array containing all the schedules.
 func (service *Service) Schedules() ([]portainer.Schedule, error) {
 	var schedules = make([]portainer.Schedule, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -82,7 +82,7 @@ func (service *Service) Schedules() ([]portainer.Schedule, error) {
 func (service *Service) SchedulesByJobType(jobType portainer.JobType) ([]portainer.Schedule, error) {
 	var schedules = make([]portainer.Schedule, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -105,7 +105,7 @@ func (service *Service) SchedulesByJobType(jobType portainer.JobType) ([]portain
 
 // CreateSchedule assign an ID to a new schedule and saves it.
 func (service *Service) CreateSchedule(schedule *portainer.Schedule) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		// We manually manage sequences for schedules
@@ -125,5 +125,5 @@ func (service *Service) CreateSchedule(schedule *portainer.Schedule) error {
 
 // GetNextIdentifier returns the next identifier for a schedule.
 func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
+	return internal.GetNextIdentifier(service.connection, BucketName)
 }

api/bolt/services.go

@@ -0,0 +1,263 @@
+package bolt
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/customtemplate"
+	"github.com/portainer/portainer/api/bolt/dockerhub"
+	"github.com/portainer/portainer/api/bolt/edgegroup"
+	"github.com/portainer/portainer/api/bolt/edgejob"
+	"github.com/portainer/portainer/api/bolt/edgestack"
+	"github.com/portainer/portainer/api/bolt/endpoint"
+	"github.com/portainer/portainer/api/bolt/endpointgroup"
+	"github.com/portainer/portainer/api/bolt/endpointrelation"
+	"github.com/portainer/portainer/api/bolt/extension"
+	"github.com/portainer/portainer/api/bolt/registry"
+	"github.com/portainer/portainer/api/bolt/resourcecontrol"
+	"github.com/portainer/portainer/api/bolt/role"
+	"github.com/portainer/portainer/api/bolt/schedule"
+	"github.com/portainer/portainer/api/bolt/settings"
+	"github.com/portainer/portainer/api/bolt/stack"
+	"github.com/portainer/portainer/api/bolt/tag"
+	"github.com/portainer/portainer/api/bolt/team"
+	"github.com/portainer/portainer/api/bolt/teammembership"
+	"github.com/portainer/portainer/api/bolt/tunnelserver"
+	"github.com/portainer/portainer/api/bolt/user"
+	"github.com/portainer/portainer/api/bolt/version"
+	"github.com/portainer/portainer/api/bolt/webhook"
+)
+
+func (store *Store) initServices() error {
+	authorizationsetService, err := role.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.RoleService = authorizationsetService
+
+	customTemplateService, err := customtemplate.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.CustomTemplateService = customTemplateService
+
+	dockerhubService, err := dockerhub.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.DockerHubService = dockerhubService
+
+	edgeStackService, err := edgestack.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EdgeStackService = edgeStackService
+
+	edgeGroupService, err := edgegroup.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EdgeGroupService = edgeGroupService
+
+	edgeJobService, err := edgejob.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EdgeJobService = edgeJobService
+
+	endpointgroupService, err := endpointgroup.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EndpointGroupService = endpointgroupService
+
+	endpointService, err := endpoint.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EndpointService = endpointService
+
+	endpointRelationService, err := endpointrelation.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EndpointRelationService = endpointRelationService
+
+	extensionService, err := extension.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.ExtensionService = extensionService
+
+	registryService, err := registry.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.RegistryService = registryService
+
+	resourcecontrolService, err := resourcecontrol.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.ResourceControlService = resourcecontrolService
+
+	settingsService, err := settings.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.SettingsService = settingsService
+
+	stackService, err := stack.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.StackService = stackService
+
+	tagService, err := tag.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.TagService = tagService
+
+	teammembershipService, err := teammembership.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.TeamMembershipService = teammembershipService
+
+	teamService, err := team.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.TeamService = teamService
+
+	tunnelServerService, err := tunnelserver.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.TunnelServerService = tunnelServerService
+
+	userService, err := user.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.UserService = userService
+
+	versionService, err := version.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.VersionService = versionService
+
+	webhookService, err := webhook.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.WebhookService = webhookService
+
+	scheduleService, err := schedule.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.ScheduleService = scheduleService
+
+	return nil
+}
+
+// CustomTemplate gives access to the CustomTemplate data management layer
+func (store *Store) CustomTemplate() portainer.CustomTemplateService {
+	return store.CustomTemplateService
+}
+
+// DockerHub gives access to the DockerHub data management layer
+func (store *Store) DockerHub() portainer.DockerHubService {
+	return store.DockerHubService
+}
+
+// EdgeGroup gives access to the EdgeGroup data management layer
+func (store *Store) EdgeGroup() portainer.EdgeGroupService {
+	return store.EdgeGroupService
+}
+
+// EdgeJob gives access to the EdgeJob data management layer
+func (store *Store) EdgeJob() portainer.EdgeJobService {
+	return store.EdgeJobService
+}
+
+// EdgeStack gives access to the EdgeStack data management layer
+func (store *Store) EdgeStack() portainer.EdgeStackService {
+	return store.EdgeStackService
+}
+
+// Endpoint gives access to the Endpoint data management layer
+func (store *Store) Endpoint() portainer.EndpointService {
+	return store.EndpointService
+}
+
+// EndpointGroup gives access to the EndpointGroup data management layer
+func (store *Store) EndpointGroup() portainer.EndpointGroupService {
+	return store.EndpointGroupService
+}
+
+// EndpointRelation gives access to the EndpointRelation data management layer
+func (store *Store) EndpointRelation() portainer.EndpointRelationService {
+	return store.EndpointRelationService
+}
+
+// Registry gives access to the Registry data management layer
+func (store *Store) Registry() portainer.RegistryService {
+	return store.RegistryService
+}
+
+// ResourceControl gives access to the ResourceControl data management layer
+func (store *Store) ResourceControl() portainer.ResourceControlService {
+	return store.ResourceControlService
+}
+
+// Role gives access to the Role data management layer
+func (store *Store) Role() portainer.RoleService {
+	return store.RoleService
+}
+
+// Settings gives access to the Settings data management layer
+func (store *Store) Settings() portainer.SettingsService {
+	return store.SettingsService
+}
+
+// Stack gives access to the Stack data management layer
+func (store *Store) Stack() portainer.StackService {
+	return store.StackService
+}
+
+// Tag gives access to the Tag data management layer
+func (store *Store) Tag() portainer.TagService {
+	return store.TagService
+}
+
+// TeamMembership gives access to the TeamMembership data management layer
+func (store *Store) TeamMembership() portainer.TeamMembershipService {
+	return store.TeamMembershipService
+}
+
+// Team gives access to the Team data management layer
+func (store *Store) Team() portainer.TeamService {
+	return store.TeamService
+}
+
+// TunnelServer gives access to the TunnelServer data management layer
+func (store *Store) TunnelServer() portainer.TunnelServerService {
+	return store.TunnelServerService
+}
+
+// User gives access to the User data management layer
+func (store *Store) User() portainer.UserService {
+	return store.UserService
+}
+
+// Version gives access to the Version data management layer
+func (store *Store) Version() portainer.VersionService {
+	return store.VersionService
+}
+
+// Webhook gives access to the Webhook data management layer
+func (store *Store) Webhook() portainer.WebhookService {
+	return store.WebhookService
+}

api/bolt/settings/settings.go

@@ -1,10 +1,8 @@
 package settings
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
-
-	"github.com/boltdb/bolt"
 )
 
 const (
@@ -15,18 +13,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +32,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) Settings() (*portainer.Settings, error) {
 	var settings portainer.Settings
 
-	err := internal.GetObject(service.db, BucketName, []byte(settingsKey), &settings)
+	err := internal.GetObject(service.connection, BucketName, []byte(settingsKey), &settings)
 	if err != nil {
 		return nil, err
 	}
@@ -44,5 +42,5 @@ func (service *Service) Settings() (*portainer.Settings, error) {
 
 // UpdateSettings persists a Settings object.
 func (service *Service) UpdateSettings(settings *portainer.Settings) error {
-	return internal.UpdateObject(service.db, BucketName, []byte(settingsKey), settings)
+	return internal.UpdateObject(service.connection, BucketName, []byte(settingsKey), settings)
 }

api/bolt/stack/stack.go

@@ -1,7 +1,8 @@
 package stack
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +15,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +35,7 @@ func (service *Service) Stack(ID portainer.StackID) (*portainer.Stack, error) {
 	var stack portainer.Stack
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &stack)
+	err := internal.GetObject(service.connection, BucketName, identifier, &stack)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +47,7 @@ func (service *Service) Stack(ID portainer.StackID) (*portainer.Stack, error) {
 func (service *Service) StackByName(name string) (*portainer.Stack, error) {
 	var stack *portainer.Stack
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
 
@@ -64,7 +65,7 @@ func (service *Service) StackByName(name string) (*portainer.Stack, error) {
 		}
 
 		if stack == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		return nil
@@ -77,7 +78,7 @@ func (service *Service) StackByName(name string) (*portainer.Stack, error) {
 func (service *Service) Stacks() ([]portainer.Stack, error) {
 	var stacks = make([]portainer.Stack, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -98,12 +99,12 @@ func (service *Service) Stacks() ([]portainer.Stack, error) {
 
 // GetNextIdentifier returns the next identifier for a stack.
 func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
+	return internal.GetNextIdentifier(service.connection, BucketName)
 }
 
 // CreateStack creates a new stack.
 func (service *Service) CreateStack(stack *portainer.Stack) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		// We manually manage sequences for stacks
@@ -124,11 +125,11 @@ func (service *Service) CreateStack(stack *portainer.Stack) error {
 // UpdateStack updates a stack.
 func (service *Service) UpdateStack(ID portainer.StackID, stack *portainer.Stack) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, stack)
+	return internal.UpdateObject(service.connection, BucketName, identifier, stack)
 }
 
 // DeleteStack deletes a stack.
 func (service *Service) DeleteStack(ID portainer.StackID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/tag/tag.go

@@ -1,7 +1,7 @@
 package tag
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -33,7 +33,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) Tags() ([]portainer.Tag, error) {
 	var tags = make([]portainer.Tag, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -57,7 +57,7 @@ func (service *Service) Tag(ID portainer.TagID) (*portainer.Tag, error) {
 	var tag portainer.Tag
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &tag)
+	err := internal.GetObject(service.connection, BucketName, identifier, &tag)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func (service *Service) Tag(ID portainer.TagID) (*portainer.Tag, error) {
 
 // CreateTag creates a new tag.
 func (service *Service) CreateTag(tag *portainer.Tag) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -85,11 +85,11 @@ func (service *Service) CreateTag(tag *portainer.Tag) error {
 // UpdateTag updates a tag.
 func (service *Service) UpdateTag(ID portainer.TagID, tag *portainer.Tag) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, tag)
+	return internal.UpdateObject(service.connection, BucketName, identifier, tag)
 }
 
 // DeleteTag deletes a tag.
 func (service *Service) DeleteTag(ID portainer.TagID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/team/team.go

@@ -1,7 +1,10 @@
 package team
 
 import (
-	"github.com/portainer/portainer/api"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +17,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +37,7 @@ func (service *Service) Team(ID portainer.TeamID) (*portainer.Team, error) {
 	var team portainer.Team
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &team)
+	err := internal.GetObject(service.connection, BucketName, identifier, &team)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +49,7 @@ func (service *Service) Team(ID portainer.TeamID) (*portainer.Team, error) {
 func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 	var team *portainer.Team
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -57,14 +60,14 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 				return err
 			}
 
-			if t.Name == name {
+			if strings.EqualFold(t.Name, name) {
 				team = &t
 				break
 			}
 		}
 
 		if team == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		return nil
@@ -77,7 +80,7 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 func (service *Service) Teams() ([]portainer.Team, error) {
 	var teams = make([]portainer.Team, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -99,12 +102,12 @@ func (service *Service) Teams() ([]portainer.Team, error) {
 // UpdateTeam saves a Team.
 func (service *Service) UpdateTeam(ID portainer.TeamID, team *portainer.Team) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, team)
+	return internal.UpdateObject(service.connection, BucketName, identifier, team)
 }
 
 // CreateTeam creates a new Team.
 func (service *Service) CreateTeam(team *portainer.Team) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -122,5 +125,5 @@ func (service *Service) CreateTeam(team *portainer.Team) error {
 // DeleteTeam deletes a Team.
 func (service *Service) DeleteTeam(ID portainer.TeamID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/teammembership/teammembership.go

@@ -1,7 +1,7 @@
 package teammembership
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +14,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +34,7 @@ func (service *Service) TeamMembership(ID portainer.TeamMembershipID) (*portaine
 	var membership portainer.TeamMembership
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &membership)
+	err := internal.GetObject(service.connection, BucketName, identifier, &membership)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +46,7 @@ func (service *Service) TeamMembership(ID portainer.TeamMembershipID) (*portaine
 func (service *Service) TeamMemberships() ([]portainer.TeamMembership, error) {
 	var memberships = make([]portainer.TeamMembership, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -69,7 +69,7 @@ func (service *Service) TeamMemberships() ([]portainer.TeamMembership, error) {
 func (service *Service) TeamMembershipsByUserID(userID portainer.UserID) ([]portainer.TeamMembership, error) {
 	var memberships = make([]portainer.TeamMembership, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -95,7 +95,7 @@ func (service *Service) TeamMembershipsByUserID(userID portainer.UserID) ([]port
 func (service *Service) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]portainer.TeamMembership, error) {
 	var memberships = make([]portainer.TeamMembership, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -120,12 +120,12 @@ func (service *Service) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]port
 // UpdateTeamMembership saves a TeamMembership object.
 func (service *Service) UpdateTeamMembership(ID portainer.TeamMembershipID, membership *portainer.TeamMembership) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, membership)
+	return internal.UpdateObject(service.connection, BucketName, identifier, membership)
 }
 
 // CreateTeamMembership creates a new TeamMembership object.
 func (service *Service) CreateTeamMembership(membership *portainer.TeamMembership) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
@@ -143,12 +143,12 @@ func (service *Service) CreateTeamMembership(membership *portainer.TeamMembershi
 // DeleteTeamMembership deletes a TeamMembership object.
 func (service *Service) DeleteTeamMembership(ID portainer.TeamMembershipID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // DeleteTeamMembershipByUserID deletes all the TeamMembership object associated to a UserID.
 func (service *Service) DeleteTeamMembershipByUserID(userID portainer.UserID) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -173,7 +173,7 @@ func (service *Service) DeleteTeamMembershipByUserID(userID portainer.UserID) er
 
 // DeleteTeamMembershipByTeamID deletes all the TeamMembership object associated to a TeamID.
 func (service *Service) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()

api/bolt/tunnelserver/tunnelserver.go

@@ -1,10 +1,8 @@
 package tunnelserver
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
-
-	"github.com/boltdb/bolt"
 )
 
 const (
@@ -15,18 +13,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +32,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) Info() (*portainer.TunnelServerInfo, error) {
 	var info portainer.TunnelServerInfo
 
-	err := internal.GetObject(service.db, BucketName, []byte(infoKey), &info)
+	err := internal.GetObject(service.connection, BucketName, []byte(infoKey), &info)
 	if err != nil {
 		return nil, err
 	}
@@ -44,5 +42,5 @@ func (service *Service) Info() (*portainer.TunnelServerInfo, error) {
 
 // UpdateInfo persists a TunnelServerInfo object.
 func (service *Service) UpdateInfo(settings *portainer.TunnelServerInfo) error {
-	return internal.UpdateObject(service.db, BucketName, []byte(infoKey), settings)
+	return internal.UpdateObject(service.connection, BucketName, []byte(infoKey), settings)
 }

api/bolt/user/user.go

@@ -1,7 +1,10 @@
 package user
 
 import (
-	"github.com/portainer/portainer/api"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +17,18 @@ const (
 
 // Service represents a service for managing endpoint data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -34,7 +37,7 @@ func (service *Service) User(ID portainer.UserID) (*portainer.User, error) {
 	var user portainer.User
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &user)
+	err := internal.GetObject(service.connection, BucketName, identifier, &user)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +49,9 @@ func (service *Service) User(ID portainer.UserID) (*portainer.User, error) {
 func (service *Service) UserByUsername(username string) (*portainer.User, error) {
 	var user *portainer.User
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	username = strings.ToLower(username)
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
 
@@ -57,14 +62,14 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 				return err
 			}
 
-			if u.Username == username {
+			if strings.EqualFold(u.Username, username) {
 				user = &u
 				break
 			}
 		}
 
 		if user == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 		return nil
 	})
@@ -76,7 +81,7 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 func (service *Service) Users() ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -98,7 +103,7 @@ func (service *Service) Users() ([]portainer.User, error) {
 // UsersByRole return an array containing all the users with the specified role.
 func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -122,16 +127,18 @@ func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User,
 // UpdateUser saves a user.
 func (service *Service) UpdateUser(ID portainer.UserID, user *portainer.User) error {
 	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, user)
+	user.Username = strings.ToLower(user.Username)
+	return internal.UpdateObject(service.connection, BucketName, identifier, user)
 }
 
 // CreateUser creates a new user.
 func (service *Service) CreateUser(user *portainer.User) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()
 		user.ID = portainer.UserID(id)
+		user.Username = strings.ToLower(user.Username)
 
 		data, err := internal.MarshalObject(user)
 		if err != nil {
@@ -145,5 +152,5 @@ func (service *Service) CreateUser(user *portainer.User) error {
 // DeleteUser deletes a user.
 func (service *Service) DeleteUser(ID portainer.UserID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }

api/bolt/version/version.go

@@ -4,30 +4,33 @@ import (
 	"strconv"
 
 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 )
 
 const (
 	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "version"
-	versionKey = "DB_VERSION"
+	BucketName  = "version"
+	versionKey  = "DB_VERSION"
+	instanceKey = "INSTANCE_ID"
+	editionKey  = "EDITION"
 )
 
 // Service represents a service to manage stored versions.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -35,12 +38,12 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) DBVersion() (int, error) {
 	var data []byte
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		value := bucket.Get([]byte(versionKey))
 		if value == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		data = make([]byte, len(value))
@@ -55,12 +58,94 @@ func (service *Service) DBVersion() (int, error) {
 	return strconv.Atoi(string(data))
 }
 
+// Edition retrieves the stored portainer edition.
+func (service *Service) Edition() (portainer.SoftwareEdition, error) {
+	editionData, err := service.getKey(editionKey)
+	if err != nil {
+		return 0, err
+	}
+
+	edition, err := strconv.Atoi(string(editionData))
+	if err != nil {
+		return 0, err
+	}
+
+	return portainer.SoftwareEdition(edition), nil
+}
+
 // StoreDBVersion store the database version.
 func (service *Service) StoreDBVersion(version int) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		data := []byte(strconv.Itoa(version))
 		return bucket.Put([]byte(versionKey), data)
 	})
 }
+
+// InstanceID retrieves the stored instance ID.
+func (service *Service) InstanceID() (string, error) {
+	var data []byte
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		value := bucket.Get([]byte(instanceKey))
+		if value == nil {
+			return errors.ErrObjectNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}
+
+// StoreInstanceID store the instance ID.
+func (service *Service) StoreInstanceID(ID string) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data := []byte(ID)
+		return bucket.Put([]byte(instanceKey), data)
+	})
+}
+
+func (service *Service) getKey(key string) ([]byte, error) {
+	var data []byte
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		value := bucket.Get([]byte(key))
+		if value == nil {
+			return errors.ErrObjectNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+func (service *Service) setKey(key string, value string) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data := []byte(value)
+		return bucket.Put([]byte(key), data)
+	})
+}

api/bolt/webhook/webhook.go

@@ -1,7 +1,8 @@
 package webhook
 
 import (
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"
 
 	"github.com/boltdb/bolt"
@@ -14,18 +15,18 @@ const (
 
 // Service represents a service for managing webhook data.
 type Service struct {
-	db *bolt.DB
+	connection *internal.DbConnection
 }
 
 // NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
 	if err != nil {
 		return nil, err
 	}
 
 	return &Service{
-		db: db,
+		connection: connection,
 	}, nil
 }
 
@@ -33,7 +34,7 @@ func NewService(db *bolt.DB) (*Service, error) {
 func (service *Service) Webhooks() ([]portainer.Webhook, error) {
 	var webhooks = make([]portainer.Webhook, 0)
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		cursor := bucket.Cursor()
@@ -57,7 +58,7 @@ func (service *Service) Webhook(ID portainer.WebhookID) (*portainer.Webhook, err
 	var webhook portainer.Webhook
 	identifier := internal.Itob(int(ID))
 
-	err := internal.GetObject(service.db, BucketName, identifier, &webhook)
+	err := internal.GetObject(service.connection, BucketName, identifier, &webhook)
 	if err != nil {
 		return nil, err
 	}
@@ -69,7 +70,7 @@ func (service *Service) Webhook(ID portainer.WebhookID) (*portainer.Webhook, err
 func (service *Service) WebhookByResourceID(ID string) (*portainer.Webhook, error) {
 	var webhook *portainer.Webhook
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
 
@@ -87,7 +88,7 @@ func (service *Service) WebhookByResourceID(ID string) (*portainer.Webhook, erro
 		}
 
 		if webhook == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		return nil
@@ -100,7 +101,7 @@ func (service *Service) WebhookByResourceID(ID string) (*portainer.Webhook, erro
 func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error) {
 	var webhook *portainer.Webhook
 
-	err := service.db.View(func(tx *bolt.Tx) error {
+	err := service.connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 		cursor := bucket.Cursor()
 
@@ -118,7 +119,7 @@ func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error)
 		}
 
 		if webhook == nil {
-			return portainer.ErrObjectNotFound
+			return errors.ErrObjectNotFound
 		}
 
 		return nil
@@ -130,12 +131,12 @@ func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error)
 // DeleteWebhook deletes a webhook.
 func (service *Service) DeleteWebhook(ID portainer.WebhookID) error {
 	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
+	return internal.DeleteObject(service.connection, BucketName, identifier)
 }
 
 // CreateWebhook assign an ID to a new webhook and saves it.
 func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))
 
 		id, _ := bucket.NextSequence()

api/chisel/schedules.go

@@ -6,42 +6,42 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )
 
-// AddSchedule register a schedule inside the tunnel details associated to an endpoint.
-func (service *Service) AddSchedule(endpointID portainer.EndpointID, schedule *portainer.EdgeSchedule) {
+// AddEdgeJob register an EdgeJob inside the tunnel details associated to an endpoint.
+func (service *Service) AddEdgeJob(endpointID portainer.EndpointID, edgeJob *portainer.EdgeJob) {
 	tunnel := service.GetTunnelDetails(endpointID)
 
-	existingScheduleIndex := -1
-	for idx, existingSchedule := range tunnel.Schedules {
-		if existingSchedule.ID == schedule.ID {
-			existingScheduleIndex = idx
+	existingJobIndex := -1
+	for idx, existingJob := range tunnel.Jobs {
+		if existingJob.ID == edgeJob.ID {
+			existingJobIndex = idx
 			break
 		}
 	}
 
-	if existingScheduleIndex == -1 {
-		tunnel.Schedules = append(tunnel.Schedules, *schedule)
+	if existingJobIndex == -1 {
+		tunnel.Jobs = append(tunnel.Jobs, *edgeJob)
 	} else {
-		tunnel.Schedules[existingScheduleIndex] = *schedule
+		tunnel.Jobs[existingJobIndex] = *edgeJob
 	}
 
 	key := strconv.Itoa(int(endpointID))
 	service.tunnelDetailsMap.Set(key, tunnel)
 }
 
-// RemoveSchedule will remove the specified schedule from each tunnel it was registered with.
-func (service *Service) RemoveSchedule(scheduleID portainer.ScheduleID) {
+// RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
+func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
 	for item := range service.tunnelDetailsMap.IterBuffered() {
 		tunnelDetails := item.Val.(*portainer.TunnelDetails)
 
-		updatedSchedules := make([]portainer.EdgeSchedule, 0)
-		for _, schedule := range tunnelDetails.Schedules {
-			if schedule.ID == scheduleID {
+		updatedJobs := make([]portainer.EdgeJob, 0)
+		for _, edgeJob := range tunnelDetails.Jobs {
+			if edgeJob.ID == edgeJobID {
 				continue
 			}
-			updatedSchedules = append(updatedSchedules, schedule)
+			updatedJobs = append(updatedJobs, edgeJob)
 		}
 
-		tunnelDetails.Schedules = updatedSchedules
+		tunnelDetails.Jobs = updatedJobs
 		service.tunnelDetailsMap.Set(item.Key, tunnelDetails)
 	}
 }

api/chisel/service.go

@@ -1,17 +1,17 @@
 package chisel
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"strconv"
 	"time"
 
 	"github.com/dchest/uniuri"
-
-	cmap "github.com/orcaman/concurrent-map"
-
 	chserver "github.com/jpillora/chisel/server"
+	cmap "github.com/orcaman/concurrent-map"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
 )
 
 const (
@@ -28,15 +28,17 @@ type Service struct {
 	serverPort        string
 	tunnelDetailsMap  cmap.ConcurrentMap
 	dataStore         portainer.DataStore
-	snapshotter       portainer.Snapshotter
+	snapshotService   portainer.SnapshotService
 	chiselServer      *chserver.Server
+	shutdownCtx       context.Context
 }
 
 // NewService returns a pointer to a new instance of Service
-func NewService(dataStore portainer.DataStore) *Service {
+func NewService(dataStore portainer.DataStore, shutdownCtx context.Context) *Service {
 	return &Service{
 		tunnelDetailsMap: cmap.New(),
 		dataStore:        dataStore,
+		shutdownCtx:      shutdownCtx,
 	}
 }
 
@@ -45,7 +47,7 @@ func NewService(dataStore portainer.DataStore) *Service {
 // be found inside the database, it will generate a new one randomly and persist it.
 // It starts the tunnel status verification process in the background.
 // The snapshotter is used in the tunnel status verification process.
-func (service *Service) StartTunnelServer(addr, port string, snapshotter portainer.Snapshotter) error {
+func (service *Service) StartTunnelServer(addr, port string, snapshotService portainer.SnapshotService) error {
 	keySeed, err := service.retrievePrivateKeySeed()
 	if err != nil {
 		return err
@@ -78,17 +80,22 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotter portain
 		return err
 	}
 
-	service.snapshotter = snapshotter
+	service.snapshotService = snapshotService
 	go service.startTunnelVerificationLoop()
 
 	return nil
 }
 
+// StopTunnelServer stops tunnel http server
+func (service *Service) StopTunnelServer() error {
+	return service.chiselServer.Close()
+}
+
 func (service *Service) retrievePrivateKeySeed() (string, error) {
 	var serverInfo *portainer.TunnelServerInfo
 
 	serverInfo, err := service.dataStore.TunnelServer().Info()
-	if err == portainer.ErrObjectNotFound {
+	if err == errors.ErrObjectNotFound {
 		keySeed := uniuri.NewLen(16)
 
 		serverInfo = &portainer.TunnelServerInfo{
@@ -109,13 +116,16 @@ func (service *Service) retrievePrivateKeySeed() (string, error) {
 func (service *Service) startTunnelVerificationLoop() {
 	log.Printf("[DEBUG] [chisel, monitoring] [check_interval_seconds: %f] [message: starting tunnel management process]", tunnelCleanupInterval.Seconds())
 	ticker := time.NewTicker(tunnelCleanupInterval)
-	stopSignal := make(chan struct{})
 
 	for {
 		select {
 		case <-ticker.C:
 			service.checkTunnels()
-		case <-stopSignal:
+		case <-service.shutdownCtx.Done():
+			log.Println("[DEBUG] Shutting down tunnel service")
+			if err := service.StopTunnelServer(); err != nil {
+				log.Printf("Stopped tunnel service: %s", err)
+			}
 			ticker.Stop()
 			return
 		}
@@ -155,7 +165,7 @@ func (service *Service) checkTunnels() {
 			}
 		}
 
-		if len(tunnel.Schedules) > 0 {
+		if len(tunnel.Jobs) > 0 {
 			endpointID, err := strconv.Atoi(item.Key)
 			if err != nil {
 				log.Printf("[ERROR] [chisel,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
@@ -177,13 +187,13 @@ func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tun
 	}
 
 	endpointURL := endpoint.URL
+
 	endpoint.URL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnelPort)
-	snapshot, err := service.snapshotter.CreateSnapshot(endpoint)
+	err = service.snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
 		return err
 	}
 
-	endpoint.Snapshots = []portainer.Snapshot{*snapshot}
 	endpoint.URL = endpointURL
 	return service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 }

api/chisel/tunnel.go

@@ -47,11 +47,11 @@ func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *porta
 		return tunnelDetails
 	}
 
-	schedules := make([]portainer.EdgeSchedule, 0)
+	jobs := make([]portainer.EdgeJob, 0)
 	return &portainer.TunnelDetails{
 		Status:      portainer.EdgeAgentIdle,
 		Port:        0,
-		Schedules:   schedules,
+		Jobs:        jobs,
 		Credentials: "",
 	}
 }

api/cli/cli.go

@@ -1,6 +1,7 @@
 package cli
 
 import (
+	"errors"
 	"log"
 	"time"
 
@@ -16,12 +17,11 @@ import (
 // Service implements the CLIService interface
 type Service struct{}
 
-const (
-	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
-	errSocketOrNamedPipeNotFound     = portainer.Error("Unable to locate Unix socket or named pipe")
-	errInvalidSnapshotInterval       = portainer.Error("Invalid snapshot interval")
-	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
-	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
+var (
+	errInvalidEndpointProtocol       = errors.New("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
+	errSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
+	errInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
+	errAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
 )
 
 // ParseFlags parse the CLI flags and return a portainer.Flags struct
@@ -29,28 +29,28 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	kingpin.Version(version)
 
 	flags := &portainer.CLIFlags{
-		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
-		TunnelAddr:        kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
-		TunnelPort:        kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
-		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
-		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
-		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
-		NoAuth:            kingpin.Flag("no-auth", "Disable authentication (deprecated)").Default(defaultNoAuth).Bool(),
-		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
-		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
-		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
-		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
-		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
-		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
-		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
-		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
-		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
-		SnapshotInterval:  kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
-		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
-		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
-		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
-		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
-		Templates:         kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
+		Addr:                      kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
+		TunnelAddr:                kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
+		TunnelPort:                kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
+		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
+		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		EndpointURL:               kingpin.Flag("host", "Endpoint URL").Short('H').String(),
+		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
+		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
+		TLS:                       kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
+		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
+		TLSCacert:                 kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
+		TLSCert:                   kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
+		TLSKey:                    kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
+		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
+		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
+		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
+		AdminPassword:             kingpin.Flag("admin-password", "Hashed admin password").String(),
+		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
+		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
+		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
+		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
 	}
 
 	kingpin.Parse()
@@ -81,10 +81,6 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 		return err
 	}
 
-	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
-		return errNoAuthExcludeAdminPassword
-	}
-
 	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
 		return errAdminPassExcludeAdminPassFile
 	}
@@ -93,8 +89,8 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 }
 
 func displayDeprecationWarnings(flags *portainer.CLIFlags) {
-	if *flags.NoAuth {
-		log.Println("Warning: the --no-auth flag is deprecated and will likely be removed in a future version of Portainer.")
+	if *flags.NoAnalytics {
+		log.Println("Warning: The --no-analytics flag has been kept to allow migration of instances running a previous version of Portainer with this flag enabled, to version 2.0 where enabling this flag will have no effect.")
 	}
 }
 

api/cli/defaults.go

@@ -8,8 +8,6 @@ const (
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "/data"
 	defaultAssetsDirectory     = "./"
-	defaultNoAuth              = "false"
-	defaultNoAnalytics         = "false"
 	defaultTLS                 = "false"
 	defaultTLSSkipVerify       = "false"
 	defaultTLSCACertPath       = "/certs/ca.pem"

api/cli/defaults_windows.go

@@ -6,8 +6,6 @@ const (
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "C:\\data"
 	defaultAssetsDirectory     = "./"
-	defaultNoAuth              = "false"
-	defaultNoAnalytics         = "false"
 	defaultTLS                 = "false"
 	defaultTLSSkipVerify       = "false"
 	defaultTLSCACertPath       = "C:\\certs\\ca.pem"

api/cmd/portainer/main.go

@@ -1,39 +1,45 @@
 package main
 
 import (
+	"context"
 	"log"
 	"os"
 	"strings"
-	"time"
 
-	"github.com/portainer/portainer/api/chisel"
-
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt"
+	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
-	"github.com/portainer/portainer/api/cron"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
+
 	"github.com/portainer/portainer/api/exec"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/git"
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/client"
+	"github.com/portainer/portainer/api/http/proxy"
+	kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	"github.com/portainer/portainer/api/internal/edge"
+	"github.com/portainer/portainer/api/internal/snapshot"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/libcompose"
+	"github.com/portainer/portainer/api/oauth"
 )
 
 func initCLI() *portainer.CLIFlags {
 	var cliService portainer.CLIService = &cli.Service{}
 	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed parsing flags: %v", err)
 	}
 
 	err = cliService.ValidateFlags(flags)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed validating flags:%v", err)
 	}
 	return flags
 }
@@ -41,7 +47,7 @@ func initCLI() *portainer.CLIFlags {
 func initFileService(dataStorePath string) portainer.FileService {
 	fileService, err := filesystem.NewService(dataStorePath, "")
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed creating file service: %v", err)
 	}
 	return fileService
 }
@@ -49,27 +55,32 @@ func initFileService(dataStorePath string) portainer.FileService {
 func initDataStore(dataStorePath string, fileService portainer.FileService) portainer.DataStore {
 	store, err := bolt.NewStore(dataStorePath, fileService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed creating data store: %v", err)
 	}
 
 	err = store.Open()
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed opening store: %v", err)
 	}
 
 	err = store.Init()
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed initializing data store: %v", err)
 	}
 
-	err = store.MigrateData()
+	err = store.MigrateData(false)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed migration: %v", err)
 	}
 	return store
 }
 
-func initComposeStackManager(dataStorePath string, reverseTunnelService portainer.ReverseTunnelService) portainer.ComposeStackManager {
+func initComposeStackManager(assetsPath string, dataStorePath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
+	composeWrapper := exec.NewComposeWrapper(assetsPath, dataStorePath, proxyManager)
+	if composeWrapper != nil {
+		return composeWrapper
+	}
+
 	return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
 }
 
@@ -77,15 +88,25 @@ func initSwarmStackManager(assetsPath string, dataStorePath string, signatureSer
 	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService, reverseTunnelService)
 }
 
-func initJWTService(authenticationEnabled bool) portainer.JWTService {
-	if authenticationEnabled {
-		jwtService, err := jwt.NewService()
-		if err != nil {
-			log.Fatal(err)
-		}
-		return jwtService
+func initKubernetesDeployer(assetsPath string) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(assetsPath)
+}
+
+func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
+	settings, err := dataStore.Settings().Settings()
+	if err != nil {
+		return nil, err
 	}
-	return nil
+
+	if settings.UserSessionTimeout == "" {
+		settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+		dataStore.Settings().UpdateSettings(settings)
+	}
+	jwtService, err := jwt.NewService(settings.UserSessionTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return jwtService, nil
 }
 
 func initDigitalSignatureService() portainer.DigitalSignatureService {
@@ -100,97 +121,37 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }
 
+func initOAuthService() portainer.OAuthService {
+	return oauth.NewService()
+}
+
 func initGitService() portainer.GitService {
 	return git.NewService()
 }
 
-func initClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
+func initDockerClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
 	return docker.NewClientFactory(signatureService, reverseTunnelService)
 }
 
-func initSnapshotter(clientFactory *docker.ClientFactory) portainer.Snapshotter {
-	return docker.NewSnapshotter(clientFactory)
+func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string) *kubecli.ClientFactory {
+	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID)
 }
 
-func initJobScheduler() portainer.JobScheduler {
-	return cron.NewJobScheduler()
-}
+func initSnapshotService(snapshotInterval string, dataStore portainer.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
+	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
+	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)
 
-func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter portainer.Snapshotter, dataStore portainer.DataStore) error {
-	settings, err := dataStore.Settings().Settings()
+	snapshotService, err := snapshot.NewService(snapshotInterval, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	schedules, err := dataStore.Schedule().SchedulesByJobType(portainer.SnapshotJobType)
-	if err != nil {
-		return err
-	}
-
-	var snapshotSchedule *portainer.Schedule
-	if len(schedules) == 0 {
-		snapshotJob := &portainer.SnapshotJob{}
-		snapshotSchedule = &portainer.Schedule{
-			ID:             portainer.ScheduleID(dataStore.Schedule().GetNextIdentifier()),
-			Name:           "system_snapshot",
-			CronExpression: "@every " + settings.SnapshotInterval,
-			Recurring:      true,
-			JobType:        portainer.SnapshotJobType,
-			SnapshotJob:    snapshotJob,
-			Created:        time.Now().Unix(),
-		}
-	} else {
-		snapshotSchedule = &schedules[0]
-	}
-
-	snapshotJobContext := cron.NewSnapshotJobContext(dataStore, snapshotter)
-	snapshotJobRunner := cron.NewSnapshotJobRunner(snapshotSchedule, snapshotJobContext)
-
-	err = jobScheduler.ScheduleJob(snapshotJobRunner)
-	if err != nil {
-		return err
-	}
-
-	if len(schedules) == 0 {
-		return dataStore.Schedule().CreateSchedule(snapshotSchedule)
-	}
-	return nil
-}
-
-func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) error {
-	schedules, err := dataStore.Schedule().Schedules()
-	if err != nil {
-		return err
-	}
-
-	for _, schedule := range schedules {
-
-		if schedule.JobType == portainer.ScriptExecutionJobType {
-			jobContext := cron.NewScriptExecutionJobContext(jobService, dataStore, fileService)
-			jobRunner := cron.NewScriptExecutionJobRunner(&schedule, jobContext)
-
-			err = jobScheduler.ScheduleJob(jobRunner)
-			if err != nil {
-				return err
-			}
-		}
-
-		if schedule.EdgeSchedule != nil {
-			for _, endpointID := range schedule.EdgeSchedule.Endpoints {
-				reverseTunnelService.AddSchedule(endpointID, schedule.EdgeSchedule)
-			}
-		}
-
-	}
-
-	return nil
+	return snapshotService, nil
 }
 
 func initStatus(flags *portainer.CLIFlags) *portainer.Status {
 	return &portainer.Status{
-		Analytics:      !*flags.NoAnalytics,
-		Authentication: !*flags.NoAuth,
-		Version:        portainer.APIVersion,
+		Version: portainer.APIVersion,
 	}
 }
 
@@ -202,6 +163,8 @@ func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLI
 
 	settings.LogoURL = *flags.Logo
 	settings.SnapshotInterval = *flags.SnapshotInterval
+	settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
+	settings.EnableTelemetry = true
 
 	if *flags.Templates != "" {
 		settings.TemplatesURL = *flags.Templates
@@ -234,7 +197,7 @@ func generateAndStoreKeyPair(fileService portainer.FileService, signatureService
 func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
 	existingKeyPair, err := fileService.KeyPairFilesExist()
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed checking for existing key pair: %v", err)
 	}
 
 	if existingKeyPair {
@@ -243,7 +206,7 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	return generateAndStoreKeyPair(fileService, signatureService)
 }
 
-func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
 	tlsConfiguration := portainer.TLSConfiguration{
 		TLS:           *flags.TLS,
 		TLSSkipVerify: *flags.TLSSkipVerify,
@@ -270,7 +233,20 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.Snapshot{},
+		Snapshots:          []portainer.DockerSnapshot{},
+		Kubernetes:         portainer.KubernetesDefault(),
+
+		SecuritySettings: portainer.EndpointSecuritySettings{
+			AllowVolumeBrowserForRegularUsers: false,
+			EnableHostManagementFeatures:      false,
+
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowHostNamespaceForRegularUsers:         true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+		},
 	}
 
 	if strings.HasPrefix(endpoint.URL, "tcp://") {
@@ -289,10 +265,15 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		}
 	}
 
-	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
+	err := snapshotService.SnapshotEndpoint(endpoint)
+	if err != nil {
+		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+	}
+
+	return dataStore.Endpoint().CreateEndpoint(endpoint)
 }
 
-func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
 		_, err := client.ExecutePingOperation(endpointURL, nil)
 		if err != nil {
@@ -313,27 +294,31 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.Snapshot{},
+		Snapshots:          []portainer.DockerSnapshot{},
+		Kubernetes:         portainer.KubernetesDefault(),
+
+		SecuritySettings: portainer.EndpointSecuritySettings{
+			AllowVolumeBrowserForRegularUsers: false,
+			EnableHostManagementFeatures:      false,
+
+			AllowBindMountsForRegularUsers:            true,
+			AllowPrivilegedModeForRegularUsers:        true,
+			AllowHostNamespaceForRegularUsers:         true,
+			AllowContainerCapabilitiesForRegularUsers: true,
+			AllowDeviceMappingForRegularUsers:         true,
+			AllowStackManagementForRegularUsers:       true,
+		},
 	}
 
-	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
-}
-
-func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
-	snapshot, err := snapshotter.CreateSnapshot(endpoint)
-	endpoint.Status = portainer.EndpointStatusUp
+	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
 		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}
 
-	if snapshot != nil {
-		endpoint.Snapshots = []portainer.Snapshot{*snapshot}
-	}
-
 	return dataStore.Endpoint().CreateEndpoint(endpoint)
 }
 
-func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
 	if *flags.EndpointURL == "" {
 		return nil
 	}
@@ -349,121 +334,97 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snap
 	}
 
 	if *flags.TLS || *flags.TLSSkipVerify {
-		return createTLSSecuredEndpoint(flags, dataStore, snapshotter)
+		return createTLSSecuredEndpoint(flags, dataStore, snapshotService)
 	}
-	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotter)
+	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotService)
 }
 
-func initJobService(dockerClientFactory *docker.ClientFactory) portainer.JobService {
-	return docker.NewJobService(dockerClientFactory)
-}
-
-func initExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) (portainer.ExtensionManager, error) {
-	extensionManager := exec.NewExtensionManager(fileService, dataStore)
-
-	err := extensionManager.StartExtensions()
-	if err != nil {
-		return nil, err
-	}
-
-	return extensionManager, nil
-}
-
-func terminateIfNoAdminCreated(dataStore portainer.DataStore) {
-	timer1 := time.NewTimer(5 * time.Minute)
-	<-timer1.C
-
-	users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	if len(users) == 0 {
-		log.Fatal("No administrator account was created after 5 min. Shutting down the Portainer instance for security reasons.")
-		return
-	}
-}
-
-func main() {
-	flags := initCLI()
+func buildServer(flags *portainer.CLIFlags) portainer.Server {
+	shutdownCtx, shutdownTrigger := context.WithCancel(context.Background())
 
 	fileService := initFileService(*flags.Data)
 
 	dataStore := initDataStore(*flags.Data, fileService)
-	defer dataStore.Close()
 
-	jwtService := initJWTService(!*flags.NoAuth)
+	if err := dataStore.CheckCurrentEdition(); err != nil {
+		log.Fatal(err)
+	}
+
+	jwtService, err := initJWTService(dataStore)
+	if err != nil {
+		log.Fatalf("failed initializing JWT service: %v", err)
+	}
 
 	ldapService := initLDAPService()
 
+	oauthService := initOAuthService()
+
 	gitService := initGitService()
 
 	cryptoService := initCryptoService()
 
 	digitalSignatureService := initDigitalSignatureService()
 
-	err := initKeyPair(fileService, digitalSignatureService)
+	err = initKeyPair(fileService, digitalSignatureService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed initializing key pai: %v", err)
 	}
 
-	extensionManager, err := initExtensionManager(fileService, dataStore)
+	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx)
+
+	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed getting instance id: %v", err)
 	}
 
-	reverseTunnelService := chisel.NewService(dataStore)
+	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
+	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID)
 
-	clientFactory := initClientFactory(digitalSignatureService, reverseTunnelService)
-
-	jobService := initJobService(clientFactory)
-
-	snapshotter := initSnapshotter(clientFactory)
+	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
+	if err != nil {
+		log.Fatalf("failed initializing snapshot service: %v", err)
+	}
+	snapshotService.Start()
 
 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed initializing swarm stack manager: %v", err)
 	}
+	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()
+	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager)
 
-	composeStackManager := initComposeStackManager(*flags.Data, reverseTunnelService)
+	composeStackManager := initComposeStackManager(*flags.Assets, *flags.Data, reverseTunnelService, proxyManager)
+
+	kubernetesDeployer := initKubernetesDeployer(*flags.Assets)
 
 	if dataStore.IsNew() {
 		err = updateSettingsFromFlags(dataStore, flags)
 		if err != nil {
-			log.Fatal(err)
+			log.Fatalf("failed updating settings from flags: %v", err)
 		}
 	}
 
-	jobScheduler := initJobScheduler()
-
-	err = loadSchedulesFromDatabase(jobScheduler, jobService, dataStore, fileService, reverseTunnelService)
+	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed loading edge jobs from database: %v", err)
 	}
 
-	err = loadSnapshotSystemSchedule(jobScheduler, snapshotter, dataStore)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	jobScheduler.Start()
-
 	applicationStatus := initStatus(flags)
 
-	err = initEndpoint(flags, dataStore, snapshotter)
+	err = initEndpoint(flags, dataStore, snapshotService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed initializing endpoint: %v", err)
 	}
 
 	adminPasswordHash := ""
 	if *flags.AdminPasswordFile != "" {
 		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
 		if err != nil {
-			log.Fatal(err)
+			log.Fatalf("failed getting admin password file: %v", err)
 		}
 		adminPasswordHash, err = cryptoService.Hash(strings.TrimSuffix(string(content), "\n"))
 		if err != nil {
-			log.Fatal(err)
+			log.Fatalf("failed hashing admin password: %v", err)
 		}
 	} else if *flags.AdminPassword != "" {
 		adminPasswordHash = *flags.AdminPassword
@@ -472,63 +433,66 @@ func main() {
 	if adminPasswordHash != "" {
 		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
 		if err != nil {
-			log.Fatal(err)
+			log.Fatalf("failed getting admin user: %v", err)
 		}
 
 		if len(users) == 0 {
 			log.Println("Created admin user with the given password.")
 			user := &portainer.User{
-				Username:                "admin",
-				Role:                    portainer.AdministratorRole,
-				Password:                adminPasswordHash,
-				PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+				Password: adminPasswordHash,
 			}
 			err := dataStore.User().CreateUser(user)
 			if err != nil {
-				log.Fatal(err)
+				log.Fatalf("failed creating admin user: %v", err)
 			}
 		} else {
 			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
 		}
 	}
 
-	if !*flags.NoAuth {
-		go terminateIfNoAdminCreated(dataStore)
-	}
-
-	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotter)
+	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
 	if err != nil {
-		log.Fatal(err)
+		log.Fatalf("failed starting license service: %s", err)
 	}
 
-	var server portainer.Server = &http.Server{
-		ReverseTunnelService: reverseTunnelService,
-		Status:               applicationStatus,
-		BindAddress:          *flags.Addr,
-		AssetsPath:           *flags.Assets,
-		AuthDisabled:         *flags.NoAuth,
-		DataStore:            dataStore,
-		SwarmStackManager:    swarmStackManager,
-		ComposeStackManager:  composeStackManager,
-		ExtensionManager:     extensionManager,
-		CryptoService:        cryptoService,
-		JWTService:           jwtService,
-		FileService:          fileService,
-		LDAPService:          ldapService,
-		GitService:           gitService,
-		SignatureService:     digitalSignatureService,
-		JobScheduler:         jobScheduler,
-		Snapshotter:          snapshotter,
-		SSL:                  *flags.SSL,
-		SSLCert:              *flags.SSLCert,
-		SSLKey:               *flags.SSLKey,
-		DockerClientFactory:  clientFactory,
-		JobService:           jobService,
-	}
-
-	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
-	err = server.Start()
-	if err != nil {
-		log.Fatal(err)
+	return &http.Server{
+		ReverseTunnelService:        reverseTunnelService,
+		Status:                      applicationStatus,
+		BindAddress:                 *flags.Addr,
+		AssetsPath:                  *flags.Assets,
+		DataStore:                   dataStore,
+		SwarmStackManager:           swarmStackManager,
+		ComposeStackManager:         composeStackManager,
+		KubernetesDeployer:          kubernetesDeployer,
+		CryptoService:               cryptoService,
+		JWTService:                  jwtService,
+		FileService:                 fileService,
+		LDAPService:                 ldapService,
+		OAuthService:                oauthService,
+		GitService:                  gitService,
+		ProxyManager:                proxyManager,
+		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
+		SignatureService:            digitalSignatureService,
+		SnapshotService:             snapshotService,
+		SSL:                         *flags.SSL,
+		SSLCert:                     *flags.SSLCert,
+		SSLKey:                      *flags.SSLKey,
+		DockerClientFactory:         dockerClientFactory,
+		KubernetesClientFactory:     kubernetesClientFactory,
+		ShutdownCtx:                 shutdownCtx,
+		ShutdownTrigger:             shutdownTrigger,
+	}
+}
+
+func main() {
+	flags := initCLI()
+
+	for {
+		server := buildServer(flags)
+		log.Printf("Starting Portainer %s on %s\n", portainer.APIVersion, *flags.Addr)
+		err := server.Start()
+		log.Printf("Http server exited: %s\n", err)
 	}
 }

api/cron/job_script_execution.go

@@ -1,96 +0,0 @@
-package cron
-
-import (
-	"log"
-	"time"
-
-	"github.com/portainer/portainer/api"
-)
-
-// ScriptExecutionJobRunner is used to run a ScriptExecutionJob
-type ScriptExecutionJobRunner struct {
-	schedule     *portainer.Schedule
-	context      *ScriptExecutionJobContext
-	executedOnce bool
-}
-
-// ScriptExecutionJobContext represents the context of execution of a ScriptExecutionJob
-type ScriptExecutionJobContext struct {
-	dataStore   portainer.DataStore
-	jobService  portainer.JobService
-	fileService portainer.FileService
-}
-
-// NewScriptExecutionJobContext returns a new context that can be used to execute a ScriptExecutionJob
-func NewScriptExecutionJobContext(jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService) *ScriptExecutionJobContext {
-	return &ScriptExecutionJobContext{
-		jobService:  jobService,
-		dataStore:   dataStore,
-		fileService: fileService,
-	}
-}
-
-// NewScriptExecutionJobRunner returns a new runner that can be scheduled
-func NewScriptExecutionJobRunner(schedule *portainer.Schedule, context *ScriptExecutionJobContext) *ScriptExecutionJobRunner {
-	return &ScriptExecutionJobRunner{
-		schedule:     schedule,
-		context:      context,
-		executedOnce: false,
-	}
-}
-
-// Run triggers the execution of the job.
-// It will iterate through all the endpoints specified in the context to
-// execute the script associated to the job.
-func (runner *ScriptExecutionJobRunner) Run() {
-	if !runner.schedule.Recurring && runner.executedOnce {
-		return
-	}
-	runner.executedOnce = true
-
-	scriptFile, err := runner.context.fileService.GetFileContent(runner.schedule.ScriptExecutionJob.ScriptPath)
-	if err != nil {
-		log.Printf("scheduled job error (script execution). Unable to retrieve script file (err=%s)\n", err)
-		return
-	}
-
-	targets := make([]*portainer.Endpoint, 0)
-	for _, endpointID := range runner.schedule.ScriptExecutionJob.Endpoints {
-		endpoint, err := runner.context.dataStore.Endpoint().Endpoint(endpointID)
-		if err != nil {
-			log.Printf("scheduled job error (script execution). Unable to retrieve information about endpoint (id=%d) (err=%s)\n", endpointID, err)
-			return
-		}
-
-		targets = append(targets, endpoint)
-	}
-
-	runner.executeAndRetry(targets, scriptFile, 0)
-}
-
-func (runner *ScriptExecutionJobRunner) executeAndRetry(endpoints []*portainer.Endpoint, script []byte, retryCount int) {
-	retryTargets := make([]*portainer.Endpoint, 0)
-
-	for _, endpoint := range endpoints {
-		err := runner.context.jobService.ExecuteScript(endpoint, "", runner.schedule.ScriptExecutionJob.Image, script, runner.schedule)
-		if err == portainer.ErrUnableToPingEndpoint {
-			retryTargets = append(retryTargets, endpoint)
-		} else if err != nil {
-			log.Printf("scheduled job error (script execution). Unable to execute script (endpoint=%s) (err=%s)\n", endpoint.Name, err)
-		}
-	}
-
-	retryCount++
-	if retryCount >= runner.schedule.ScriptExecutionJob.RetryCount {
-		return
-	}
-
-	time.Sleep(time.Duration(runner.schedule.ScriptExecutionJob.RetryInterval) * time.Second)
-
-	runner.executeAndRetry(retryTargets, script, retryCount)
-}
-
-// GetSchedule returns the schedule associated to the runner
-func (runner *ScriptExecutionJobRunner) GetSchedule() *portainer.Schedule {
-	return runner.schedule
-}

api/cron/job_snapshot.go

@@ -1,85 +0,0 @@
-package cron
-
-import (
-	"log"
-
-	"github.com/portainer/portainer/api"
-)
-
-// SnapshotJobRunner is used to run a SnapshotJob
-type SnapshotJobRunner struct {
-	schedule *portainer.Schedule
-	context  *SnapshotJobContext
-}
-
-// SnapshotJobContext represents the context of execution of a SnapshotJob
-type SnapshotJobContext struct {
-	dataStore   portainer.DataStore
-	snapshotter portainer.Snapshotter
-}
-
-// NewSnapshotJobContext returns a new context that can be used to execute a SnapshotJob
-func NewSnapshotJobContext(dataStore portainer.DataStore, snapshotter portainer.Snapshotter) *SnapshotJobContext {
-	return &SnapshotJobContext{
-		dataStore:   dataStore,
-		snapshotter: snapshotter,
-	}
-}
-
-// NewSnapshotJobRunner returns a new runner that can be scheduled
-func NewSnapshotJobRunner(schedule *portainer.Schedule, context *SnapshotJobContext) *SnapshotJobRunner {
-	return &SnapshotJobRunner{
-		schedule: schedule,
-		context:  context,
-	}
-}
-
-// GetSchedule returns the schedule associated to the runner
-func (runner *SnapshotJobRunner) GetSchedule() *portainer.Schedule {
-	return runner.schedule
-}
-
-// Run triggers the execution of the schedule.
-// It will iterate through all the endpoints available in the database to
-// create a snapshot of each one of them.
-// As a snapshot can be a long process, to avoid any concurrency issue we
-// retrieve the latest version of the endpoint right after a snapshot.
-func (runner *SnapshotJobRunner) Run() {
-	go func() {
-		endpoints, err := runner.context.dataStore.Endpoint().Endpoints()
-		if err != nil {
-			log.Printf("background schedule error (endpoint snapshot). Unable to retrieve endpoint list (err=%s)\n", err)
-			return
-		}
-
-		for _, endpoint := range endpoints {
-			if endpoint.Type == portainer.EdgeAgentEnvironment {
-				continue
-			}
-
-			snapshot, snapshotError := runner.context.snapshotter.CreateSnapshot(&endpoint)
-
-			latestEndpointReference, err := runner.context.dataStore.Endpoint().Endpoint(endpoint.ID)
-			if latestEndpointReference == nil {
-				log.Printf("background schedule error (endpoint snapshot). Endpoint not found inside the database anymore (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
-				continue
-			}
-
-			latestEndpointReference.Status = portainer.EndpointStatusUp
-			if snapshotError != nil {
-				log.Printf("background schedule error (endpoint snapshot). Unable to create snapshot (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, snapshotError)
-				latestEndpointReference.Status = portainer.EndpointStatusDown
-			}
-
-			if snapshot != nil {
-				latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
-			}
-
-			err = runner.context.dataStore.Endpoint().UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
-			if err != nil {
-				log.Printf("background schedule error (endpoint snapshot). Unable to update endpoint (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
-				return
-			}
-		}
-	}()
-}

api/cron/scheduler.go

@@ -1,116 +0,0 @@
-package cron
-
-import (
-	"github.com/portainer/portainer/api"
-	"github.com/robfig/cron/v3"
-)
-
-// JobScheduler represents a service for managing crons
-type JobScheduler struct {
-	cron *cron.Cron
-}
-
-// NewJobScheduler initializes a new service
-func NewJobScheduler() *JobScheduler {
-	return &JobScheduler{
-		cron: cron.New(),
-	}
-}
-
-// ScheduleJob schedules the execution of a job via a runner
-func (scheduler *JobScheduler) ScheduleJob(runner portainer.JobRunner) error {
-	_, err := scheduler.cron.AddJob(runner.GetSchedule().CronExpression, runner)
-	return err
-}
-
-// UpdateSystemJobSchedule updates the first occurence of the specified
-// scheduled job based on the specified job type.
-// It does so by re-creating a new cron
-// and adding all the existing jobs. It will then re-schedule the new job
-// with the update cron expression passed in parameter.
-// NOTE: the cron library do not support updating schedules directly
-// hence the work-around
-func (scheduler *JobScheduler) UpdateSystemJobSchedule(jobType portainer.JobType, newCronExpression string) error {
-	cronEntries := scheduler.cron.Entries()
-	newCron := cron.New()
-
-	for _, entry := range cronEntries {
-		if entry.Job.(portainer.JobRunner).GetSchedule().JobType == jobType {
-			_, err := newCron.AddJob(newCronExpression, entry.Job)
-			if err != nil {
-				return err
-			}
-			continue
-		}
-
-		newCron.Schedule(entry.Schedule, entry.Job)
-	}
-
-	scheduler.cron.Stop()
-	scheduler.cron = newCron
-	scheduler.cron.Start()
-	return nil
-}
-
-// UpdateJobSchedule updates a specific scheduled job by re-creating a new cron
-// and adding all the existing jobs. It will then re-schedule the new job
-// via the specified JobRunner parameter.
-// NOTE: the cron library do not support updating schedules directly
-// hence the work-around
-func (scheduler *JobScheduler) UpdateJobSchedule(runner portainer.JobRunner) error {
-	cronEntries := scheduler.cron.Entries()
-	newCron := cron.New()
-
-	for _, entry := range cronEntries {
-
-		if entry.Job.(portainer.JobRunner).GetSchedule().ID == runner.GetSchedule().ID {
-
-			var jobRunner cron.Job = runner
-			if entry.Job.(portainer.JobRunner).GetSchedule().JobType == portainer.SnapshotJobType {
-				jobRunner = entry.Job
-			}
-
-			_, err := newCron.AddJob(runner.GetSchedule().CronExpression, jobRunner)
-			if err != nil {
-				return err
-			}
-			continue
-		}
-
-		newCron.Schedule(entry.Schedule, entry.Job)
-	}
-
-	scheduler.cron.Stop()
-	scheduler.cron = newCron
-	scheduler.cron.Start()
-	return nil
-}
-
-// UnscheduleJob remove a scheduled job by re-creating a new cron
-// and adding all the existing jobs except for the one specified via scheduleID.
-// NOTE: the cron library do not support removing schedules directly
-// hence the work-around
-func (scheduler *JobScheduler) UnscheduleJob(scheduleID portainer.ScheduleID) {
-	cronEntries := scheduler.cron.Entries()
-	newCron := cron.New()
-
-	for _, entry := range cronEntries {
-
-		if entry.Job.(portainer.JobRunner).GetSchedule().ID == scheduleID {
-			continue
-		}
-
-		newCron.Schedule(entry.Schedule, entry.Job)
-	}
-
-	scheduler.cron.Stop()
-	scheduler.cron = newCron
-	scheduler.cron.Start()
-}
-
-// Start starts the scheduled jobs
-func (scheduler *JobScheduler) Start() {
-	if len(scheduler.cron.Entries()) > 0 {
-		scheduler.cron.Start()
-	}
-}

api/crypto/aes.go

@@ -0,0 +1,70 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"io"
+
+	"golang.org/x/crypto/scrypt"
+)
+
+// NOTE: has to go with what is considered to be a simplistic in that it omits any
+// authentication of the encrypted data.
+// Person with better knowledge is welcomed to improve it.
+// sourced from https://golang.org/src/crypto/cipher/example_test.go
+
+var emptySalt []byte = make([]byte, 0, 0)
+
+// AesEncrypt reads from input, encrypts with AES-256 and writes to the output.
+// passphrase is used to generate an encryption key.
+func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
+	// making a 32 bytes key that would correspond to AES-256
+	// don't necessarily need a salt, so just kept in empty
+	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
+	if err != nil {
+		return err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return err
+	}
+
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
+	var iv [aes.BlockSize]byte
+	stream := cipher.NewOFB(block, iv[:])
+
+	writer := &cipher.StreamWriter{S: stream, W: output}
+	// Copy the input to the output, encrypting as we go.
+	if _, err := io.Copy(writer, input); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// AesDecrypt reads from input, decrypts with AES-256 and returns the reader to a read decrypted content from.
+// passphrase is used to generate an encryption key.
+func AesDecrypt(input io.Reader, passphrase []byte) (io.Reader, error) {
+	// making a 32 bytes key that would correspond to AES-256
+	// don't necessarily need a salt, so just kept in empty
+	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
+	var iv [aes.BlockSize]byte
+	stream := cipher.NewOFB(block, iv[:])
+
+	reader := &cipher.StreamReader{S: stream, R: input}
+
+	return reader, nil
+}

api/crypto/aes_test.go

@@ -0,0 +1,132 @@
+package crypto
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to decrypt file")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+}
+
+func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte(""))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(""))
+	assert.Nil(t, err, "Failed to decrypt file")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+}
+
+func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T) {
+	tmpdir, _ := ioutils.TempDir("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("garbage"))
+	assert.Nil(t, err, "Should allow to decrypt with wrong passphrase")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.NotEqual(t, content, decryptedContent, "Original and decrypted content should NOT match")
+}

api/crypto/tls.go

@@ -6,6 +6,24 @@ import (
 	"io/ioutil"
 )
 
+// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
+func CreateServerTLSConfiguration() *tls.Config {
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+	}
+}
+
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {

api/docker/client.go

@@ -1,6 +1,7 @@
 package docker
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -11,8 +12,9 @@ import (
 	"github.com/portainer/portainer/api/crypto"
 )
 
+var errUnsupportedEnvironmentType = errors.New("Environment not supported")
+
 const (
-	unsupportedEnvironmentType  = portainer.Error("Environment not supported")
 	defaultDockerRequestTimeout = 60
 	dockerClientVersion         = "1.37"
 )
@@ -31,13 +33,15 @@ func NewClientFactory(signatureService portainer.DigitalSignatureService, revers
 	}
 }
 
-// CreateClient is a generic function to create a Docker client based on
+// createClient is a generic function to create a Docker client based on
 // a specific endpoint configuration. The nodeName parameter can be used
 // with an agent enabled endpoint to target a specific node in an agent cluster.
 func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string) (*client.Client, error) {
-	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+	if endpoint.Type == portainer.AzureEnvironment {
+		return nil, errUnsupportedEnvironmentType
+	} else if endpoint.Type == portainer.AgentOnDockerEnvironment {
 		return createAgentClient(endpoint, factory.signatureService, nodeName)
-	} else if endpoint.Type == portainer.EdgeAgentEnvironment {
+	} else if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
 		return createEdgeClient(endpoint, factory.reverseTunnelService, nodeName)
 	}
 

api/docker/errors.go

@@ -0,0 +1,8 @@
+package docker
+
+import "errors"
+
+// Docker errors
+var (
+	ErrUnableToPingEndpoint = errors.New("Unable to communicate with the endpoint")
+)

api/docker/job.go

@@ -1,115 +0,0 @@
-package docker
-
-import (
-	"bytes"
-	"context"
-	"io"
-	"io/ioutil"
-	"strconv"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/strslice"
-	"github.com/docker/docker/client"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/archive"
-)
-
-// JobService represents a service that handles the execution of jobs
-type JobService struct {
-	dockerClientFactory *ClientFactory
-}
-
-// NewJobService returns a pointer to a new job service
-func NewJobService(dockerClientFactory *ClientFactory) *JobService {
-	return &JobService{
-		dockerClientFactory: dockerClientFactory,
-	}
-}
-
-// ExecuteScript will leverage a privileged container to execute a script against the specified endpoint/nodename.
-// It will copy the script content specified as a parameter inside a container based on the specified image and execute it.
-func (service *JobService) ExecuteScript(endpoint *portainer.Endpoint, nodeName, image string, script []byte, schedule *portainer.Schedule) error {
-	buffer, err := archive.TarFileInBuffer(script, "script.sh", 0700)
-	if err != nil {
-		return err
-	}
-
-	cli, err := service.dockerClientFactory.CreateClient(endpoint, nodeName)
-	if err != nil {
-		return err
-	}
-	defer cli.Close()
-
-	_, err = cli.Ping(context.Background())
-	if err != nil {
-		return portainer.ErrUnableToPingEndpoint
-	}
-
-	err = pullImage(cli, image)
-	if err != nil {
-		return err
-	}
-
-	containerConfig := &container.Config{
-		AttachStdin:  true,
-		AttachStdout: true,
-		AttachStderr: true,
-		Tty:          true,
-		WorkingDir:   "/tmp",
-		Image:        image,
-		Labels: map[string]string{
-			"io.portainer.job.endpoint": strconv.Itoa(int(endpoint.ID)),
-		},
-		Cmd: strslice.StrSlice([]string{"sh", "/tmp/script.sh"}),
-	}
-
-	if schedule != nil {
-		containerConfig.Labels["io.portainer.schedule.id"] = strconv.Itoa(int(schedule.ID))
-	}
-
-	hostConfig := &container.HostConfig{
-		Binds:       []string{"/:/host", "/etc:/etc:ro", "/usr:/usr:ro", "/run:/run:ro", "/sbin:/sbin:ro", "/var:/var:ro"},
-		NetworkMode: "host",
-		Privileged:  true,
-	}
-
-	networkConfig := &network.NetworkingConfig{}
-
-	body, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, networkConfig, "")
-	if err != nil {
-		return err
-	}
-
-	if schedule != nil {
-		err = cli.ContainerRename(context.Background(), body.ID, schedule.Name+"_"+body.ID)
-		if err != nil {
-			return err
-		}
-	}
-
-	copyOptions := types.CopyToContainerOptions{}
-	err = cli.CopyToContainer(context.Background(), body.ID, "/tmp", bytes.NewReader(buffer), copyOptions)
-	if err != nil {
-		return err
-	}
-
-	startOptions := types.ContainerStartOptions{}
-	return cli.ContainerStart(context.Background(), body.ID, startOptions)
-}
-
-func pullImage(cli *client.Client, image string) error {
-	imageReadCloser, err := cli.ImagePull(context.Background(), image, types.ImagePullOptions{})
-	if err != nil {
-		return err
-	}
-	defer imageReadCloser.Close()
-
-	_, err = io.Copy(ioutil.Discard, imageReadCloser)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}

api/docker/snapshot.go

@@ -12,13 +12,36 @@ import (
 	"github.com/portainer/portainer/api"
 )
 
-func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
+// Snapshotter represents a service used to create endpoint snapshots
+type Snapshotter struct {
+	clientFactory *ClientFactory
+}
+
+// NewSnapshotter returns a new Snapshotter instance
+func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {
+	return &Snapshotter{
+		clientFactory: clientFactory,
+	}
+}
+
+// CreateSnapshot creates a snapshot of a specific Docker endpoint
+func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
+	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
+	if err != nil {
+		return nil, err
+	}
+	defer cli.Close()
+
+	return snapshot(cli, endpoint)
+}
+
+func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
 	_, err := cli.Ping(context.Background())
 	if err != nil {
 		return nil, err
 	}
 
-	snapshot := &portainer.Snapshot{
+	snapshot := &portainer.DockerSnapshot{
 		StackCount: 0,
 	}
 
@@ -68,7 +91,7 @@ func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Snap
 	return snapshot, nil
 }
 
-func snapshotInfo(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotInfo(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	info, err := cli.Info(context.Background())
 	if err != nil {
 		return err
@@ -82,7 +105,7 @@ func snapshotInfo(snapshot *portainer.Snapshot, cli *client.Client) error {
 	return nil
 }
 
-func snapshotNodes(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	nodes, err := cli.NodeList(context.Background(), types.NodeListOptions{})
 	if err != nil {
 		return err
@@ -95,10 +118,11 @@ func snapshotNodes(snapshot *portainer.Snapshot, cli *client.Client) error {
 	}
 	snapshot.TotalCPU = int(nanoCpus / 1e9)
 	snapshot.TotalMemory = totalMem
+	snapshot.NodeCount = len(nodes)
 	return nil
 }
 
-func snapshotSwarmServices(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	stacks := make(map[string]struct{})
 
 	services, err := cli.ServiceList(context.Background(), types.ServiceListOptions{})
@@ -119,7 +143,7 @@ func snapshotSwarmServices(snapshot *portainer.Snapshot, cli *client.Client) err
 	return nil
 }
 
-func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{All: true})
 	if err != nil {
 		return err
@@ -159,7 +183,7 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error
 	return nil
 }
 
-func snapshotImages(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	images, err := cli.ImageList(context.Background(), types.ImageListOptions{})
 	if err != nil {
 		return err
@@ -170,7 +194,7 @@ func snapshotImages(snapshot *portainer.Snapshot, cli *client.Client) error {
 	return nil
 }
 
-func snapshotVolumes(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	volumes, err := cli.VolumeList(context.Background(), filters.Args{})
 	if err != nil {
 		return err
@@ -181,7 +205,7 @@ func snapshotVolumes(snapshot *portainer.Snapshot, cli *client.Client) error {
 	return nil
 }
 
-func snapshotNetworks(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	networks, err := cli.NetworkList(context.Background(), types.NetworkListOptions{})
 	if err != nil {
 		return err
@@ -190,7 +214,7 @@ func snapshotNetworks(snapshot *portainer.Snapshot, cli *client.Client) error {
 	return nil
 }
 
-func snapshotVersion(snapshot *portainer.Snapshot, cli *client.Client) error {
+func snapshotVersion(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
 	version, err := cli.ServerVersion(context.Background())
 	if err != nil {
 		return err

api/docker/snapshotter.go

@@ -1,28 +0,0 @@
-package docker
-
-import (
-	"github.com/portainer/portainer/api"
-)
-
-// Snapshotter represents a service used to create endpoint snapshots
-type Snapshotter struct {
-	clientFactory *ClientFactory
-}
-
-// NewSnapshotter returns a new Snapshotter instance
-func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {
-	return &Snapshotter{
-		clientFactory: clientFactory,
-	}
-}
-
-// CreateSnapshot creates a snapshot of a specific endpoint
-func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
-	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
-	if err != nil {
-		return nil, err
-	}
-	defer cli.Close()
-
-	return snapshot(cli, endpoint)
-}

api/edgegroup.go

@@ -1,54 +0,0 @@
-package portainer
-
-// EdgeGroupRelatedEndpoints returns a list of endpoints related to this Edge group
-func EdgeGroupRelatedEndpoints(edgeGroup *EdgeGroup, endpoints []Endpoint, endpointGroups []EndpointGroup) []EndpointID {
-	if !edgeGroup.Dynamic {
-		return edgeGroup.Endpoints
-	}
-
-	endpointIDs := []EndpointID{}
-	for _, endpoint := range endpoints {
-		if endpoint.Type != EdgeAgentEnvironment {
-			continue
-		}
-
-		var endpointGroup EndpointGroup
-		for _, group := range endpointGroups {
-			if endpoint.GroupID == group.ID {
-				endpointGroup = group
-				break
-			}
-		}
-
-		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
-			endpointIDs = append(endpointIDs, endpoint.ID)
-		}
-	}
-
-	return endpointIDs
-}
-
-// edgeGroupRelatedToEndpoint returns true is edgeGroup is associated with endpoint
-func edgeGroupRelatedToEndpoint(edgeGroup *EdgeGroup, endpoint *Endpoint, endpointGroup *EndpointGroup) bool {
-	if !edgeGroup.Dynamic {
-		for _, endpointID := range edgeGroup.Endpoints {
-			if endpoint.ID == endpointID {
-				return true
-			}
-		}
-		return false
-	}
-
-	endpointTags := TagSet(endpoint.TagIDs)
-	if endpointGroup.TagIDs != nil {
-		endpointTags = TagUnion(endpointTags, TagSet(endpointGroup.TagIDs))
-	}
-	edgeGroupTags := TagSet(edgeGroup.TagIDs)
-
-	if edgeGroup.PartialMatch {
-		intersection := TagIntersection(endpointTags, edgeGroupTags)
-		return len(intersection) != 0
-	}
-
-	return TagContains(edgeGroupTags, endpointTags)
-}

api/errors.go

@@ -1,112 +0,0 @@
-package portainer
-
-// General errors.
-const (
-	ErrUnauthorized           = Error("Unauthorized")
-	ErrResourceAccessDenied   = Error("Access denied to resource")
-	ErrAuthorizationRequired  = Error("Authorization required for this operation")
-	ErrObjectNotFound         = Error("Object not found inside the database")
-	ErrMissingSecurityContext = Error("Unable to find security details in request context")
-)
-
-// User errors.
-const (
-	ErrUserAlreadyExists          = Error("User already exists")
-	ErrInvalidUsername            = Error("Invalid username. White spaces are not allowed")
-	ErrAdminAlreadyInitialized    = Error("An administrator user already exists")
-	ErrAdminCannotRemoveSelf      = Error("Cannot remove your own user account. Contact another administrator")
-	ErrCannotRemoveLastLocalAdmin = Error("Cannot remove the last local administrator account")
-)
-
-// Team errors.
-const (
-	ErrTeamAlreadyExists = Error("Team already exists")
-)
-
-// TeamMembership errors.
-const (
-	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team")
-)
-
-// ResourceControl errors.
-const (
-	ErrResourceControlAlreadyExists = Error("A resource control is already applied on this resource")
-	ErrInvalidResourceControlType   = Error("Unsupported resource control type")
-)
-
-// Endpoint errors.
-const (
-	ErrEndpointAccessDenied = Error("Access denied to endpoint")
-)
-
-// Endpoint group errors.
-const (
-	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
-)
-
-// Registry errors.
-const (
-	ErrRegistryAlreadyExists = Error("A registry is already defined for this URL")
-)
-
-// Stack errors
-const (
-	ErrStackAlreadyExists              = Error("A stack already exists with this name")
-	ErrComposeFileNotFoundInRepository = Error("Unable to find a Compose file in the repository")
-	ErrStackNotExternal                = Error("Not an external stack")
-)
-
-// Tag errors
-const (
-	ErrTagAlreadyExists = Error("A tag already exists with this name")
-)
-
-// Endpoint extensions error
-const (
-	ErrEndpointExtensionNotSupported      = Error("This extension is not supported")
-	ErrEndpointExtensionAlreadyAssociated = Error("This extension is already associated to the endpoint")
-)
-
-// Crypto errors.
-const (
-	ErrCryptoHashFailure = Error("Unable to hash data")
-)
-
-// JWT errors.
-const (
-	ErrSecretGeneration   = Error("Unable to generate secret key")
-	ErrInvalidJWTToken    = Error("Invalid JWT token")
-	ErrMissingContextData = Error("Unable to find JWT data in request context")
-)
-
-// File errors.
-const (
-	ErrUndefinedTLSFileType = Error("Undefined TLS file type")
-)
-
-// Extension errors.
-const (
-	ErrExtensionAlreadyEnabled = Error("This extension is already enabled")
-)
-
-// Docker errors.
-const (
-	ErrUnableToPingEndpoint = Error("Unable to communicate with the endpoint")
-)
-
-// Schedule errors.
-const (
-	ErrHostManagementFeaturesDisabled = Error("Host management features are disabled")
-)
-
-// Error represents an application error.
-type Error string
-
-// Error returns the error message.
-func (e Error) Error() string { return string(e) }
-
-// Webhook errors
-const (
-	ErrWebhookAlreadyExists   = Error("A webhook for this resource already exists")
-	ErrUnsupportedWebhookType = Error("Webhooks for this resource are not currently supported")
-)

api/exec/compose_wrapper.go

@@ -0,0 +1,141 @@
+package exec
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy"
+)
+
+// ComposeWrapper is a wrapper for docker-compose binary
+type ComposeWrapper struct {
+	binaryPath   string
+	dataPath     string
+	proxyManager *proxy.Manager
+}
+
+// NewComposeWrapper returns a docker-compose wrapper if corresponding binary present, otherwise nil
+func NewComposeWrapper(binaryPath, dataPath string, proxyManager *proxy.Manager) *ComposeWrapper {
+	if !IsBinaryPresent(programPath(binaryPath, "docker-compose")) {
+		return nil
+	}
+
+	return &ComposeWrapper{
+		binaryPath:   binaryPath,
+		dataPath:     dataPath,
+		proxyManager: proxyManager,
+	}
+}
+
+// ComposeSyntaxMaxVersion returns the maximum supported version of the docker compose syntax
+func (w *ComposeWrapper) ComposeSyntaxMaxVersion() string {
+	return portainer.ComposeSyntaxMaxVersion
+}
+
+// NormalizeStackName returns a new stack name with unsupported characters replaced
+func (w *ComposeWrapper) NormalizeStackName(name string) string {
+	return name
+}
+
+// Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
+func (w *ComposeWrapper) Up(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+	_, err := w.command([]string{"up", "-d"}, stack, endpoint)
+	return err
+}
+
+// Down stops and removes containers, networks, images, and volumes. Wraps `docker-compose down --remove-orphans` command
+func (w *ComposeWrapper) Down(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+	_, err := w.command([]string{"down", "--remove-orphans"}, stack, endpoint)
+	return err
+}
+
+func (w *ComposeWrapper) command(command []string, stack *portainer.Stack, endpoint *portainer.Endpoint) ([]byte, error) {
+	if endpoint == nil {
+		return nil, errors.New("cannot call a compose command on an empty endpoint")
+	}
+
+	program := programPath(w.binaryPath, "docker-compose")
+
+	options := setComposeFile(stack)
+
+	options = addProjectNameOption(options, stack)
+	options, err := addEnvFileOption(options, stack)
+	if err != nil {
+		return nil, err
+	}
+
+	if !(endpoint.URL == "" || strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://")) {
+
+		proxy, err := w.proxyManager.CreateComposeProxyServer(endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		defer proxy.Close()
+
+		options = append(options, "-H", fmt.Sprintf("http://127.0.0.1:%d", proxy.Port))
+	}
+
+	args := append(options, command...)
+
+	var stderr bytes.Buffer
+	cmd := exec.Command(program, args...)
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, fmt.Sprintf("DOCKER_CONFIG=%s", w.dataPath))
+	cmd.Stderr = &stderr
+
+	out, err := cmd.Output()
+	if err != nil {
+		return out, errors.New(stderr.String())
+	}
+
+	return out, nil
+}
+
+func setComposeFile(stack *portainer.Stack) []string {
+	options := make([]string, 0)
+
+	if stack == nil || stack.EntryPoint == "" {
+		return options
+	}
+
+	composeFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
+	options = append(options, "-f", composeFilePath)
+	return options
+}
+
+func addProjectNameOption(options []string, stack *portainer.Stack) []string {
+	if stack == nil || stack.Name == "" {
+		return options
+	}
+
+	options = append(options, "-p", stack.Name)
+	return options
+}
+
+func addEnvFileOption(options []string, stack *portainer.Stack) ([]string, error) {
+	if stack == nil || stack.Env == nil || len(stack.Env) == 0 {
+		return options, nil
+	}
+
+	envFilePath := path.Join(stack.ProjectPath, "stack.env")
+
+	envfile, err := os.OpenFile(envFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return options, err
+	}
+
+	for _, v := range stack.Env {
+		envfile.WriteString(fmt.Sprintf("%s=%s\n", v.Name, v.Value))
+	}
+	envfile.Close()
+
+	options = append(options, "--env-file", envFilePath)
+	return options, nil
+}

api/exec/compose_wrapper_integration_test.go

@@ -0,0 +1,75 @@
+// +build integration
+
+package exec
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+const composeFile = `version: "3.9"
+services:
+  busybox:
+    image: "alpine:latest"
+    container_name: "compose_wrapper_test"`
+const composedContainerName = "compose_wrapper_test"
+
+func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
+	dir := t.TempDir()
+	composeFileName := "compose_wrapper_test.yml"
+	f, _ := os.Create(filepath.Join(dir, composeFileName))
+	f.WriteString(composeFile)
+
+	stack := &portainer.Stack{
+		ProjectPath: dir,
+		EntryPoint:  composeFileName,
+		Name:        "project-name",
+	}
+
+	endpoint := &portainer.Endpoint{}
+
+	return stack, endpoint
+}
+
+func Test_UpAndDown(t *testing.T) {
+
+	stack, endpoint := setup(t)
+
+	w := NewComposeWrapper("", "", nil)
+
+	err := w.Up(stack, endpoint)
+	if err != nil {
+		t.Fatalf("Error calling docker-compose up: %s", err)
+	}
+
+	if containerExists(composedContainerName) == false {
+		t.Fatal("container should exist")
+	}
+
+	err = w.Down(stack, endpoint)
+	if err != nil {
+		t.Fatalf("Error calling docker-compose down: %s", err)
+	}
+
+	if containerExists(composedContainerName) {
+		t.Fatal("container should be removed")
+	}
+}
+
+func containerExists(contaierName string) bool {
+	cmd := exec.Command(osProgram("docker"), "ps", "-a", "-f", fmt.Sprintf("name=%s", contaierName))
+
+	out, err := cmd.Output()
+	if err != nil {
+		log.Fatalf("failed to list containers: %s", err)
+	}
+
+	return strings.Contains(string(out), contaierName)
+}

api/exec/compose_wrapper_test.go

@@ -0,0 +1,143 @@
+package exec
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_setComposeFile(t *testing.T) {
+	tests := []struct {
+		name     string
+		stack    *portainer.Stack
+		expected []string
+	}{
+		{
+			name:     "should return empty result if stack is missing",
+			stack:    nil,
+			expected: []string{},
+		},
+		{
+			name:     "should return empty result if stack don't have entrypoint",
+			stack:    &portainer.Stack{},
+			expected: []string{},
+		},
+		{
+			name: "should allow file name and dir",
+			stack: &portainer.Stack{
+				ProjectPath: "dir",
+				EntryPoint:  "file",
+			},
+			expected: []string{"-f", path.Join("dir", "file")},
+		},
+		{
+			name: "should allow file name only",
+			stack: &portainer.Stack{
+				EntryPoint: "file",
+			},
+			expected: []string{"-f", "file"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := setComposeFile(tt.stack)
+			assert.ElementsMatch(t, tt.expected, result)
+		})
+	}
+}
+
+func Test_addProjectNameOption(t *testing.T) {
+	tests := []struct {
+		name     string
+		stack    *portainer.Stack
+		expected []string
+	}{
+		{
+			name:     "should not add project option if stack is missing",
+			stack:    nil,
+			expected: []string{},
+		},
+		{
+			name:     "should not add project option if stack doesn't have name",
+			stack:    &portainer.Stack{},
+			expected: []string{},
+		},
+		{
+			name: "should add project name option if stack has a name",
+			stack: &portainer.Stack{
+				Name: "project-name",
+			},
+			expected: []string{"-p", "project-name"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			options := []string{"-a", "b"}
+			result := addProjectNameOption(options, tt.stack)
+			assert.ElementsMatch(t, append(options, tt.expected...), result)
+		})
+	}
+}
+
+func Test_addEnvFileOption(t *testing.T) {
+	dir := t.TempDir()
+
+	tests := []struct {
+		name            string
+		stack           *portainer.Stack
+		expected        []string
+		expectedContent string
+	}{
+		{
+			name:     "should not add env file option if stack is missing",
+			stack:    nil,
+			expected: []string{},
+		},
+		{
+			name:     "should not add env file option if stack doesn't have env variables",
+			stack:    &portainer.Stack{},
+			expected: []string{},
+		},
+		{
+			name: "should not add env file option if stack's env variables are empty",
+			stack: &portainer.Stack{
+				ProjectPath: dir,
+				Env:         []portainer.Pair{},
+			},
+			expected: []string{},
+		},
+		{
+			name: "should add env file option if stack has env variables",
+			stack: &portainer.Stack{
+				ProjectPath: dir,
+				Env: []portainer.Pair{
+					{Name: "var1", Value: "value1"},
+					{Name: "var2", Value: "value2"},
+				},
+			},
+			expected:        []string{"--env-file", path.Join(dir, "stack.env")},
+			expectedContent: "var1=value1\nvar2=value2\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			options := []string{"-a", "b"}
+			result, _ := addEnvFileOption(options, tt.stack)
+			assert.ElementsMatch(t, append(options, tt.expected...), result)
+
+			if tt.expectedContent != "" {
+				f, _ := os.Open(path.Join(dir, "stack.env"))
+				content, _ := ioutil.ReadAll(f)
+
+				assert.Equal(t, tt.expectedContent, string(content))
+			}
+		})
+	}
+}

api/exec/extension.go

@@ -1,313 +0,0 @@
-package exec
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"regexp"
-	"runtime"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/coreos/go-semver/semver"
-
-	"github.com/orcaman/concurrent-map"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-)
-
-var extensionDownloadBaseURL = portainer.AssetsServerURL + "/extensions/"
-var extensionVersionRegexp = regexp.MustCompile(`\d+(\.\d+)+`)
-
-var extensionBinaryMap = map[portainer.ExtensionID]string{
-	portainer.RegistryManagementExtension:  "extension-registry-management",
-	portainer.OAuthAuthenticationExtension: "extension-oauth-authentication",
-	portainer.RBACExtension:                "extension-rbac",
-}
-
-// ExtensionManager represents a service used to
-// manage extension processes.
-type ExtensionManager struct {
-	processes   cmap.ConcurrentMap
-	fileService portainer.FileService
-	dataStore   portainer.DataStore
-}
-
-// NewExtensionManager returns a pointer to an ExtensionManager
-func NewExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) *ExtensionManager {
-	return &ExtensionManager{
-		processes:   cmap.New(),
-		fileService: fileService,
-		dataStore:   dataStore,
-	}
-}
-
-func processKey(ID portainer.ExtensionID) string {
-	return strconv.Itoa(int(ID))
-}
-
-func buildExtensionURL(extension *portainer.Extension) string {
-	return fmt.Sprintf("%s%s-%s-%s-%s.zip", extensionDownloadBaseURL, extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
-}
-
-func buildExtensionPath(binaryPath string, extension *portainer.Extension) string {
-	extensionFilename := fmt.Sprintf("%s-%s-%s-%s", extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
-	if runtime.GOOS == "windows" {
-		extensionFilename += ".exe"
-	}
-
-	extensionPath := path.Join(
-		binaryPath,
-		extensionFilename)
-
-	return extensionPath
-}
-
-// FetchExtensionDefinitions will fetch the list of available
-// extension definitions from the official Portainer assets server.
-// If it cannot retrieve the data from the Internet it will fallback to the locally cached
-// manifest file.
-func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extension, error) {
-	var extensionData []byte
-
-	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 5)
-	if err != nil {
-		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extensions manifest via Internet. Extensions will be retrieved from local cache and might not be up to date] [err: %s]", err)
-
-		extensionData, err = manager.fileService.GetFileContent(portainer.LocalExtensionManifestFile)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	var extensions []portainer.Extension
-	err = json.Unmarshal(extensionData, &extensions)
-	if err != nil {
-		return nil, err
-	}
-
-	return extensions, nil
-}
-
-// InstallExtension will install the extension from an archive. It will extract the extension version number from
-// the archive file name first and return an error if the file name is not valid (cannot find extension version).
-// It will then extract the archive and execute the EnableExtension function to enable the extension.
-// Since we're missing information about this extension (stored on Portainer.io server) we need to assume
-// default information based on the extension ID.
-func (manager *ExtensionManager) InstallExtension(extension *portainer.Extension, licenseKey string, archiveFileName string, extensionArchive []byte) error {
-	extensionVersion := extensionVersionRegexp.FindString(archiveFileName)
-	if extensionVersion == "" {
-		return errors.New("invalid extension archive filename: unable to retrieve extension version")
-	}
-
-	err := manager.fileService.ExtractExtensionArchive(extensionArchive)
-	if err != nil {
-		return err
-	}
-
-	switch extension.ID {
-	case portainer.RegistryManagementExtension:
-		extension.Name = "Registry Manager"
-	case portainer.OAuthAuthenticationExtension:
-		extension.Name = "External Authentication"
-	case portainer.RBACExtension:
-		extension.Name = "Role-Based Access Control"
-	}
-	extension.ShortDescription = "Extension enabled offline"
-	extension.Version = extensionVersion
-	extension.Available = true
-
-	return manager.EnableExtension(extension, licenseKey)
-}
-
-// EnableExtension will check for the existence of the extension binary on the filesystem
-// first. If it does not exist, it will download it from the official Portainer assets server.
-// After installing the binary on the filesystem, it will execute the binary in license check
-// mode to validate the extension license. If the license is valid, it will then start
-// the extension process and register it in the processes map.
-func (manager *ExtensionManager) EnableExtension(extension *portainer.Extension, licenseKey string) error {
-	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
-	extensionBinaryExists, err := manager.fileService.FileExists(extensionBinaryPath)
-	if err != nil {
-		return err
-	}
-
-	if !extensionBinaryExists {
-		err := manager.downloadExtension(extension)
-		if err != nil {
-			return err
-		}
-	}
-
-	licenseDetails, err := validateLicense(extensionBinaryPath, licenseKey)
-	if err != nil {
-		return err
-	}
-
-	extension.License = portainer.LicenseInformation{
-		LicenseKey: licenseKey,
-		Company:    licenseDetails[0],
-		Expiration: licenseDetails[1],
-		Valid:      true,
-	}
-	extension.Version = licenseDetails[2]
-
-	return manager.startExtensionProcess(extension, extensionBinaryPath)
-}
-
-// DisableExtension will retrieve the process associated to the extension
-// from the processes map and kill the process. It will then remove the process
-// from the processes map and remove the binary associated to the extension
-// from the filesystem
-func (manager *ExtensionManager) DisableExtension(extension *portainer.Extension) error {
-	process, ok := manager.processes.Get(processKey(extension.ID))
-	if !ok {
-		return nil
-	}
-
-	err := process.(*exec.Cmd).Process.Kill()
-	if err != nil {
-		return err
-	}
-
-	manager.processes.Remove(processKey(extension.ID))
-
-	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
-	return manager.fileService.RemoveDirectory(extensionBinaryPath)
-}
-
-// StartExtensions will retrieve the extensions definitions from the Internet and check if a new version of each
-// extension is available. If so, it will automatically install the new version of the extension. If no update is
-// available it will simply start the extension.
-// The purpose of this function is to be ran at startup, as such most of the error handling won't block the program execution
-// and will log warning messages instead.
-func (manager *ExtensionManager) StartExtensions() error {
-	extensions, err := manager.dataStore.Extension().Extensions()
-	if err != nil {
-		return err
-	}
-
-	definitions, err := manager.FetchExtensionDefinitions()
-	if err != nil {
-		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extension information from Internet. Skipping extensions update check.] [err: %s]", err)
-		return nil
-	}
-
-	return manager.updateAndStartExtensions(extensions, definitions)
-}
-
-func (manager *ExtensionManager) updateAndStartExtensions(extensions []portainer.Extension, definitions []portainer.Extension) error {
-	for _, definition := range definitions {
-		for _, extension := range extensions {
-			if extension.ID == definition.ID {
-				definitionVersion := semver.New(definition.Version)
-				extensionVersion := semver.New(extension.Version)
-
-				if extensionVersion.LessThan(*definitionVersion) {
-					log.Printf("[INFO] [exec,extensions] [message: new version detected, updating extension] [extension: %s] [current_version: %s] [available_version: %s]", extension.Name, extension.Version, definition.Version)
-					err := manager.UpdateExtension(&extension, definition.Version)
-					if err != nil {
-						log.Printf("[WARN] [exec,extensions] [message: unable to update extension automatically] [extension: %s] [current_version: %s] [available_version: %s] [err: %s]", extension.Name, extension.Version, definition.Version, err)
-					}
-				} else {
-					err := manager.EnableExtension(&extension, extension.License.LicenseKey)
-					if err != nil {
-						log.Printf("[WARN] [exec,extensions] [message: unable to start extension] [extension: %s] [err: %s]", extension.Name, err)
-						extension.Enabled = false
-						extension.License.Valid = false
-					}
-				}
-
-				err := manager.dataStore.Extension().Persist(&extension)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	return nil
-}
-
-// UpdateExtension will download the new extension binary from the official Portainer assets
-// server, disable the previous extension via DisableExtension, trigger a license check
-// and then start the extension process and add it to the processes map
-func (manager *ExtensionManager) UpdateExtension(extension *portainer.Extension, version string) error {
-	oldVersion := extension.Version
-
-	extension.Version = version
-	err := manager.downloadExtension(extension)
-	if err != nil {
-		return err
-	}
-
-	extension.Version = oldVersion
-	err = manager.DisableExtension(extension)
-	if err != nil {
-		return err
-	}
-
-	extension.Version = version
-	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
-
-	licenseDetails, err := validateLicense(extensionBinaryPath, extension.License.LicenseKey)
-	if err != nil {
-		return err
-	}
-
-	extension.Version = licenseDetails[2]
-
-	return manager.startExtensionProcess(extension, extensionBinaryPath)
-}
-
-func (manager *ExtensionManager) downloadExtension(extension *portainer.Extension) error {
-	extensionURL := buildExtensionURL(extension)
-
-	data, err := client.Get(extensionURL, 30)
-	if err != nil {
-		return err
-	}
-
-	return manager.fileService.ExtractExtensionArchive(data)
-}
-
-func validateLicense(binaryPath, licenseKey string) ([]string, error) {
-	licenseCheckProcess := exec.Command(binaryPath, "-license", licenseKey, "-check")
-	cmdOutput := &bytes.Buffer{}
-	licenseCheckProcess.Stdout = cmdOutput
-
-	err := licenseCheckProcess.Run()
-	if err != nil {
-		log.Printf("[DEBUG] [exec,extension] [message: unable to run extension process] [err: %s]", err)
-		return nil, errors.New("invalid extension license key")
-	}
-
-	output := string(cmdOutput.Bytes())
-
-	return strings.Split(output, "|"), nil
-}
-
-func (manager *ExtensionManager) startExtensionProcess(extension *portainer.Extension, binaryPath string) error {
-	extensionProcess := exec.Command(binaryPath, "-license", extension.License.LicenseKey)
-	extensionProcess.Stdout = os.Stdout
-	extensionProcess.Stderr = os.Stderr
-
-	err := extensionProcess.Start()
-	if err != nil {
-		log.Printf("[DEBUG] [exec,extension] [message: unable to start extension process] [err: %s]", err)
-		return err
-	}
-
-	time.Sleep(3 * time.Second)
-
-	manager.processes.Set(processKey(extension.ID), extensionProcess)
-	return nil
-}

api/exec/kubernetes_deploy.go

@@ -0,0 +1,89 @@
+package exec
+
+import (
+	"bytes"
+	"errors"
+	"io/ioutil"
+	"os/exec"
+	"path"
+	"runtime"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+// KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment.
+type KubernetesDeployer struct {
+	binaryPath string
+}
+
+// NewKubernetesDeployer initializes a new KubernetesDeployer service.
+func NewKubernetesDeployer(binaryPath string) *KubernetesDeployer {
+	return &KubernetesDeployer{
+		binaryPath: binaryPath,
+	}
+}
+
+// Deploy will deploy a Kubernetes manifest inside a specific namespace in a Kubernetes endpoint.
+// If composeFormat is set to true, it will leverage the kompose binary to deploy a compose compliant manifest.
+// Otherwise it will use kubectl to deploy the manifest.
+func (deployer *KubernetesDeployer) Deploy(endpoint *portainer.Endpoint, data string, composeFormat bool, namespace string) ([]byte, error) {
+	if composeFormat {
+		convertedData, err := deployer.convertComposeData(data)
+		if err != nil {
+			return nil, err
+		}
+		data = string(convertedData)
+	}
+
+	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+	if err != nil {
+		return nil, err
+	}
+
+	command := path.Join(deployer.binaryPath, "kubectl")
+	if runtime.GOOS == "windows" {
+		command = path.Join(deployer.binaryPath, "kubectl.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "--server", endpoint.URL)
+	args = append(args, "--insecure-skip-tls-verify")
+	args = append(args, "--token", string(token))
+	args = append(args, "--namespace", namespace)
+	args = append(args, "apply", "-f", "-")
+
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Stdin = strings.NewReader(data)
+
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, errors.New(stderr.String())
+	}
+
+	return output, nil
+}
+
+func (deployer *KubernetesDeployer) convertComposeData(data string) ([]byte, error) {
+	command := path.Join(deployer.binaryPath, "kompose")
+	if runtime.GOOS == "windows" {
+		command = path.Join(deployer.binaryPath, "kompose.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "convert", "-f", "-", "--stdout")
+
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Stdin = strings.NewReader(data)
+
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, errors.New(stderr.String())
+	}
+
+	return output, nil
+}

api/exec/swarm_stack.go

@@ -3,6 +3,7 @@ package exec
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -103,7 +104,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 
 	err := cmd.Run()
 	if err != nil {
-		return portainer.Error(stderr.String())
+		return errors.New(stderr.String())
 	}
 
 	return nil
@@ -121,7 +122,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPa
 	args = append(args, "--config", dataPath)
 
 	endpointURL := endpoint.URL
-	if endpoint.Type == portainer.EdgeAgentEnvironment {
+	if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
 		tunnel := manager.reverseTunnelService.GetTunnelDetails(endpoint.ID)
 		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
 	}
@@ -133,6 +134,8 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPa
 
 		if !endpoint.TLSConfig.TLSSkipVerify {
 			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
+		} else {
+			args = append(args, "--tlscacert", "''")
 		}
 
 		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {

api/exec/utils.go

@@ -0,0 +1,24 @@
+package exec
+
+import (
+	"os/exec"
+	"path/filepath"
+	"runtime"
+)
+
+func osProgram(program string) string {
+	if runtime.GOOS == "windows" {
+		program += ".exe"
+	}
+	return program
+}
+
+func programPath(rootPath, program string) string {
+	return filepath.Join(rootPath, osProgram(program))
+}
+
+// IsBinaryPresent returns true if corresponding program exists on PATH
+func IsBinaryPresent(program string) bool {
+	_, err := exec.LookPath(program)
+	return err == nil
+}

api/exec/utils_test.go

@@ -0,0 +1,16 @@
+package exec
+
+import (
+	"testing"
+)
+
+func Test_isBinaryPresent(t *testing.T) {
+
+	if !IsBinaryPresent("docker") {
+		t.Error("expect docker binary to exist on the path")
+	}
+
+	if IsBinaryPresent("executable-with-this-name-should-not-exist") {
+		t.Error("expect binary with a random name to be missing on the path")
+	}
+}

api/filesystem/filesystem.go

@@ -4,10 +4,12 @@ import (
 	"bytes"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
+	"fmt"
 	"io/ioutil"
 
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/archive"
+	"github.com/gofrs/uuid"
+	portainer "github.com/portainer/portainer/api"
 
 	"io"
 	"os"
@@ -37,13 +39,20 @@ const (
 	PublicKeyFile = "portainer.pub"
 	// BinaryStorePath represents the subfolder where binaries are stored in the file store folder.
 	BinaryStorePath = "bin"
-	// ScheduleStorePath represents the subfolder where schedule files are stored.
-	ScheduleStorePath = "schedules"
+	// EdgeJobStorePath represents the subfolder where schedule files are stored.
+	EdgeJobStorePath = "edge_jobs"
 	// ExtensionRegistryManagementStorePath represents the subfolder where files related to the
 	// registry management extension are stored.
 	ExtensionRegistryManagementStorePath = "extensions"
+	// CustomTemplateStorePath represents the subfolder where custom template files are stored in the file store folder.
+	CustomTemplateStorePath = "custom_templates"
+	// TempPath represent the subfolder where temporary files are saved
+	TempPath = "tmp"
 )
 
+// ErrUndefinedTLSFileType represents an error returned on undefined TLS file type
+var ErrUndefinedTLSFileType = errors.New("Undefined TLS file type")
+
 // Service represents a service for managing files and directories.
 type Service struct {
 	dataStorePath string
@@ -86,12 +95,6 @@ func (service *Service) GetBinaryFolder() string {
 	return path.Join(service.fileStorePath, BinaryStorePath)
 }
 
-// ExtractExtensionArchive extracts the content of an extension archive
-// specified as raw data into the binary store on the filesystem
-func (service *Service) ExtractExtensionArchive(data []byte) error {
-	return archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
-}
-
 // RemoveDirectory removes a directory on the filesystem.
 func (service *Service) RemoveDirectory(directoryPath string) error {
 	return os.RemoveAll(directoryPath)
@@ -188,7 +191,7 @@ func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return "", portainer.ErrUndefinedTLSFileType
+		return "", ErrUndefinedTLSFileType
 	}
 
 	tlsFilePath := path.Join(storePath, fileName)
@@ -211,7 +214,7 @@ func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSF
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return "", portainer.ErrUndefinedTLSFileType
+		return "", ErrUndefinedTLSFileType
 	}
 	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
 }
@@ -237,7 +240,7 @@ func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileT
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return portainer.ErrUndefinedTLSFileType
+		return ErrUndefinedTLSFileType
 	}
 
 	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
@@ -392,22 +395,48 @@ func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
 	return block.Bytes, nil
 }
 
-// GetScheduleFolder returns the absolute path on the filesystem for a schedule based
+// GetCustomTemplateProjectPath returns the absolute path on the FS for a custom template based
 // on its identifier.
-func (service *Service) GetScheduleFolder(identifier string) string {
-	return path.Join(service.fileStorePath, ScheduleStorePath, identifier)
+func (service *Service) GetCustomTemplateProjectPath(identifier string) string {
+	return path.Join(service.fileStorePath, CustomTemplateStorePath, identifier)
 }
 
-// StoreScheduledJobFileFromBytes creates a subfolder in the ScheduleStorePath and stores a new file from bytes.
+// StoreCustomTemplateFileFromBytes creates a subfolder in the CustomTemplateStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
-func (service *Service) StoreScheduledJobFileFromBytes(identifier string, data []byte) (string, error) {
-	scheduleStorePath := path.Join(ScheduleStorePath, identifier)
-	err := service.createDirectoryInStore(scheduleStorePath)
+func (service *Service) StoreCustomTemplateFileFromBytes(identifier, fileName string, data []byte) (string, error) {
+	customTemplateStorePath := path.Join(CustomTemplateStorePath, identifier)
+	err := service.createDirectoryInStore(customTemplateStorePath)
 	if err != nil {
 		return "", err
 	}
 
-	filePath := path.Join(scheduleStorePath, createScheduledJobFileName(identifier))
+	templateFilePath := path.Join(customTemplateStorePath, fileName)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(templateFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, customTemplateStorePath), nil
+}
+
+// GetEdgeJobFolder returns the absolute path on the filesystem for an Edge job based
+// on its identifier.
+func (service *Service) GetEdgeJobFolder(identifier string) string {
+	return path.Join(service.fileStorePath, EdgeJobStorePath, identifier)
+}
+
+// StoreEdgeJobFileFromBytes creates a subfolder in the EdgeJobStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreEdgeJobFileFromBytes(identifier string, data []byte) (string, error) {
+	edgeJobStorePath := path.Join(EdgeJobStorePath, identifier)
+	err := service.createDirectoryInStore(edgeJobStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	filePath := path.Join(edgeJobStorePath, createEdgeJobFileName(identifier))
 	r := bytes.NewReader(data)
 	err = service.createFileInStore(filePath, r)
 	if err != nil {
@@ -417,6 +446,67 @@ func (service *Service) StoreScheduledJobFileFromBytes(identifier string, data [
 	return path.Join(service.fileStorePath, filePath), nil
 }
 
-func createScheduledJobFileName(identifier string) string {
+func createEdgeJobFileName(identifier string) string {
 	return "job_" + identifier + ".sh"
 }
+
+// ClearEdgeJobTaskLogs clears the Edge job task logs
+func (service *Service) ClearEdgeJobTaskLogs(edgeJobID string, taskID string) error {
+	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
+
+	err := os.Remove(path)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// GetEdgeJobTaskLogFileContent fetches the Edge job task logs
+func (service *Service) GetEdgeJobTaskLogFileContent(edgeJobID string, taskID string) (string, error) {
+	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
+
+	fileContent, err := ioutil.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	return string(fileContent), nil
+}
+
+// StoreEdgeJobTaskLogFileFromBytes stores the log file
+func (service *Service) StoreEdgeJobTaskLogFileFromBytes(edgeJobID, taskID string, data []byte) error {
+	edgeJobStorePath := path.Join(EdgeJobStorePath, edgeJobID)
+	err := service.createDirectoryInStore(edgeJobStorePath)
+	if err != nil {
+		return err
+	}
+
+	filePath := path.Join(edgeJobStorePath, fmt.Sprintf("logs_%s", taskID))
+	r := bytes.NewReader(data)
+	err = service.createFileInStore(filePath, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) getEdgeJobTaskLogPath(edgeJobID string, taskID string) string {
+	return fmt.Sprintf("%s/logs_%s", service.GetEdgeJobFolder(edgeJobID), taskID)
+}
+
+// GetTemporaryPath returns a temp folder
+func (service *Service) GetTemporaryPath() (string, error) {
+	uid, err := uuid.NewV4()
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, TempPath, uid.String()), nil
+}
+
+// GetDataStorePath returns path to data folder
+func (service *Service) GetDatastorePath() string {
+	return service.dataStorePath
+}

api/go.mod

@@ -25,13 +25,19 @@ require (
 	github.com/mattn/go-shellwords v1.0.6 // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
+	github.com/pkg/errors v0.9.1
 	github.com/portainer/libcompose v0.5.3
 	github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
 	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
-	github.com/robfig/cron/v3 v3.0.0
+	github.com/stretchr/testify v1.6.1
 	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
+	golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirect
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/src-d/go-git.v4 v4.13.1
+	k8s.io/api v0.17.2
+	k8s.io/apimachinery v0.17.2
+	k8s.io/client-go v0.17.2
 )
 
 replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203

api/go.sum

@@ -1,6 +1,15 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Microsoft/go-winio v0.3.8 h1:dvxbxtpTIjdAbx2OtL26p4eq0iEvys/U5yrsTJb3NZI=
 github.com/Microsoft/go-winio v0.3.8/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
@@ -8,6 +17,9 @@ github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+q
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
@@ -36,6 +48,7 @@ github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -60,14 +73,21 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 h1:cenwrSVm+Z7QLSV/BsnenAOcDXdX4cMv4wP0B/5QbPg=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e h1:p1yVGRW3nmb85p1Sh1ZJSDm4A4iKLS5QNbvUHMgGu/M=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
@@ -77,21 +97,42 @@ github.com/go-ldap/ldap/v3 v3.1.8 h1:5vU/2jOh9HqprwXp8aF915s9p6Z8wmbSEVF7/gdTFhM
 github.com/go-ldap/ldap/v3 v3.1.8/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v0.0.0-20160317213430-0eeaf8392f5b/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
@@ -101,6 +142,11 @@ github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -115,13 +161,17 @@ github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82 h1:7ufdyC3aMxF
 github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82/go.mod h1:w8buj+yNfmLEP0ENlbG/FRnK6bVmuhqXnukYCs9sDvY=
 github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9 h1:0c9jcgBtHRtDU//jTrcCgWG6UHjMZytiq/3WhraNgUM=
 github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9/go.mod h1:1ffp+CRe0eAwwRb0/BownUAjMBsmTLwgAvRbfj9dRwE=
+github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G+j5fuFxCsJqjFU/sZe0mj8H0sSoSwbaikw=
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c/go.mod h1:Nn5wlyECw3iJrzi0AhIWg+AJUb4PlRQVW4/3XHH1LZA=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
@@ -134,6 +184,7 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
 github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
@@ -145,12 +196,20 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8dQu6DMTwH4oIuGN8GJDAlqDdVE=
 github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420 h1:Yu3681ykYHDfLoI6XVjL4JWmkE+3TX9yfIWwRCh1kFM=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449 h1:Aq8iG72akPb/kszE7ksZ5ldV+JYPYii/KZOxlpJF07s=
@@ -160,9 +219,13 @@ github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c/go.mod h1:qT5X
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/portainer/libcompose v0.5.3 h1:tE4WcPuGvo+NKeDkDWpwNavNLZ5GHIJ4RvuZXsI9uI8=
@@ -171,7 +234,6 @@ github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2 h1:0PfgGLys9yH
 github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2/go.mod h1:/wIeGwJOMYc1JplE/OvYMO5korce39HddIfI8VKGyAM=
 github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33 h1:H8HR2dHdBf8HANSkUyVw4o8+4tegGcd+zyKZ3e599II=
 github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33/go.mod h1:Y2TfgviWI4rT2qaOTHr+hq6MdKIE5YjgQAu7qwptTV0=
-github.com/portainer/portainer v0.10.1 h1:I8K345CjGWfUGsVA8c8/gqamwLCC6CIAjxZXSklAFq0=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0 h1:BQ53HtBmfOitExawJ6LokA4x8ov/z0SYYb0+HxJfRI8=
@@ -186,22 +248,29 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3 h1:CTwfnzjQ+8dS6MhHHu4YswVAD99sL2wjPqP+VkURmKE=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/robfig/cron/v3 v3.0.0 h1:kQ6Cb7aHOHTSzNVNEhmp8EcWKLb4CbiMW9h9VyIhO4E=
-github.com/robfig/cron/v3 v3.0.0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
 github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
@@ -213,30 +282,55 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1 h1:anGSYQpPhQwXlwsu5wmfq0nWkCNaMEMUwAv13Y92hd8=
 golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 h1:e6HwijUxhDe+hPNjZQQn9bA5PW3vNmnN64U2ZW759Lk=
+golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181019160139-8e24a49d80f8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -244,18 +338,36 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 h1:4y9KwBHBgBNwDbtu44R5o1fdOCQUEXhbk/P4A9WmJq0=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7 h1:ZUjXAXmrAyrmmCPHgCA/vChHcpsX27MZ3yBonD/z1KE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
@@ -263,17 +375,44 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
 gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
 gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
 gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.17.2 h1:NF1UFXcKN7/OOv1uxdRz3qfra8AHsPav5M93hlV9+Dc=
+k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
+k8s.io/apimachinery v0.17.2 h1:hwDQQFbdRlpnnsR64Asdi55GyCaIP/3WQpMmbNBeWr4=
+k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/client-go v0.17.2 h1:ndIfkfXEGrNhLIgkr0+qhRguSD3u6DCmonepn1O6NYc=
+k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
+k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

api/http/client/client.go

@@ -2,20 +2,74 @@ package client
 
 import (
 	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
 	"github.com/portainer/portainer/api"
 )
 
+var errInvalidResponseStatus = errors.New("Invalid response status (expecting 200)")
+
 const (
-	errInvalidResponseStatus = portainer.Error("Invalid response status (expecting 200)")
-	defaultHTTPTimeout       = 5
+	defaultHTTPTimeout = 5
 )
 
+// HTTPClient represents a client to send HTTP requests.
+type HTTPClient struct {
+	*http.Client
+}
+
+// NewHTTPClient is used to build a new HTTPClient.
+func NewHTTPClient() *HTTPClient {
+	return &HTTPClient{
+		&http.Client{
+			Timeout: time.Second * time.Duration(defaultHTTPTimeout),
+		},
+	}
+}
+
+// AzureAuthenticationResponse represents an Azure API authentication response.
+type AzureAuthenticationResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresOn   string `json:"expires_on"`
+}
+
+// ExecuteAzureAuthenticationRequest is used to execute an authentication request
+// against the Azure API. It re-uses the same http.Client.
+func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
+	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
+	params := url.Values{
+		"grant_type":    {"client_credentials"},
+		"client_id":     {credentials.ApplicationID},
+		"client_secret": {credentials.AuthenticationKey},
+		"resource":      {"https://management.azure.com/"},
+	}
+
+	response, err := client.PostForm(loginURL, params)
+	if err != nil {
+		return nil, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, errors.New("Invalid Azure credentials")
+	}
+
+	var token AzureAuthenticationResponse
+	err = json.NewDecoder(response.Body).Decode(&token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}
+
 // Get executes a simple HTTP GET to the specified URL and returns
 // the content of the response body. Timeout can be specified via the timeout parameter,
 // will default to defaultHTTPTimeout if set to 0.

api/http/errors/errors.go

@@ -0,0 +1,12 @@
+package errors
+
+import "errors"
+
+var (
+	// ErrEndpointAccessDenied Access denied to endpoint error
+	ErrEndpointAccessDenied = errors.New("Access denied to endpoint")
+	// ErrUnauthorized Unauthorized error
+	ErrUnauthorized = errors.New("Unauthorized")
+	// ErrResourceAccessDenied Access denied to resource error
+	ErrResourceAccessDenied = errors.New("Access denied to resource")
+)

api/http/handler/auth/authenticate.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"log"
 	"net/http"
 	"strings"
@@ -9,33 +10,46 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/bolt/errors"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 )
 
 type authenticatePayload struct {
-	Username string
-	Password string
+	// Username
+	Username string `example:"admin" validate:"required"`
+	// Password
+	Password string `example:"mypassword" validate:"required"`
 }
 
 type authenticateResponse struct {
-	JWT string `json:"jwt"`
+	// JWT token used to authenticate against the API
+	JWT string `json:"jwt" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTQ5OTM3NjE1NH0.NJ6vE8FY1WG6jsRQzfMqeatJ4vh2TWAeeYfDhP71YEE"`
 }
 
 func (payload *authenticatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Username) {
-		return portainer.Error("Invalid username")
+		return errors.New("Invalid username")
 	}
 	if govalidator.IsNull(payload.Password) {
-		return portainer.Error("Invalid password")
+		return errors.New("Invalid password")
 	}
 	return nil
 }
 
+// @id AuthenticateUser
+// @summary Authenticate
+// @description Use this endpoint to authenticate against Portainer using a username and password.
+// @tags auth
+// @accept json
+// @produce json
+// @param body body authenticatePayload true "Credentials used for authentication"
+// @success 200 {object} authenticateResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 422 "Invalid Credentials"
+// @failure 500 "Server error"
+// @router /auth [post]
 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	if handler.authDisabled {
-		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
-	}
-
 	var payload authenticatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
@@ -48,19 +62,19 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 	}
 
 	u, err := handler.DataStore.User().UserByUsername(payload.Username)
-	if err != nil && err != portainer.ErrObjectNotFound {
+	if err != nil && err != bolterrors.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
 
-	if err == portainer.ErrObjectNotFound && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
+	if err == bolterrors.ErrObjectNotFound && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
 	}
 
 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
 		if u == nil && settings.LDAPSettings.AutoCreateUsers {
 			return handler.authenticateLDAPAndCreateUser(w, payload.Username, payload.Password, &settings.LDAPSettings)
 		} else if u == nil && !settings.LDAPSettings.AutoCreateUsers {
-			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
 		}
 		return handler.authenticateLDAP(w, u, payload.Password, &settings.LDAPSettings)
 	}
@@ -79,18 +93,13 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}
 
-	err = handler.AuthorizationService.UpdateUsersAuthorizations()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-	}
-
 	return handler.writeToken(w, user)
 }
 
 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
 	}
 
 	return handler.writeToken(w, user)
@@ -103,9 +112,8 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 	}
 
 	user := &portainer.User{
-		Username:                username,
-		Role:                    portainer.StandardUserRole,
-		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
+		Username: username,
+		Role:     portainer.StandardUserRole,
 	}
 
 	err = handler.DataStore.User().CreateUser(user)
@@ -118,11 +126,6 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}
 
-	err = handler.AuthorizationService.UpdateUsersAuthorizations()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-	}
-
 	return handler.writeToken(w, user)
 }
 

api/http/handler/auth/authenticate_oauth.go

@@ -1,74 +1,56 @@
 package auth
 
 import (
-	"encoding/json"
-	"io/ioutil"
+	"errors"
 	"log"
 	"net/http"
 
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/bolt/errors"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 )
 
 type oauthPayload struct {
+	// OAuth code returned from OAuth Provided
 	Code string
 }
 
 func (payload *oauthPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Code) {
-		return portainer.Error("Invalid OAuth authorization code")
+		return errors.New("Invalid OAuth authorization code")
 	}
 	return nil
 }
 
-func (handler *Handler) authenticateThroughExtension(code, licenseKey string, settings *portainer.OAuthSettings) (string, error) {
-	extensionURL := handler.ProxyManager.GetExtensionURL(portainer.OAuthAuthenticationExtension)
-
-	encodedConfiguration, err := json.Marshal(settings)
-	if err != nil {
-		return "", nil
+// @id AuthenticateOauth
+// @summary Authenticate with OAuth
+// @tags auth
+// @accept json
+// @produce json
+// @param body body oauthPayload true "OAuth Credentials used for authentication"
+// @success 200 {object} authenticateResponse "Success"
+// @failure 400 "Invalid request"
+// @failure 422 "Invalid Credentials"
+// @failure 500 "Server error"
+// @router /auth/oauth/validate [post]
+func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuthSettings) (string, error) {
+	if code == "" {
+		return "", errors.New("Invalid OAuth authorization code")
 	}
 
-	req, err := http.NewRequest("GET", extensionURL+"/validate", nil)
+	if settings == nil {
+		return "", errors.New("Invalid OAuth configuration")
+	}
+
+	username, err := handler.OAuthService.Authenticate(code, settings)
 	if err != nil {
 		return "", err
 	}
 
-	client := &http.Client{}
-	req.Header.Set("X-OAuth-Config", string(encodedConfiguration))
-	req.Header.Set("X-OAuth-Code", code)
-	req.Header.Set("X-PortainerExtension-License", licenseKey)
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", err
-	}
-
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
-
-	type extensionResponse struct {
-		Username string `json:"Username,omitempty"`
-		Err      string `json:"err,omitempty"`
-		Details  string `json:"details,omitempty"`
-	}
-
-	var extResp extensionResponse
-	err = json.Unmarshal(body, &extResp)
-	if err != nil {
-		return "", err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return "", portainer.Error(extResp.Err + ":" + extResp.Details)
-	}
-
-	return extResp.Username, nil
+	return username, nil
 }
 
 func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -84,36 +66,28 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 	}
 
 	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", portainer.Error("OAuth authentication is not enabled")}
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", errors.New("OAuth authentication is not enabled")}
 	}
 
-	extension, err := handler.DataStore.Extension().Extension(portainer.OAuthAuthenticationExtension)
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
-	}
-
-	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
+	username, err := handler.authenticateOAuth(payload.Code, &settings.OAuthSettings)
 	if err != nil {
 		log.Printf("[DEBUG] - OAuth authentication error: %s", err)
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", httperrors.ErrUnauthorized}
 	}
 
 	user, err := handler.DataStore.User().UserByUsername(username)
-	if err != nil && err != portainer.ErrObjectNotFound {
+	if err != nil && err != bolterrors.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
 
 	if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
-		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", httperrors.ErrUnauthorized}
 	}
 
 	if user == nil {
 		user = &portainer.User{
-			Username:                username,
-			Role:                    portainer.StandardUserRole,
-			PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
+			Username: username,
+			Role:     portainer.StandardUserRole,
 		}
 
 		err = handler.DataStore.User().CreateUser(user)
@@ -134,10 +108,6 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 			}
 		}
 
-		err = handler.AuthorizationService.UpdateUsersAuthorizations()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-		}
 	}
 
 	return handler.writeToken(w, user)

api/http/handler/auth/handler.go

@@ -7,38 +7,34 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
+	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
 )
 
-const (
-	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
-	// when the server has been started with the --no-auth flag
-	ErrAuthDisabled = portainer.Error("Authentication is disabled")
-)
-
 // Handler is the HTTP handler used to handle authentication operations.
 type Handler struct {
 	*mux.Router
-	authDisabled         bool
-	DataStore            portainer.DataStore
-	CryptoService        portainer.CryptoService
-	JWTService           portainer.JWTService
-	LDAPService          portainer.LDAPService
-	ProxyManager         *proxy.Manager
-	AuthorizationService *portainer.AuthorizationService
+	DataStore                   portainer.DataStore
+	CryptoService               portainer.CryptoService
+	JWTService                  portainer.JWTService
+	LDAPService                 portainer.LDAPService
+	OAuthService                portainer.OAuthService
+	ProxyManager                *proxy.Manager
+	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
 }
 
 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, authDisabled bool) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter) *Handler {
 	h := &Handler{
-		Router:       mux.NewRouter(),
-		authDisabled: authDisabled,
+		Router: mux.NewRouter(),
 	}
 
 	h.Handle("/auth/oauth/validate",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
+	h.Handle("/auth/logout",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)
 
 	return h
 }

api/http/handler/auth/logout.go

@@ -0,0 +1,27 @@
+package auth
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer/api/http/security"
+)
+
+// @id Logout
+// @summary Logout
+// @security jwt
+// @tags auth
+// @success 204 "Success"
+// @failure 500 "Server error"
+// @router /auth/logout [post]
+func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user details from authentication token", err}
+	}
+
+	handler.KubernetesTokenCacheManager.RemoveUserFromCache(int(tokenData.ID))
+
+	return response.Empty(w)
+}