Merge branch 'release/2.11'

Co-authored-by: Simon Meng <simon.meng@portainer.io>

.vscode.example/portainer.code-snippets

@@ -150,6 +150,7 @@
       "// @description ",
       "// @description **Access policy**: ",
       "// @tags ",
+      "// @security ApiKeyAuth",
       "// @security jwt",
       "// @accept json",
       "// @produce json",

CONTRIBUTING.md

@@ -120,6 +120,7 @@ When adding a new route to an existing handler use the following as a template (
 // @description
 // @description **Access policy**:
 // @tags
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/apikey/apikey.go

@@ -0,0 +1,30 @@
+package apikey
+
+import (
+	"crypto/rand"
+	"io"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+// APIKeyService represents a service for managing API keys.
+type APIKeyService interface {
+	HashRaw(rawKey string) []byte
+	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
+	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
+	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
+	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
+	UpdateAPIKey(apiKey *portainer.APIKey) error
+	DeleteAPIKey(apiKeyID portainer.APIKeyID) error
+	InvalidateUserKeyCache(userId portainer.UserID) bool
+}
+
+// generateRandomKey generates a random key of specified length
+// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
+func generateRandomKey(length int) []byte {
+	k := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, k); err != nil {
+		return nil
+	}
+	return k
+}

api/apikey/apikey_test.go

@@ -0,0 +1,50 @@
+package apikey
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_generateRandomKey(t *testing.T) {
+	is := assert.New(t)
+
+	tests := []struct {
+		name      string
+		wantLenth int
+	}{
+		{
+			name:      "Generate a random key of length 16",
+			wantLenth: 16,
+		},
+		{
+			name:      "Generate a random key of length 32",
+			wantLenth: 32,
+		},
+		{
+			name:      "Generate a random key of length 64",
+			wantLenth: 64,
+		},
+		{
+			name:      "Generate a random key of length 128",
+			wantLenth: 128,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := generateRandomKey(tt.wantLenth)
+			is.Equal(tt.wantLenth, len(got))
+		})
+	}
+
+	t.Run("Generated keys are unique", func(t *testing.T) {
+		keys := make(map[string]bool)
+		for i := 0; i < 100; i++ {
+			key := generateRandomKey(8)
+			_, ok := keys[string(key)]
+			is.False(ok)
+			keys[string(key)] = true
+		}
+	})
+}

api/apikey/cache.go

@@ -0,0 +1,69 @@
+package apikey
+
+import (
+	lru "github.com/hashicorp/golang-lru"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const defaultAPIKeyCacheSize = 1024
+
+// entry is a tuple containing the user and API key associated to an API key digest
+type entry struct {
+	user   portainer.User
+	apiKey portainer.APIKey
+}
+
+// apiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
+// We store the api-key digest (keys) and the associated user and key-data (values) in the cache.
+// This is required because HTTP requests will contain only the api-key digest in the x-api-key request header;
+// digest value must be mapped to a portainer user (and respective key data) for validation.
+// This cache is used to avoid multiple database queries to retrieve these user/key associated to the digest.
+type apiKeyCache struct {
+	// cache type [string]entry cache (key: string(digest), value: user/key entry)
+	// note: []byte keys are not supported by golang-lru Cache
+	cache *lru.Cache
+}
+
+// NewAPIKeyCache creates a new cache for API keys
+func NewAPIKeyCache(cacheSize int) *apiKeyCache {
+	cache, _ := lru.New(cacheSize)
+	return &apiKeyCache{cache: cache}
+}
+
+// Get returns the user/key associated to an api-key's digest
+// This is required because HTTP requests will contain the digest of the API key in header,
+// the digest value must be mapped to a portainer user.
+func (c *apiKeyCache) Get(digest []byte) (portainer.User, portainer.APIKey, bool) {
+	val, ok := c.cache.Get(string(digest))
+	if !ok {
+		return portainer.User{}, portainer.APIKey{}, false
+	}
+	tuple := val.(entry)
+
+	return tuple.user, tuple.apiKey, true
+}
+
+// Set persists a user/key entry to the cache
+func (c *apiKeyCache) Set(digest []byte, user portainer.User, apiKey portainer.APIKey) {
+	c.cache.Add(string(digest), entry{
+		user:   user,
+		apiKey: apiKey,
+	})
+}
+
+// Delete evicts a digest's user/key entry key from the cache
+func (c *apiKeyCache) Delete(digest []byte) {
+	c.cache.Remove(string(digest))
+}
+
+// InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
+func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
+	present := false
+	for _, k := range c.cache.Keys() {
+		user, _, _ := c.Get([]byte(k.(string)))
+		if user.ID == userId {
+			present = c.cache.Remove(k)
+		}
+	}
+	return present
+}

api/apikey/cache_test.go

@@ -0,0 +1,181 @@
+package apikey
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_apiKeyCacheGet(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	// pre-populate cache
+	keyCache.cache.Add(string("foo"), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+
+	tests := []struct {
+		digest []byte
+		found  bool
+	}{
+		{
+			digest: []byte("foo"),
+			found:  true,
+		},
+		{
+			digest: []byte(""),
+			found:  true,
+		},
+		{
+			digest: []byte("bar"),
+			found:  false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(string(test.digest), func(t *testing.T) {
+			_, _, found := keyCache.Get(test.digest)
+			is.Equal(test.found, found)
+		})
+	}
+}
+
+func Test_apiKeyCacheSet(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	// pre-populate cache
+	keyCache.Set([]byte("bar"), portainer.User{ID: 2}, portainer.APIKey{})
+	keyCache.Set([]byte("foo"), portainer.User{ID: 1}, portainer.APIKey{})
+
+	// overwrite existing entry
+	keyCache.Set([]byte("foo"), portainer.User{ID: 3}, portainer.APIKey{})
+
+	val, ok := keyCache.cache.Get(string("bar"))
+	is.True(ok)
+
+	tuple := val.(entry)
+	is.Equal(portainer.User{ID: 2}, tuple.user)
+
+	val, ok = keyCache.cache.Get(string("foo"))
+	is.True(ok)
+
+	tuple = val.(entry)
+	is.Equal(portainer.User{ID: 3}, tuple.user)
+}
+
+func Test_apiKeyCacheDelete(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	t.Run("Delete an existing entry", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.Delete([]byte("foo"))
+
+		_, ok := keyCache.cache.Get(string("foo"))
+		is.False(ok)
+	})
+
+	t.Run("Delete a non-existing entry", func(t *testing.T) {
+		nonPanicFunc := func() { keyCache.Delete([]byte("non-existent-key")) }
+		is.NotPanics(nonPanicFunc)
+	})
+}
+
+func Test_apiKeyCacheLRU(t *testing.T) {
+	is := assert.New(t)
+
+	tests := []struct {
+		name        string
+		cacheLen    int
+		key         []string
+		foundKeys   []string
+		evictedKeys []string
+	}{
+		{
+			name:        "Cache length is 1, add 2 keys",
+			cacheLen:    1,
+			key:         []string{"foo", "bar"},
+			foundKeys:   []string{"bar"},
+			evictedKeys: []string{"foo"},
+		},
+		{
+			name:        "Cache length is 1, add 3 keys",
+			cacheLen:    1,
+			key:         []string{"foo", "bar", "baz"},
+			foundKeys:   []string{"baz"},
+			evictedKeys: []string{"foo", "bar"},
+		},
+		{
+			name:        "Cache length is 2, add 3 keys",
+			cacheLen:    2,
+			key:         []string{"foo", "bar", "baz"},
+			foundKeys:   []string{"bar", "baz"},
+			evictedKeys: []string{"foo"},
+		},
+		{
+			name:        "Cache length is 2, add 4 keys",
+			cacheLen:    2,
+			key:         []string{"foo", "bar", "baz", "qux"},
+			foundKeys:   []string{"baz", "qux"},
+			evictedKeys: []string{"foo", "bar"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			keyCache := NewAPIKeyCache(test.cacheLen)
+
+			for _, key := range test.key {
+				keyCache.Set([]byte(key), portainer.User{ID: 1}, portainer.APIKey{})
+			}
+
+			for _, key := range test.foundKeys {
+				_, _, found := keyCache.Get([]byte(key))
+				is.True(found, "Key %s not found", key)
+			}
+
+			for _, key := range test.evictedKeys {
+				_, _, found := keyCache.Get([]byte(key))
+				is.False(found, "key %s should have been evicted", key)
+			}
+		})
+	}
+}
+
+func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
+	is := assert.New(t)
+
+	keyCache := NewAPIKeyCache(10)
+
+	t.Run("Removes users keys from cache", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+
+		ok := keyCache.InvalidateUserKeyCache(1)
+		is.True(ok)
+
+		_, ok = keyCache.cache.Get(string("foo"))
+		is.False(ok)
+	})
+
+	t.Run("Does not affect other keys", func(t *testing.T) {
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("bar"), entry{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})
+
+		ok := keyCache.InvalidateUserKeyCache(1)
+		is.True(ok)
+
+		ok = keyCache.InvalidateUserKeyCache(1)
+		is.False(ok)
+
+		_, ok = keyCache.cache.Get(string("foo"))
+		is.False(ok)
+
+		_, ok = keyCache.cache.Get(string("bar"))
+		is.True(ok)
+	})
+}

api/apikey/service.go

@@ -0,0 +1,126 @@
+package apikey
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+const portainerAPIKeyPrefix = "ptr_"
+
+var ErrInvalidAPIKey = errors.New("Invalid API key")
+
+type apiKeyService struct {
+	apiKeyRepository portainer.APIKeyRepository
+	userRepository   portainer.UserService
+	cache            *apiKeyCache
+}
+
+func NewAPIKeyService(apiKeyRepository portainer.APIKeyRepository, userRepository portainer.UserService) *apiKeyService {
+	return &apiKeyService{
+		apiKeyRepository: apiKeyRepository,
+		userRepository:   userRepository,
+		cache:            NewAPIKeyCache(defaultAPIKeyCacheSize),
+	}
+}
+
+// HashRaw computes a hash digest of provided raw API key.
+func (a *apiKeyService) HashRaw(rawKey string) []byte {
+	hashDigest := sha256.Sum256([]byte(rawKey))
+	return hashDigest[:]
+}
+
+// GenerateApiKey generates a raw API key for a user (for one-time display).
+// The generated API key is stored in the cache and database.
+func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
+	randKey := generateRandomKey(32)
+	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
+	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
+
+	hashDigest := a.HashRaw(prefixedAPIKey)
+
+	apiKey := &portainer.APIKey{
+		UserID:      user.ID,
+		Description: description,
+		Prefix:      prefixedAPIKey[:7],
+		DateCreated: time.Now().Unix(),
+		Digest:      hashDigest,
+	}
+
+	err := a.apiKeyRepository.CreateAPIKey(apiKey)
+	if err != nil {
+		return "", nil, errors.Wrap(err, "Unable to create API key")
+	}
+
+	// persist api-key to cache
+	a.cache.Set(apiKey.Digest, user, *apiKey)
+
+	return prefixedAPIKey, apiKey, nil
+}
+
+// GetAPIKey returns an API key by its ID.
+func (a *apiKeyService) GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error) {
+	return a.apiKeyRepository.GetAPIKey(apiKeyID)
+}
+
+// GetAPIKeys returns all the API keys associated to a user.
+func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error) {
+	return a.apiKeyRepository.GetAPIKeysByUserID(userID)
+}
+
+// GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
+// A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
+func (a *apiKeyService) GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error) {
+	// get api key from cache if possible
+	cachedUser, cachedKey, ok := a.cache.Get(digest)
+	if ok {
+		return cachedUser, cachedKey, nil
+	}
+
+	apiKey, err := a.apiKeyRepository.GetAPIKeyByDigest(digest)
+	if err != nil {
+		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve API key")
+	}
+
+	user, err := a.userRepository.User(apiKey.UserID)
+	if err != nil {
+		return portainer.User{}, portainer.APIKey{}, errors.Wrap(err, "Unable to retrieve digest user")
+	}
+
+	// persist api-key to cache - for quicker future lookups
+	a.cache.Set(apiKey.Digest, *user, *apiKey)
+
+	return *user, *apiKey, nil
+}
+
+// UpdateAPIKey updates an API key and in cache and database.
+func (a *apiKeyService) UpdateAPIKey(apiKey *portainer.APIKey) error {
+	user, _, err := a.GetDigestUserAndKey(apiKey.Digest)
+	if err != nil {
+		return errors.Wrap(err, "Unable to retrieve API key")
+	}
+	a.cache.Set(apiKey.Digest, user, *apiKey)
+	return a.apiKeyRepository.UpdateAPIKey(apiKey)
+}
+
+// DeleteAPIKey deletes an API key and removes the digest/api-key entry from the cache.
+func (a *apiKeyService) DeleteAPIKey(apiKeyID portainer.APIKeyID) error {
+	// get api-key digest to remove from cache
+	apiKey, err := a.apiKeyRepository.GetAPIKey(apiKeyID)
+	if err != nil {
+		return errors.Wrap(err, fmt.Sprintf("Unable to retrieve API key: %d", apiKeyID))
+	}
+
+	// delete the user/api-key from cache
+	a.cache.Delete(apiKey.Digest)
+	return a.apiKeyRepository.DeleteAPIKey(apiKeyID)
+}
+
+func (a *apiKeyService) InvalidateUserKeyCache(userId portainer.UserID) bool {
+	return a.cache.InvalidateUserKeyCache(userId)
+}

api/apikey/service_test.go

@@ -0,0 +1,309 @@
+package apikey
+
+import (
+	"crypto/sha256"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
+	is := assert.New(t)
+	is.Implements((*APIKeyService)(nil), NewAPIKeyService(nil, nil))
+}
+
+func Test_GenerateApiKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully generates API key", func(t *testing.T) {
+		desc := "test-1"
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
+		is.NoError(err)
+		is.NotEmpty(rawKey)
+		is.NotEmpty(apiKey)
+		is.Equal(desc, apiKey.Description)
+	})
+
+	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
+		is.NoError(err)
+
+		is.Equal(rawKey[:7], apiKey.Prefix)
+		is.Len(apiKey.Prefix, 7)
+	})
+
+	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
+		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
+		is.NoError(err)
+
+		is.Equal(portainerAPIKeyPrefix, "ptr_")
+		is.True(strings.HasPrefix(rawKey, "ptr_"))
+	})
+
+	t.Run("Successfully caches API key", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-3")
+		is.NoError(err)
+
+		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(user, userFromCache)
+		is.Equal(apiKey, &apiKeyFromCache)
+	})
+
+	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
+		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
+		is.NoError(err)
+
+		generatedDigest := sha256.Sum256([]byte(rawKey))
+
+		is.Equal(apiKey.Digest, generatedDigest[:])
+	})
+}
+
+func Test_GetAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns all API keys", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		is.Equal(apiKey, apiKeyGot)
+	})
+}
+
+func Test_GetAPIKeys(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns all API keys", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, _, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+		_, _, err = service.GenerateApiKey(user, "test-2")
+		is.NoError(err)
+
+		keys, err := service.GetAPIKeys(user.ID)
+		is.NoError(err)
+		is.Len(keys, 2)
+	})
+}
+
+func Test_GetDigestUserAndKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(user, userGot)
+		is.Equal(*apiKey, apiKeyGot)
+	})
+
+	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(user, userGot)
+		is.Equal(*apiKey, apiKeyGot)
+
+		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(userGot, userFromCache)
+		is.Equal(apiKeyGot, apiKeyFromCache)
+	})
+}
+
+func Test_UpdateAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		store.User().CreateUser(&user)
+		_, apiKey, err := service.GenerateApiKey(user, "test-x")
+		is.NoError(err)
+
+		apiKey.LastUsed = time.Now().UTC().Unix()
+		err = service.UpdateAPIKey(apiKey)
+		is.NoError(err)
+
+		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+
+		log.Println(apiKey)
+		log.Println(apiKeyGot)
+
+		is.Equal(apiKey.LastUsed, apiKeyGot.LastUsed)
+
+	})
+
+	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
+		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
+		is.NoError(err)
+
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, apiKeyFromCache)
+
+		apiKey.LastUsed = time.Now().UTC().Unix()
+		is.NotEqual(*apiKey, apiKeyFromCache)
+
+		err = service.UpdateAPIKey(apiKey)
+		is.NoError(err)
+
+		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, updatedAPIKeyFromCache)
+	})
+}
+
+func Test_DeleteAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates the api-key", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
+		is.NoError(err)
+		is.Equal(*apiKey, apiKeyGot)
+
+		err = service.DeleteAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
+		is.Error(err)
+	})
+
+	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
+		is.True(ok)
+		is.Equal(*apiKey, apiKeyFromCache)
+
+		err = service.DeleteAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		_, _, ok = service.cache.Get(apiKey.Digest)
+		is.False(ok)
+	})
+}
+
+func Test_InvalidateUserKeyCache(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully updates evicts keys from cache", func(t *testing.T) {
+		// generate api keys
+		user := portainer.User{ID: 1}
+		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
+		is.NoError(err)
+
+		// verify api keys are present in cache
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
+		is.True(ok)
+		is.Equal(*apiKey1, apiKeyFromCache)
+
+		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+		is.Equal(*apiKey2, apiKeyFromCache)
+
+		// evict cache
+		ok = service.InvalidateUserKeyCache(user.ID)
+		is.True(ok)
+
+		// verify users keys have been flushed from cache
+		_, _, ok = service.cache.Get(apiKey1.Digest)
+		is.False(ok)
+
+		_, _, ok = service.cache.Get(apiKey2.Digest)
+		is.False(ok)
+	})
+
+	t.Run("User key eviction does not affect other users keys", func(t *testing.T) {
+		// generate keys for 2 users
+		user1 := portainer.User{ID: 1}
+		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
+		is.NoError(err)
+
+		user2 := portainer.User{ID: 2}
+		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
+		is.NoError(err)
+
+		// verify keys in cache
+		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
+		is.True(ok)
+		is.Equal(*apiKey1, apiKeyFromCache)
+
+		_, apiKeyFromCache, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+		is.Equal(*apiKey2, apiKeyFromCache)
+
+		// evict key of single user from cache
+		ok = service.cache.InvalidateUserKeyCache(user1.ID)
+		is.True(ok)
+
+		// verify user1 key has been flushed from cache
+		_, _, ok = service.cache.Get(apiKey1.Digest)
+		is.False(ok)
+
+		// verify user2 key is still in cache
+		_, _, ok = service.cache.Get(apiKey2.Digest)
+		is.True(ok)
+	})
+}

api/aws/ecr/authorization_token.go

@@ -0,0 +1,61 @@
+package ecr
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+)
+
+func (s *Service) GetEncodedAuthorizationToken() (token *string, expiry *time.Time, err error) {
+	getAuthorizationTokenOutput, err := s.client.GetAuthorizationToken(context.TODO(), nil)
+	if err != nil {
+		return
+	}
+
+	if len(getAuthorizationTokenOutput.AuthorizationData) == 0 {
+		err = fmt.Errorf("AuthorizationData is empty")
+		return
+	}
+
+	authData := getAuthorizationTokenOutput.AuthorizationData[0]
+
+	token = authData.AuthorizationToken
+	expiry = authData.ExpiresAt
+
+	return
+}
+
+func (s *Service) GetAuthorizationToken() (token *string, expiry *time.Time, err error) {
+	tokenEncodedStr, expiry, err := s.GetEncodedAuthorizationToken()
+	if err != nil {
+		return
+	}
+
+	tokenByte, err := base64.StdEncoding.DecodeString(*tokenEncodedStr)
+	if err != nil {
+		return
+	}
+	tokenStr := string(tokenByte)
+	token = &tokenStr
+
+	return
+}
+
+func (s *Service) ParseAuthorizationToken(token string) (username string, password string, err error) {
+	if len(token) == 0 {
+		return
+	}
+
+	splitToken := strings.Split(token, ":")
+	if len(splitToken) < 2 {
+		err = fmt.Errorf("invalid ECR authorization token")
+		return
+	}
+
+	username = splitToken[0]
+	password = splitToken[1]
+
+	return
+}

api/aws/ecr/ecr.go

@@ -0,0 +1,32 @@
+package ecr
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+)
+
+type (
+	Service struct {
+		accessKey string
+		secretKey string
+		region    string
+		client    *ecr.Client
+	}
+)
+
+func NewService(accessKey, secretKey, region string) *Service {
+	options := ecr.Options{
+		Region:      region,
+		Credentials: aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")),
+	}
+
+	client := ecr.New(options)
+
+	return &Service{
+		accessKey: accessKey,
+		secretKey: secretKey,
+		region:    region,
+		client:    client,
+	}
+}

api/bolt/apikeyrepository/apikeyrepository.go

@@ -0,0 +1,137 @@
+package apikeyrepository
+
+import (
+	"bytes"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/errors"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "api_key"
+)
+
+// Service represents a service for managing api-key data.
+type Service struct {
+	connection *internal.DbConnection
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection *internal.DbConnection) (*Service, error) {
+	err := internal.CreateBucket(connection, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// GetAPIKeysByUserID returns a slice containing all the APIKeys a user has access to.
+func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer.APIKey, error) {
+	var result = make([]portainer.APIKey, 0)
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var record portainer.APIKey
+			err := internal.UnmarshalObject(v, &record)
+			if err != nil {
+				return err
+			}
+
+			if record.UserID == userID {
+				result = append(result, record)
+			}
+		}
+		return nil
+	})
+
+	return result, err
+}
+
+// GetAPIKeyByDigest returns the API key for the associated digest.
+// Note: there is a 1-to-1 mapping of api-key and digest
+func (service *Service) GetAPIKeyByDigest(digest []byte) (*portainer.APIKey, error) {
+	var result portainer.APIKey
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var record portainer.APIKey
+			err := internal.UnmarshalObject(v, &record)
+			if err != nil {
+				return err
+			}
+
+			if bytes.Equal(record.Digest, digest) {
+				result = record
+				return nil
+			}
+		}
+		return nil
+	})
+
+	return &result, err
+}
+
+// CreateAPIKey creates a new APIKey object.
+func (service *Service) CreateAPIKey(record *portainer.APIKey) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		record.ID = portainer.APIKeyID(id)
+
+		data, err := internal.MarshalObject(record)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(record.ID)), data)
+	})
+}
+
+// GetAPIKey retrieves an existing APIKey object by api key ID.
+func (service *Service) GetAPIKey(keyID portainer.APIKeyID) (*portainer.APIKey, error) {
+	var apiKey *portainer.APIKey
+
+	err := service.connection.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		item := bucket.Get(internal.Itob(int(keyID)))
+		if item == nil {
+			return errors.ErrObjectNotFound
+		}
+
+		err := internal.UnmarshalObject(item, &apiKey)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+
+	return apiKey, err
+}
+
+func (service *Service) UpdateAPIKey(key *portainer.APIKey) error {
+	identifier := internal.Itob(int(key.ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, key)
+}
+
+func (service *Service) DeleteAPIKey(ID portainer.APIKeyID) error {
+	return service.connection.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		return bucket.Delete(internal.Itob(int(ID)))
+	})
+}

api/bolt/datastore.go

@@ -5,6 +5,7 @@ import (
 	"path"
 	"time"
 
+	"github.com/portainer/portainer/api/bolt/apikeyrepository"
 	"github.com/portainer/portainer/api/bolt/helmuserrepository"
 
 	"github.com/boltdb/bolt"
@@ -60,6 +61,7 @@ type Store struct {
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
 	RoleService               *role.Service
+	APIKeyRepositoryService   *apikeyrepository.Service
 	ScheduleService           *schedule.Service
 	SettingsService           *settings.Service
 	SSLSettingsService        *ssl.Service

api/bolt/services.go

@@ -2,6 +2,7 @@ package bolt
 
 import (
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/apikeyrepository"
 	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
 	"github.com/portainer/portainer/api/bolt/edgegroup"
@@ -155,6 +156,12 @@ func (store *Store) initServices() error {
 	}
 	store.UserService = userService
 
+	apiKeyService, err := apikeyrepository.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.APIKeyRepositoryService = apiKeyService
+
 	versionService, err := version.NewService(store.connection)
 	if err != nil {
 		return err
@@ -231,6 +238,11 @@ func (store *Store) Role() portainer.RoleService {
 	return store.RoleService
 }
 
+// APIKeyRepository gives access to the api-key data management layer
+func (store *Store) APIKeyRepository() portainer.APIKeyRepository {
+	return store.APIKeyRepositoryService
+}
+
 // Settings gives access to the Settings data management layer
 func (store *Store) Settings() portainer.SettingsService {
 	return store.SettingsService

api/bolt/webhook/webhook.go

@@ -150,3 +150,9 @@ func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
 		return bucket.Put(internal.Itob(int(webhook.ID)), data)
 	})
 }
+
+// UpdateWebhook update a webhook.
+func (service *Service) UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, webhook)
+}

api/cmd/portainer/main.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/apikey"
 	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/cli"
@@ -104,8 +105,15 @@ func initComposeStackManager(assetsPath string, configPath string, reverseTunnel
 	return composeWrapper
 }
 
-func initSwarmStackManager(assetsPath string, configPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (portainer.SwarmStackManager, error) {
-	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService)
+func initSwarmStackManager(
+	assetsPath string,
+	configPath string,
+	signatureService portainer.DigitalSignatureService,
+	fileService portainer.FileService,
+	reverseTunnelService portainer.ReverseTunnelService,
+	dataStore portainer.DataStore,
+) (portainer.SwarmStackManager, error) {
+	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
 }
 
 func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
@@ -116,6 +124,10 @@ func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, erro
 	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
 }
 
+func initAPIKeyService(datastore portainer.DataStore) apikey.APIKeyService {
+	return apikey.NewAPIKeyService(datastore.APIKeyRepository(), datastore.User())
+}
+
 func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
 	settings, err := dataStore.Settings().Settings()
 	if err != nil {
@@ -457,6 +469,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal(err)
 	}
 
+	apiKeyService := initAPIKeyService(dataStore)
+
 	jwtService, err := initJWTService(dataStore)
 	if err != nil {
 		log.Fatalf("failed initializing JWT service: %v", err)
@@ -518,7 +532,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	composeStackManager := initComposeStackManager(*flags.Assets, dockerConfigPath, reverseTunnelService, proxyManager)
 
-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService)
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
 		log.Fatalf("failed initializing swarm stack manager: %s", err)
 	}
@@ -618,6 +632,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		KubernetesDeployer:          kubernetesDeployer,
 		HelmPackageManager:          helmPackageManager,
 		CryptoService:               cryptoService,
+		APIKeyService:               apiKeyService,
 		JWTService:                  jwtService,
 		FileService:                 fileService,
 		LDAPService:                 ldapService,

api/exec/swarm_stack.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	"github.com/portainer/portainer/api/internal/stackutils"
 )
 
@@ -22,17 +23,25 @@ type SwarmStackManager struct {
 	signatureService     portainer.DigitalSignatureService
 	fileService          portainer.FileService
 	reverseTunnelService portainer.ReverseTunnelService
+	dataStore            portainer.DataStore
 }
 
 // NewSwarmStackManager initializes a new SwarmStackManager service.
 // It also updates the configuration of the Docker CLI binary.
-func NewSwarmStackManager(binaryPath, configPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (*SwarmStackManager, error) {
+func NewSwarmStackManager(
+	binaryPath, configPath string,
+	signatureService portainer.DigitalSignatureService,
+	fileService portainer.FileService,
+	reverseTunnelService portainer.ReverseTunnelService,
+	datastore portainer.DataStore,
+) (*SwarmStackManager, error) {
 	manager := &SwarmStackManager{
 		binaryPath:           binaryPath,
 		configPath:           configPath,
 		signatureService:     signatureService,
 		fileService:          fileService,
 		reverseTunnelService: reverseTunnelService,
+		dataStore:            datastore,
 	}
 
 	err := manager.updateDockerCLIConfiguration(manager.configPath)
@@ -51,7 +60,17 @@ func (manager *SwarmStackManager) Login(registries []portainer.Registry, endpoin
 	}
 	for _, registry := range registries {
 		if registry.Authentication {
-			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
+			err = registryutils.EnsureRegTokenValid(manager.dataStore, &registry)
+			if err != nil {
+				return err
+			}
+
+			username, password, err := registryutils.GetRegEffectiveCredential(&registry)
+			if err != nil {
+				return err
+			}
+
+			registryArgs := append(args, "login", "--username", username, "--password", password, registry.URL)
 			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
 		}
 	}

api/go.mod

@@ -6,6 +6,9 @@ require (
 	github.com/Microsoft/go-winio v0.4.17
 	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535
+	github.com/aws/aws-sdk-go-v2 v1.11.1
+	github.com/aws/aws-sdk-go-v2/credentials v1.6.2
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1
 	github.com/boltdb/bolt v1.3.1
 	github.com/containerd/containerd v1.5.7 // indirect
 	github.com/coreos/go-semver v0.3.0
@@ -22,6 +25,7 @@ require (
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
 	github.com/gorilla/websocket v1.4.2
+	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.3.0
 	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
 	github.com/json-iterator/go v1.1.11

api/go.sum

@@ -86,6 +86,22 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY=
 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
 github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
+github.com/aws/aws-sdk-go-v2 v1.11.1 h1:GzvOVAdTbWxhEMRK4FfiblkGverOkAT0UodDxC1jHQM=
+github.com/aws/aws-sdk-go-v2 v1.11.1/go.mod h1:SQfA+m2ltnu1cA0soUkj4dRSsmITiVQUJvBIZjzfPyQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.2 h1:2faRNX8JgZVy7dDxERkaGBqb/xo5Rgmc8JMPL5j1o58=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.2/go.mod h1:8kRH9fthlxHEeNJ3g1N3NTSUMBba+KtTM8hp6SvUWn8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.1/go.mod h1:MYiG3oeEcmrdBOV7JOIWhionzyRZJWCnByS5FmvhAoU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1 h1:LZwqhOyqQ2w64PZk04V0Om9AEExtW8WMkCRoE1h9/94=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1/go.mod h1:22SEiBSQm5AyKEjoPcG1hzpeTI+m9CXfE6yt1h49wBE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1 h1:ObMfGNk0xjOWduPxsrRWVwZZia3e9fOcO6zlKCkt38s=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1/go.mod h1:1xvCD+I5BcDuQUc+psZr7LI1a9pclAWZs3S3Gce5+lg=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1 h1:onTF83DG9dsRv6UzuhYb7phiktjwQ++s/n+ZtNlTQnM=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1/go.mod h1:9RH1zeu1Ls3x2EQew/eCDuq2AlC0M8RzYfYy5+5gSLc=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.1/go.mod h1:fEaHB2bi+wVZw4uKMHEXTL9LwtT4EL//DOhTeflqIVo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.6.1/go.mod h1:/73aFBwUl60wKBKhdth2pEOkut5ZNjVHGF9hjXz0bM0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.10.1/go.mod h1:+BmlPeQ1Y+PuIho93MMKDby12PoUnt1SZXQdEHCzSlw=
+github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
+github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -378,8 +394,9 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -425,6 +442,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -441,6 +460,10 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
@@ -590,8 +613,6 @@ github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a h1:qY8TbocN75n
 github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a/go.mod h1:n54EEIq+MM0NNtqLeCby8ljL+l275VpolXO0ibHegLE=
 github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108 h1:5e8KAnDa2G3cEHK7aV/ue8lOaoQwBZUzoALslwWkR04=
 github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33 h1:H8HR2dHdBf8HANSkUyVw4o8+4tegGcd+zyKZ3e599II=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33/go.mod h1:Y2TfgviWI4rT2qaOTHr+hq6MdKIE5YjgQAu7qwptTV0=
 github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc h1:vxVN9srGND+iA9oBmyFgtbtOvnmOCLmxw20ncYCJ5HA=
 github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc/go.mod h1:nyQA6IahOruIvENCcBk54aaUvV2WHFdXkvBjIutg+SY=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=

api/http/handler/auth/logout.go

@@ -11,6 +11,7 @@ import (
 // @id Logout
 // @summary Logout
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags auth
 // @success 204 "Success"

api/http/handler/backup/backup.go

@@ -26,6 +26,7 @@ func (p *backupPayload) Validate(r *http.Request) error {
 // @description  Creates an archive with a system data snapshot that could be used to restore the system.
 // @description **Access policy**: admin
 // @tags backup
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce octet-stream

api/http/handler/customtemplates/customtemplate_create.go

@@ -22,6 +22,7 @@ import (
 // @description Create a custom template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json,multipart/form-data
 // @produce json

api/http/handler/customtemplates/customtemplate_delete.go

@@ -18,6 +18,7 @@ import (
 // @description Remove a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Template identifier"
 // @success 204 "Success"

api/http/handler/customtemplates/customtemplate_file.go

@@ -19,6 +19,7 @@ type fileResponse struct {
 // @description Retrieve the content of the Stack file for the specified custom template
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Template identifier"

api/http/handler/customtemplates/customtemplate_inspect.go

@@ -18,6 +18,7 @@ import (
 // @description Retrieve details about a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Template identifier"

api/http/handler/customtemplates/customtemplate_list.go

@@ -17,6 +17,7 @@ import (
 // @description List available custom templates.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param type query []int true "Template types" Enums(1,2,3)

api/http/handler/customtemplates/customtemplate_update.go

@@ -62,6 +62,7 @@ func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
 // @description Update a template.
 // @description **Access policy**: authenticated
 // @tags custom_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgegroups/edgegroup_create.go

@@ -36,6 +36,7 @@ func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
 // @summary Create an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgegroups/edgegroup_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Deletes an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EdgeGroup Id"
 // @success 204

api/http/handler/edgegroups/edgegroup_inspect.go

@@ -14,6 +14,7 @@ import (
 // @summary Inspects an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "EdgeGroup Id"

api/http/handler/edgegroups/edgegroup_list.go

@@ -19,6 +19,7 @@ type decoratedEdgeGroup struct {
 // @summary list EdgeGroups
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} decoratedEdgeGroup "EdgeGroups"

api/http/handler/edgegroups/edgegroup_update.go

@@ -38,6 +38,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgejobs/edgejob_create.go

@@ -18,6 +18,7 @@ import (
 // @summary Create an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param method query string true "Creation Method" Enums(file, string)

api/http/handler/edgejobs/edgejob_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Delete an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @param id path string true "EdgeJob Id"
 // @success 204

api/http/handler/edgejobs/edgejob_file.go

@@ -18,6 +18,7 @@ type edgeJobFileResponse struct {
 // @summary Fetch a file of an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_inspect.go

@@ -19,6 +19,7 @@ type edgeJobInspectResponse struct {
 // @summary Inspect an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_list.go

@@ -11,6 +11,7 @@ import (
 // @summary Fetch EdgeJobs list
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EdgeJob

api/http/handler/edgejobs/edgejob_tasklogs_clear.go

@@ -15,6 +15,7 @@ import (
 // @summary Clear the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasklogs_collect.go

@@ -14,6 +14,7 @@ import (
 // @summary Collect the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasklogs_inspect.go

@@ -17,6 +17,7 @@ type fileResponse struct {
 // @summary Fetch the log for a specifc task on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_tasks_list.go

@@ -21,6 +21,7 @@ type taskContainer struct {
 // @summary Fetch the list of tasks on an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeJob Id"

api/http/handler/edgejobs/edgejob_update.go

@@ -32,6 +32,7 @@ func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
 // @summary Update an EdgeJob
 // @description **Access policy**: administrator
 // @tags edge_jobs
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgestacks/edgestack_create.go

@@ -21,6 +21,7 @@ import (
 // @summary Create an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param method query string true "Creation Method" Enums(file,string,repository)

api/http/handler/edgestacks/edgestack_delete.go

@@ -15,6 +15,7 @@ import (
 // @summary Delete an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @param id path string true "EdgeStack Id"
 // @success 204

api/http/handler/edgestacks/edgestack_file.go

@@ -18,6 +18,7 @@ type stackFileResponse struct {
 // @summary Fetches the stack file for an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeStack Id"

api/http/handler/edgestacks/edgestack_inspect.go

@@ -14,6 +14,7 @@ import (
 // @summary Inspect an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path string true "EdgeStack Id"

api/http/handler/edgestacks/edgestack_list.go

@@ -11,6 +11,7 @@ import (
 // @summary Fetches the list of EdgeStacks
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EdgeStack

api/http/handler/edgestacks/edgestack_update.go

@@ -35,6 +35,7 @@ func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
 // @summary Update an EdgeStack
 // @description **Access policy**: administrator
 // @tags edge_stacks
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/edgetemplates/edgetemplate_list.go

@@ -19,6 +19,7 @@ type templateFileFormat struct {
 // @summary Fetches the list of Edge Templates
 // @description **Access policy**: administrator
 // @tags edge_templates
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_create.go

@@ -36,6 +36,7 @@ func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
 // @description Create a new environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -16,6 +16,7 @@ import (
 // @description Remove an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @success 204 "Success"

api/http/handler/endpointgroups/endpointgroup_endpoint_add.go

@@ -15,6 +15,7 @@ import (
 // @description Add an environment(endpoint) to an environment(endpoint) group
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @param endpointId path int true "Environment(Endpoint) identifier"

api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go

@@ -14,6 +14,7 @@ import (
 // @summary Removes environment(endpoint) from an environment(endpoint) group
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "EndpointGroup identifier"
 // @param endpointId path int true "Environment(Endpoint) identifier"

api/http/handler/endpointgroups/endpointgroup_inspect.go

@@ -14,6 +14,7 @@ import (
 // @description Retrieve details abont an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpointgroups/endpointgroup_list.go

@@ -15,6 +15,7 @@ import (
 // @description only return authorized environment(endpoint) groups.
 // @description **Access policy**: restricted
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.EndpointGroup "Environment(Endpoint) group"

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -32,6 +32,7 @@ func (payload *endpointGroupUpdatePayload) Validate(r *http.Request) error {
 // @description Update an environment(endpoint) group.
 // @description **Access policy**: administrator
 // @tags endpoint_groups
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpoints/endpoint_association_delete.go

@@ -19,6 +19,7 @@ import (
 // @summary De-association an edge environment(endpoint)
 // @description De-association an edge environment(endpoint).
 // @description **Access policy**: administrator
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @produce json

api/http/handler/endpoints/endpoint_create.go

@@ -152,6 +152,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 // @description  Create a new environment(endpoint) that will be used to manage an environment(endpoint).
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @accept multipart/form-data
 // @produce json

api/http/handler/endpoints/endpoint_delete.go

@@ -16,6 +16,7 @@ import (
 // @description Remove an environment(endpoint).
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 204 "Success"

api/http/handler/endpoints/endpoint_dockerhub_status.go

@@ -29,6 +29,7 @@ type dockerhubStatusResponse struct {
 // @description get docker pull limits for a docker hub registry in the environment
 // @description **Access policy**:
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "endpoint ID"

api/http/handler/endpoints/endpoint_inspect.go

@@ -15,6 +15,7 @@ import (
 // @description Retrieve details about an environment(endpoint).
 // @description **Access policy**: restricted
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"

api/http/handler/endpoints/endpoint_list.go

@@ -20,6 +20,7 @@ import (
 // @description only return authorized environments(endpoints).
 // @description **Access policy**: restricted
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param start query int false "Start searching from"

api/http/handler/endpoints/endpoint_registries_inspect.go

@@ -16,6 +16,7 @@ import (
 // @summary get registry for environment
 // @description **Access policy**: authenticated
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "identifier"

api/http/handler/endpoints/endpoint_registries_list.go

@@ -19,6 +19,7 @@ import (
 // @description **Access policy**: authenticated
 // @tags endpoints
 // @param namespace query string false "required if kubernetes environment, will show registries by namespace"
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"

api/http/handler/endpoints/endpoint_registry_access.go

@@ -25,6 +25,7 @@ func (payload *registryAccessPayload) Validate(r *http.Request) error {
 // @summary update registry access for environment
 // @description **Access policy**: authenticated
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/endpoints/endpoint_settings_update.go

@@ -39,6 +39,7 @@ func (payload *endpointSettingsUpdatePayload) Validate(r *http.Request) error {
 // @summary Update settings for an environment(endpoint)
 // @description Update settings for an environment(endpoint).
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @accept json

api/http/handler/endpoints/endpoint_snapshot.go

@@ -16,6 +16,7 @@ import (
 // @description Snapshots an environment(endpoint)
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 204 "Success"

api/http/handler/endpoints/endpoint_snapshots.go

@@ -15,6 +15,7 @@ import (
 // @description Snapshot all environments(endpoints)
 // @description **Access policy**: administrator
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @success 204 "Success"
 // @failure 500 "Server Error"

api/http/handler/endpoints/endpoint_status_inspect.go

@@ -54,6 +54,7 @@ type endpointStatusInspectResponse struct {
 // @description Environment(Endpoint) for edge agent to check status of environment(endpoint)
 // @description **Access policy**: restricted only to Edge environments(endpoints)
 // @tags endpoints
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @success 200 {object} endpointStatusInspectResponse "Success"

api/http/handler/endpoints/endpoint_update.go

@@ -57,6 +57,7 @@ func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
 // @summary Update an environment(endpoint)
 // @description Update an environment(endpoint).
 // @description **Access policy**: authenticated
+// @security ApiKeyAuth
 // @security jwt
 // @tags endpoints
 // @accept json

api/http/handler/handler.go

@@ -76,7 +76,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.9.3
+// @version 2.11.0
 // @description.markdown api-description.md
 // @termsOfService
 
@@ -89,6 +89,10 @@ type Handler struct {
 // @BasePath /api
 // @schemes http https
 
+// @securitydefinitions.apikey ApiKeyAuth
+// @in header
+// @name Authorization
+
 // @securitydefinitions.apikey jwt
 // @in header
 // @name Authorization

api/http/handler/helm/handler.go

@@ -26,17 +26,19 @@ type Handler struct {
 	*mux.Router
 	requestBouncer     requestBouncer
 	dataStore          portainer.DataStore
+	jwtService         portainer.JWTService
 	kubeConfigService  kubernetes.KubeConfigService
 	kubernetesDeployer portainer.KubernetesDeployer
 	helmPackageManager libhelm.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer requestBouncer, dataStore portainer.DataStore, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeConfigService kubernetes.KubeConfigService) *Handler {
+func NewHandler(bouncer requestBouncer, dataStore portainer.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeConfigService kubernetes.KubeConfigService) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		requestBouncer:     bouncer,
 		dataStore:          dataStore,
+		jwtService:         jwtService,
 		kubernetesDeployer: kubernetesDeployer,
 		helmPackageManager: helmPackageManager,
 		kubeConfigService:  kubeConfigService,
@@ -91,7 +93,12 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 		return nil, &httperror.HandlerError{http.StatusNotFound, "Unable to find an environment on request context", err}
 	}
 
-	bearerToken, err := security.ExtractBearerToken(r)
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	bearerToken, err := handler.jwtService.GenerateToken(tokenData)
 	if err != nil {
 		return nil, &httperror.HandlerError{http.StatusUnauthorized, "Unauthorized", err}
 	}

api/http/handler/helm/helm_delete.go

@@ -14,6 +14,7 @@ import (
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
 // @param release path string true "The name of the release/application to uninstall"

api/http/handler/helm/helm_delete_test.go

@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 
@@ -30,10 +31,13 @@ func Test_helmDelete(t *testing.T) {
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
 	is.NoError(err, "Error creating a user")
 
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	is.NotNil(h, "Handler should not fail")
 

api/http/handler/helm/helm_install.go

@@ -38,6 +38,7 @@ var errChartNameInvalid = errors.New("invalid chart name. " +
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/helm/helm_install_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/portainer/portainer/api/exec/exectest"
 	"github.com/portainer/portainer/api/http/security"
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 )
@@ -32,10 +33,13 @@ func Test_helmInstall(t *testing.T) {
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
 	is.NoError(err, "error creating a user")
 
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	is.NotNil(h, "Handler should not fail")
 

api/http/handler/helm/helm_list.go

@@ -14,6 +14,7 @@ import (
 // @description
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/helm/helm_list_test.go

@@ -12,6 +12,8 @@ import (
 	"github.com/portainer/libhelm/release"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
 	"github.com/stretchr/testify/assert"
 
@@ -20,28 +22,33 @@ import (
 )
 
 func Test_helmList(t *testing.T) {
+	is := assert.New(t)
+
 	store, teardown := bolt.MustNewTestStore(true)
 	defer teardown()
 
 	err := store.Endpoint().CreateEndpoint(&portainer.Endpoint{ID: 1})
-	assert.NoError(t, err, "error creating environment")
+	is.NoError(err, "error creating environment")
 
 	err = store.User().CreateUser(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
-	assert.NoError(t, err, "error creating a user")
+	is.NoError(err, "error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initialising jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
 	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
 	kubeConfigService := kubernetes.NewKubeConfigCAService("", "")
-	h := NewHandler(helper.NewTestRequestBouncer(), store, kubernetesDeployer, helmPackageManager, kubeConfigService)
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeConfigService)
 
 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
 	h.helmPackageManager.Install(options)
 
 	t.Run("helmList", func(t *testing.T) {
-		is := assert.New(t)
-
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
 		req.Header.Add("Authorization", "Bearer dummytoken")
 
 		rr := httptest.NewRecorder()

api/http/handler/helm/helm_repo_search.go

@@ -16,6 +16,7 @@ import (
 // @description **Access policy**: authenticated
 // @tags helm
 // @param repo query string true "Helm repository URL"
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} string "Success"

api/http/handler/helm/helm_show.go

@@ -20,6 +20,7 @@ import (
 // @param repo query string true "Helm repository URL"
 // @param chart query string true "Chart name"
 // @param command path string true "chart/values/readme"
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce text/plain

api/http/handler/helm/user_helm_repos.go

@@ -33,6 +33,7 @@ func (p *addHelmRepoUrlPayload) Validate(_ *http.Request) error {
 // @description Create a user helm repository.
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -93,6 +94,7 @@ func (handler *Handler) userCreateHelmRepo(w http.ResponseWriter, r *http.Reques
 // @description Inspect a user helm repositories.
 // @description **Access policy**: authenticated
 // @tags helm
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "User identifier"

api/http/handler/kubernetes/kubernetes_config.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 	"net/http"
 
-	clientV1 "k8s.io/client-go/tools/clientcmd/api/v1"
-
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@@ -14,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	kcli "github.com/portainer/portainer/api/kubernetes/cli"
+	clientV1 "k8s.io/client-go/tools/clientcmd/api/v1"
 )
 
 // @id GetKubernetesConfig
@@ -21,6 +20,7 @@ import (
 // @description Generates kubeconfig file enabling client communication with k8s api server
 // @description **Access policy**: authenticated
 // @tags kubernetes
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -122,21 +122,14 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 	authInfosSet := make(map[string]bool)
 
 	for idx, endpoint := range endpoints {
-		cli, err := handler.kubernetesClientFactory.GetKubeClient(&endpoint)
-		if err != nil {
-			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Kubernetes client", err}
-		}
-
-		serviceAccount, err := cli.GetServiceAccount(tokenData)
-		if err != nil {
-			return nil, &httperror.HandlerError{http.StatusInternalServerError, fmt.Sprintf("unable to find serviceaccount associated with user; username=%s", tokenData.Username), err}
-		}
+		instanceID := handler.kubernetesClientFactory.GetInstanceID()
+		serviceAccountName := kcli.UserServiceAccountName(int(tokenData.ID), instanceID)
 
 		configClusters[idx] = buildCluster(r, endpoint)
-		configContexts[idx] = buildContext(serviceAccount.Name, endpoint)
-		if !authInfosSet[serviceAccount.Name] {
-			configAuthInfos = append(configAuthInfos, buildAuthInfo(serviceAccount.Name, bearerToken))
-			authInfosSet[serviceAccount.Name] = true
+		configContexts[idx] = buildContext(serviceAccountName, endpoint)
+		if !authInfosSet[serviceAccountName] {
+			configAuthInfos = append(configAuthInfos, buildAuthInfo(serviceAccountName, bearerToken))
+			authInfosSet[serviceAccountName] = true
 		}
 	}
 

api/http/handler/kubernetes/kubernetes_nodes_limits.go

@@ -15,6 +15,7 @@ import (
 // @description Get CPU and memory limits of all nodes within k8s cluster
 // @description **Access policy**: authenticated
 // @tags kubernetes
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/kubernetes/namespaces_toggle_system.go

@@ -22,6 +22,7 @@ func (payload *namespacesToggleSystemPayload) Validate(r *http.Request) error {
 // @summary Toggle the system state for a namespace
 // @description  Toggle the system state for a namespace
 // @description **Access policy**: administrator or environment(endpoint) admin
+// @security ApiKeyAuth
 // @security jwt
 // @tags kubernetes
 // @accept json

api/http/handler/ldap/ldap_check.go

@@ -22,6 +22,7 @@ func (payload *checkPayload) Validate(r *http.Request) error {
 // @description Test LDAP connectivity using LDAP details
 // @description **Access policy**: administrator
 // @tags ldap
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @param body body checkPayload true "details"

api/http/handler/motd/motd.go

@@ -30,6 +30,7 @@ type motdData struct {
 // @summary fetches the message of the day
 // @description **Access policy**: restricted
 // @tags motd
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} motdResponse

api/http/handler/registries/registry_configure.go

@@ -21,7 +21,8 @@ type registryConfigurePayload struct {
 	Username string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password string `example:"registry_password"`
-
+	// ECR region
+	Region  string
 	// Use TLS
 	TLS bool `example:"true"`
 	// Skip the verification of the server TLS certificate
@@ -47,6 +48,9 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 
 		password, _ := request.RetrieveMultiPartFormValue(r, "Password", true)
 		payload.Password = password
+
+		region, _ := request.RetrieveMultiPartFormValue(r, "Region", true)
+		payload.Region = region
 	}
 
 	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
@@ -83,6 +87,7 @@ func (payload *registryConfigurePayload) Validate(r *http.Request) error {
 // @description Configures a registry.
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -133,6 +138,10 @@ func (handler *Handler) registryConfigure(w http.ResponseWriter, r *http.Request
 		} else {
 			registry.ManagementConfiguration.Password = payload.Password
 		}
+
+		if payload.Region != "" {
+			registry.ManagementConfiguration.Ecr.Region = payload.Region
+		}
 	}
 
 	if payload.TLS {

api/http/handler/registries/registry_create.go

@@ -17,8 +17,15 @@ import (
 type registryCreatePayload struct {
 	// Name that will be used to identify this registry
 	Name string `example:"my-registry" validate:"required"`
-	// Registry Type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)
-	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6"`
+	// Registry Type. Valid values are:
+	//	1 (Quay.io),
+	//	2 (Azure container registry),
+	//	3 (custom registry),
+	//	4 (Gitlab registry),
+	//	5 (ProGet registry),
+	//	6 (DockerHub)
+	//	7 (ECR)
+	Type portainer.RegistryType `example:"1" validate:"required" enums:"1,2,3,4,5,6,7"`
 	// URL or IP address of the Docker registry
 	URL string `example:"registry.mydomain.tld:2375/feed" validate:"required"`
 	// BaseURL required for ProGet registry
@@ -33,6 +40,8 @@ type registryCreatePayload struct {
 	Gitlab portainer.GitlabRegistryData
 	// Quay specific details, required when type = 1
 	Quay portainer.QuayRegistryData
+	// ECR specific details, required when type = 7
+	Ecr portainer.EcrData
 }
 
 func (payload *registryCreatePayload) Validate(_ *http.Request) error {
@@ -42,14 +51,22 @@ func (payload *registryCreatePayload) Validate(_ *http.Request) error {
 	if govalidator.IsNull(payload.URL) {
 		return errors.New("Invalid registry URL")
 	}
-	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
-		return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+
+	if payload.Authentication {
+		if govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password) {
+			return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+		}
+		if payload.Type == portainer.EcrRegistry {
+			if govalidator.IsNull(payload.Ecr.Region) {
+				return errors.New("invalid credentials: access key ID, secret access key and region must be specified when authentication is enabled")
+			}
+		}
 	}
 
 	switch payload.Type {
-	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry:
+	case portainer.QuayRegistry, portainer.AzureRegistry, portainer.CustomRegistry, portainer.GitlabRegistry, portainer.ProGetRegistry, portainer.DockerHubRegistry, portainer.EcrRegistry:
 	default:
-		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry) or 6 (DockerHub)")
+		return errors.New("invalid registry type. Valid values are: 1 (Quay.io), 2 (Azure container registry), 3 (custom registry), 4 (Gitlab registry), 5 (ProGet registry), 6 (DockerHub), 7 (ECR)")
 	}
 
 	if payload.Type == portainer.ProGetRegistry && payload.BaseURL == "" {
@@ -64,6 +81,7 @@ func (payload *registryCreatePayload) Validate(_ *http.Request) error {
 // @description Create a new registry.
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -95,9 +113,10 @@ func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *
 		Authentication:   payload.Authentication,
 		Username:         payload.Username,
 		Password:         payload.Password,
-		RegistryAccesses: portainer.RegistryAccesses{},
 		Gitlab:           payload.Gitlab,
 		Quay:             payload.Quay,
+		RegistryAccesses: portainer.RegistryAccesses{},
+		Ecr:              payload.Ecr,
 	}
 
 	registries, err := handler.DataStore.Registry().Registries()

api/http/handler/registries/registry_create_test.go

@@ -33,6 +33,20 @@ func Test_registryCreatePayload_Validate(t *testing.T) {
 		err := payload.Validate(nil)
 		assert.NoError(t, err)
 	})
+	t.Run("Can't create a AWS ECR registry if authentication required, but access key ID, secret access key or region is empty", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = true
+		err := payload.Validate(nil)
+		assert.Error(t, err)
+	})
+	t.Run("Do not require access key ID, secret access key, region for public AWS ECR registry", func(t *testing.T) {
+		payload := basePayload
+		payload.Type = portainer.EcrRegistry
+		payload.Authentication = false
+		err := payload.Validate(nil)
+		assert.NoError(t, err)
+	})
 }
 
 type testRegistryService struct {

api/http/handler/registries/registry_delete.go

@@ -17,6 +17,7 @@ import (
 // @description Remove a registry
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Registry identifier"
 // @success 204 "Success"

api/http/handler/registries/registry_inspect.go

@@ -16,6 +16,7 @@ import (
 // @description Retrieve details about a registry.
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @param id path int true "Registry identifier"

api/http/handler/registries/registry_list.go

@@ -16,6 +16,7 @@ import (
 // @description will only return authorized registries.
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.Registry "Success"

api/http/handler/registries/registry_update.go

@@ -2,6 +2,7 @@ package registries
 
 import (
 	"errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	"net/http"
 
 	httperror "github.com/portainer/libhttp/error"
@@ -26,8 +27,12 @@ type registryUpdatePayload struct {
 	Username *string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password         *string `example:"registry_password"`
-	RegistryAccesses *portainer.RegistryAccesses
+	// Quay data
 	Quay             *portainer.QuayRegistryData
+	// Registry access control
+	RegistryAccesses *portainer.RegistryAccesses `json:",omitempty"`
+	// ECR data
+	Ecr              *portainer.EcrData          `json:",omitempty"`
 }
 
 func (payload *registryUpdatePayload) Validate(r *http.Request) error {
@@ -39,6 +44,7 @@ func (payload *registryUpdatePayload) Validate(r *http.Request) error {
 // @description Update a registry
 // @description **Access policy**: restricted
 // @tags registries
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json
@@ -55,6 +61,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
 	}
+
 	if !securityContext.IsAdmin {
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update registry", httperrors.ErrResourceAccessDenied}
 	}
@@ -81,29 +88,41 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		registry.Name = *payload.Name
 	}
 
-	shouldUpdateSecrets := false
-
 	if registry.Type == portainer.ProGetRegistry && payload.BaseURL != nil {
 		registry.BaseURL = *payload.BaseURL
 	}
 
+	shouldUpdateSecrets := false
+
 	if payload.Authentication != nil {
+		shouldUpdateSecrets = shouldUpdateSecrets || (registry.Authentication != *payload.Authentication)
+
 		if *payload.Authentication {
 			registry.Authentication = true
-			shouldUpdateSecrets = shouldUpdateSecrets || (payload.Username != nil && *payload.Username != registry.Username) || (payload.Password != nil && *payload.Password != registry.Password)
 
 			if payload.Username != nil {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Username != *payload.Username)
 				registry.Username = *payload.Username
 			}
 
 			if payload.Password != nil && *payload.Password != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Password != *payload.Password)
 				registry.Password = *payload.Password
 			}
 
+			if registry.Type == portainer.EcrRegistry && payload.Ecr != nil && payload.Ecr.Region != "" {
+				shouldUpdateSecrets = shouldUpdateSecrets || (registry.Ecr.Region != payload.Ecr.Region)
+				registry.Ecr.Region = payload.Ecr.Region
+			}
 		} else {
 			registry.Authentication = false
 			registry.Username = ""
 			registry.Password = ""
+
+			registry.Ecr.Region = ""
+
+			registry.AccessToken = ""
+			registry.AccessTokenExpiry = 0
 		}
 	}
 
@@ -115,6 +134,7 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
 		}
+
 		for _, r := range registries {
 			if r.ID != registry.ID && handler.registriesHaveSameURLAndCredentials(&r, registry) {
 				return &httperror.HandlerError{http.StatusConflict, "Another registry with the same URL and credentials already exists", errors.New("A registry is already defined for this URL and credentials")}
@@ -123,13 +143,16 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 	}
 
 	if shouldUpdateSecrets {
+		registry.AccessToken = ""
+		registry.AccessTokenExpiry = 0
+
 		for endpointID, endpointAccess := range registry.RegistryAccesses {
 			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}
 			}
 
-			if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			if endpointutils.IsKubernetesEndpoint(endpoint) {
 				err = handler.updateEndpointRegistryAccess(endpoint, registry, endpointAccess)
 				if err != nil {
 					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update access to registry", err}

api/http/handler/resourcecontrols/resourcecontrol_create.go

@@ -58,6 +58,7 @@ func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
 // @description Create a new resource control to restrict access to a Docker resource.
 // @description **Access policy**: administrator
 // @tags resource_controls
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/resourcecontrols/resourcecontrol_delete.go

@@ -15,6 +15,7 @@ import (
 // @description Remove a resource control.
 // @description **Access policy**: administrator
 // @tags resource_controls
+// @security ApiKeyAuth
 // @security jwt
 // @param id path int true "Resource control identifier"
 // @success 204 "Success"

api/http/handler/resourcecontrols/resourcecontrol_update.go

@@ -40,6 +40,7 @@ func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
 // @description Update a resource control
 // @description **Access policy**: authenticated
 // @tags resource_controls
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/roles/role_list.go

@@ -12,6 +12,7 @@ import (
 // @description List all roles available for use
 // @description **Access policy**: administrator
 // @tags roles
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {array} portainer.Role "Success"

api/http/handler/settings/settings_inspect.go

@@ -12,6 +12,7 @@ import (
 // @description Retrieve Portainer settings.
 // @description **Access policy**: administrator
 // @tags settings
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} portainer.Settings "Success"

api/http/handler/settings/settings_update.go

@@ -78,6 +78,7 @@ func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
 // @description Update Portainer settings.
 // @description **Access policy**: administrator
 // @tags settings
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json

api/http/handler/ssl/ssl_inspect.go

@@ -12,6 +12,7 @@ import (
 // @description Retrieve the ssl settings.
 // @description **Access policy**: administrator
 // @tags ssl
+// @security ApiKeyAuth
 // @security jwt
 // @produce json
 // @success 200 {object} portainer.SSLSettings "Success"

api/http/handler/ssl/ssl_update.go

@@ -28,6 +28,7 @@ func (payload *sslUpdatePayload) Validate(r *http.Request) error {
 // @description Update the ssl settings.
 // @description **Access policy**: administrator
 // @tags ssl
+// @security ApiKeyAuth
 // @security jwt
 // @accept json
 // @produce json