Merge branch 'release/1.18.1'

Release 1.18.0

.codeclimate.yml

@@ -0,0 +1,29 @@
+---
+engines:
+  gofmt:
+    enabled: true
+  golint:
+    enabled: true
+  govet:
+    enabled: true
+  csslint:
+    enabled: true
+  duplication:
+    enabled: true
+    config:
+      languages:
+        javascript:
+          mass_threshold: 80
+  eslint:
+    enabled: true
+    config:
+      config: .eslintrc.yml
+  fixme:
+    enabled: true
+ratings:
+  paths:
+  - "**.css"
+  - "**.js"
+  - "**.go"
+exclude_paths:
+- test/

.codefresh/codefresh_branch.yml

@@ -0,0 +1,46 @@
+version: '1.0'
+steps:
+
+  build_backend:
+    image: portainer/golang-builder:ci
+    working_directory: ${{main_clone}}
+    commands:
+      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
+      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+      - /build.sh api/cmd/portainer
+
+  build_frontend:
+    image: portainer/angular-builder:latest
+    working_directory: ${{build_backend}}
+    commands:
+      - yarn
+      - yarn grunt build-webapp
+      - mv api/cmd/portainer/portainer dist/
+
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
+  build_image:
+    type: build
+    working_directory: ${{download_docker_binary}}
+    dockerfile: ./build/linux/Dockerfile
+    image_name: portainer/portainer
+    tag: ${{CF_BRANCH}}
+
+  push_image:
+    type: push
+    candidate: '${{build_image}}'
+    tag: '${{CF_BRANCH}}'
+    registry: dockerhub

.codefresh/codefresh_pullrequest.yml

@@ -0,0 +1,46 @@
+version: '1.0'
+steps:
+
+  build_backend:
+    image: portainer/golang-builder:ci
+    working_directory: ${{main_clone}}
+    commands:
+      - mkdir -p /go/src/github.com/${{CF_REPO_OWNER}}
+      - ln -s /codefresh/volume/${{CF_REPO_NAME}}/api /go/src/github.com/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+      - /build.sh api/cmd/portainer
+
+  build_frontend:
+    image: portainer/angular-builder:latest
+    working_directory: ${{build_backend}}
+    commands:
+      - yarn
+      - yarn grunt build-webapp
+      - mv api/cmd/portainer/portainer dist/
+
+  get_docker_version:
+    image: alpine
+    working_directory: ${{build_frontend}}
+    commands:
+      - cf_export DOCKER_VERSION=`cat gruntfile.js | grep -m 1 'shippedDockerVersion' | cut -d\' -f2`
+
+  download_docker_binary:
+    image: busybox
+    working_directory: ${{build_frontend}}
+    commands:
+      - echo ${{DOCKER_VERSION}}
+      - wget -O /tmp/docker-binaries.tgz https://download.docker.com/linux/static/stable/x86_64/docker-${{DOCKER_VERSION}}.tgz
+      - tar -xf /tmp/docker-binaries.tgz -C /tmp
+      - mv /tmp/docker/docker dist/
+
+  build_image:
+    type: build
+    working_directory: ${{download_docker_binary}}
+    dockerfile: ./build/linux/Dockerfile
+    image_name: portainer/portainer
+    tag: ${{CF_BRANCH}}
+
+  push_image:
+    type: push
+    candidate: '${{build_image}}'
+    tag: 'pr${{CF_PULL_REQUEST_NUMBER}}'
+    registry: dockerhub

.dockerignore

@@ -1,2 +1,3 @@
 *
 !dist
+!build

.eslintrc.yml

@@ -0,0 +1,284 @@
+env:
+  browser: true
+  jquery: true
+
+# globals:
+#   angular: true
+#   $: true
+#   _: true
+#   moment: true
+#   filesize: true
+#   splitargs: true
+extends:
+  - 'eslint:recommended'
+
+# http://eslint.org/docs/rules/
+rules:
+  # Possible Errors
+  no-await-in-loop: off
+  no-cond-assign: error
+  no-console: off
+  no-constant-condition: error
+  no-control-regex: error
+  no-debugger: error
+  no-dupe-args: error
+  no-dupe-keys: error
+  no-duplicate-case: error
+  no-empty-character-class: error
+  no-empty: error
+  no-ex-assign: error
+  no-extra-boolean-cast: error
+  no-extra-parens: off
+  no-extra-semi: error
+  no-func-assign: error
+  no-inner-declarations:
+    - error
+    - functions
+  no-invalid-regexp: error
+  no-irregular-whitespace: error
+  no-negated-in-lhs: error
+  no-obj-calls: error
+  no-prototype-builtins: off
+  no-regex-spaces: error
+  no-sparse-arrays: error
+  no-template-curly-in-string: off
+  no-unexpected-multiline: error
+  no-unreachable: error
+  no-unsafe-finally: off
+  no-unsafe-negation: off
+  use-isnan: error
+  valid-jsdoc: off
+  valid-typeof: error
+
+  # Best Practices
+  accessor-pairs: error
+  array-callback-return: off
+  block-scoped-var: off
+  class-methods-use-this: off
+  complexity:
+    - error
+    - 6
+  consistent-return: off
+  curly: off
+  default-case: off
+  dot-location: off
+  dot-notation: off
+  eqeqeq: error
+  guard-for-in: error
+  no-alert: error
+  no-caller: error
+  no-case-declarations: error
+  no-div-regex: error
+  no-else-return: off
+  no-empty-function: off
+  no-empty-pattern: error
+  no-eq-null: error
+  no-eval: error
+  no-extend-native: error
+  no-extra-bind: error
+  no-extra-label: off
+  no-fallthrough: error
+  no-floating-decimal: off
+  no-global-assign: off
+  no-implicit-coercion: off
+  no-implied-eval: error
+  no-invalid-this: off
+  no-iterator: error
+  no-labels:
+    - error
+    - allowLoop: true
+      allowSwitch: true
+  no-lone-blocks: error
+  no-loop-func: error
+  no-magic-number: off
+  no-multi-spaces: off
+  no-multi-str: off
+  no-native-reassign: error
+  no-new-func: error
+  no-new-wrappers: error
+  no-new: error
+  no-octal-escape: error
+  no-octal: error
+  no-param-reassign: off
+  no-proto: error
+  no-redeclare: error
+  no-restricted-properties: off
+  no-return-assign: error
+  no-return-await: off
+  no-script-url: error
+  no-self-assign: off
+  no-self-compare: error
+  no-sequences: off
+  no-throw-literal: off
+  no-unmodified-loop-condition: off
+  no-unused-expressions: error
+  no-unused-labels: off
+  no-useless-call: error
+  no-useless-concat: error
+  no-useless-escape: off
+  no-useless-return: off
+  no-void: error
+  no-warning-comments: off
+  no-with: error
+  prefer-promise-reject-errors: off
+  radix: error
+  require-await: off
+  vars-on-top: off
+  wrap-iife: error
+  yoda: off
+
+  # Strict
+  strict: off
+
+  # Variables
+  init-declarations: off
+  no-catch-shadow: error
+  no-delete-var: error
+  no-label-var: error
+  no-restricted-globals: off
+  no-shadow-restricted-names: error
+  no-shadow: off
+  no-undef-init: error
+  no-undef: off
+  no-undefined: off
+  no-unused-vars: off
+  no-use-before-define: off
+
+  # Node.js and CommonJS
+  callback-return: error
+  global-require: error
+  handle-callback-err: error
+  no-mixed-requires: off
+  no-new-require: off
+  no-path-concat: error
+  no-process-env: off
+  no-process-exit: error
+  no-restricted-modules: off
+  no-sync: off
+
+  # Stylistic Issues
+  array-bracket-spacing: off
+  block-spacing: off
+  brace-style: off
+  camelcase: off
+  capitalized-comments: off
+  comma-dangle:
+    - error
+    - never
+  comma-spacing: off
+  comma-style: off
+  computed-property-spacing: off
+  consistent-this: off
+  eol-last: off
+  func-call-spacing: off
+  func-name-matching: off
+  func-names: off
+  func-style: off
+  id-length: off
+  id-match: off
+  indent: off
+  jsx-quotes: off
+  key-spacing: off
+  keyword-spacing: off
+  line-comment-position: off
+  linebreak-style:
+    - error
+    - unix
+  lines-around-comment: off
+  lines-around-directive: off
+  max-depth: off
+  max-len: off
+  max-nested-callbacks: off
+  max-params: off
+  max-statements-per-line: off
+  max-statements:
+    - error
+    - 30
+  multiline-ternary: off
+  new-cap: off
+  new-parens: off
+  newline-after-var: off
+  newline-before-return: off
+  newline-per-chained-call: off
+  no-array-constructor: off
+  no-bitwise: off
+  no-continue: off
+  no-inline-comments: off
+  no-lonely-if: off
+  no-mixed-operators: off
+  no-mixed-spaces-and-tabs: off
+  no-multi-assign: off
+  no-multiple-empty-lines: off
+  no-negated-condition: off
+  no-nested-ternary: off
+  no-new-object: off
+  no-plusplus: off
+  no-restricted-syntax: off
+  no-spaced-func: off
+  no-tabs: off
+  no-ternary: off
+  no-trailing-spaces: off
+  no-underscore-dangle: off
+  no-unneeded-ternary: off
+  object-curly-newline: off
+  object-curly-spacing: off
+  object-property-newline: off
+  one-var-declaration-per-line: off
+  one-var: off
+  operator-assignment: off
+  operator-linebreak: off
+  padded-blocks: off
+  quote-props: off
+  quotes:
+    - error
+    - single
+  require-jsdoc: off
+  semi-spacing: off
+  semi:
+    - error
+    - always
+  sort-keys: off
+  sort-vars: off
+  space-before-blocks: off
+  space-before-function-paren: off
+  space-in-parens: off
+  space-infix-ops: off
+  space-unary-ops: off
+  spaced-comment: off
+  template-tag-spacing: off
+  unicode-bom: off
+  wrap-regex: off
+
+  # ECMAScript 6
+  arrow-body-style: off
+  arrow-parens: off
+  arrow-spacing: off
+  constructor-super: off
+  generator-star-spacing: off
+  no-class-assign: off
+  no-confusing-arrow: off
+  no-const-assign: off
+  no-dupe-class-members: off
+  no-duplicate-imports: off
+  no-new-symbol: off
+  no-restricted-imports: off
+  no-this-before-super: off
+  no-useless-computed-key: off
+  no-useless-constructor: off
+  no-useless-rename: off
+  no-var: off
+  object-shorthand: off
+  prefer-arrow-callback: off
+  prefer-const: off
+  prefer-destructuring: off
+  prefer-numeric-literals: off
+  prefer-rest-params: off
+  prefer-reflect: off
+  prefer-spread: off
+  prefer-template: off
+  require-yield: off
+  rest-spread-spacing: off
+  sort-imports: off
+  symbol-description: off
+  template-curly-spacing: off
+  yield-star-spacing: off

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,44 @@
+<!--
+
+Thanks for opening an issue on Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+If you are reporting a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+
+If you suspect your issue is a bug, please edit your issue description to
+include the BUG REPORT INFORMATION shown below.
+
+---------------------------------------------------
+BUG REPORT INFORMATION
+---------------------------------------------------
+You do NOT have to include this information if this is a FEATURE REQUEST
+-->
+
+**Description**
+
+<!--
+Briefly describe the problem you are having in a few paragraphs.
+-->
+
+**Steps to reproduce the issue:**
+
+1.
+2.
+3.
+
+Any other info e.g. Why do you consider this to be a bug? What did you expect to happen instead?
+
+**Technical details:**
+
+* Portainer version:
+* Target Docker version (the host/cluster you manage):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Target Swarm version (if applicable):
+* Browser:

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -0,0 +1,47 @@
+---
+name: Bug report
+about: Create a bug report
+
+---
+
+<!--
+
+Thanks for reporting a bug for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Bug description**
+
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+Briefly describe what you were expecting.
+
+**Steps to reproduce the issue:**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Technical details:**
+
+* Portainer version:
+* Docker version (managed by Portainer):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Browser:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/Custom.md

@@ -0,0 +1,15 @@
+---
+name: Question
+about: Ask us a question about Portainer usage or deployment
+
+---
+
+<!--
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Question**:
+How can I deploy Portainer on... ?

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest a feature/enhancement that should be added in Portainer
+
+---
+
+<!--
+
+Thanks for opening a feature request for Portainer !
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.gitignore

@@ -1,9 +1,6 @@
-logs/*
-!.gitkeep
-*.esproj/*
 node_modules
 bower_components
-.idea
 dist
-dockerui
-*.iml
+portainer-checksum.txt
+api/cmd/portainer/portainer*
+.tmp

.godir

@@ -1 +1 @@
-dockerui
+portainer

CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at anthony.lapenna@portainer.io. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -0,0 +1,76 @@
+# Contributing Guidelines
+
+Some basic conventions for contributing to this project.
+
+### General
+
+Please make sure that there aren't existing pull requests attempting to address the issue mentioned. Likewise, please check for issues related to update, as someone else may be working on the issue in a branch or fork.
+
+* Please open a discussion in a new issue / existing issue to talk about the changes you'd like to bring
+* Develop in a topic branch, not master/develop
+
+When creating a new branch, prefix it with the *type* of the change (see section **Commit Message Format** below), the associated opened issue number, a dash and some text describing the issue (using dash as a separator).
+
+For example, if you work on a bugfix for the issue #361, you could name the branch `fix361-template-selection`.
+
+### Issues open to contribution
+
+Want to contribute but don't know where to start?
+
+Some of the open issues are labeled with prefix `exp/`, this is used to mark them as available for contributors to work on. All of these have an attributed difficulty level:
+
+* **beginner**: a task that should be accessible with users not familiar with the codebase
+* **intermediate**: a task that require some understanding of the project codebase or some experience in
+either AngularJS or Golang
+* **advanced**: a task that require a deep understanding of the project codebase
+
+You can have a use Github filters to list these issues:
+
+* beginner labeled issues: https://github.com/portainer/portainer/labels/exp%2Fbeginner
+* intermediate labeled issues: https://github.com/portainer/portainer/labels/exp%2Fintermediate
+* advanced labeled issues: https://github.com/portainer/portainer/labels/exp%2Fadvanced
+
+
+### Commit Message Format
+
+Each commit message should include a **type**, a **scope** and a **subject**:
+
+```
+ <type>(<scope>): <subject>
+```
+
+Lines should not exceed 100 characters. This allows the message to be easier to read on github as well as in various git tools and produces a nice, neat commit log ie:
+
+```
+ #271 feat(containers): add exposed ports in the containers view
+ #270 fix(templates): fix a display issue in the templates view
+ #269 style(dashboard): update dashboard with new layout
+```
+
+#### Type
+
+Must be one of the following:
+
+* **feat**: A new feature
+* **fix**: A bug fix
+* **docs**: Documentation only changes
+* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing
+  semi-colons, etc)
+* **refactor**: A code change that neither fixes a bug or adds a feature
+* **test**: Adding missing tests
+* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation
+  generation
+
+#### Scope
+
+The scope could be anything specifying place of the commit change. For example `networks`,
+`containers`, `images` etc...
+You can use the **area** label tag associated on the issue here (for `area/containers` use `containers` as a scope...)
+
+#### Subject
+
+The subject contains succinct description of the change:
+
+* use the imperative, present tense: "change" not "changed" nor "changes"
+* don't capitalize first letter
+* no dot (.) at the end

Dockerfile

@@ -1,6 +0,0 @@
-FROM scratch
-
-COPY dist /
-
-EXPOSE 9000
-ENTRYPOINT ["/dockerui"]

LICENSE

@@ -1,7 +1,17 @@
-DockerUI: Copyright (c) 2013-2014 Michael Crosby. crosbymichael.com
+Copyright (c) 2018 Portainer.io
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the authors be held liable for any damages
+arising from the use of this software.
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+1. The origin of this software must not be misrepresented; you must not
+   claim that you wrote the original software. If you use this software
+   in a product, an acknowledgment in the product documentation would be
+   appreciated but is not required.
+2. Altered source versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.
+3. This notice may not be removed or altered from any source distribution.

Procfile

@@ -1 +0,0 @@
-web: dockerui -p ":$PORT" -e "$DOCKER_ENDPOINT"

README.md

@@ -1,82 +1,73 @@
-## DockerUI
 
-![Containers](/containers.png)
-DockerUI is a web interface for the Docker Remote API.  The goal is to provide a pure client side implementation so it is effortless to connect and manage docker.  This project is not complete and is still under heavy development.
+<p align="center">
+  <img title="portainer" src='https://portainer.io/images/logo_alt.png' />
+</p>
 
-![Container](/container.png)
+[![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
+[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer "Image size")
+[![Documentation Status](https://readthedocs.org/projects/portainer/badge/?version=stable)](http://portainer.readthedocs.io/en/stable/?badge=stable)
+[![Codefresh build status]( https://g.codefresh.io/api/badges/build?repoOwner=portainer&repoName=portainer&branch=develop&pipelineName=portainer-ci&accountName=deviantony&type=cf-1)]( https://g.codefresh.io/repositories/portainer/portainer/builds?filter=trigger:build;branch:develop;service:5922a08a3a1aab000116fcc6~portainer-ci)
+[![Code Climate](https://codeclimate.com/github/portainer/portainer/badges/gpa.svg)](https://codeclimate.com/github/portainer/portainer)
+[![Slack](https://portainer.io/slack/badge.svg)](https://portainer.io/slack/)
+[![Gitter](https://badges.gitter.im/portainer/Lobby.svg)](https://gitter.im/portainer/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YHXZJQNJQ36H6)
 
+**_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
 
-### Goals
-* Minimal dependencies - I really want to keep this project a pure html/js app.
-* Consistency - The web UI should be consistent with the commands found on the docker CLI.
+**_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container).
 
-### Container Quickstart 
-1. Run: `docker run -d -p 9000:9000 --privileged -v /var/run/docker.sock:/var/run/docker.sock dockerui/dockerui`
+**_Portainer_** allows you to manage your Docker containers, images, volumes, networks and more ! It is compatible with the *standalone Docker* engine and with *Docker Swarm mode*.
 
-2. Open your browser to `http://<dockerd host ip>:9000`
+## Demo
 
+<img src="https://portainer.io/images/screenshots/portainer.gif" width="77%"/>
 
-Bind mounting the Unix socket into the DockerUI container is much more secure than exposing your docker daemon over TCP. The `--privileged` flag is required for hosts using SELinux. You should still secure your DockerUI instance behind some type of auth. Directions for using Nginx auth are [here](https://github.com/crosbymichael/dockerui/wiki/Dockerui-with-Nginx-HTTP-Auth).
+You can try out the public demo instance: http://demo.portainer.io/ (login with the username **admin** and the password **tryportainer**).
 
-### Specify socket to connect to Docker daemon
+Please note that the public demo cluster is **reset every 15min**.
 
-By default DockerUI connects to the Docker daemon with`/var/run/docker.sock`. For this to work you need to bind mount the unix socket into the container with `-v /var/run/docker.sock:/var/run/docker.sock`.
+Alternatively, you can deploy a copy of the demo stack inside a [play-with-docker (PWD)](https://labs.play-with-docker.com) playground:
 
-You can use the `-e` flag to change this socket:
+- Browse [PWD/?stack=portainer-demo/play-with-docker/docker-stack.yml](http://play-with-docker.com/?stack=https://raw.githubusercontent.com/portainer/portainer-demo/master/play-with-docker/docker-stack.yml)
+- Sign in with your [Docker ID](https://docs.docker.com/docker-id)
+- Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.
 
-    # Connect to a tcp socket:
-    $ docker run -d -p 9000:9000 --privileged dockerui/dockerui -e http://127.0.0.1:2375
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are same, including default credentials.
 
-### Change address/port DockerUI is served on
-DockerUI listens on port 9000 by default. If you run DockerUI inside a container then you can bind the container's internal port to any external address and port:
+## Getting started
 
-    # Expose DockerUI on 10.20.30.1:80
-    $ docker run -d -p 10.20.30.1:80:9000 --privileged -v /var/run/docker.sock:/var/run/docker.sock dockerui/dockerui
+* [Deploy Portainer](https://portainer.readthedocs.io/en/latest/deployment.html)
+* [Documentation](https://portainer.readthedocs.io)
 
-### Check the [wiki](//github.com/crosbymichael/dockerui/wiki) for more info about using dockerui
+## Getting help
 
-### Stack
-* [Angular.js](https://github.com/angular/angular.js)
-* [Bootstrap](http://getbootstrap.com/)
-* [Gritter](https://github.com/jboesch/Gritter)
-* [Spin.js](https://github.com/fgnass/spin.js/)
-* [Golang](https://golang.org/)
-* [Vis.js](http://visjs.org/)
+* Issues: https://github.com/portainer/portainer/issues
+* FAQ: https://portainer.readthedocs.io/en/latest/faq.html
+* Slack (chat): https://portainer.io/slack/
+* Gitter (chat): https://gitter.im/portainer/Lobby
 
+## Reporting bugs and contributing
 
-### Todo:
-* Full repository support
-* Search
-* Push files to a container
-* Unit tests
+* Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
+* Want to help us build **_portainer_**? Follow our [contribution guidelines](https://portainer.readthedocs.io/en/latest/contribute.html) to build it  locally and make a pull request. We need all the help we can get!
 
+## Limitations
 
-### License - MIT
-The DockerUI code is licensed under the MIT license.
+**_Portainer_** has full support for the following Docker versions:
 
+* Docker 1.10 to the latest version
+* Standalone Docker Swarm >= 1.2.3 _(**NOTE:** Use of Standalone Docker Swarm is being discouraged since the introduction of built-in Swarm Mode in Docker. While older versions of Portainer had support for Standalone Docker Swarm, Portainer 1.17.0 and newer **do not** support it. However, the built-in Swarm Mode of Docker is fully supported.)_
 
-**DockerUI:**
-Copyright (c) 2014 Michael Crosby. crosbymichael.com
+Partial support for the following Docker versions (some features may not be available):
 
-Permission is hereby granted, free of charge, to any person
-obtaining a copy of this software and associated documentation 
-files (the "Software"), to deal in the Software without 
-restriction, including without limitation the rights to use, copy, 
-modify, merge, publish, distribute, sublicense, and/or sell copies 
-of the Software, and to permit persons to whom the Software is 
-furnished to do so, subject to the following conditions:
+* Docker 1.9
 
-The above copyright notice and this permission notice shall be 
-included in all copies or substantial portions of the Software.
+## Licensing
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 
-HOLDERS BE LIABLE FOR ANY CLAIM, 
-DAMAGES OR OTHER LIABILITY, 
-WHETHER IN AN ACTION OF CONTRACT, 
-TORT OR OTHERWISE, 
-ARISING FROM, OUT OF OR IN CONNECTION WITH 
-THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Portainer is licensed under the zlib license. See [LICENSE](./LICENSE) for reference.
+
+Portainer also contains the following code, which is licensed under the [MIT license](https://opensource.org/licenses/MIT):
+
+UI For Docker: Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com), Anthony Lapenna (portainer.io)
+
+rdash-angular: Copyright (c) [2014] [Elliot Hesp]

api/archive/tar.go

@@ -0,0 +1,36 @@
+package archive
+
+import (
+	"archive/tar"
+	"bytes"
+)
+
+// TarFileInBuffer will create a tar archive containing a single file named via fileName and using the content
+// specified in fileContent. Returns the archive as a byte array.
+func TarFileInBuffer(fileContent []byte, fileName string) ([]byte, error) {
+	var buffer bytes.Buffer
+	tarWriter := tar.NewWriter(&buffer)
+
+	header := &tar.Header{
+		Name: fileName,
+		Mode: 0600,
+		Size: int64(len(fileContent)),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = tarWriter.Write(fileContent)
+	if err != nil {
+		return nil, err
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	return buffer.Bytes(), nil
+}

api/bolt/datastore.go

@@ -0,0 +1,228 @@
+package bolt
+
+import (
+	"log"
+	"path"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/dockerhub"
+	"github.com/portainer/portainer/bolt/endpoint"
+	"github.com/portainer/portainer/bolt/endpointgroup"
+	"github.com/portainer/portainer/bolt/migrator"
+	"github.com/portainer/portainer/bolt/registry"
+	"github.com/portainer/portainer/bolt/resourcecontrol"
+	"github.com/portainer/portainer/bolt/settings"
+	"github.com/portainer/portainer/bolt/stack"
+	"github.com/portainer/portainer/bolt/tag"
+	"github.com/portainer/portainer/bolt/team"
+	"github.com/portainer/portainer/bolt/teammembership"
+	"github.com/portainer/portainer/bolt/user"
+	"github.com/portainer/portainer/bolt/version"
+)
+
+const (
+	databaseFileName = "portainer.db"
+)
+
+// Store defines the implementation of portainer.DataStore using
+// BoltDB as the storage system.
+type Store struct {
+	path                   string
+	db                     *bolt.DB
+	checkForDataMigration  bool
+	fileService            portainer.FileService
+	DockerHubService       *dockerhub.Service
+	EndpointGroupService   *endpointgroup.Service
+	EndpointService        *endpoint.Service
+	RegistryService        *registry.Service
+	ResourceControlService *resourcecontrol.Service
+	SettingsService        *settings.Service
+	StackService           *stack.Service
+	TagService             *tag.Service
+	TeamMembershipService  *teammembership.Service
+	TeamService            *team.Service
+	UserService            *user.Service
+	VersionService         *version.Service
+}
+
+// NewStore initializes a new Store and the associated services
+func NewStore(storePath string, fileService portainer.FileService) (*Store, error) {
+	store := &Store{
+		path:        storePath,
+		fileService: fileService,
+	}
+
+	databasePath := path.Join(storePath, databaseFileName)
+	databaseFileExists, err := fileService.FileExists(databasePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if !databaseFileExists {
+		store.checkForDataMigration = false
+	} else {
+		store.checkForDataMigration = true
+	}
+
+	return store, nil
+}
+
+// Open opens and initializes the BoltDB database.
+func (store *Store) Open() error {
+	databasePath := path.Join(store.path, databaseFileName)
+	db, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
+	if err != nil {
+		return err
+	}
+	store.db = db
+
+	return store.initServices()
+}
+
+// Init creates the default data set.
+func (store *Store) Init() error {
+	groups, err := store.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	if len(groups) == 0 {
+		unassignedGroup := &portainer.EndpointGroup{
+			Name:            "Unassigned",
+			Description:     "Unassigned endpoints",
+			Labels:          []portainer.Pair{},
+			AuthorizedUsers: []portainer.UserID{},
+			AuthorizedTeams: []portainer.TeamID{},
+			Tags:            []string{},
+		}
+
+		return store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
+	}
+
+	return nil
+}
+
+// Close closes the BoltDB database.
+func (store *Store) Close() error {
+	if store.db != nil {
+		return store.db.Close()
+	}
+	return nil
+}
+
+// MigrateData automatically migrate the data based on the DBVersion.
+func (store *Store) MigrateData() error {
+	if !store.checkForDataMigration {
+		return store.VersionService.StoreDBVersion(portainer.DBVersion)
+	}
+
+	version, err := store.VersionService.DBVersion()
+	if err == portainer.ErrObjectNotFound {
+		version = 0
+	} else if err != nil {
+		return err
+	}
+
+	if version < portainer.DBVersion {
+		migratorParams := &migrator.Parameters{
+			DB:                     store.db,
+			DatabaseVersion:        version,
+			EndpointGroupService:   store.EndpointGroupService,
+			EndpointService:        store.EndpointService,
+			ResourceControlService: store.ResourceControlService,
+			SettingsService:        store.SettingsService,
+			StackService:           store.StackService,
+			UserService:            store.UserService,
+			VersionService:         store.VersionService,
+			FileService:            store.fileService,
+		}
+		migrator := migrator.NewMigrator(migratorParams)
+
+		log.Printf("Migrating database from version %v to %v.\n", version, portainer.DBVersion)
+		err = migrator.Migrate()
+		if err != nil {
+			log.Printf("An error occurred during database migration: %s\n", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (store *Store) initServices() error {
+	dockerhubService, err := dockerhub.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.DockerHubService = dockerhubService
+
+	endpointgroupService, err := endpointgroup.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.EndpointGroupService = endpointgroupService
+
+	endpointService, err := endpoint.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.EndpointService = endpointService
+
+	registryService, err := registry.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.RegistryService = registryService
+
+	resourcecontrolService, err := resourcecontrol.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.ResourceControlService = resourcecontrolService
+
+	settingsService, err := settings.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.SettingsService = settingsService
+
+	stackService, err := stack.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.StackService = stackService
+
+	tagService, err := tag.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.TagService = tagService
+
+	teammembershipService, err := teammembership.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.TeamMembershipService = teammembershipService
+
+	teamService, err := team.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.TeamService = teamService
+
+	userService, err := user.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.UserService = userService
+
+	versionService, err := version.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.VersionService = versionService
+
+	return nil
+}

api/bolt/dockerhub/dockerhub.go

@@ -0,0 +1,48 @@
+package dockerhub
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName   = "dockerhub"
+	dockerHubKey = "DOCKERHUB"
+)
+
+// Service represents a service for managing Dockerhub data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// DockerHub returns the DockerHub object.
+func (service *Service) DockerHub() (*portainer.DockerHub, error) {
+	var dockerhub portainer.DockerHub
+
+	err := internal.GetObject(service.db, BucketName, []byte(dockerHubKey), &dockerhub)
+	if err != nil {
+		return nil, err
+	}
+
+	return &dockerhub, nil
+}
+
+// UpdateDockerHub updates a DockerHub object.
+func (service *Service) UpdateDockerHub(dockerhub *portainer.DockerHub) error {
+	return internal.UpdateObject(service.db, BucketName, []byte(dockerHubKey), dockerhub)
+}

api/bolt/endpoint/endpoint.go

@@ -0,0 +1,138 @@
+package endpoint
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "endpoints"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Endpoint returns an endpoint by ID.
+func (service *Service) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error) {
+	var endpoint portainer.Endpoint
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return &endpoint, nil
+}
+
+// UpdateEndpoint updates an endpoint.
+func (service *Service) UpdateEndpoint(ID portainer.EndpointID, endpoint *portainer.Endpoint) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, endpoint)
+}
+
+// DeleteEndpoint deletes an endpoint.
+func (service *Service) DeleteEndpoint(ID portainer.EndpointID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// Endpoints return an array containing all the endpoints.
+func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
+	var endpoints = make([]portainer.Endpoint, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var endpoint portainer.Endpoint
+			err := internal.UnmarshalObject(v, &endpoint)
+			if err != nil {
+				return err
+			}
+			endpoints = append(endpoints, endpoint)
+		}
+
+		return nil
+	})
+
+	return endpoints, err
+}
+
+// CreateEndpoint assign an ID to a new endpoint and saves it.
+func (service *Service) CreateEndpoint(endpoint *portainer.Endpoint) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		endpoint.ID = portainer.EndpointID(id)
+
+		data, err := internal.MarshalObject(endpoint)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(endpoint.ID)), data)
+	})
+}
+
+// Synchronize creates, updates and deletes endpoints inside a single transaction.
+func (service *Service) Synchronize(toCreate, toUpdate, toDelete []*portainer.Endpoint) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		for _, endpoint := range toCreate {
+			id, _ := bucket.NextSequence()
+			endpoint.ID = portainer.EndpointID(id)
+
+			data, err := internal.MarshalObject(endpoint)
+			if err != nil {
+				return err
+			}
+
+			err = bucket.Put(internal.Itob(int(endpoint.ID)), data)
+			if err != nil {
+				return err
+			}
+		}
+
+		for _, endpoint := range toUpdate {
+			data, err := internal.MarshalObject(endpoint)
+			if err != nil {
+				return err
+			}
+
+			err = bucket.Put(internal.Itob(int(endpoint.ID)), data)
+			if err != nil {
+				return err
+			}
+		}
+
+		for _, endpoint := range toDelete {
+			err := bucket.Delete(internal.Itob(int(endpoint.ID)))
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+}

api/bolt/endpointgroup/endpointgroup.go

@@ -0,0 +1,95 @@
+package endpointgroup
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "endpoint_groups"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// EndpointGroup returns an endpoint group by ID.
+func (service *Service) EndpointGroup(ID portainer.EndpointGroupID) (*portainer.EndpointGroup, error) {
+	var endpointGroup portainer.EndpointGroup
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &endpointGroup)
+	if err != nil {
+		return nil, err
+	}
+
+	return &endpointGroup, nil
+}
+
+// UpdateEndpointGroup updates an endpoint group.
+func (service *Service) UpdateEndpointGroup(ID portainer.EndpointGroupID, endpointGroup *portainer.EndpointGroup) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, endpointGroup)
+}
+
+// DeleteEndpointGroup deletes an endpoint group.
+func (service *Service) DeleteEndpointGroup(ID portainer.EndpointGroupID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// EndpointGroups return an array containing all the endpoint groups.
+func (service *Service) EndpointGroups() ([]portainer.EndpointGroup, error) {
+	var endpointGroups = make([]portainer.EndpointGroup, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var endpointGroup portainer.EndpointGroup
+			err := internal.UnmarshalObject(v, &endpointGroup)
+			if err != nil {
+				return err
+			}
+			endpointGroups = append(endpointGroups, endpointGroup)
+		}
+
+		return nil
+	})
+
+	return endpointGroups, err
+}
+
+// CreateEndpointGroup assign an ID to a new endpoint group and saves it.
+func (service *Service) CreateEndpointGroup(endpointGroup *portainer.EndpointGroup) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		endpointGroup.ID = portainer.EndpointGroupID(id)
+
+		data, err := internal.MarshalObject(endpointGroup)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(endpointGroup.ID)), data)
+	})
+}

api/bolt/internal/db.go

@@ -0,0 +1,94 @@
+package internal
+
+import (
+	"encoding/binary"
+
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+)
+
+// Itob returns an 8-byte big endian representation of v.
+// This function is typically used for encoding integer IDs to byte slices
+// so that they can be used as BoltDB keys.
+func Itob(v int) []byte {
+	b := make([]byte, 8)
+	binary.BigEndian.PutUint64(b, uint64(v))
+	return b
+}
+
+// CreateBucket is a generic function used to create a bucket inside a bolt database.
+func CreateBucket(db *bolt.DB, bucketName string) error {
+	return db.Update(func(tx *bolt.Tx) error {
+		_, err := tx.CreateBucketIfNotExists([]byte(bucketName))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// GetObject is a generic function used to retrieve an unmarshalled object from a bolt database.
+func GetObject(db *bolt.DB, bucketName string, key []byte, object interface{}) error {
+	var data []byte
+
+	err := db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+
+		value := bucket.Get(key)
+		if value == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return UnmarshalObject(data, object)
+}
+
+// UpdateObject is a generic function used to update an object inside a bolt database.
+func UpdateObject(db *bolt.DB, bucketName string, key []byte, object interface{}) error {
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+
+		data, err := MarshalObject(object)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(key, data)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+// DeleteObject is a generic function used to delete an object inside a bolt database.
+func DeleteObject(db *bolt.DB, bucketName string, key []byte) error {
+	return db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		return bucket.Delete(key)
+	})
+}
+
+// GetNextIdentifier is a generic function that returns the specified bucket identifier incremented by 1.
+func GetNextIdentifier(db *bolt.DB, bucketName string) int {
+	var identifier int
+
+	db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		id := bucket.Sequence()
+		identifier = int(id)
+		return nil
+	})
+
+	identifier++
+	return identifier
+}

api/bolt/internal/json.go

@@ -0,0 +1,15 @@
+package internal
+
+import (
+	"encoding/json"
+)
+
+// MarshalObject encodes an object to binary format
+func MarshalObject(object interface{}) ([]byte, error) {
+	return json.Marshal(object)
+}
+
+// UnmarshalObject decodes an object from binary data
+func UnmarshalObject(data []byte, object interface{}) error {
+	return json.Unmarshal(data, object)
+}

api/bolt/migrator/migrate_dbversion0.go

@@ -0,0 +1,36 @@
+package migrator
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/user"
+)
+
+func (m *Migrator) updateAdminUserToDBVersion1() error {
+	u, err := m.userService.UserByUsername("admin")
+	if err == nil {
+		admin := &portainer.User{
+			Username: "admin",
+			Password: u.Password,
+			Role:     portainer.AdministratorRole,
+		}
+		err = m.userService.CreateUser(admin)
+		if err != nil {
+			return err
+		}
+		err = m.removeLegacyAdminUser()
+		if err != nil {
+			return err
+		}
+	} else if err != nil && err != portainer.ErrObjectNotFound {
+		return err
+	}
+	return nil
+}
+
+func (m *Migrator) removeLegacyAdminUser() error {
+	return m.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(user.BucketName))
+		return bucket.Delete([]byte("admin"))
+	})
+}

api/bolt/migrator/migrate_dbversion1.go

@@ -0,0 +1,103 @@
+package migrator
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+)
+
+func (m *Migrator) updateResourceControlsToDBVersion2() error {
+	legacyResourceControls, err := m.retrieveLegacyResourceControls()
+	if err != nil {
+		return err
+	}
+
+	for _, resourceControl := range legacyResourceControls {
+		resourceControl.SubResourceIDs = []string{}
+		resourceControl.TeamAccesses = []portainer.TeamResourceAccess{}
+
+		owner, err := m.userService.User(resourceControl.OwnerID)
+		if err != nil {
+			return err
+		}
+
+		if owner.Role == portainer.AdministratorRole {
+			resourceControl.AdministratorsOnly = true
+			resourceControl.UserAccesses = []portainer.UserResourceAccess{}
+		} else {
+			resourceControl.AdministratorsOnly = false
+			userAccess := portainer.UserResourceAccess{
+				UserID:      resourceControl.OwnerID,
+				AccessLevel: portainer.ReadWriteAccessLevel,
+			}
+			resourceControl.UserAccesses = []portainer.UserResourceAccess{userAccess}
+		}
+
+		err = m.resourceControlService.CreateResourceControl(&resourceControl)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateEndpointsToDBVersion2() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.AuthorizedTeams = []portainer.TeamID{}
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) retrieveLegacyResourceControls() ([]portainer.ResourceControl, error) {
+	legacyResourceControls := make([]portainer.ResourceControl, 0)
+	err := m.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte("containerResourceControl"))
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var resourceControl portainer.ResourceControl
+			err := internal.UnmarshalObject(v, &resourceControl)
+			if err != nil {
+				return err
+			}
+			resourceControl.Type = portainer.ContainerResourceControl
+			legacyResourceControls = append(legacyResourceControls, resourceControl)
+		}
+
+		bucket = tx.Bucket([]byte("serviceResourceControl"))
+		cursor = bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var resourceControl portainer.ResourceControl
+			err := internal.UnmarshalObject(v, &resourceControl)
+			if err != nil {
+				return err
+			}
+			resourceControl.Type = portainer.ServiceResourceControl
+			legacyResourceControls = append(legacyResourceControls, resourceControl)
+		}
+
+		bucket = tx.Bucket([]byte("volumeResourceControl"))
+		cursor = bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var resourceControl portainer.ResourceControl
+			err := internal.UnmarshalObject(v, &resourceControl)
+			if err != nil {
+				return err
+			}
+			resourceControl.Type = portainer.VolumeResourceControl
+			legacyResourceControls = append(legacyResourceControls, resourceControl)
+		}
+		return nil
+	})
+	return legacyResourceControls, err
+}

api/bolt/migrator/migrate_dbversion10.go

@@ -0,0 +1,28 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion11() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		if endpoint.Type == portainer.AgentOnDockerEnvironment {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = true
+		} else {
+			if endpoint.TLSConfig.TLSSkipVerify && !endpoint.TLSConfig.TLS {
+				endpoint.TLSConfig.TLSSkipVerify = false
+			}
+		}
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion11.go

@@ -0,0 +1,127 @@
+package migrator
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+	"github.com/portainer/portainer/bolt/stack"
+)
+
+func (m *Migrator) updateEndpointsToVersion12() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Tags = []string{}
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) updateEndpointGroupsToVersion12() error {
+	legacyEndpointGroups, err := m.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, group := range legacyEndpointGroups {
+		group.Tags = []string{}
+
+		err = m.endpointGroupService.UpdateEndpointGroup(group.ID, &group)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type legacyStack struct {
+	ID          string               `json:"Id"`
+	Name        string               `json:"Name"`
+	EndpointID  portainer.EndpointID `json:"EndpointId"`
+	SwarmID     string               `json:"SwarmId"`
+	EntryPoint  string               `json:"EntryPoint"`
+	Env         []portainer.Pair     `json:"Env"`
+	ProjectPath string
+}
+
+func (m *Migrator) updateStacksToVersion12() error {
+	legacyStacks, err := m.retrieveLegacyStacks()
+	if err != nil {
+		return err
+	}
+
+	for _, legacyStack := range legacyStacks {
+		err := m.convertLegacyStack(&legacyStack)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) convertLegacyStack(s *legacyStack) error {
+	stackID := m.stackService.GetNextIdentifier()
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackID),
+		Name:       s.Name,
+		Type:       portainer.DockerSwarmStack,
+		SwarmID:    s.SwarmID,
+		EndpointID: 0,
+		EntryPoint: s.EntryPoint,
+		Env:        s.Env,
+	}
+
+	stack.ProjectPath = strings.Replace(s.ProjectPath, s.ID, strconv.Itoa(stackID), 1)
+	err := m.fileService.Rename(s.ProjectPath, stack.ProjectPath)
+	if err != nil {
+		return err
+	}
+
+	err = m.deleteLegacyStack(s.ID)
+	if err != nil {
+		return err
+	}
+
+	return m.stackService.CreateStack(stack)
+}
+
+func (m *Migrator) deleteLegacyStack(legacyID string) error {
+	return m.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stack.BucketName))
+		return bucket.Delete([]byte(legacyID))
+	})
+}
+
+func (m *Migrator) retrieveLegacyStacks() ([]legacyStack, error) {
+	var legacyStacks = make([]legacyStack, 0)
+	err := m.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(stack.BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack legacyStack
+			err := internal.UnmarshalObject(v, &stack)
+			if err != nil {
+				return err
+			}
+			legacyStacks = append(legacyStacks, stack)
+		}
+
+		return nil
+	})
+
+	return legacyStacks, err
+}

api/bolt/migrator/migrate_dbversion2.go

@@ -0,0 +1,20 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateSettingsToDBVersion3() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AuthenticationMethod = portainer.AuthenticationInternal
+	legacySettings.LDAPSettings = portainer.LDAPSettings{
+		TLSConfig: portainer.TLSConfiguration{},
+		SearchSettings: []portainer.LDAPSearchSettings{
+			portainer.LDAPSearchSettings{},
+		},
+	}
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion3.go

@@ -0,0 +1,28 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToDBVersion4() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.TLSConfig = portainer.TLSConfiguration{}
+		if endpoint.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = endpoint.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = endpoint.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = endpoint.TLSKeyPath
+		}
+
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion4.go

@@ -0,0 +1,11 @@
+package migrator
+
+func (m *Migrator) updateSettingsToVersion5() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowBindMountsForRegularUsers = true
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion5.go

@@ -0,0 +1,11 @@
+package migrator
+
+func (m *Migrator) updateSettingsToVersion6() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+
+	legacySettings.AllowPrivilegedModeForRegularUsers = true
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion6.go

@@ -0,0 +1,11 @@
+package migrator
+
+func (m *Migrator) updateSettingsToVersion7() error {
+	legacySettings, err := m.settingsService.Settings()
+	if err != nil {
+		return err
+	}
+	legacySettings.DisplayDonationHeader = true
+
+	return m.settingsService.UpdateSettings(legacySettings)
+}

api/bolt/migrator/migrate_dbversion7.go

@@ -0,0 +1,20 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion8() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Extensions = []portainer.EndpointExtension{}
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion8.go

@@ -0,0 +1,20 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion9() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.GroupID = portainer.EndpointGroupID(1)
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrate_dbversion9.go

@@ -0,0 +1,20 @@
+package migrator
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion10() error {
+	legacyEndpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Type = portainer.DockerEnvironment
+		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator/migrator.go

@@ -0,0 +1,174 @@
+package migrator
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/endpoint"
+	"github.com/portainer/portainer/bolt/endpointgroup"
+	"github.com/portainer/portainer/bolt/resourcecontrol"
+	"github.com/portainer/portainer/bolt/settings"
+	"github.com/portainer/portainer/bolt/stack"
+	"github.com/portainer/portainer/bolt/user"
+	"github.com/portainer/portainer/bolt/version"
+)
+
+type (
+	// Migrator defines a service to migrate data after a Portainer version update.
+	Migrator struct {
+		currentDBVersion       int
+		db                     *bolt.DB
+		endpointGroupService   *endpointgroup.Service
+		endpointService        *endpoint.Service
+		resourceControlService *resourcecontrol.Service
+		settingsService        *settings.Service
+		stackService           *stack.Service
+		userService            *user.Service
+		versionService         *version.Service
+		fileService            portainer.FileService
+	}
+
+	// Parameters represents the required parameters to create a new Migrator instance.
+	Parameters struct {
+		DB                     *bolt.DB
+		DatabaseVersion        int
+		EndpointGroupService   *endpointgroup.Service
+		EndpointService        *endpoint.Service
+		ResourceControlService *resourcecontrol.Service
+		SettingsService        *settings.Service
+		StackService           *stack.Service
+		UserService            *user.Service
+		VersionService         *version.Service
+		FileService            portainer.FileService
+	}
+)
+
+// NewMigrator creates a new Migrator.
+func NewMigrator(parameters *Parameters) *Migrator {
+	return &Migrator{
+		db:                     parameters.DB,
+		currentDBVersion:       parameters.DatabaseVersion,
+		endpointGroupService:   parameters.EndpointGroupService,
+		endpointService:        parameters.EndpointService,
+		resourceControlService: parameters.ResourceControlService,
+		settingsService:        parameters.SettingsService,
+		stackService:           parameters.StackService,
+		userService:            parameters.UserService,
+		versionService:         parameters.VersionService,
+		fileService:            parameters.FileService,
+	}
+}
+
+// Migrate checks the database version and migrate the existing data to the most recent data model.
+func (m *Migrator) Migrate() error {
+
+	// Portainer < 1.12
+	if m.currentDBVersion < 1 {
+		err := m.updateAdminUserToDBVersion1()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.12.x
+	if m.currentDBVersion < 2 {
+		err := m.updateResourceControlsToDBVersion2()
+		if err != nil {
+			return err
+		}
+		err = m.updateEndpointsToDBVersion2()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.13.x
+	if m.currentDBVersion < 3 {
+		err := m.updateSettingsToDBVersion3()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.14.0
+	if m.currentDBVersion < 4 {
+		err := m.updateEndpointsToDBVersion4()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1235
+	if m.currentDBVersion < 5 {
+		err := m.updateSettingsToVersion5()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1236
+	if m.currentDBVersion < 6 {
+		err := m.updateSettingsToVersion6()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1449
+	if m.currentDBVersion < 7 {
+		err := m.updateSettingsToVersion7()
+		if err != nil {
+			return err
+		}
+	}
+
+	if m.currentDBVersion < 8 {
+		err := m.updateEndpointsToVersion8()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https: //github.com/portainer/portainer/issues/1396
+	if m.currentDBVersion < 9 {
+		err := m.updateEndpointsToVersion9()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/461
+	if m.currentDBVersion < 10 {
+		err := m.updateEndpointsToVersion10()
+		if err != nil {
+			return err
+		}
+	}
+
+	// https://github.com/portainer/portainer/issues/1906
+	if m.currentDBVersion < 11 {
+		err := m.updateEndpointsToVersion11()
+		if err != nil {
+			return err
+		}
+	}
+
+	// Portainer 1.18.0
+	if m.currentDBVersion < 12 {
+		err := m.updateEndpointsToVersion12()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateEndpointGroupsToVersion12()
+		if err != nil {
+			return err
+		}
+
+		err = m.updateStacksToVersion12()
+		if err != nil {
+			return err
+		}
+	}
+
+	return m.versionService.StoreDBVersion(portainer.DBVersion)
+}

api/bolt/registry/registry.go

@@ -0,0 +1,95 @@
+package registry
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "registries"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Registry returns an registry by ID.
+func (service *Service) Registry(ID portainer.RegistryID) (*portainer.Registry, error) {
+	var registry portainer.Registry
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &registry)
+	if err != nil {
+		return nil, err
+	}
+
+	return &registry, nil
+}
+
+// Registries returns an array containing all the registries.
+func (service *Service) Registries() ([]portainer.Registry, error) {
+	var registries = make([]portainer.Registry, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var registry portainer.Registry
+			err := internal.UnmarshalObject(v, &registry)
+			if err != nil {
+				return err
+			}
+			registries = append(registries, registry)
+		}
+
+		return nil
+	})
+
+	return registries, err
+}
+
+// CreateRegistry creates a new registry.
+func (service *Service) CreateRegistry(registry *portainer.Registry) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		registry.ID = portainer.RegistryID(id)
+
+		data, err := internal.MarshalObject(registry)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(registry.ID)), data)
+	})
+}
+
+// UpdateRegistry updates an registry.
+func (service *Service) UpdateRegistry(ID portainer.RegistryID, registry *portainer.Registry) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, registry)
+}
+
+// DeleteRegistry deletes an registry.
+func (service *Service) DeleteRegistry(ID portainer.RegistryID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/resourcecontrol/resourcecontrol.go

@@ -0,0 +1,134 @@
+package resourcecontrol
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "resource_control"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// ResourceControl returns a ResourceControl object by ID
+func (service *Service) ResourceControl(ID portainer.ResourceControlID) (*portainer.ResourceControl, error) {
+	var resourceControl portainer.ResourceControl
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &resourceControl)
+	if err != nil {
+		return nil, err
+	}
+
+	return &resourceControl, nil
+}
+
+// ResourceControlByResourceID returns a ResourceControl object by checking if the resourceID is equal
+// to the main ResourceID or in SubResourceIDs
+func (service *Service) ResourceControlByResourceID(resourceID string) (*portainer.ResourceControl, error) {
+	var resourceControl *portainer.ResourceControl
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var rc portainer.ResourceControl
+			err := internal.UnmarshalObject(v, &rc)
+			if err != nil {
+				return err
+			}
+
+			if rc.ResourceID == resourceID {
+				resourceControl = &rc
+				break
+			}
+
+			for _, subResourceID := range rc.SubResourceIDs {
+				if subResourceID == resourceID {
+					resourceControl = &rc
+					break
+				}
+			}
+		}
+
+		if resourceControl == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		return nil
+	})
+
+	return resourceControl, err
+}
+
+// ResourceControls returns all the ResourceControl objects
+func (service *Service) ResourceControls() ([]portainer.ResourceControl, error) {
+	var rcs = make([]portainer.ResourceControl, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var resourceControl portainer.ResourceControl
+			err := internal.UnmarshalObject(v, &resourceControl)
+			if err != nil {
+				return err
+			}
+			rcs = append(rcs, resourceControl)
+		}
+
+		return nil
+	})
+
+	return rcs, err
+}
+
+// CreateResourceControl creates a new ResourceControl object
+func (service *Service) CreateResourceControl(resourceControl *portainer.ResourceControl) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		resourceControl.ID = portainer.ResourceControlID(id)
+
+		data, err := internal.MarshalObject(resourceControl)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(resourceControl.ID)), data)
+	})
+}
+
+// UpdateResourceControl saves a ResourceControl object.
+func (service *Service) UpdateResourceControl(ID portainer.ResourceControlID, resourceControl *portainer.ResourceControl) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, resourceControl)
+}
+
+// DeleteResourceControl deletes a ResourceControl object by ID
+func (service *Service) DeleteResourceControl(ID portainer.ResourceControlID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/settings/settings.go

@@ -0,0 +1,48 @@
+package settings
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName  = "settings"
+	settingsKey = "SETTINGS"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Settings retrieve the settings object.
+func (service *Service) Settings() (*portainer.Settings, error) {
+	var settings portainer.Settings
+
+	err := internal.GetObject(service.db, BucketName, []byte(settingsKey), &settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings, nil
+}
+
+// UpdateSettings persists a Settings object.
+func (service *Service) UpdateSettings(settings *portainer.Settings) error {
+	return internal.UpdateObject(service.db, BucketName, []byte(settingsKey), settings)
+}

api/bolt/stack/stack.go

@@ -0,0 +1,134 @@
+package stack
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "stacks"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Stack returns a stack object by ID.
+func (service *Service) Stack(ID portainer.StackID) (*portainer.Stack, error) {
+	var stack portainer.Stack
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &stack)
+	if err != nil {
+		return nil, err
+	}
+
+	return &stack, nil
+}
+
+// StackByName returns a stack object by name.
+func (service *Service) StackByName(name string) (*portainer.Stack, error) {
+	var stack *portainer.Stack
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var t portainer.Stack
+			err := internal.UnmarshalObject(v, &t)
+			if err != nil {
+				return err
+			}
+
+			if t.Name == name {
+				stack = &t
+				break
+			}
+		}
+
+		if stack == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		return nil
+	})
+
+	return stack, err
+}
+
+// Stacks returns an array containing all the stacks.
+func (service *Service) Stacks() ([]portainer.Stack, error) {
+	var stacks = make([]portainer.Stack, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var stack portainer.Stack
+			err := internal.UnmarshalObject(v, &stack)
+			if err != nil {
+				return err
+			}
+			stacks = append(stacks, stack)
+		}
+
+		return nil
+	})
+
+	return stacks, err
+}
+
+// GetNextIdentifier returns the next identifier for a stack.
+func (service *Service) GetNextIdentifier() int {
+	return internal.GetNextIdentifier(service.db, BucketName)
+}
+
+// CreateStack creates a new stack.
+func (service *Service) CreateStack(stack *portainer.Stack) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		// We manually manage sequences for stacks
+		err := bucket.SetSequence(uint64(stack.ID))
+		if err != nil {
+			return err
+		}
+
+		data, err := internal.MarshalObject(stack)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(stack.ID)), data)
+	})
+}
+
+// UpdateStack updates a stack.
+func (service *Service) UpdateStack(ID portainer.StackID, stack *portainer.Stack) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, stack)
+}
+
+// DeleteStack deletes a stack.
+func (service *Service) DeleteStack(ID portainer.StackID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/tag/tag.go

@@ -0,0 +1,76 @@
+package tag
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "tags"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Tags return an array containing all the tags.
+func (service *Service) Tags() ([]portainer.Tag, error) {
+	var tags = make([]portainer.Tag, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var tag portainer.Tag
+			err := internal.UnmarshalObject(v, &tag)
+			if err != nil {
+				return err
+			}
+			tags = append(tags, tag)
+		}
+
+		return nil
+	})
+
+	return tags, err
+}
+
+// CreateTag creates a new tag.
+func (service *Service) CreateTag(tag *portainer.Tag) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		tag.ID = portainer.TagID(id)
+
+		data, err := internal.MarshalObject(tag)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(tag.ID)), data)
+	})
+}
+
+// DeleteTag deletes a tag.
+func (service *Service) DeleteTag(ID portainer.TagID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/team/team.go

@@ -0,0 +1,126 @@
+package team
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "teams"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Team returns a Team by ID
+func (service *Service) Team(ID portainer.TeamID) (*portainer.Team, error) {
+	var team portainer.Team
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &team)
+	if err != nil {
+		return nil, err
+	}
+
+	return &team, nil
+}
+
+// TeamByName returns a team by name.
+func (service *Service) TeamByName(name string) (*portainer.Team, error) {
+	var team *portainer.Team
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var t portainer.Team
+			err := internal.UnmarshalObject(v, &t)
+			if err != nil {
+				return err
+			}
+
+			if t.Name == name {
+				team = &t
+				break
+			}
+		}
+
+		if team == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		return nil
+	})
+
+	return team, err
+}
+
+// Teams return an array containing all the teams.
+func (service *Service) Teams() ([]portainer.Team, error) {
+	var teams = make([]portainer.Team, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var team portainer.Team
+			err := internal.UnmarshalObject(v, &team)
+			if err != nil {
+				return err
+			}
+			teams = append(teams, team)
+		}
+
+		return nil
+	})
+
+	return teams, err
+}
+
+// UpdateTeam saves a Team.
+func (service *Service) UpdateTeam(ID portainer.TeamID, team *portainer.Team) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, team)
+}
+
+// CreateTeam creates a new Team.
+func (service *Service) CreateTeam(team *portainer.Team) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		team.ID = portainer.TeamID(id)
+
+		data, err := internal.MarshalObject(team)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(team.ID)), data)
+	})
+}
+
+// DeleteTeam deletes a Team.
+func (service *Service) DeleteTeam(ID portainer.TeamID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/teammembership/teammembership.go

@@ -0,0 +1,197 @@
+package teammembership
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "team_membership"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// TeamMembership returns a TeamMembership object by ID
+func (service *Service) TeamMembership(ID portainer.TeamMembershipID) (*portainer.TeamMembership, error) {
+	var membership portainer.TeamMembership
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &membership)
+	if err != nil {
+		return nil, err
+	}
+
+	return &membership, nil
+}
+
+// TeamMemberships return an array containing all the TeamMembership objects.
+func (service *Service) TeamMemberships() ([]portainer.TeamMembership, error) {
+	var memberships = make([]portainer.TeamMembership, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var membership portainer.TeamMembership
+			err := internal.UnmarshalObject(v, &membership)
+			if err != nil {
+				return err
+			}
+			memberships = append(memberships, membership)
+		}
+
+		return nil
+	})
+
+	return memberships, err
+}
+
+// TeamMembershipsByUserID return an array containing all the TeamMembership objects where the specified userID is present.
+func (service *Service) TeamMembershipsByUserID(userID portainer.UserID) ([]portainer.TeamMembership, error) {
+	var memberships = make([]portainer.TeamMembership, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var membership portainer.TeamMembership
+			err := internal.UnmarshalObject(v, &membership)
+			if err != nil {
+				return err
+			}
+
+			if membership.UserID == userID {
+				memberships = append(memberships, membership)
+			}
+		}
+
+		return nil
+	})
+
+	return memberships, err
+}
+
+// TeamMembershipsByTeamID return an array containing all the TeamMembership objects where the specified teamID is present.
+func (service *Service) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]portainer.TeamMembership, error) {
+	var memberships = make([]portainer.TeamMembership, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var membership portainer.TeamMembership
+			err := internal.UnmarshalObject(v, &membership)
+			if err != nil {
+				return err
+			}
+
+			if membership.TeamID == teamID {
+				memberships = append(memberships, membership)
+			}
+		}
+
+		return nil
+	})
+
+	return memberships, err
+}
+
+// UpdateTeamMembership saves a TeamMembership object.
+func (service *Service) UpdateTeamMembership(ID portainer.TeamMembershipID, membership *portainer.TeamMembership) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, membership)
+}
+
+// CreateTeamMembership creates a new TeamMembership object.
+func (service *Service) CreateTeamMembership(membership *portainer.TeamMembership) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		membership.ID = portainer.TeamMembershipID(id)
+
+		data, err := internal.MarshalObject(membership)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(membership.ID)), data)
+	})
+}
+
+// DeleteTeamMembership deletes a TeamMembership object.
+func (service *Service) DeleteTeamMembership(ID portainer.TeamMembershipID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
+
+// DeleteTeamMembershipByUserID deletes all the TeamMembership object associated to a UserID.
+func (service *Service) DeleteTeamMembershipByUserID(userID portainer.UserID) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var membership portainer.TeamMembership
+			err := internal.UnmarshalObject(v, &membership)
+			if err != nil {
+				return err
+			}
+
+			if membership.UserID == userID {
+				err := bucket.Delete(internal.Itob(int(membership.ID)))
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		return nil
+	})
+}
+
+// DeleteTeamMembershipByTeamID deletes all the TeamMembership object associated to a TeamID.
+func (service *Service) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var membership portainer.TeamMembership
+			err := internal.UnmarshalObject(v, &membership)
+			if err != nil {
+				return err
+			}
+
+			if membership.TeamID == teamID {
+				err := bucket.Delete(internal.Itob(int(membership.ID)))
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		return nil
+	})
+}

api/bolt/user/user.go

@@ -0,0 +1,149 @@
+package user
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "users"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// User returns a user by ID
+func (service *Service) User(ID portainer.UserID) (*portainer.User, error) {
+	var user portainer.User
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &user, nil
+}
+
+// UserByUsername returns a user by username.
+func (service *Service) UserByUsername(username string) (*portainer.User, error) {
+	var user *portainer.User
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+		cursor := bucket.Cursor()
+
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var u portainer.User
+			err := internal.UnmarshalObject(v, &u)
+			if err != nil {
+				return err
+			}
+
+			if u.Username == username {
+				user = &u
+				break
+			}
+		}
+
+		if user == nil {
+			return portainer.ErrObjectNotFound
+		}
+		return nil
+	})
+
+	return user, err
+}
+
+// Users return an array containing all the users.
+func (service *Service) Users() ([]portainer.User, error) {
+	var users = make([]portainer.User, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var user portainer.User
+			err := internal.UnmarshalObject(v, &user)
+			if err != nil {
+				return err
+			}
+			users = append(users, user)
+		}
+
+		return nil
+	})
+
+	return users, err
+}
+
+// UsersByRole return an array containing all the users with the specified role.
+func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
+	var users = make([]portainer.User, 0)
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var user portainer.User
+			err := internal.UnmarshalObject(v, &user)
+			if err != nil {
+				return err
+			}
+
+			if user.Role == role {
+				users = append(users, user)
+			}
+		}
+		return nil
+	})
+
+	return users, err
+}
+
+// UpdateUser saves a user.
+func (service *Service) UpdateUser(ID portainer.UserID, user *portainer.User) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, user)
+}
+
+// CreateUser creates a new user.
+func (service *Service) CreateUser(user *portainer.User) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		user.ID = portainer.UserID(id)
+
+		data, err := internal.MarshalObject(user)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(user.ID)), data)
+	})
+}
+
+// DeleteUser deletes a user.
+func (service *Service) DeleteUser(ID portainer.UserID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}

api/bolt/version/version.go

@@ -0,0 +1,66 @@
+package version
+
+import (
+	"strconv"
+
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "version"
+	versionKey = "DB_VERSION"
+)
+
+// Service represents a service to manage stored versions.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// DBVersion retrieves the stored database version.
+func (service *Service) DBVersion() (int, error) {
+	var data []byte
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		value := bucket.Get([]byte(versionKey))
+		if value == nil {
+			return portainer.ErrObjectNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+
+		return nil
+	})
+	if err != nil {
+		return 0, err
+	}
+
+	return strconv.Atoi(string(data))
+}
+
+// StoreDBVersion store the database version.
+func (service *Service) StoreDBVersion(version int) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		data := []byte(strconv.Itoa(version))
+		return bucket.Put([]byte(versionKey), data)
+	})
+}

api/cli/cli.go

@@ -0,0 +1,141 @@
+package cli
+
+import (
+	"time"
+
+	"github.com/portainer/portainer"
+
+	"os"
+	"path/filepath"
+	"strings"
+
+	"gopkg.in/alecthomas/kingpin.v2"
+)
+
+// Service implements the CLIService interface
+type Service struct{}
+
+const (
+	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix:// or tcp://")
+	errSocketNotFound                = portainer.Error("Unable to locate Unix socket")
+	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
+	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
+	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
+	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
+	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
+)
+
+// ParseFlags parse the CLI flags and return a portainer.Flags struct
+func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
+	kingpin.Version(version)
+
+	flags := &portainer.CLIFlags{
+		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
+		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
+		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
+		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
+		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
+		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
+		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
+		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
+		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
+		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
+		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
+		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
+		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
+		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
+		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
+		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
+		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
+		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
+		Templates:         kingpin.Flag("templates", "URL to the templates (apps) definitions").Short('t').String(),
+	}
+
+	kingpin.Parse()
+
+	if !filepath.IsAbs(*flags.Assets) {
+		ex, err := os.Executable()
+		if err != nil {
+			panic(err)
+		}
+		*flags.Assets = filepath.Join(filepath.Dir(ex), *flags.Assets)
+	}
+
+	return flags, nil
+}
+
+// ValidateFlags validates the values of the flags.
+func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
+
+	if *flags.EndpointURL != "" && *flags.ExternalEndpoints != "" {
+		return errEndpointExcludeExternal
+	}
+
+	err := validateEndpointURL(*flags.EndpointURL)
+	if err != nil {
+		return err
+	}
+
+	err = validateExternalEndpoints(*flags.ExternalEndpoints)
+	if err != nil {
+		return err
+	}
+
+	err = validateSyncInterval(*flags.SyncInterval)
+	if err != nil {
+		return err
+	}
+
+	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
+		return errNoAuthExcludeAdminPassword
+	}
+
+	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
+		return errAdminPassExcludeAdminPassFile
+	}
+
+	return nil
+}
+
+func validateEndpointURL(endpointURL string) error {
+	if endpointURL != "" {
+		if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") {
+			return errInvalidEndpointProtocol
+		}
+
+		if strings.HasPrefix(endpointURL, "unix://") {
+			socketPath := strings.TrimPrefix(endpointURL, "unix://")
+			if _, err := os.Stat(socketPath); err != nil {
+				if os.IsNotExist(err) {
+					return errSocketNotFound
+				}
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func validateExternalEndpoints(externalEndpoints string) error {
+	if externalEndpoints != "" {
+		if _, err := os.Stat(externalEndpoints); err != nil {
+			if os.IsNotExist(err) {
+				return errEndpointsFileNotFound
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+func validateSyncInterval(syncInterval string) error {
+	if syncInterval != defaultSyncInterval {
+		_, err := time.ParseDuration(syncInterval)
+		if err != nil {
+			return errInvalidSyncInterval
+		}
+	}
+	return nil
+}

api/cli/defaults.go

@@ -0,0 +1,20 @@
+// +build !windows
+
+package cli
+
+const (
+	defaultBindAddress     = ":9000"
+	defaultDataDirectory   = "/data"
+	defaultAssetsDirectory = "./"
+	defaultNoAuth          = "false"
+	defaultNoAnalytics     = "false"
+	defaultTLS             = "false"
+	defaultTLSSkipVerify   = "false"
+	defaultTLSCACertPath   = "/certs/ca.pem"
+	defaultTLSCertPath     = "/certs/cert.pem"
+	defaultTLSKeyPath      = "/certs/key.pem"
+	defaultSSL             = "false"
+	defaultSSLCertPath     = "/certs/portainer.crt"
+	defaultSSLKeyPath      = "/certs/portainer.key"
+	defaultSyncInterval    = "60s"
+)

api/cli/defaults_windows.go

@@ -0,0 +1,18 @@
+package cli
+
+const (
+	defaultBindAddress     = ":9000"
+	defaultDataDirectory   = "C:\\data"
+	defaultAssetsDirectory = "./"
+	defaultNoAuth          = "false"
+	defaultNoAnalytics     = "false"
+	defaultTLS             = "false"
+	defaultTLSSkipVerify   = "false"
+	defaultTLSCACertPath   = "C:\\certs\\ca.pem"
+	defaultTLSCertPath     = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath      = "C:\\certs\\key.pem"
+	defaultSSL             = "false"
+	defaultSSLCertPath     = "C:\\certs\\portainer.crt"
+	defaultSSLKeyPath      = "C:\\certs\\portainer.key"
+	defaultSyncInterval    = "60s"
+)

api/cli/pairlist.go

@@ -0,0 +1,40 @@
+package cli
+
+import (
+	"github.com/portainer/portainer"
+
+	"fmt"
+	"gopkg.in/alecthomas/kingpin.v2"
+	"strings"
+)
+
+type pairList []portainer.Pair
+
+// Set implementation for a list of portainer.Pair
+func (l *pairList) Set(value string) error {
+	parts := strings.SplitN(value, "=", 2)
+	if len(parts) != 2 {
+		return fmt.Errorf("expected NAME=VALUE got '%s'", value)
+	}
+	p := new(portainer.Pair)
+	p.Name = parts[0]
+	p.Value = parts[1]
+	*l = append(*l, *p)
+	return nil
+}
+
+// String implementation for a list of pair
+func (l *pairList) String() string {
+	return ""
+}
+
+// IsCumulative implementation for a list of pair
+func (l *pairList) IsCumulative() bool {
+	return true
+}
+
+func pairs(s kingpin.Settings) (target *[]portainer.Pair) {
+	target = new([]portainer.Pair)
+	s.SetValue((*pairList)(target))
+	return
+}

api/cmd/portainer/main.go

@@ -0,0 +1,425 @@
+package main // import "github.com/portainer/portainer"
+
+import (
+	"strings"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt"
+	"github.com/portainer/portainer/cli"
+	"github.com/portainer/portainer/cron"
+	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/exec"
+	"github.com/portainer/portainer/filesystem"
+	"github.com/portainer/portainer/git"
+	"github.com/portainer/portainer/http"
+	"github.com/portainer/portainer/http/client"
+	"github.com/portainer/portainer/jwt"
+	"github.com/portainer/portainer/ldap"
+	"github.com/portainer/portainer/libcompose"
+
+	"log"
+)
+
+func initCLI() *portainer.CLIFlags {
+	var cli portainer.CLIService = &cli.Service{}
+	flags, err := cli.ParseFlags(portainer.APIVersion)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = cli.ValidateFlags(flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return flags
+}
+
+func initFileService(dataStorePath string) portainer.FileService {
+	fileService, err := filesystem.NewService(dataStorePath, "")
+	if err != nil {
+		log.Fatal(err)
+	}
+	return fileService
+}
+
+func initStore(dataStorePath string, fileService portainer.FileService) *bolt.Store {
+	store, err := bolt.NewStore(dataStorePath, fileService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = store.Open()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = store.Init()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = store.MigrateData()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return store
+}
+
+func initComposeStackManager(dataStorePath string) portainer.ComposeStackManager {
+	return libcompose.NewComposeStackManager(dataStorePath)
+}
+
+func initSwarmStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (portainer.SwarmStackManager, error) {
+	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService)
+}
+
+func initJWTService(authenticationEnabled bool) portainer.JWTService {
+	if authenticationEnabled {
+		jwtService, err := jwt.NewService()
+		if err != nil {
+			log.Fatal(err)
+		}
+		return jwtService
+	}
+	return nil
+}
+
+func initDigitalSignatureService() portainer.DigitalSignatureService {
+	return &crypto.ECDSAService{}
+}
+
+func initCryptoService() portainer.CryptoService {
+	return &crypto.Service{}
+}
+
+func initLDAPService() portainer.LDAPService {
+	return &ldap.Service{}
+}
+
+func initGitService() portainer.GitService {
+	return &git.Service{}
+}
+
+func initEndpointWatcher(endpointService portainer.EndpointService, externalEnpointFile string, syncInterval string) bool {
+	authorizeEndpointMgmt := true
+	if externalEnpointFile != "" {
+		authorizeEndpointMgmt = false
+		log.Println("Using external endpoint definition. Endpoint management via the API will be disabled.")
+		endpointWatcher := cron.NewWatcher(endpointService, syncInterval)
+		err := endpointWatcher.WatchEndpointFile(externalEnpointFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+	return authorizeEndpointMgmt
+}
+
+func initStatus(authorizeEndpointMgmt bool, flags *portainer.CLIFlags) *portainer.Status {
+	return &portainer.Status{
+		Analytics:          !*flags.NoAnalytics,
+		Authentication:     !*flags.NoAuth,
+		EndpointManagement: authorizeEndpointMgmt,
+		Version:            portainer.APIVersion,
+	}
+}
+
+func initDockerHub(dockerHubService portainer.DockerHubService) error {
+	_, err := dockerHubService.DockerHub()
+	if err == portainer.ErrObjectNotFound {
+		dockerhub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
+		}
+		return dockerHubService.UpdateDockerHub(dockerhub)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initSettings(settingsService portainer.SettingsService, flags *portainer.CLIFlags) error {
+	_, err := settingsService.Settings()
+	if err == portainer.ErrObjectNotFound {
+		settings := &portainer.Settings{
+			LogoURL:                     *flags.Logo,
+			DisplayExternalContributors: false,
+			AuthenticationMethod:        portainer.AuthenticationInternal,
+			LDAPSettings: portainer.LDAPSettings{
+				TLSConfig: portainer.TLSConfiguration{},
+				SearchSettings: []portainer.LDAPSearchSettings{
+					portainer.LDAPSearchSettings{},
+				},
+			},
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
+		}
+
+		if *flags.Templates != "" {
+			settings.TemplatesURL = *flags.Templates
+		} else {
+			settings.TemplatesURL = portainer.DefaultTemplatesURL
+		}
+
+		if *flags.Labels != nil {
+			settings.BlackListedLabels = *flags.Labels
+		} else {
+			settings.BlackListedLabels = make([]portainer.Pair, 0)
+		}
+
+		return settingsService.UpdateSettings(settings)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService) *portainer.Endpoint {
+	endpoints, err := endpointService.Endpoints()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return &endpoints[0]
+}
+
+func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := fileService.LoadKeyPair()
+	if err != nil {
+		return err
+	}
+	return signatureService.ParseKeyPair(private, public)
+}
+
+func generateAndStoreKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := signatureService.GenerateKeyPair()
+	if err != nil {
+		return err
+	}
+	privateHeader, publicHeader := signatureService.PEMHeaders()
+	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
+}
+
+func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	existingKeyPair, err := fileService.KeyPairFilesExist()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if existingKeyPair {
+		return loadAndParseKeyPair(fileService, signatureService)
+	}
+	return generateAndStoreKeyPair(fileService, signatureService)
+}
+
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService) error {
+	tlsConfiguration := portainer.TLSConfiguration{
+		TLS:           *flags.TLS,
+		TLSSkipVerify: *flags.TLSSkipVerify,
+	}
+
+	if *flags.TLS {
+		tlsConfiguration.TLSCACertPath = *flags.TLSCacert
+		tlsConfiguration.TLSCertPath = *flags.TLSCert
+		tlsConfiguration.TLSKeyPath = *flags.TLSKey
+	} else if !*flags.TLS && *flags.TLSSkipVerify {
+		tlsConfiguration.TLS = true
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:            "primary",
+		URL:             *flags.EndpointURL,
+		GroupID:         portainer.EndpointGroupID(1),
+		Type:            portainer.DockerEnvironment,
+		TLSConfig:       tlsConfiguration,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+		Tags:            []string{},
+	}
+
+	if strings.HasPrefix(endpoint.URL, "tcp://") {
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration.TLSCACertPath, tlsConfiguration.TLSCertPath, tlsConfiguration.TLSKeyPath, tlsConfiguration.TLSSkipVerify)
+		if err != nil {
+			return err
+		}
+
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfig)
+		if err != nil {
+			return err
+		}
+
+		if agentOnDockerEnvironment {
+			endpoint.Type = portainer.AgentOnDockerEnvironment
+		}
+	}
+
+	return endpointService.CreateEndpoint(endpoint)
+}
+
+func createUnsecuredEndpoint(endpointURL string, endpointService portainer.EndpointService) error {
+	if strings.HasPrefix(endpointURL, "tcp://") {
+		_, err := client.ExecutePingOperation(endpointURL, nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:            "primary",
+		URL:             endpointURL,
+		GroupID:         portainer.EndpointGroupID(1),
+		Type:            portainer.DockerEnvironment,
+		TLSConfig:       portainer.TLSConfiguration{},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+		Tags:            []string{},
+	}
+
+	return endpointService.CreateEndpoint(endpoint)
+}
+
+func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService) error {
+	if *flags.EndpointURL == "" {
+		return nil
+	}
+
+	endpoints, err := endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	if len(endpoints) > 0 {
+		log.Println("Instance already has defined endpoints. Skipping the endpoint defined via CLI.")
+		return nil
+	}
+
+	if *flags.TLS || *flags.TLSSkipVerify {
+		return createTLSSecuredEndpoint(flags, endpointService)
+	}
+	return createUnsecuredEndpoint(*flags.EndpointURL, endpointService)
+}
+
+func main() {
+	flags := initCLI()
+
+	fileService := initFileService(*flags.Data)
+
+	store := initStore(*flags.Data, fileService)
+	defer store.Close()
+
+	jwtService := initJWTService(!*flags.NoAuth)
+
+	cryptoService := initCryptoService()
+
+	digitalSignatureService := initDigitalSignatureService()
+
+	ldapService := initLDAPService()
+
+	gitService := initGitService()
+
+	authorizeEndpointMgmt := initEndpointWatcher(store.EndpointService, *flags.ExternalEndpoints, *flags.SyncInterval)
+
+	err := initKeyPair(fileService, digitalSignatureService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	composeStackManager := initComposeStackManager(*flags.Data)
+
+	err = initSettings(store.SettingsService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initDockerHub(store.DockerHubService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	applicationStatus := initStatus(authorizeEndpointMgmt, flags)
+
+	err = initEndpoint(flags, store.EndpointService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	adminPasswordHash := ""
+	if *flags.AdminPasswordFile != "" {
+		content, err := fileService.GetFileContent(*flags.AdminPasswordFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+		adminPasswordHash, err = cryptoService.Hash(content)
+		if err != nil {
+			log.Fatal(err)
+		}
+	} else if *flags.AdminPassword != "" {
+		adminPasswordHash = *flags.AdminPassword
+	}
+
+	if adminPasswordHash != "" {
+		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		if len(users) == 0 {
+			log.Printf("Creating admin user with password hash %s", adminPasswordHash)
+			user := &portainer.User{
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+				Password: adminPasswordHash,
+			}
+			err := store.UserService.CreateUser(user)
+			if err != nil {
+				log.Fatal(err)
+			}
+		} else {
+			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
+		}
+	}
+
+	var server portainer.Server = &http.Server{
+		Status:                 applicationStatus,
+		BindAddress:            *flags.Addr,
+		AssetsPath:             *flags.Assets,
+		AuthDisabled:           *flags.NoAuth,
+		EndpointManagement:     authorizeEndpointMgmt,
+		UserService:            store.UserService,
+		TeamService:            store.TeamService,
+		TeamMembershipService:  store.TeamMembershipService,
+		EndpointService:        store.EndpointService,
+		EndpointGroupService:   store.EndpointGroupService,
+		ResourceControlService: store.ResourceControlService,
+		SettingsService:        store.SettingsService,
+		RegistryService:        store.RegistryService,
+		DockerHubService:       store.DockerHubService,
+		StackService:           store.StackService,
+		TagService:             store.TagService,
+		SwarmStackManager:      swarmStackManager,
+		ComposeStackManager:    composeStackManager,
+		CryptoService:          cryptoService,
+		JWTService:             jwtService,
+		FileService:            fileService,
+		LDAPService:            ldapService,
+		GitService:             gitService,
+		SignatureService:       digitalSignatureService,
+		SSL:                    *flags.SSL,
+		SSLCert:                *flags.SSLCert,
+		SSLKey:                 *flags.SSLKey,
+	}
+
+	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
+	err = server.Start()
+	if err != nil {
+		log.Fatal(err)
+	}
+}

api/cron/endpoint_sync.go

@@ -0,0 +1,209 @@
+package cron
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/portainer/portainer"
+)
+
+type (
+	endpointSyncJob struct {
+		logger           *log.Logger
+		endpointService  portainer.EndpointService
+		endpointFilePath string
+	}
+
+	synchronization struct {
+		endpointsToCreate []*portainer.Endpoint
+		endpointsToUpdate []*portainer.Endpoint
+		endpointsToDelete []*portainer.Endpoint
+	}
+
+	fileEndpoint struct {
+		Name          string `json:"Name"`
+		URL           string `json:"URL"`
+		TLS           bool   `json:"TLS,omitempty"`
+		TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
+		TLSCACert     string `json:"TLSCACert,omitempty"`
+		TLSCert       string `json:"TLSCert,omitempty"`
+		TLSKey        string `json:"TLSKey,omitempty"`
+	}
+)
+
+const (
+	// ErrEmptyEndpointArray is an error raised when the external endpoint source array is empty.
+	ErrEmptyEndpointArray = portainer.Error("External endpoint source is empty")
+)
+
+func newEndpointSyncJob(endpointFilePath string, endpointService portainer.EndpointService) endpointSyncJob {
+	return endpointSyncJob{
+		logger:           log.New(os.Stderr, "", log.LstdFlags),
+		endpointService:  endpointService,
+		endpointFilePath: endpointFilePath,
+	}
+}
+
+func endpointSyncError(err error, logger *log.Logger) bool {
+	if err != nil {
+		logger.Printf("Endpoint synchronization error: %s", err)
+		return true
+	}
+	return false
+}
+
+func isValidEndpoint(endpoint *portainer.Endpoint) bool {
+	if endpoint.Name != "" && endpoint.URL != "" {
+		if !strings.HasPrefix(endpoint.URL, "unix://") && !strings.HasPrefix(endpoint.URL, "tcp://") {
+			return false
+		}
+		return true
+	}
+	return false
+}
+
+func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
+	convertedEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, e := range fileEndpoints {
+		endpoint := portainer.Endpoint{
+			Name:      e.Name,
+			URL:       e.URL,
+			TLSConfig: portainer.TLSConfiguration{},
+		}
+		if e.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
+			endpoint.TLSConfig.TLSCertPath = e.TLSCert
+			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
+		}
+		convertedEndpoints = append(convertedEndpoints, endpoint)
+	}
+
+	return convertedEndpoints
+}
+
+func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
+	for idx, v := range endpoints {
+		if endpoint.Name == v.Name && isValidEndpoint(&v) {
+			return idx
+		}
+	}
+	return -1
+}
+
+func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
+	var endpoint *portainer.Endpoint
+	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
+		endpoint = original
+		endpoint.URL = updated.URL
+		if updated.TLSConfig.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
+		} else {
+			endpoint.TLSConfig.TLS = false
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = ""
+			endpoint.TLSConfig.TLSCertPath = ""
+			endpoint.TLSConfig.TLSKeyPath = ""
+		}
+	}
+	return endpoint
+}
+
+func (sync synchronization) requireSync() bool {
+	if len(sync.endpointsToCreate) != 0 || len(sync.endpointsToUpdate) != 0 || len(sync.endpointsToDelete) != 0 {
+		return true
+	}
+	return false
+}
+
+// TMP: endpointSyncJob method to access logger, should be generic
+func (job endpointSyncJob) prepareSyncData(storedEndpoints, fileEndpoints []portainer.Endpoint) *synchronization {
+	endpointsToCreate := make([]*portainer.Endpoint, 0)
+	endpointsToUpdate := make([]*portainer.Endpoint, 0)
+	endpointsToDelete := make([]*portainer.Endpoint, 0)
+
+	for idx := range storedEndpoints {
+		fidx := endpointExists(&storedEndpoints[idx], fileEndpoints)
+		if fidx != -1 {
+			endpoint := mergeEndpointIfRequired(&storedEndpoints[idx], &fileEndpoints[fidx])
+			if endpoint != nil {
+				job.logger.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
+				endpointsToUpdate = append(endpointsToUpdate, endpoint)
+			}
+		} else {
+			job.logger.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
+			endpointsToDelete = append(endpointsToDelete, &storedEndpoints[idx])
+		}
+	}
+
+	for idx, endpoint := range fileEndpoints {
+		if !isValidEndpoint(&endpoint) {
+			job.logger.Printf("Invalid file endpoint definition, skipping. [name: %v] [url: %v]", endpoint.Name, endpoint.URL)
+			continue
+		}
+		sidx := endpointExists(&fileEndpoints[idx], storedEndpoints)
+		if sidx == -1 {
+			job.logger.Printf("File endpoint not found in database, adding to database. [name: %v] [url: %v]", fileEndpoints[idx].Name, fileEndpoints[idx].URL)
+			endpointsToCreate = append(endpointsToCreate, &fileEndpoints[idx])
+		}
+	}
+
+	return &synchronization{
+		endpointsToCreate: endpointsToCreate,
+		endpointsToUpdate: endpointsToUpdate,
+		endpointsToDelete: endpointsToDelete,
+	}
+}
+
+func (job endpointSyncJob) Sync() error {
+	data, err := ioutil.ReadFile(job.endpointFilePath)
+	if endpointSyncError(err, job.logger) {
+		return err
+	}
+
+	var fileEndpoints []fileEndpoint
+	err = json.Unmarshal(data, &fileEndpoints)
+	if endpointSyncError(err, job.logger) {
+		return err
+	}
+
+	if len(fileEndpoints) == 0 {
+		return ErrEmptyEndpointArray
+	}
+
+	storedEndpoints, err := job.endpointService.Endpoints()
+	if endpointSyncError(err, job.logger) {
+		return err
+	}
+
+	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
+
+	sync := job.prepareSyncData(storedEndpoints, convertedFileEndpoints)
+	if sync.requireSync() {
+		err = job.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
+		if endpointSyncError(err, job.logger) {
+			return err
+		}
+		job.logger.Printf("Endpoint synchronization ended. [created: %v] [updated: %v] [deleted: %v]", len(sync.endpointsToCreate), len(sync.endpointsToUpdate), len(sync.endpointsToDelete))
+	}
+	return nil
+}
+
+func (job endpointSyncJob) Run() {
+	job.logger.Println("Endpoint synchronization job started.")
+	err := job.Sync()
+	endpointSyncError(err, job.logger)
+}

api/cron/watcher.go

@@ -0,0 +1,40 @@
+package cron
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/robfig/cron"
+)
+
+// Watcher represents a service for managing crons.
+type Watcher struct {
+	Cron            *cron.Cron
+	EndpointService portainer.EndpointService
+	syncInterval    string
+}
+
+// NewWatcher initializes a new service.
+func NewWatcher(endpointService portainer.EndpointService, syncInterval string) *Watcher {
+	return &Watcher{
+		Cron:            cron.New(),
+		EndpointService: endpointService,
+		syncInterval:    syncInterval,
+	}
+}
+
+// WatchEndpointFile starts a cron job to synchronize the endpoints from a file
+func (watcher *Watcher) WatchEndpointFile(endpointFilePath string) error {
+	job := newEndpointSyncJob(endpointFilePath, watcher.EndpointService)
+
+	err := job.Sync()
+	if err != nil {
+		return err
+	}
+
+	err = watcher.Cron.AddJob("@every "+watcher.syncInterval, job)
+	if err != nil {
+		return err
+	}
+
+	watcher.Cron.Start()
+	return nil
+}

api/crypto/crypto.go

@@ -0,0 +1,22 @@
+package crypto
+
+import (
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Service represents a service for encrypting/hashing data.
+type Service struct{}
+
+// Hash hashes a string using the bcrypt algorithm
+func (*Service) Hash(data string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(data), bcrypt.DefaultCost)
+	if err != nil {
+		return "", nil
+	}
+	return string(hash), nil
+}
+
+// CompareHashAndData compares a hash to clear data and returns an error if the comparison fails.
+func (*Service) CompareHashAndData(hash string, data string) error {
+	return bcrypt.CompareHashAndPassword([]byte(hash), []byte(data))
+}

api/crypto/ecdsa.go

@@ -0,0 +1,125 @@
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"math/big"
+)
+
+const (
+	// PrivateKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the private key.
+	PrivateKeyPemHeader = "EC PRIVATE KEY"
+	// PublicKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the public key.
+	PublicKeyPemHeader = "ECDSA PUBLIC KEY"
+)
+
+// ECDSAService is a service used to create digital signatures when communicating with
+// an agent based environment. It will automatically generates a key pair using ECDSA or
+// can also reuse an existing ECDSA key pair.
+type ECDSAService struct {
+	privateKey    *ecdsa.PrivateKey
+	publicKey     *ecdsa.PublicKey
+	encodedPubKey string
+}
+
+// EncodedPublicKey returns the encoded version of the public that can be used
+// to be shared with other services. It's the hexadecimal encoding of the public key
+// content.
+func (service *ECDSAService) EncodedPublicKey() string {
+	return service.encodedPubKey
+}
+
+// PEMHeaders returns the ECDSA PEM headers.
+func (service *ECDSAService) PEMHeaders() (string, string) {
+	return PrivateKeyPemHeader, PublicKeyPemHeader
+}
+
+// ParseKeyPair parses existing private/public key pair content and associate
+// the parsed keys to the service.
+func (service *ECDSAService) ParseKeyPair(private, public []byte) error {
+	privateKey, err := x509.ParseECPrivateKey(private)
+	if err != nil {
+		return err
+	}
+
+	service.privateKey = privateKey
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	publicKey, err := x509.ParsePKIXPublicKey(public)
+	if err != nil {
+		return err
+	}
+
+	service.publicKey = publicKey.(*ecdsa.PublicKey)
+
+	return nil
+}
+
+// GenerateKeyPair will create a new key pair using ECDSA.
+func (service *ECDSAService) GenerateKeyPair() ([]byte, []byte, error) {
+	pubkeyCurve := elliptic.P256()
+
+	privatekey, err := ecdsa.GenerateKey(pubkeyCurve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	service.privateKey = privatekey
+	service.publicKey = &privatekey.PublicKey
+
+	private, err := x509.MarshalECPrivateKey(service.privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(service.publicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	return private, public, nil
+}
+
+// Sign creates a signature from a message.
+// It automatically hash the message using MD5 and creates a signature from
+// that hash.
+// It then encodes the generated signature in base64.
+func (service *ECDSAService) Sign(message string) (string, error) {
+	digest := md5.New()
+	digest.Write([]byte(message))
+	hash := digest.Sum(nil)
+
+	r := big.NewInt(0)
+	s := big.NewInt(0)
+
+	r, s, err := ecdsa.Sign(rand.Reader, service.privateKey, hash)
+	if err != nil {
+		return "", err
+	}
+
+	keyBytes := service.privateKey.Params().BitSize / 8
+
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	signature := append(rBytesPadded, sBytesPadded...)
+
+	return base64.RawStdEncoding.EncodeToString(signature), nil
+}

api/crypto/tls.go

@@ -0,0 +1,59 @@
+package crypto
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+)
+
+// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
+// loaded from memory.
+func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
+	config := &tls.Config{}
+	config.InsecureSkipVerify = skipServerVerification
+
+	if !skipClientVerification {
+		certificate, err := tls.X509KeyPair(cert, key)
+		if err != nil {
+			return nil, err
+		}
+		config.Certificates = []tls.Certificate{certificate}
+	}
+
+	if !skipServerVerification {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		config.RootCAs = caCertPool
+	}
+
+	return config, nil
+}
+
+// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
+// loaded from disk.
+func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
+	config := &tls.Config{}
+	config.InsecureSkipVerify = skipServerVerification
+
+	if certPath != "" && keyPath != "" {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			return nil, err
+		}
+
+		config.Certificates = []tls.Certificate{cert}
+	}
+
+	if !skipServerVerification && caCertPath != "" {
+		caCert, err := ioutil.ReadFile(caCertPath)
+		if err != nil {
+			return nil, err
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		config.RootCAs = caCertPool
+	}
+
+	return config, nil
+}

api/errors.go

@@ -0,0 +1,94 @@
+package portainer
+
+// General errors.
+const (
+	ErrUnauthorized           = Error("Unauthorized")
+	ErrResourceAccessDenied   = Error("Access denied to resource")
+	ErrObjectNotFound         = Error("Object not found inside the database")
+	ErrMissingSecurityContext = Error("Unable to find security details in request context")
+)
+
+// User errors.
+const (
+	ErrUserAlreadyExists       = Error("User already exists")
+	ErrInvalidUsername         = Error("Invalid username. White spaces are not allowed")
+	ErrAdminAlreadyInitialized = Error("An administrator user already exists")
+	ErrAdminCannotRemoveSelf   = Error("Cannot remove your own user account. Contact another administrator")
+)
+
+// Team errors.
+const (
+	ErrTeamAlreadyExists = Error("Team already exists")
+)
+
+// TeamMembership errors.
+const (
+	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team")
+)
+
+// ResourceControl errors.
+const (
+	ErrResourceControlAlreadyExists = Error("A resource control is already applied on this resource")
+	ErrInvalidResourceControlType   = Error("Unsupported resource control type")
+)
+
+// Endpoint errors.
+const (
+	ErrEndpointAccessDenied = Error("Access denied to endpoint")
+)
+
+// Azure environment errors
+const (
+	ErrAzureInvalidCredentials = Error("Invalid Azure credentials")
+)
+
+// Endpoint group errors.
+const (
+	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
+)
+
+// Registry errors.
+const (
+	ErrRegistryAlreadyExists = Error("A registry is already defined for this URL")
+)
+
+// Stack errors
+const (
+	ErrStackAlreadyExists              = Error("A stack already exists with this name")
+	ErrComposeFileNotFoundInRepository = Error("Unable to find a Compose file in the repository")
+	ErrStackNotExternal                = Error("Not an external stack")
+)
+
+// Tag errors
+const (
+	ErrTagAlreadyExists = Error("A tag already exists with this name")
+)
+
+// Endpoint extensions error
+const (
+	ErrEndpointExtensionNotSupported      = Error("This extension is not supported")
+	ErrEndpointExtensionAlreadyAssociated = Error("This extension is already associated to the endpoint")
+)
+
+// Crypto errors.
+const (
+	ErrCryptoHashFailure = Error("Unable to hash data")
+)
+
+// JWT errors.
+const (
+	ErrSecretGeneration   = Error("Unable to generate secret key")
+	ErrInvalidJWTToken    = Error("Invalid JWT token")
+	ErrMissingContextData = Error("Unable to find JWT data in request context")
+)
+
+// File errors.
+const (
+	ErrUndefinedTLSFileType = Error("Undefined TLS file type")
+)
+
+// Error represents an application error.
+type Error string
+
+// Error returns the error message.
+func (e Error) Error() string { return string(e) }

api/exec/swarm_stack.go

@@ -0,0 +1,178 @@
+package exec
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+
+	"github.com/portainer/portainer"
+)
+
+// SwarmStackManager represents a service for managing stacks.
+type SwarmStackManager struct {
+	binaryPath       string
+	dataPath         string
+	signatureService portainer.DigitalSignatureService
+	fileService      portainer.FileService
+}
+
+// NewSwarmStackManager initializes a new SwarmStackManager service.
+// It also updates the configuration of the Docker CLI binary.
+func NewSwarmStackManager(binaryPath, dataPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (*SwarmStackManager, error) {
+	manager := &SwarmStackManager{
+		binaryPath:       binaryPath,
+		dataPath:         dataPath,
+		signatureService: signatureService,
+		fileService:      fileService,
+	}
+
+	err := manager.updateDockerCLIConfiguration(dataPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return manager, nil
+}
+
+// Login executes the docker login command against a list of registries (including DockerHub).
+func (manager *SwarmStackManager) Login(dockerhub *portainer.DockerHub, registries []portainer.Registry, endpoint *portainer.Endpoint) {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	for _, registry := range registries {
+		if registry.Authentication {
+			registryArgs := append(args, "login", "--username", registry.Username, "--password", registry.Password, registry.URL)
+			runCommandAndCaptureStdErr(command, registryArgs, nil, "")
+		}
+	}
+
+	if dockerhub.Authentication {
+		dockerhubArgs := append(args, "login", "--username", dockerhub.Username, "--password", dockerhub.Password)
+		runCommandAndCaptureStdErr(command, dockerhubArgs, nil, "")
+	}
+}
+
+// Logout executes the docker logout command.
+func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	args = append(args, "logout")
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+// Deploy executes the docker stack deploy command.
+func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
+	stackFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+
+	if prune {
+		args = append(args, "stack", "deploy", "--prune", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	} else {
+		args = append(args, "stack", "deploy", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
+	}
+
+	env := make([]string, 0)
+	for _, envvar := range stack.Env {
+		env = append(env, envvar.Name+"="+envvar.Value)
+	}
+
+	stackFolder := path.Dir(stackFilePath)
+	return runCommandAndCaptureStdErr(command, args, env, stackFolder)
+}
+
+// Remove executes the docker stack rm command.
+func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+	command, args := prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
+	args = append(args, "stack", "rm", stack.Name)
+	return runCommandAndCaptureStdErr(command, args, nil, "")
+}
+
+func runCommandAndCaptureStdErr(command string, args []string, env []string, workingDir string) error {
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Dir = workingDir
+
+	if env != nil {
+		cmd.Env = os.Environ()
+		cmd.Env = append(cmd.Env, env...)
+	}
+
+	err := cmd.Run()
+	if err != nil {
+		return portainer.Error(stderr.String())
+	}
+
+	return nil
+}
+
+func prepareDockerCommandAndArgs(binaryPath, dataPath string, endpoint *portainer.Endpoint) (string, []string) {
+	// Assume Linux as a default
+	command := path.Join(binaryPath, "docker")
+
+	if runtime.GOOS == "windows" {
+		command = path.Join(binaryPath, "docker.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "--config", dataPath)
+	args = append(args, "-H", endpoint.URL)
+
+	if endpoint.TLSConfig.TLS {
+		args = append(args, "--tls")
+
+		if !endpoint.TLSConfig.TLSSkipVerify {
+			args = append(args, "--tlsverify", "--tlscacert", endpoint.TLSConfig.TLSCACertPath)
+		}
+
+		if endpoint.TLSConfig.TLSCertPath != "" && endpoint.TLSConfig.TLSKeyPath != "" {
+			args = append(args, "--tlscert", endpoint.TLSConfig.TLSCertPath, "--tlskey", endpoint.TLSConfig.TLSKeyPath)
+		}
+	}
+
+	return command, args
+}
+
+func (manager *SwarmStackManager) updateDockerCLIConfiguration(dataPath string) error {
+	configFilePath := path.Join(dataPath, "config.json")
+	config, err := manager.retrieveConfigurationFromDisk(configFilePath)
+	if err != nil {
+		return err
+	}
+
+	signature, err := manager.signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
+	}
+
+	if config["HttpHeaders"] == nil {
+		config["HttpHeaders"] = make(map[string]interface{})
+	}
+	headersObject := config["HttpHeaders"].(map[string]interface{})
+	headersObject["X-PortainerAgent-ManagerOperation"] = "1"
+	headersObject["X-PortainerAgent-Signature"] = signature
+	headersObject["X-PortainerAgent-PublicKey"] = manager.signatureService.EncodedPublicKey()
+
+	err = manager.fileService.WriteJSONToFile(configFilePath, config)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (map[string]interface{}, error) {
+	var config map[string]interface{}
+
+	raw, err := manager.fileService.GetFileContent(path)
+	if err != nil {
+		return make(map[string]interface{}), nil
+	}
+
+	err = json.Unmarshal([]byte(raw), &config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}

api/filesystem/filesystem.go

@@ -0,0 +1,320 @@
+package filesystem
+
+import (
+	"bytes"
+	"encoding/json"
+	"encoding/pem"
+	"io/ioutil"
+
+	"github.com/portainer/portainer"
+
+	"io"
+	"os"
+	"path"
+)
+
+const (
+	// TLSStorePath represents the subfolder where TLS files are stored in the file store folder.
+	TLSStorePath = "tls"
+	// LDAPStorePath represents the subfolder where LDAP TLS files are stored in the TLSStorePath.
+	LDAPStorePath = "ldap"
+	// TLSCACertFile represents the name on disk for a TLS CA file.
+	TLSCACertFile = "ca.pem"
+	// TLSCertFile represents the name on disk for a TLS certificate file.
+	TLSCertFile = "cert.pem"
+	// TLSKeyFile represents the name on disk for a TLS key file.
+	TLSKeyFile = "key.pem"
+	// ComposeStorePath represents the subfolder where compose files are stored in the file store folder.
+	ComposeStorePath = "compose"
+	// ComposeFileDefaultName represents the default name of a compose file.
+	ComposeFileDefaultName = "docker-compose.yml"
+	// PrivateKeyFile represents the name on disk of the file containing the private key.
+	PrivateKeyFile = "portainer.key"
+	// PublicKeyFile represents the name on disk of the file containing the public key.
+	PublicKeyFile = "portainer.pub"
+)
+
+// Service represents a service for managing files and directories.
+type Service struct {
+	dataStorePath string
+	fileStorePath string
+}
+
+// NewService initializes a new service. It creates a data directory and a directory to store files
+// inside this directory if they don't exist.
+func NewService(dataStorePath, fileStorePath string) (*Service, error) {
+	service := &Service{
+		dataStorePath: dataStorePath,
+		fileStorePath: path.Join(dataStorePath, fileStorePath),
+	}
+
+	err := os.MkdirAll(dataStorePath, 0755)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(TLSStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = service.createDirectoryInStore(ComposeStorePath)
+	if err != nil {
+		return nil, err
+	}
+
+	return service, nil
+}
+
+// RemoveDirectory removes a directory on the filesystem.
+func (service *Service) RemoveDirectory(directoryPath string) error {
+	return os.RemoveAll(directoryPath)
+}
+
+// GetStackProjectPath returns the absolute path on the FS for a stack based
+// on its identifier.
+func (service *Service) GetStackProjectPath(stackIdentifier string) string {
+	return path.Join(service.fileStorePath, ComposeStorePath, stackIdentifier)
+}
+
+// StoreStackFileFromBytes creates a subfolder in the ComposeStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string, data []byte) (string, error) {
+	stackStorePath := path.Join(ComposeStorePath, stackIdentifier)
+	err := service.createDirectoryInStore(stackStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	composeFilePath := path.Join(stackStorePath, fileName)
+	r := bytes.NewReader(data)
+
+	err = service.createFileInStore(composeFilePath, r)
+	if err != nil {
+		return "", err
+	}
+
+	return path.Join(service.fileStorePath, stackStorePath), nil
+}
+
+// StoreTLSFileFromBytes creates a folder in the TLSStorePath and stores a new file from bytes.
+// It returns the path to the newly created file.
+func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.TLSFileType, data []byte) (string, error) {
+	storePath := path.Join(TLSStorePath, folder)
+	err := service.createDirectoryInStore(storePath)
+	if err != nil {
+		return "", err
+	}
+
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return "", portainer.ErrUndefinedTLSFileType
+	}
+
+	tlsFilePath := path.Join(storePath, fileName)
+	r := bytes.NewReader(data)
+	err = service.createFileInStore(tlsFilePath, r)
+	if err != nil {
+		return "", err
+	}
+	return path.Join(service.fileStorePath, tlsFilePath), nil
+}
+
+// GetPathForTLSFile returns the absolute path to a specific TLS file for an endpoint.
+func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSFileType) (string, error) {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return "", portainer.ErrUndefinedTLSFileType
+	}
+	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
+}
+
+// DeleteTLSFiles deletes a folder in the TLS store path.
+func (service *Service) DeleteTLSFiles(folder string) error {
+	storePath := path.Join(service.fileStorePath, TLSStorePath, folder)
+	err := os.RemoveAll(storePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// DeleteTLSFile deletes a specific TLS file from a folder.
+func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileType) error {
+	var fileName string
+	switch fileType {
+	case portainer.TLSFileCA:
+		fileName = TLSCACertFile
+	case portainer.TLSFileCert:
+		fileName = TLSCertFile
+	case portainer.TLSFileKey:
+		fileName = TLSKeyFile
+	default:
+		return portainer.ErrUndefinedTLSFileType
+	}
+
+	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
+
+	err := os.Remove(filePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetFileContent returns a string content from file.
+func (service *Service) GetFileContent(filePath string) (string, error) {
+	content, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return "", err
+	}
+
+	return string(content), nil
+}
+
+// Rename renames a file or directory
+func (service *Service) Rename(oldPath, newPath string) error {
+	return os.Rename(oldPath, newPath)
+}
+
+// WriteJSONToFile writes JSON to the specified file.
+func (service *Service) WriteJSONToFile(path string, content interface{}) error {
+	jsonContent, err := json.Marshal(content)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(path, jsonContent, 0644)
+}
+
+// FileExists checks for the existence of the specified file.
+func (service *Service) FileExists(filePath string) (bool, error) {
+	if _, err := os.Stat(filePath); err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
+// KeyPairFilesExist checks for the existence of the key files.
+func (service *Service) KeyPairFilesExist() (bool, error) {
+	privateKeyPath := path.Join(service.dataStorePath, PrivateKeyFile)
+	exists, err := service.FileExists(privateKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	publicKeyPath := path.Join(service.dataStorePath, PublicKeyFile)
+	exists, err = service.FileExists(publicKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// StoreKeyPair store the specified keys content as PEM files on disk.
+func (service *Service) StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error {
+	err := service.createPEMFileInStore(private, privatePEMHeader, PrivateKeyFile)
+	if err != nil {
+		return err
+	}
+
+	err = service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadKeyPair retrieve the content of both key files on disk.
+func (service *Service) LoadKeyPair() ([]byte, []byte, error) {
+	privateKey, err := service.getContentFromPEMFile(PrivateKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	publicKey, err := service.getContentFromPEMFile(PublicKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return privateKey, publicKey, nil
+}
+
+// createDirectoryInStore creates a new directory in the file store
+func (service *Service) createDirectoryInStore(name string) error {
+	path := path.Join(service.fileStorePath, name)
+	return os.MkdirAll(path, 0700)
+}
+
+// createFile creates a new file in the file store with the content from r.
+func (service *Service) createFileInStore(filePath string, r io.Reader) error {
+	path := path.Join(service.fileStorePath, filePath)
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) createPEMFileInStore(content []byte, fileType, filePath string) error {
+	path := path.Join(service.fileStorePath, filePath)
+	block := &pem.Block{Type: fileType, Bytes: content}
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	err = pem.Encode(out, block)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
+	path := path.Join(service.fileStorePath, filePath)
+
+	fileContent, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(fileContent)
+	return block.Bytes, nil
+}

api/git/git.go

@@ -0,0 +1,39 @@
+package git
+
+import (
+	"net/url"
+	"strings"
+
+	"gopkg.in/src-d/go-git.v4"
+)
+
+// Service represents a service for managing Git.
+type Service struct{}
+
+// NewService initializes a new service.
+func NewService(dataStorePath string) (*Service, error) {
+	service := &Service{}
+
+	return service, nil
+}
+
+// ClonePublicRepository clones a public git repository using the specified URL in the specified
+// destination folder.
+func (service *Service) ClonePublicRepository(repositoryURL, destination string) error {
+	return cloneRepository(repositoryURL, destination)
+}
+
+// ClonePrivateRepositoryWithBasicAuth clones a private git repository using the specified URL in the specified
+// destination folder. It will use the specified username and password for basic HTTP authentication.
+func (service *Service) ClonePrivateRepositoryWithBasicAuth(repositoryURL, destination, username, password string) error {
+	credentials := username + ":" + url.PathEscape(password)
+	repositoryURL = strings.Replace(repositoryURL, "://", "://"+credentials+"@", 1)
+	return cloneRepository(repositoryURL, destination)
+}
+
+func cloneRepository(repositoryURL, destination string) error {
+	_, err := git.PlainClone(destination, false, &git.CloneOptions{
+		URL: repositoryURL,
+	})
+	return err
+}

api/http/client/client.go

@@ -0,0 +1,99 @@
+package client
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer"
+)
+
+// HTTPClient represents a client to send HTTP requests.
+type HTTPClient struct {
+	*http.Client
+}
+
+// NewHTTPClient is used to build a new HTTPClient.
+func NewHTTPClient() *HTTPClient {
+	return &HTTPClient{
+		&http.Client{
+			Timeout: time.Second * 5,
+		},
+	}
+}
+
+// AzureAuthenticationResponse represents an Azure API authentication response.
+type AzureAuthenticationResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresOn   string `json:"expires_on"`
+}
+
+// ExecuteAzureAuthenticationRequest is used to execute an authentication request
+// against the Azure API. It re-uses the same http.Client.
+func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
+	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
+	params := url.Values{
+		"grant_type":    {"client_credentials"},
+		"client_id":     {credentials.ApplicationID},
+		"client_secret": {credentials.AuthenticationKey},
+		"resource":      {"https://management.azure.com/"},
+	}
+
+	response, err := client.PostForm(loginURL, params)
+	if err != nil {
+		return nil, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, portainer.ErrAzureInvalidCredentials
+	}
+
+	var token AzureAuthenticationResponse
+	err = json.NewDecoder(response.Body).Decode(&token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}
+
+// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
+// using the specified host and optional TLS configuration.
+// It uses a new Http.Client for each operation.
+func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+	transport := &http.Transport{}
+
+	scheme := "http"
+	if tlsConfig != nil {
+		transport.TLSClientConfig = tlsConfig
+		scheme = "https"
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+func pingOperation(client *http.Client, target string) (bool, error) {
+	pingOperationURL := target + "/_ping"
+
+	response, err := client.Get(pingOperationURL)
+	if err != nil {
+		return false, err
+	}
+
+	agentOnDockerEnvironment := false
+	if response.Header.Get(portainer.PortainerAgentHeader) != "" {
+		agentOnDockerEnvironment = true
+	}
+
+	return agentOnDockerEnvironment, nil
+}

api/http/error/error.go

@@ -0,0 +1,41 @@
+package error
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+)
+
+type (
+	// LoggerHandler defines a HTTP handler that includes a HandlerError return pointer
+	LoggerHandler func(http.ResponseWriter, *http.Request) *HandlerError
+	// HandlerError represents an error raised inside a HTTP handler
+	HandlerError struct {
+		StatusCode int
+		Message    string
+		Err        error
+	}
+	errorResponse struct {
+		Err string `json:"err,omitempty"`
+	}
+)
+
+func (handler LoggerHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	err := handler(rw, r)
+	if err != nil {
+		writeErrorResponse(rw, err)
+	}
+}
+
+func writeErrorResponse(rw http.ResponseWriter, err *HandlerError) {
+	log.Printf("http error: %s (err=%s) (code=%d)\n", err.Message, err.Err, err.StatusCode)
+	rw.Header().Set("Content-Type", "application/json")
+	rw.WriteHeader(err.StatusCode)
+	json.NewEncoder(rw).Encode(&errorResponse{Err: err.Message})
+}
+
+// WriteError is a convenience function that creates a new HandlerError before calling writeErrorResponse.
+// For use outside of the standard http handlers.
+func WriteError(rw http.ResponseWriter, code int, message string, err error) {
+	writeErrorResponse(rw, &HandlerError{code, message, err})
+}

api/http/handler/auth/authenticate.go

@@ -0,0 +1,79 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type authenticatePayload struct {
+	Username string
+	Password string
+}
+
+type authenticateResponse struct {
+	JWT string `json:"jwt"`
+}
+
+func (payload *authenticatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Username) {
+		return portainer.Error("Invalid username")
+	}
+	if govalidator.IsNull(payload.Password) {
+		return portainer.Error("Invalid password")
+	}
+	return nil
+}
+
+func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if handler.authDisabled {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
+	}
+
+	var payload authenticatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	u, err := handler.UserService.UserByUsername(payload.Username)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid credentials", ErrInvalidCredentials}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	}
+
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod == portainer.AuthenticationLDAP && u.ID != 1 {
+		err = handler.LDAPService.AuthenticateUser(payload.Username, payload.Password, &settings.LDAPSettings)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate user via LDAP/AD", err}
+		}
+	} else {
+		err = handler.CryptoService.CompareHashAndData(u.Password, payload.Password)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", ErrInvalidCredentials}
+		}
+	}
+
+	tokenData := &portainer.TokenData{
+		ID:       u.ID,
+		Username: u.Username,
+		Role:     u.Role,
+	}
+
+	token, err := handler.JWTService.GenerateToken(tokenData)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to generate JWT token", err}
+	}
+
+	return response.JSON(w, &authenticateResponse{JWT: token})
+}

api/http/handler/auth/handler.go

@@ -0,0 +1,41 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+)
+
+const (
+	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
+	ErrInvalidCredentials = portainer.Error("Invalid credentials")
+	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
+	// when the server has been started with the --no-auth flag
+	ErrAuthDisabled = portainer.Error("Authentication is disabled")
+)
+
+// Handler is the HTTP handler used to handle authentication operations.
+type Handler struct {
+	*mux.Router
+	authDisabled    bool
+	UserService     portainer.UserService
+	CryptoService   portainer.CryptoService
+	JWTService      portainer.JWTService
+	LDAPService     portainer.LDAPService
+	SettingsService portainer.SettingsService
+}
+
+// NewHandler creates a handler to manage authentication operations.
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, authDisabled bool) *Handler {
+	h := &Handler{
+		Router:       mux.NewRouter(),
+		authDisabled: authDisabled,
+	}
+	h.Handle("/auth",
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
+
+	return h
+}

api/http/handler/dockerhub/dockerhub_inspect.go

@@ -0,0 +1,19 @@
+package dockerhub
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/response"
+)
+
+// GET request on /api/dockerhub
+func (handler *Handler) dockerhubInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	dockerhub, err := handler.DockerHubService.DockerHub()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve DockerHub details from the database", err}
+	}
+
+	hideFields(dockerhub)
+	return response.JSON(w, dockerhub)
+}

api/http/handler/dockerhub/dockerhub_update.go

@@ -0,0 +1,52 @@
+package dockerhub
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type dockerhubUpdatePayload struct {
+	Authentication bool
+	Username       string
+	Password       string
+}
+
+func (payload *dockerhubUpdatePayload) Validate(r *http.Request) error {
+	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
+		return portainer.Error("Invalid credentials. Username and password must be specified when authentication is enabled")
+	}
+	return nil
+}
+
+// PUT request on /api/dockerhub
+func (handler *Handler) dockerhubUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload dockerhubUpdatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	dockerhub := &portainer.DockerHub{
+		Authentication: false,
+		Username:       "",
+		Password:       "",
+	}
+
+	if payload.Authentication {
+		dockerhub.Authentication = true
+		dockerhub.Username = payload.Username
+		dockerhub.Password = payload.Password
+	}
+
+	err = handler.DockerHubService.UpdateDockerHub(dockerhub)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the Dockerhub changes inside the database", err}
+	}
+
+	return response.Empty(w)
+}

api/http/handler/dockerhub/handler.go

@@ -0,0 +1,33 @@
+package dockerhub
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+)
+
+func hideFields(dockerHub *portainer.DockerHub) {
+	dockerHub.Password = ""
+}
+
+// Handler is the HTTP handler used to handle DockerHub operations.
+type Handler struct {
+	*mux.Router
+	DockerHubService portainer.DockerHubService
+}
+
+// NewHandler creates a handler to manage Dockerhub operations.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+	h.Handle("/dockerhub",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.dockerhubInspect))).Methods(http.MethodGet)
+	h.Handle("/dockerhub",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.dockerhubUpdate))).Methods(http.MethodPut)
+
+	return h
+}

api/http/handler/endpointgroups/endpointgroup_create.go

@@ -0,0 +1,66 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointGroupCreatePayload struct {
+	Name                string
+	Description         string
+	AssociatedEndpoints []portainer.EndpointID
+	Tags                []string
+}
+
+func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Name) {
+		return portainer.Error("Invalid endpoint group name")
+	}
+	if payload.Tags == nil {
+		payload.Tags = []string{}
+	}
+	return nil
+}
+
+// POST request on /api/endpoint_groups
+func (handler *Handler) endpointGroupCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload endpointGroupCreatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpointGroup := &portainer.EndpointGroup{
+		Name:            payload.Name,
+		Description:     payload.Description,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Tags:            payload.Tags,
+	}
+
+	err = handler.EndpointGroupService.CreateEndpointGroup(endpointGroup)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the endpoint group inside the database", err}
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == portainer.EndpointGroupID(1) {
+			err = handler.checkForGroupAssignment(endpoint, endpointGroup.ID, payload.AssociatedEndpoints)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update endpoint", err}
+			}
+		}
+	}
+
+	return response.JSON(w, endpointGroup)
+}

api/http/handler/endpointgroups/endpointgroup_delete.go

@@ -0,0 +1,51 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// DELETE request on /api/endpoint_groups/:id
+func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint group identifier route variable", err}
+	}
+
+	if endpointGroupID == 1 {
+		return &httperror.HandlerError{http.StatusForbidden, "Unable to remove the default 'Unassigned' group", portainer.ErrCannotRemoveDefaultGroup}
+	}
+
+	_, err = handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	}
+
+	err = handler.EndpointGroupService.DeleteEndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the endpoint group from the database", err}
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
+	}
+
+	for _, endpoint := range endpoints {
+		if endpoint.GroupID == portainer.EndpointGroupID(endpointGroupID) {
+			endpoint.GroupID = portainer.EndpointGroupID(1)
+			err = handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update endpoint", err}
+			}
+		}
+	}
+
+	return response.Empty(w)
+}

api/http/handler/endpointgroups/endpointgroup_inspect.go

@@ -0,0 +1,27 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// GET request on /api/endpoint_groups/:id
+func (handler *Handler) endpointGroupInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint group identifier route variable", err}
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	}
+
+	return response.JSON(w, endpointGroup)
+}

api/http/handler/endpointgroups/endpointgroup_list.go

@@ -0,0 +1,25 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+// GET request on /api/endpoint_groups
+func (handler *Handler) endpointGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from the database", err}
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	endpointGroups = security.FilterEndpointGroups(endpointGroups, securityContext)
+	return response.JSON(w, endpointGroups)
+}

api/http/handler/endpointgroups/endpointgroup_update.go

@@ -0,0 +1,73 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointGroupUpdatePayload struct {
+	Name                string
+	Description         string
+	AssociatedEndpoints []portainer.EndpointID
+	Tags                []string
+}
+
+func (payload *endpointGroupUpdatePayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// PUT request on /api/endpoint_groups/:id
+func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint group identifier route variable", err}
+	}
+
+	var payload endpointGroupUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	}
+
+	if payload.Name != "" {
+		endpointGroup.Name = payload.Name
+	}
+
+	if payload.Description != "" {
+		endpointGroup.Description = payload.Description
+	}
+
+	if payload.Tags != nil {
+		endpointGroup.Tags = payload.Tags
+	}
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint group changes inside the database", err}
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
+	}
+
+	for _, endpoint := range endpoints {
+		err = handler.updateEndpointGroup(endpoint, portainer.EndpointGroupID(endpointGroupID), payload.AssociatedEndpoints)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update endpoint", err}
+		}
+	}
+
+	return response.JSON(w, endpointGroup)
+}

api/http/handler/endpointgroups/endpointgroup_update_access.go

@@ -0,0 +1,63 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointGroupUpdateAccessPayload struct {
+	AuthorizedUsers []int
+	AuthorizedTeams []int
+}
+
+func (payload *endpointGroupUpdateAccessPayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// PUT request on /api/endpoint_groups/:id/access
+func (handler *Handler) endpointGroupUpdateAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint group identifier route variable", err}
+	}
+
+	var payload endpointGroupUpdateAccessPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
+	}
+
+	if payload.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range payload.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		endpointGroup.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if payload.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range payload.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		endpointGroup.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint group changes inside the database", err}
+	}
+
+	return response.JSON(w, endpointGroup)
+}

api/http/handler/endpointgroups/handler.go

@@ -0,0 +1,69 @@
+package endpointgroups
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+)
+
+// Handler is the HTTP handler used to handle endpoint group operations.
+type Handler struct {
+	*mux.Router
+	EndpointService      portainer.EndpointService
+	EndpointGroupService portainer.EndpointGroupService
+}
+
+// NewHandler creates a handler to manage endpoint group operations.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+	h.Handle("/endpoint_groups",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointGroupCreate))).Methods(http.MethodPost)
+	h.Handle("/endpoint_groups",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointGroupList))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointGroupInspect))).Methods(http.MethodGet)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointGroupUpdate))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}/access",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointGroupUpdateAccess))).Methods(http.MethodPut)
+	h.Handle("/endpoint_groups/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointGroupDelete))).Methods(http.MethodDelete)
+
+	return h
+}
+
+func (handler *Handler) checkForGroupUnassignment(endpoint portainer.Endpoint, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+		if id == endpoint.ID {
+			return nil
+		}
+	}
+
+	endpoint.GroupID = portainer.EndpointGroupID(1)
+	return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+}
+
+func (handler *Handler) checkForGroupAssignment(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	for _, id := range associatedEndpoints {
+
+		if id == endpoint.ID {
+			endpoint.GroupID = groupID
+			return handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		}
+	}
+	return nil
+}
+
+func (handler *Handler) updateEndpointGroup(endpoint portainer.Endpoint, groupID portainer.EndpointGroupID, associatedEndpoints []portainer.EndpointID) error {
+	if endpoint.GroupID == groupID {
+		return handler.checkForGroupUnassignment(endpoint, associatedEndpoints)
+	} else if endpoint.GroupID == portainer.EndpointGroupID(1) {
+		return handler.checkForGroupAssignment(endpoint, groupID, associatedEndpoints)
+	}
+	return nil
+}

api/http/handler/endpointproxy/handler.go

@@ -0,0 +1,32 @@
+package endpointproxy
+
+import (
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+)
+
+// Handler is the HTTP handler used to proxy requests to external APIs.
+type Handler struct {
+	*mux.Router
+	requestBouncer  *security.RequestBouncer
+	EndpointService portainer.EndpointService
+	ProxyManager    *proxy.Manager
+}
+
+// NewHandler creates a handler to proxy requests to external APIs.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router:         mux.NewRouter(),
+		requestBouncer: bouncer,
+	}
+	h.PathPrefix("/{id}/azure").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
+	h.PathPrefix("/{id}/docker").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
+	h.PathPrefix("/{id}/extensions/storidge").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToStoridgeAPI)))
+	return h
+}

api/http/handler/endpointproxy/proxy_azure.go

@@ -0,0 +1,43 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToAzureAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	err = handler.requestBouncer.EndpointAccess(r, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetProxy(string(endpointID))
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/azure", proxy).ServeHTTP(w, r)
+	return nil
+}

api/http/handler/endpointproxy/proxy_docker.go

@@ -0,0 +1,43 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	err = handler.requestBouncer.EndpointAccess(r, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetProxy(string(endpointID))
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/docker", proxy).ServeHTTP(w, r)
+	return nil
+}

api/http/handler/endpointproxy/proxy_storidge.go

@@ -0,0 +1,56 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	err = handler.requestBouncer.EndpointAccess(r, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+	}
+
+	var storidgeExtension *portainer.EndpointExtension
+	for _, extension := range endpoint.Extensions {
+		if extension.Type == portainer.StoridgeEndpointExtension {
+			storidgeExtension = &extension
+		}
+	}
+
+	if storidgeExtension == nil {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Storidge extension not supported on this endpoint", portainer.ErrEndpointExtensionNotSupported}
+	}
+
+	proxyExtensionKey := string(endpoint.ID) + "_" + string(portainer.StoridgeEndpointExtension)
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetExtensionProxy(proxyExtensionKey)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create extension proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/extensions/storidge", proxy).ServeHTTP(w, r)
+	return nil
+}

api/http/handler/endpoints/endpoint_create.go

@@ -0,0 +1,306 @@
+package endpoints
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/http/client"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointCreatePayload struct {
+	Name                   string
+	URL                    string
+	EndpointType           int
+	PublicURL              string
+	GroupID                int
+	TLS                    bool
+	TLSSkipVerify          bool
+	TLSSkipClientVerify    bool
+	TLSCACertFile          []byte
+	TLSCertFile            []byte
+	TLSKeyFile             []byte
+	AzureApplicationID     string
+	AzureTenantID          string
+	AzureAuthenticationKey string
+	Tags                   []string
+}
+
+func (payload *endpointCreatePayload) Validate(r *http.Request) error {
+	name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
+	if err != nil {
+		return portainer.Error("Invalid stack name")
+	}
+	payload.Name = name
+
+	endpointType, err := request.RetrieveNumericMultiPartFormValue(r, "EndpointType", false)
+	if err != nil || endpointType == 0 {
+		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment) or 3 (Azure environment)")
+	}
+	payload.EndpointType = endpointType
+
+	groupID, _ := request.RetrieveNumericMultiPartFormValue(r, "GroupID", true)
+	if groupID == 0 {
+		groupID = 1
+	}
+	payload.GroupID = groupID
+
+	var tags []string
+	err = request.RetrieveMultiPartFormJSONValue(r, "Tags", &tags, true)
+	if err != nil {
+		return portainer.Error("Invalid Tags parameter")
+	}
+	payload.Tags = tags
+
+	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
+	payload.TLS = useTLS
+
+	if payload.TLS {
+		skipTLSServerVerification, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLSSkipVerify", true)
+		payload.TLSSkipVerify = skipTLSServerVerification
+		skipTLSClientVerification, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLSSkipClientVerify", true)
+		payload.TLSSkipClientVerify = skipTLSClientVerification
+
+		if !payload.TLSSkipVerify {
+			caCert, err := request.RetrieveMultiPartFormFile(r, "TLSCACertFile")
+			if err != nil {
+				return portainer.Error("Invalid CA certificate file. Ensure that the file is uploaded correctly")
+			}
+			payload.TLSCACertFile = caCert
+		}
+
+		if !payload.TLSSkipClientVerify {
+			cert, err := request.RetrieveMultiPartFormFile(r, "TLSCertFile")
+			if err != nil {
+				return portainer.Error("Invalid certificate file. Ensure that the file is uploaded correctly")
+			}
+			payload.TLSCertFile = cert
+
+			key, err := request.RetrieveMultiPartFormFile(r, "TLSKeyFile")
+			if err != nil {
+				return portainer.Error("Invalid key file. Ensure that the file is uploaded correctly")
+			}
+			payload.TLSKeyFile = key
+		}
+	}
+
+	switch portainer.EndpointType(payload.EndpointType) {
+	case portainer.AzureEnvironment:
+		azureApplicationID, err := request.RetrieveMultiPartFormValue(r, "AzureApplicationID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure application ID")
+		}
+		payload.AzureApplicationID = azureApplicationID
+
+		azureTenantID, err := request.RetrieveMultiPartFormValue(r, "AzureTenantID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure tenant ID")
+		}
+		payload.AzureTenantID = azureTenantID
+
+		azureAuthenticationKey, err := request.RetrieveMultiPartFormValue(r, "AzureAuthenticationKey", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure authentication key")
+		}
+		payload.AzureAuthenticationKey = azureAuthenticationKey
+	default:
+		url, err := request.RetrieveMultiPartFormValue(r, "URL", false)
+		if err != nil {
+			return portainer.Error("Invalid endpoint URL")
+		}
+		payload.URL = url
+
+		publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
+		payload.PublicURL = publicURL
+	}
+
+	return nil
+}
+
+// POST request on /api/endpoints
+func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
+	payload := &endpointCreatePayload{}
+	err := payload.Validate(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpoint, endpointCreationError := handler.createEndpoint(payload)
+	if endpointCreationError != nil {
+		return endpointCreationError
+	}
+
+	return response.JSON(w, endpoint)
+}
+
+func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	if portainer.EndpointType(payload.EndpointType) == portainer.AzureEnvironment {
+		return handler.createAzureEndpoint(payload)
+	}
+
+	if payload.TLS {
+		return handler.createTLSSecuredEndpoint(payload)
+	}
+	return handler.createUnsecuredEndpoint(payload)
+}
+
+func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	credentials := portainer.AzureCredentials{
+		ApplicationID:     payload.AzureApplicationID,
+		TenantID:          payload.AzureTenantID,
+		AuthenticationKey: payload.AzureAuthenticationKey,
+	}
+
+	httpClient := client.NewHTTPClient()
+	_, err := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", err}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:             payload.Name,
+		URL:              payload.URL,
+		Type:             portainer.AzureEnvironment,
+		GroupID:          portainer.EndpointGroupID(payload.GroupID),
+		PublicURL:        payload.PublicURL,
+		AuthorizedUsers:  []portainer.UserID{},
+		AuthorizedTeams:  []portainer.TeamID{},
+		Extensions:       []portainer.EndpointExtension{},
+		AzureCredentials: credentials,
+		Tags:             payload.Tags,
+	}
+
+	err = handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
+	}
+
+	return endpoint, nil
+}
+
+func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	endpointType := portainer.DockerEnvironment
+
+	if !strings.HasPrefix(payload.URL, "unix://") {
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.URL, nil)
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to ping Docker environment", err}
+		}
+		if agentOnDockerEnvironment {
+			endpointType = portainer.AgentOnDockerEnvironment
+		}
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.Name,
+		URL:       payload.URL,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.GroupID),
+		PublicURL: payload.PublicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+		Tags:            payload.Tags,
+	}
+
+	err := handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
+	}
+
+	return endpoint, nil
+}
+
+func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipClientVerify, payload.TLSSkipVerify)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to create TLS configuration", err}
+	}
+
+	agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.URL, tlsConfig)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to ping Docker environment", err}
+	}
+
+	endpointType := portainer.DockerEnvironment
+	if agentOnDockerEnvironment {
+		endpointType = portainer.AgentOnDockerEnvironment
+	}
+
+	endpoint := &portainer.Endpoint{
+		Name:      payload.Name,
+		URL:       payload.URL,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(payload.GroupID),
+		PublicURL: payload.PublicURL,
+		TLSConfig: portainer.TLSConfiguration{
+			TLS:           payload.TLS,
+			TLSSkipVerify: payload.TLSSkipVerify,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+		Tags:            payload.Tags,
+	}
+
+	err = handler.EndpointService.CreateEndpoint(endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
+	}
+
+	filesystemError := handler.storeTLSFiles(endpoint, payload)
+	if err != nil {
+		handler.EndpointService.DeleteEndpoint(endpoint.ID)
+		return nil, filesystemError
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
+	}
+
+	return endpoint, nil
+}
+
+func (handler *Handler) storeTLSFiles(endpoint *portainer.Endpoint, payload *endpointCreatePayload) *httperror.HandlerError {
+	folder := strconv.Itoa(int(endpoint.ID))
+
+	if !payload.TLSSkipVerify {
+		caCertPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileCA, payload.TLSCACertFile)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS CA certificate file on disk", err}
+		}
+		endpoint.TLSConfig.TLSCACertPath = caCertPath
+	}
+
+	if !payload.TLSSkipClientVerify {
+		certPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileCert, payload.TLSCertFile)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS certificate file on disk", err}
+		}
+		endpoint.TLSConfig.TLSCertPath = certPath
+
+		keyPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileKey, payload.TLSKeyFile)
+		if err != nil {
+			handler.EndpointService.DeleteEndpoint(endpoint.ID)
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS key file on disk", err}
+		}
+		endpoint.TLSConfig.TLSKeyPath = keyPath
+	}
+
+	return nil
+}

api/http/handler/endpoints/endpoint_delete.go

@@ -0,0 +1,48 @@
+package endpoints
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// DELETE request on /api/endpoints/:id
+func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	if endpoint.TLSConfig.TLS {
+		folder := strconv.Itoa(endpointID)
+		err = handler.FileService.DeleteTLSFiles(folder)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove TLS files from disk", err}
+		}
+	}
+
+	err = handler.EndpointService.DeleteEndpoint(portainer.EndpointID(endpointID))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove endpoint from the database", err}
+	}
+
+	handler.ProxyManager.DeleteProxy(string(endpointID))
+	handler.ProxyManager.DeleteExtensionProxies(string(endpointID))
+
+	return response.Empty(w)
+}

api/http/handler/endpoints/endpoint_extension_add.go

@@ -0,0 +1,73 @@
+package endpoints
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointExtensionAddPayload struct {
+	Type int
+	URL  string
+}
+
+func (payload *endpointExtensionAddPayload) Validate(r *http.Request) error {
+	if payload.Type != 1 {
+		return portainer.Error("Invalid type value. Value must be one of: 1 (Storidge)")
+	}
+	if payload.Type == 1 && govalidator.IsNull(payload.URL) {
+		return portainer.Error("Invalid extension URL")
+	}
+	return nil
+}
+
+// POST request on /api/endpoints/:id/extensions
+func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	var payload endpointExtensionAddPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	extensionType := portainer.EndpointExtensionType(payload.Type)
+
+	var extension *portainer.EndpointExtension
+	for _, ext := range endpoint.Extensions {
+		if ext.Type == extensionType {
+			extension = &ext
+		}
+	}
+
+	if extension != nil {
+		extension.URL = payload.URL
+	} else {
+		extension = &portainer.EndpointExtension{
+			Type: extensionType,
+			URL:  payload.URL,
+		}
+		endpoint.Extensions = append(endpoint.Extensions, *extension)
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
+	}
+
+	return response.JSON(w, extension)
+}

api/http/handler/endpoints/endpoint_extension_remove.go

@@ -0,0 +1,43 @@
+package endpoints
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// DELETE request on /api/endpoints/:id/extensions/:extensionType
+func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	extensionType, err := request.RetrieveNumericRouteVariableValue(r, "extensionType")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid extension type route variable", err}
+	}
+
+	for idx, ext := range endpoint.Extensions {
+		if ext.Type == portainer.EndpointExtensionType(extensionType) {
+			endpoint.Extensions = append(endpoint.Extensions[:idx], endpoint.Extensions[idx+1:]...)
+		}
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
+	}
+
+	return response.Empty(w)
+}

api/http/handler/endpoints/endpoint_inspect.go

@@ -0,0 +1,27 @@
+package endpoints
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// GET request on /api/endpoints/:id
+func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	return response.JSON(w, endpoint)
+}

api/http/handler/endpoints/endpoint_list.go

@@ -0,0 +1,34 @@
+package endpoints
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+// GET request on /api/endpoints
+func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
+	}
+
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from the database", err}
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	filteredEndpoints := security.FilterEndpoints(endpoints, endpointGroups, securityContext)
+
+	for _, endpoint := range filteredEndpoints {
+		hideFields(&endpoint)
+	}
+	return response.JSON(w, filteredEndpoints)
+}

api/http/handler/endpoints/endpoint_update.go

@@ -0,0 +1,142 @@
+package endpoints
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/client"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointUpdatePayload struct {
+	Name                   string
+	URL                    string
+	PublicURL              string
+	GroupID                int
+	TLS                    bool
+	TLSSkipVerify          bool
+	TLSSkipClientVerify    bool
+	AzureApplicationID     string
+	AzureTenantID          string
+	AzureAuthenticationKey string
+	Tags                   []string
+}
+
+func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// PUT request on /api/endpoints/:id
+func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	var payload endpointUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	if payload.Name != "" {
+		endpoint.Name = payload.Name
+	}
+
+	if payload.URL != "" {
+		endpoint.URL = payload.URL
+	}
+
+	if payload.PublicURL != "" {
+		endpoint.PublicURL = payload.PublicURL
+	}
+
+	if payload.GroupID != 0 {
+		endpoint.GroupID = portainer.EndpointGroupID(payload.GroupID)
+	}
+
+	if payload.Tags != nil {
+		endpoint.Tags = payload.Tags
+	}
+
+	if endpoint.Type == portainer.AzureEnvironment {
+		credentials := endpoint.AzureCredentials
+		if payload.AzureApplicationID != "" {
+			credentials.ApplicationID = payload.AzureApplicationID
+		}
+		if payload.AzureTenantID != "" {
+			credentials.TenantID = payload.AzureTenantID
+		}
+		if payload.AzureAuthenticationKey != "" {
+			credentials.AuthenticationKey = payload.AzureAuthenticationKey
+		}
+
+		httpClient := client.NewHTTPClient()
+		_, authErr := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+		if authErr != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", authErr}
+		}
+		endpoint.AzureCredentials = credentials
+	}
+
+	folder := strconv.Itoa(endpointID)
+	if payload.TLS {
+		endpoint.TLSConfig.TLS = true
+		endpoint.TLSConfig.TLSSkipVerify = payload.TLSSkipVerify
+		if !payload.TLSSkipVerify {
+			caCertPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCA)
+			endpoint.TLSConfig.TLSCACertPath = caCertPath
+		} else {
+			endpoint.TLSConfig.TLSCACertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCA)
+		}
+
+		if !payload.TLSSkipClientVerify {
+			certPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSCertPath = certPath
+			keyPath, _ := handler.FileService.GetPathForTLSFile(folder, portainer.TLSFileKey)
+			endpoint.TLSConfig.TLSKeyPath = keyPath
+		} else {
+			endpoint.TLSConfig.TLSCertPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileCert)
+			endpoint.TLSConfig.TLSKeyPath = ""
+			handler.FileService.DeleteTLSFile(folder, portainer.TLSFileKey)
+		}
+	} else {
+		endpoint.TLSConfig.TLS = false
+		endpoint.TLSConfig.TLSSkipVerify = false
+		endpoint.TLSConfig.TLSCACertPath = ""
+		endpoint.TLSConfig.TLSCertPath = ""
+		endpoint.TLSConfig.TLSKeyPath = ""
+		err = handler.FileService.DeleteTLSFiles(folder)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove TLS files from disk", err}
+		}
+	}
+
+	_, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to register HTTP proxy for the endpoint", err}
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
+	}
+
+	return response.JSON(w, endpoint)
+}

api/http/handler/endpoints/endpoint_update_access.go

@@ -0,0 +1,67 @@
+package endpoints
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type endpointUpdateAccessPayload struct {
+	AuthorizedUsers []int
+	AuthorizedTeams []int
+}
+
+func (payload *endpointUpdateAccessPayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// PUT request on /api/endpoints/:id/access
+func (handler *Handler) endpointUpdateAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	var payload endpointUpdateAccessPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	if payload.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range payload.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		endpoint.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if payload.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range payload.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		endpoint.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
+	}
+
+	return response.JSON(w, endpoint)
+}

api/http/handler/endpoints/handler.go

@@ -0,0 +1,59 @@
+package endpoints
+
+import (
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+const (
+	// ErrEndpointManagementDisabled is an error raised when trying to access the endpoints management endpoints
+	// when the server has been started with the --external-endpoints flag
+	ErrEndpointManagementDisabled = portainer.Error("Endpoint management is disabled")
+)
+
+func hideFields(endpoint *portainer.Endpoint) {
+	endpoint.AzureCredentials = portainer.AzureCredentials{}
+}
+
+// Handler is the HTTP handler used to handle endpoint operations.
+type Handler struct {
+	*mux.Router
+	authorizeEndpointManagement bool
+	EndpointService             portainer.EndpointService
+	EndpointGroupService        portainer.EndpointGroupService
+	FileService                 portainer.FileService
+	ProxyManager                *proxy.Manager
+}
+
+// NewHandler creates a handler to manage endpoint operations.
+func NewHandler(bouncer *security.RequestBouncer, authorizeEndpointManagement bool) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+		authorizeEndpointManagement: authorizeEndpointManagement,
+	}
+
+	h.Handle("/endpoints",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointCreate))).Methods(http.MethodPost)
+	h.Handle("/endpoints",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointList))).Methods(http.MethodGet)
+	h.Handle("/endpoints/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointInspect))).Methods(http.MethodGet)
+	h.Handle("/endpoints/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
+	h.Handle("/endpoints/{id}/access",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointUpdateAccess))).Methods(http.MethodPut)
+	h.Handle("/endpoints/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
+	h.Handle("/endpoints/{id}/extensions",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointExtensionAdd))).Methods(http.MethodPost)
+	h.Handle("/endpoints/{id}/extensions/{extensionType}",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointExtensionRemove))).Methods(http.MethodDelete)
+
+	return h
+}

api/http/handler/file/handler.go

@@ -0,0 +1,37 @@
+package file
+
+import (
+	"net/http"
+	"strings"
+)
+
+// Handler represents an HTTP API handler for managing static files.
+type Handler struct {
+	http.Handler
+}
+
+// NewHandler creates a handler to serve static files.
+func NewHandler(assetPublicPath string) *Handler {
+	h := &Handler{
+		Handler: http.FileServer(http.Dir(assetPublicPath)),
+	}
+	return h
+}
+
+func isHTML(acceptContent []string) bool {
+	for _, accept := range acceptContent {
+		if strings.Contains(accept, "text/html") {
+			return true
+		}
+	}
+	return false
+}
+
+func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if !isHTML(r.Header["Accept"]) {
+		w.Header().Set("Cache-Control", "max-age=31536000")
+	} else {
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	}
+	handler.Handler.ServeHTTP(w, r)
+}

api/http/handler/handler.go

@@ -0,0 +1,97 @@
+package handler
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/portainer/portainer/http/handler/auth"
+	"github.com/portainer/portainer/http/handler/dockerhub"
+	"github.com/portainer/portainer/http/handler/endpointgroups"
+	"github.com/portainer/portainer/http/handler/endpointproxy"
+	"github.com/portainer/portainer/http/handler/endpoints"
+	"github.com/portainer/portainer/http/handler/file"
+	"github.com/portainer/portainer/http/handler/registries"
+	"github.com/portainer/portainer/http/handler/resourcecontrols"
+	"github.com/portainer/portainer/http/handler/settings"
+	"github.com/portainer/portainer/http/handler/stacks"
+	"github.com/portainer/portainer/http/handler/status"
+	"github.com/portainer/portainer/http/handler/tags"
+	"github.com/portainer/portainer/http/handler/teammemberships"
+	"github.com/portainer/portainer/http/handler/teams"
+	"github.com/portainer/portainer/http/handler/templates"
+	"github.com/portainer/portainer/http/handler/upload"
+	"github.com/portainer/portainer/http/handler/users"
+	"github.com/portainer/portainer/http/handler/websocket"
+)
+
+// Handler is a collection of all the service handlers.
+type Handler struct {
+	AuthHandler *auth.Handler
+
+	DockerHubHandler       *dockerhub.Handler
+	EndpointGroupHandler   *endpointgroups.Handler
+	EndpointHandler        *endpoints.Handler
+	EndpointProxyHandler   *endpointproxy.Handler
+	FileHandler            *file.Handler
+	RegistryHandler        *registries.Handler
+	ResourceControlHandler *resourcecontrols.Handler
+	SettingsHandler        *settings.Handler
+	StackHandler           *stacks.Handler
+	StatusHandler          *status.Handler
+	TagHandler             *tags.Handler
+	TeamMembershipHandler  *teammemberships.Handler
+	TeamHandler            *teams.Handler
+	TemplatesHandler       *templates.Handler
+	UploadHandler          *upload.Handler
+	UserHandler            *users.Handler
+	WebSocketHandler       *websocket.Handler
+}
+
+// ServeHTTP delegates a request to the appropriate subhandler.
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	switch {
+	case strings.HasPrefix(r.URL.Path, "/api/auth"):
+		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
+		http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
+		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/endpoints"):
+		switch {
+		case strings.Contains(r.URL.Path, "/docker/"):
+			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/extensions/storidge"):
+			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/azure/"):
+			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
+		default:
+			http.StripPrefix("/api", h.EndpointHandler).ServeHTTP(w, r)
+		}
+	case strings.HasPrefix(r.URL.Path, "/api/registries"):
+		http.StripPrefix("/api", h.RegistryHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/resource_controls"):
+		http.StripPrefix("/api", h.ResourceControlHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/settings"):
+		http.StripPrefix("/api", h.SettingsHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/stacks"):
+		http.StripPrefix("/api", h.StackHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/status"):
+		http.StripPrefix("/api", h.StatusHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/tags"):
+		http.StripPrefix("/api", h.TagHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/templates"):
+		http.StripPrefix("/api", h.TemplatesHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/upload"):
+		http.StripPrefix("/api", h.UploadHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/users"):
+		http.StripPrefix("/api", h.UserHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/teams"):
+		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/team_memberships"):
+		http.StripPrefix("/api", h.TeamMembershipHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/websocket"):
+		http.StripPrefix("/api", h.WebSocketHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/"):
+		h.FileHandler.ServeHTTP(w, r)
+	}
+}

api/http/handler/registries/handler.go

@@ -0,0 +1,43 @@
+package registries
+
+import (
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+func hideFields(registry *portainer.Registry) {
+	registry.Password = ""
+}
+
+// Handler is the HTTP handler used to handle registry operations.
+type Handler struct {
+	*mux.Router
+	RegistryService portainer.RegistryService
+}
+
+// NewHandler creates a handler to manage registry operations.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+
+	h.Handle("/registries",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryCreate))).Methods(http.MethodPost)
+	h.Handle("/registries",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.registryList))).Methods(http.MethodGet)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryInspect))).Methods(http.MethodGet)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdate))).Methods(http.MethodPut)
+	h.Handle("/registries/{id}/access",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdateAccess))).Methods(http.MethodPut)
+	h.Handle("/registries/{id}",
+		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryDelete))).Methods(http.MethodDelete)
+
+	return h
+}

api/http/handler/registries/registry_create.go

@@ -0,0 +1,68 @@
+package registries
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type registryCreatePayload struct {
+	Name           string
+	URL            string
+	Authentication bool
+	Username       string
+	Password       string
+}
+
+func (payload *registryCreatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Name) {
+		return portainer.Error("Invalid registry name")
+	}
+	if govalidator.IsNull(payload.URL) {
+		return portainer.Error("Invalid registry URL")
+	}
+	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
+		return portainer.Error("Invalid credentials. Username and password must be specified when authentication is enabled")
+	}
+	return nil
+}
+
+func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload registryCreatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
+	}
+	for _, r := range registries {
+		if r.URL == payload.URL {
+			return &httperror.HandlerError{http.StatusConflict, "A registry with the same URL already exists", portainer.ErrRegistryAlreadyExists}
+		}
+	}
+
+	registry := &portainer.Registry{
+		Name:            payload.Name,
+		URL:             payload.URL,
+		Authentication:  payload.Authentication,
+		Username:        payload.Username,
+		Password:        payload.Password,
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+	}
+
+	err = handler.RegistryService.CreateRegistry(registry)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the registry inside the database", err}
+	}
+
+	hideFields(registry)
+	return response.JSON(w, registry)
+}

api/http/handler/registries/registry_delete.go

@@ -0,0 +1,32 @@
+package registries
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// DELETE request on /api/registries/:id
+func (handler *Handler) registryDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	_, err = handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	err = handler.RegistryService.DeleteRegistry(portainer.RegistryID(registryID))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the registry from the database", err}
+	}
+
+	return response.Empty(w)
+}

api/http/handler/registries/registry_inspect.go

@@ -0,0 +1,28 @@
+package registries
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+// GET request on /api/registries/:id
+func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	hideFields(registry)
+	return response.JSON(w, registry)
+}

api/http/handler/registries/registry_list.go

@@ -0,0 +1,29 @@
+package registries
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+// GET request on /api/registries
+func (handler *Handler) registryList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	filteredRegistries := security.FilterRegistries(registries, securityContext)
+
+	for _, registry := range filteredRegistries {
+		hideFields(&registry)
+	}
+	return response.JSON(w, registries)
+}

api/http/handler/registries/registry_update.go

@@ -0,0 +1,82 @@
+package registries
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type registryUpdatePayload struct {
+	Name           string
+	URL            string
+	Authentication bool
+	Username       string
+	Password       string
+}
+
+func (payload *registryUpdatePayload) Validate(r *http.Request) error {
+	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
+		return portainer.Error("Invalid credentials. Username and password must be specified when authentication is enabled")
+	}
+	return nil
+}
+
+// PUT request on /api/registries/:id
+func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	var payload registryUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	registries, err := handler.RegistryService.Registries()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve registries from the database", err}
+	}
+	for _, r := range registries {
+		if r.URL == payload.URL && r.ID != registry.ID {
+			return &httperror.HandlerError{http.StatusConflict, "Another registry with the same URL already exists", portainer.ErrRegistryAlreadyExists}
+		}
+	}
+
+	if payload.Name != "" {
+		registry.Name = payload.Name
+	}
+
+	if payload.URL != "" {
+		registry.URL = payload.URL
+	}
+
+	if payload.Authentication {
+		registry.Authentication = true
+		registry.Username = payload.Username
+		registry.Password = payload.Password
+	} else {
+		registry.Authentication = false
+		registry.Username = ""
+		registry.Password = ""
+	}
+
+	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist registry changes inside the database", err}
+	}
+
+	return response.JSON(w, registry)
+}

api/http/handler/registries/registry_update_access.go

@@ -0,0 +1,63 @@
+package registries
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+)
+
+type registryUpdateAccessPayload struct {
+	AuthorizedUsers []int
+	AuthorizedTeams []int
+}
+
+func (payload *registryUpdateAccessPayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// PUT request on /api/registries/:id/access
+func (handler *Handler) registryUpdateAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
+	}
+
+	var payload registryUpdateAccessPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
+	}
+
+	if payload.AuthorizedUsers != nil {
+		authorizedUserIDs := []portainer.UserID{}
+		for _, value := range payload.AuthorizedUsers {
+			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
+		}
+		registry.AuthorizedUsers = authorizedUserIDs
+	}
+
+	if payload.AuthorizedTeams != nil {
+		authorizedTeamIDs := []portainer.TeamID{}
+		for _, value := range payload.AuthorizedTeams {
+			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
+		}
+		registry.AuthorizedTeams = authorizedTeamIDs
+	}
+
+	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist registry changes inside the database", err}
+	}
+
+	return response.JSON(w, registry)
+}

api/http/handler/resourcecontrols/handler.go

@@ -0,0 +1,31 @@
+package resourcecontrols
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/security"
+)
+
+// Handler is the HTTP handler used to handle resource control operations.
+type Handler struct {
+	*mux.Router
+	ResourceControlService portainer.ResourceControlService
+}
+
+// NewHandler creates a handler to manage resource control operations.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+	h.Handle("/resource_controls",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.resourceControlCreate))).Methods(http.MethodPost)
+	h.Handle("/resource_controls/{id}",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.resourceControlUpdate))).Methods(http.MethodPut)
+	h.Handle("/resource_controls/{id}",
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.resourceControlDelete))).Methods(http.MethodDelete)
+
+	return h
+}

api/http/handler/resourcecontrols/resourcecontrol_create.go

@@ -0,0 +1,116 @@
+package resourcecontrols
+
+import (
+	"net/http"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+type resourceControlCreatePayload struct {
+	ResourceID         string
+	Type               string
+	AdministratorsOnly bool
+	Users              []int
+	Teams              []int
+	SubResourceIDs     []string
+}
+
+func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.ResourceID) {
+		return portainer.Error("Invalid resource identifier")
+	}
+
+	if govalidator.IsNull(payload.Type) {
+		return portainer.Error("Invalid type")
+	}
+
+	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.AdministratorsOnly {
+		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or AdministratorOnly")
+	}
+	return nil
+}
+
+// POST request on /api/resource_controls
+func (handler *Handler) resourceControlCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload resourceControlCreatePayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	var resourceControlType portainer.ResourceControlType
+	switch payload.Type {
+	case "container":
+		resourceControlType = portainer.ContainerResourceControl
+	case "service":
+		resourceControlType = portainer.ServiceResourceControl
+	case "volume":
+		resourceControlType = portainer.VolumeResourceControl
+	case "network":
+		resourceControlType = portainer.NetworkResourceControl
+	case "secret":
+		resourceControlType = portainer.SecretResourceControl
+	case "stack":
+		resourceControlType = portainer.StackResourceControl
+	case "config":
+		resourceControlType = portainer.ConfigResourceControl
+	default:
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid type value. Value must be one of: container, service, volume, network, secret, stack or config", portainer.ErrInvalidResourceControlType}
+	}
+
+	rc, err := handler.ResourceControlService.ResourceControlByResourceID(payload.ResourceID)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve resource controls from the database", err}
+	}
+	if rc != nil {
+		return &httperror.HandlerError{http.StatusConflict, "A resource control is already associated to this resource", portainer.ErrResourceControlAlreadyExists}
+	}
+
+	var userAccesses = make([]portainer.UserResourceAccess, 0)
+	for _, v := range payload.Users {
+		userAccess := portainer.UserResourceAccess{
+			UserID:      portainer.UserID(v),
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+		userAccesses = append(userAccesses, userAccess)
+	}
+
+	var teamAccesses = make([]portainer.TeamResourceAccess, 0)
+	for _, v := range payload.Teams {
+		teamAccess := portainer.TeamResourceAccess{
+			TeamID:      portainer.TeamID(v),
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+		teamAccesses = append(teamAccesses, teamAccess)
+	}
+
+	resourceControl := portainer.ResourceControl{
+		ResourceID:         payload.ResourceID,
+		SubResourceIDs:     payload.SubResourceIDs,
+		Type:               resourceControlType,
+		AdministratorsOnly: payload.AdministratorsOnly,
+		UserAccesses:       userAccesses,
+		TeamAccesses:       teamAccesses,
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	if !security.AuthorizedResourceControlCreation(&resourceControl, securityContext) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to create a resource control for the specified resource", portainer.ErrResourceAccessDenied}
+	}
+
+	err = handler.ResourceControlService.CreateResourceControl(&resourceControl)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the resource control inside the database", err}
+	}
+
+	return response.JSON(w, resourceControl)
+}

api/http/handler/resourcecontrols/resourcecontrol_delete.go

@@ -0,0 +1,42 @@
+package resourcecontrols
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+// DELETE request on /api/resource_controls/:id
+func (handler *Handler) resourceControlDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	resourceControlID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid resource control identifier route variable", err}
+	}
+
+	resourceControl, err := handler.ResourceControlService.ResourceControl(portainer.ResourceControlID(resourceControlID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a resource control with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a resource control with with the specified identifier inside the database", err}
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	if !security.AuthorizedResourceControlDeletion(resourceControl, securityContext) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to delete the resource control", portainer.ErrResourceAccessDenied}
+	}
+
+	err = handler.ResourceControlService.DeleteResourceControl(portainer.ResourceControlID(resourceControlID))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the resource control from the database", err}
+	}
+
+	return response.Empty(w)
+}

api/http/handler/resourcecontrols/resourcecontrol_update.go

@@ -0,0 +1,87 @@
+package resourcecontrols
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/response"
+	"github.com/portainer/portainer/http/security"
+)
+
+type resourceControlUpdatePayload struct {
+	AdministratorsOnly bool
+	Users              []int
+	Teams              []int
+}
+
+func (payload *resourceControlUpdatePayload) Validate(r *http.Request) error {
+	if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.AdministratorsOnly {
+		return portainer.Error("Invalid resource control declaration. Must specify Users, Teams or AdministratorOnly")
+	}
+	return nil
+}
+
+// PUT request on /api/resource_controls/:id
+func (handler *Handler) resourceControlUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	resourceControlID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid resource control identifier route variable", err}
+	}
+
+	var payload resourceControlUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	resourceControl, err := handler.ResourceControlService.ResourceControl(portainer.ResourceControlID(resourceControlID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a resource control with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a resource control with with the specified identifier inside the database", err}
+	}
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	if !security.AuthorizedResourceControlAccess(resourceControl, securityContext) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the resource control", portainer.ErrResourceAccessDenied}
+	}
+
+	resourceControl.AdministratorsOnly = payload.AdministratorsOnly
+
+	var userAccesses = make([]portainer.UserResourceAccess, 0)
+	for _, v := range payload.Users {
+		userAccess := portainer.UserResourceAccess{
+			UserID:      portainer.UserID(v),
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+		userAccesses = append(userAccesses, userAccess)
+	}
+	resourceControl.UserAccesses = userAccesses
+
+	var teamAccesses = make([]portainer.TeamResourceAccess, 0)
+	for _, v := range payload.Teams {
+		teamAccess := portainer.TeamResourceAccess{
+			TeamID:      portainer.TeamID(v),
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+		teamAccesses = append(teamAccesses, teamAccess)
+	}
+	resourceControl.TeamAccesses = teamAccesses
+
+	if !security.AuthorizedResourceControlUpdate(resourceControl, securityContext) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to update the resource control", portainer.ErrResourceAccessDenied}
+	}
+
+	err = handler.ResourceControlService.UpdateResourceControl(resourceControl.ID, resourceControl)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist resource control changes inside the database", err}
+	}
+
+	return response.JSON(w, resourceControl)
+}