refactor(api): API overhaul (#392)

api/http/auth_handler.go

@@ -0,0 +1,95 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"encoding/json"
+	"github.com/asaskevich/govalidator"
+	"github.com/gorilla/mux"
+	"log"
+	"net/http"
+	"os"
+)
+
+// AuthHandler represents an HTTP API handler for managing authentication.
+type AuthHandler struct {
+	*mux.Router
+	Logger        *log.Logger
+	UserService   portainer.UserService
+	CryptoService portainer.CryptoService
+	JWTService    portainer.JWTService
+}
+
+const (
+	// ErrInvalidCredentialsFormat is an error raised when credentials format is not valid
+	ErrInvalidCredentialsFormat = portainer.Error("Invalid credentials format")
+	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
+	ErrInvalidCredentials = portainer.Error("Invalid credentials")
+)
+
+// NewAuthHandler returns a new instance of DialHandler.
+func NewAuthHandler() *AuthHandler {
+	h := &AuthHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.HandleFunc("/auth", h.handlePostAuth)
+	return h
+}
+
+func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		handleNotAllowed(w, []string{"POST"})
+		return
+	}
+
+	var req postAuthRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		Error(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		Error(w, ErrInvalidCredentialsFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var username = req.Username
+	var password = req.Password
+
+	u, err := handler.UserService.User(username)
+	if err == portainer.ErrUserNotFound {
+		Error(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.CryptoService.CompareHashAndData(u.Password, password)
+	if err != nil {
+		Error(w, ErrInvalidCredentials, http.StatusUnprocessableEntity, handler.Logger)
+		return
+	}
+
+	tokenData := &portainer.TokenData{
+		username,
+	}
+	token, err := handler.JWTService.GenerateToken(tokenData)
+	if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postAuthResponse{JWT: token}, handler.Logger)
+}
+
+type postAuthRequest struct {
+	Username string `valid:"alphanum,required"`
+	Password string `valid:"required"`
+}
+
+type postAuthResponse struct {
+	JWT string `json:"jwt"`
+}

api/http/docker_handler.go

@@ -0,0 +1,115 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"github.com/gorilla/mux"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+)
+
+// DockerHandler represents an HTTP API handler for proxying requests to the Docker API.
+type DockerHandler struct {
+	*mux.Router
+	Logger            *log.Logger
+	middleWareService *middleWareService
+	proxy             http.Handler
+}
+
+// NewDockerHandler returns a new instance of DockerHandler.
+func NewDockerHandler(middleWareService *middleWareService) *DockerHandler {
+	h := &DockerHandler{
+		Router:            mux.NewRouter(),
+		Logger:            log.New(os.Stderr, "", log.LstdFlags),
+		middleWareService: middleWareService,
+	}
+	h.PathPrefix("/").Handler(middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.proxyRequestsToDockerAPI(w, r)
+	})))
+	return h
+}
+
+func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) {
+	handler.proxy.ServeHTTP(w, r)
+}
+
+func (handler *DockerHandler) setupProxy(config *portainer.EndpointConfiguration) error {
+	var proxy http.Handler
+	endpointURL, err := url.Parse(config.Endpoint)
+	if err != nil {
+		return err
+	}
+	if endpointURL.Scheme == "tcp" {
+		if config.TLS {
+			proxy, err = newHTTPSProxy(endpointURL, config)
+			if err != nil {
+				return err
+			}
+		} else {
+			proxy = newHTTPProxy(endpointURL)
+		}
+	} else {
+		// Assume unix:// scheme
+		proxy = newSocketProxy(endpointURL.Path)
+	}
+	handler.proxy = proxy
+	return nil
+}
+
+func newHTTPProxy(u *url.URL) http.Handler {
+	u.Scheme = "http"
+	return httputil.NewSingleHostReverseProxy(u)
+}
+
+func newHTTPSProxy(u *url.URL, endpointConfig *portainer.EndpointConfiguration) (http.Handler, error) {
+	u.Scheme = "https"
+	proxy := httputil.NewSingleHostReverseProxy(u)
+	config, err := createTLSConfiguration(endpointConfig.TLSCACertPath, endpointConfig.TLSCertPath, endpointConfig.TLSKeyPath)
+	if err != nil {
+		return nil, err
+	}
+	proxy.Transport = &http.Transport{
+		TLSClientConfig: config,
+	}
+	return proxy, nil
+}
+
+func newSocketProxy(path string) http.Handler {
+	return &unixSocketHandler{path}
+}
+
+// unixSocketHandler represents a handler to proxy HTTP requests via a unix:// socket
+type unixSocketHandler struct {
+	path string
+}
+
+func (h *unixSocketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	conn, err := net.Dial("unix", h.path)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	c := httputil.NewClientConn(conn, nil)
+	defer c.Close()
+
+	res, err := c.Do(r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	defer res.Body.Close()
+
+	for k, vv := range res.Header {
+		for _, v := range vv {
+			w.Header().Add(k, v)
+		}
+	}
+	if _, err := io.Copy(w, res.Body); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}

api/http/handler.go

@@ -0,0 +1,76 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"encoding/json"
+	"log"
+	"net/http"
+	"strings"
+)
+
+// Handler is a collection of all the service handlers.
+type Handler struct {
+	AuthHandler      *AuthHandler
+	UserHandler      *UserHandler
+	SettingsHandler  *SettingsHandler
+	TemplatesHandler *TemplatesHandler
+	DockerHandler    *DockerHandler
+	WebSocketHandler *WebSocketHandler
+	FileHandler      http.Handler
+}
+
+const (
+	// ErrInvalidJSON defines an error raised the app is unable to parse request data
+	ErrInvalidJSON = portainer.Error("Invalid JSON")
+	// ErrInvalidRequestFormat defines an error raised when the format of the data sent in a request is not valid
+	ErrInvalidRequestFormat = portainer.Error("Invalid request data format")
+)
+
+// ServeHTTP delegates a request to the appropriate subhandler.
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if strings.HasPrefix(r.URL.Path, "/api/auth") {
+		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/users") {
+		http.StripPrefix("/api", h.UserHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/settings") {
+		http.StripPrefix("/api", h.SettingsHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/templates") {
+		http.StripPrefix("/api", h.TemplatesHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/websocket") {
+		http.StripPrefix("/api", h.WebSocketHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/api/docker") {
+		http.StripPrefix("/api/docker", h.DockerHandler).ServeHTTP(w, r)
+	} else if strings.HasPrefix(r.URL.Path, "/") {
+		h.FileHandler.ServeHTTP(w, r)
+	}
+}
+
+// Error writes an API error message to the response and logger.
+func Error(w http.ResponseWriter, err error, code int, logger *log.Logger) {
+	// Log error.
+	logger.Printf("http error: %s (code=%d)", err, code)
+
+	// Write generic error response.
+	w.WriteHeader(code)
+	json.NewEncoder(w).Encode(&errorResponse{Err: err.Error()})
+}
+
+// errorResponse is a generic response for sending a error.
+type errorResponse struct {
+	Err string `json:"err,omitempty"`
+}
+
+// handleNotAllowed writes an API error message to the response and sets the Allow header.
+func handleNotAllowed(w http.ResponseWriter, allowedMethods []string) {
+	w.Header().Set("Allow", strings.Join(allowedMethods, ", "))
+	w.WriteHeader(http.StatusMethodNotAllowed)
+	json.NewEncoder(w).Encode(&errorResponse{Err: http.StatusText(http.StatusMethodNotAllowed)})
+}
+
+// encodeJSON encodes v to w in JSON format. Error() is called if encoding fails.
+func encodeJSON(w http.ResponseWriter, v interface{}, logger *log.Logger) {
+	if err := json.NewEncoder(w).Encode(v); err != nil {
+		Error(w, err, http.StatusInternalServerError, logger)
+	}
+}

api/http/middleware.go

@@ -0,0 +1,63 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"net/http"
+	"strings"
+)
+
+// Service represents a service to manage HTTP middlewares
+type middleWareService struct {
+	jwtService portainer.JWTService
+}
+
+func addMiddleware(h http.Handler, middleware ...func(http.Handler) http.Handler) http.Handler {
+	for _, mw := range middleware {
+		h = mw(h)
+	}
+	return h
+}
+
+func (service *middleWareService) addMiddleWares(h http.Handler) http.Handler {
+	h = service.middleWareSecureHeaders(h)
+	h = service.middleWareAuthenticate(h)
+	return h
+}
+
+// middleWareAuthenticate provides secure headers middleware for handlers
+func (*middleWareService) middleWareSecureHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("X-Content-Type-Options", "nosniff")
+		w.Header().Add("X-Frame-Options", "DENY")
+		next.ServeHTTP(w, r)
+	})
+}
+
+// middleWareAuthenticate provides Authentication middleware for handlers
+func (service *middleWareService) middleWareAuthenticate(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var token string
+
+		// Get token from the Authorization header
+		tokens, ok := r.Header["Authorization"]
+		if ok && len(tokens) >= 1 {
+			token = tokens[0]
+			token = strings.TrimPrefix(token, "Bearer ")
+		}
+
+		if token == "" {
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return
+		}
+
+		err := service.jwtService.VerifyToken(token)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+		return
+	})
+}

api/http/server.go

@@ -0,0 +1,53 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"net/http"
+)
+
+// Server implements the portainer.Server interface
+type Server struct {
+	BindAddress    string
+	AssetsPath     string
+	UserService    portainer.UserService
+	CryptoService  portainer.CryptoService
+	JWTService     portainer.JWTService
+	Settings       *portainer.Settings
+	TemplatesURL   string
+	EndpointConfig *portainer.EndpointConfiguration
+}
+
+// Start starts the HTTP server
+func (server *Server) Start() error {
+	middleWareService := &middleWareService{
+		jwtService: server.JWTService,
+	}
+	var authHandler = NewAuthHandler()
+	authHandler.UserService = server.UserService
+	authHandler.CryptoService = server.CryptoService
+	authHandler.JWTService = server.JWTService
+	var userHandler = NewUserHandler(middleWareService)
+	userHandler.UserService = server.UserService
+	userHandler.CryptoService = server.CryptoService
+	var settingsHandler = NewSettingsHandler(middleWareService)
+	settingsHandler.settings = server.Settings
+	var templatesHandler = NewTemplatesHandler(middleWareService)
+	templatesHandler.templatesURL = server.TemplatesURL
+	var dockerHandler = NewDockerHandler(middleWareService)
+	dockerHandler.setupProxy(server.EndpointConfig)
+	var websocketHandler = NewWebSocketHandler()
+	websocketHandler.endpointConfiguration = server.EndpointConfig
+	var fileHandler = http.FileServer(http.Dir(server.AssetsPath))
+
+	handler := &Handler{
+		AuthHandler:      authHandler,
+		UserHandler:      userHandler,
+		SettingsHandler:  settingsHandler,
+		TemplatesHandler: templatesHandler,
+		DockerHandler:    dockerHandler,
+		WebSocketHandler: websocketHandler,
+		FileHandler:      fileHandler,
+	}
+	return http.ListenAndServe(server.BindAddress, handler)
+}

api/http/settings_handler.go

@@ -0,0 +1,39 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"github.com/gorilla/mux"
+	"log"
+	"net/http"
+	"os"
+)
+
+// SettingsHandler represents an HTTP API handler for managing settings.
+type SettingsHandler struct {
+	*mux.Router
+	Logger            *log.Logger
+	middleWareService *middleWareService
+	settings          *portainer.Settings
+}
+
+// NewSettingsHandler returns a new instance of SettingsHandler.
+func NewSettingsHandler(middleWareService *middleWareService) *SettingsHandler {
+	h := &SettingsHandler{
+		Router:            mux.NewRouter(),
+		Logger:            log.New(os.Stderr, "", log.LstdFlags),
+		middleWareService: middleWareService,
+	}
+	h.HandleFunc("/settings", h.handleGetSettings)
+	return h
+}
+
+// handleGetSettings handles GET requests on /settings
+func (handler *SettingsHandler) handleGetSettings(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		handleNotAllowed(w, []string{"GET"})
+		return
+	}
+
+	encodeJSON(w, handler.settings, handler.Logger)
+}

api/http/templates_handler.go

@@ -0,0 +1,55 @@
+package http
+
+import (
+	"fmt"
+	"github.com/gorilla/mux"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+)
+
+// TemplatesHandler represents an HTTP API handler for managing templates.
+type TemplatesHandler struct {
+	*mux.Router
+	Logger            *log.Logger
+	middleWareService *middleWareService
+	templatesURL      string
+}
+
+// NewTemplatesHandler returns a new instance of TemplatesHandler.
+func NewTemplatesHandler(middleWareService *middleWareService) *TemplatesHandler {
+	h := &TemplatesHandler{
+		Router:            mux.NewRouter(),
+		Logger:            log.New(os.Stderr, "", log.LstdFlags),
+		middleWareService: middleWareService,
+	}
+	h.Handle("/templates", middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.handleGetTemplates(w, r)
+	})))
+	return h
+}
+
+// handleGetTemplates handles GET requests on /templates
+func (handler *TemplatesHandler) handleGetTemplates(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		handleNotAllowed(w, []string{"GET"})
+		return
+	}
+
+	resp, err := http.Get(handler.templatesURL)
+	if err != nil {
+		log.Print(err)
+		http.Error(w, fmt.Sprintf("Error making request to %s: %s", handler.templatesURL, err.Error()), http.StatusInternalServerError)
+		return
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Print(err)
+		http.Error(w, "Error reading body from templates URL", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(body)
+}

api/http/tls.go

@@ -0,0 +1,26 @@
+package http
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+)
+
+// createTLSConfiguration initializes a tls.Config using a CA certificate, a certificate and a key
+func createTLSConfiguration(caCertPath, certPath, keyPath string) (*tls.Config, error) {
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return nil, err
+	}
+	caCert, err := ioutil.ReadFile(caCertPath)
+	if err != nil {
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+	config := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+	}
+	return config, nil
+}

api/http/user_handler.go

@@ -0,0 +1,247 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"encoding/json"
+	"github.com/asaskevich/govalidator"
+	"github.com/gorilla/mux"
+	"log"
+	"net/http"
+	"os"
+)
+
+// UserHandler represents an HTTP API handler for managing users.
+type UserHandler struct {
+	*mux.Router
+	Logger            *log.Logger
+	UserService       portainer.UserService
+	CryptoService     portainer.CryptoService
+	middleWareService *middleWareService
+}
+
+// NewUserHandler returns a new instance of UserHandler.
+func NewUserHandler(middleWareService *middleWareService) *UserHandler {
+	h := &UserHandler{
+		Router:            mux.NewRouter(),
+		Logger:            log.New(os.Stderr, "", log.LstdFlags),
+		middleWareService: middleWareService,
+	}
+	h.Handle("/users", middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.handlePostUsers(w, r)
+	})))
+	h.Handle("/users/{username}", middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.handleGetUser(w, r)
+	}))).Methods("GET")
+	h.Handle("/users/{username}", middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.handlePutUser(w, r)
+	}))).Methods("PUT")
+	h.Handle("/users/{username}/passwd", middleWareService.addMiddleWares(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.handlePostUserPasswd(w, r)
+	})))
+	h.HandleFunc("/users/admin/check", h.handleGetAdminCheck)
+	h.HandleFunc("/users/admin/init", h.handlePostAdminInit)
+	return h
+}
+
+// handlePostUsers handles POST requests on /users
+func (handler *UserHandler) handlePostUsers(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		handleNotAllowed(w, []string{"POST"})
+		return
+	}
+
+	var req postUsersRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		Error(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		Error(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	user := &portainer.User{
+		Username: req.Username,
+	}
+	user.Password, err = handler.CryptoService.Hash(req.Password)
+	if err != nil {
+		Error(w, portainer.ErrCryptoHashFailure, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	err = handler.UserService.UpdateUser(user)
+	if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+type postUsersRequest struct {
+	Username string `valid:"alphanum,required"`
+	Password string `valid:"required"`
+}
+
+// handlePostUserPasswd handles POST requests on /users/:username/passwd
+func (handler *UserHandler) handlePostUserPasswd(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		handleNotAllowed(w, []string{"POST"})
+		return
+	}
+
+	vars := mux.Vars(r)
+	username := vars["username"]
+
+	var req postUserPasswdRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		Error(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		Error(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	var password = req.Password
+
+	u, err := handler.UserService.User(username)
+	if err == portainer.ErrUserNotFound {
+		Error(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	valid := true
+	err = handler.CryptoService.CompareHashAndData(u.Password, password)
+	if err != nil {
+		valid = false
+	}
+
+	encodeJSON(w, &postUserPasswdResponse{Valid: valid}, handler.Logger)
+}
+
+type postUserPasswdRequest struct {
+	Password string `valid:"required"`
+}
+
+type postUserPasswdResponse struct {
+	Valid bool `json:"valid"`
+}
+
+// handleGetUser handles GET requests on /users/:username
+func (handler *UserHandler) handleGetUser(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	username := vars["username"]
+
+	user, err := handler.UserService.User(username)
+	if err == portainer.ErrUserNotFound {
+		Error(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	user.Password = ""
+	encodeJSON(w, &user, handler.Logger)
+}
+
+// handlePutUser handles PUT requests on /users/:username
+func (handler *UserHandler) handlePutUser(w http.ResponseWriter, r *http.Request) {
+	var req putUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		Error(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		Error(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	user := &portainer.User{
+		Username: req.Username,
+	}
+	user.Password, err = handler.CryptoService.Hash(req.Password)
+	if err != nil {
+		Error(w, portainer.ErrCryptoHashFailure, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	err = handler.UserService.UpdateUser(user)
+	if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+type putUserRequest struct {
+	Username string `valid:"alphanum,required"`
+	Password string `valid:"required"`
+}
+
+// handlePostAdminInit handles GET requests on /users/admin/check
+func (handler *UserHandler) handleGetAdminCheck(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		handleNotAllowed(w, []string{"GET"})
+		return
+	}
+
+	user, err := handler.UserService.User("admin")
+	if err == portainer.ErrUserNotFound {
+		Error(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	user.Password = ""
+	encodeJSON(w, &user, handler.Logger)
+}
+
+// handlePostAdminInit handles POST requests on /users/admin/init
+func (handler *UserHandler) handlePostAdminInit(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		handleNotAllowed(w, []string{"POST"})
+		return
+	}
+
+	var req postAdminInitRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		Error(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err := govalidator.ValidateStruct(req)
+	if err != nil {
+		Error(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	user := &portainer.User{
+		Username: "admin",
+	}
+	user.Password, err = handler.CryptoService.Hash(req.Password)
+	if err != nil {
+		Error(w, portainer.ErrCryptoHashFailure, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	err = handler.UserService.UpdateUser(user)
+	if err != nil {
+		Error(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+type postAdminInitRequest struct {
+	Password string `valid:"required"`
+}

api/http/websocket_handler.go

@@ -0,0 +1,184 @@
+package http
+
+import (
+	"github.com/portainer/portainer"
+
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"github.com/gorilla/mux"
+	"golang.org/x/net/websocket"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"time"
+)
+
+// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
+type WebSocketHandler struct {
+	*mux.Router
+	Logger                *log.Logger
+	middleWareService     *middleWareService
+	endpointConfiguration *portainer.EndpointConfiguration
+}
+
+// NewWebSocketHandler returns a new instance of WebSocketHandler.
+func NewWebSocketHandler() *WebSocketHandler {
+	h := &WebSocketHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/websocket/exec", websocket.Handler(h.webSocketDockerExec))
+	return h
+}
+
+func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
+	qry := ws.Request().URL.Query()
+	execID := qry.Get("id")
+
+	// Should not be managed here
+	endpoint, err := url.Parse(handler.endpointConfiguration.Endpoint)
+	if err != nil {
+		log.Fatalf("Unable to parse endpoint URL: %s", err)
+		return
+	}
+
+	var host string
+	if endpoint.Scheme == "tcp" {
+		host = endpoint.Host
+	} else if endpoint.Scheme == "unix" {
+		host = endpoint.Path
+	}
+
+	// Should not be managed here
+	var tlsConfig *tls.Config
+	if handler.endpointConfiguration.TLS {
+		tlsConfig, err = createTLSConfiguration(handler.endpointConfiguration.TLSCACertPath,
+			handler.endpointConfiguration.TLSCertPath,
+			handler.endpointConfiguration.TLSKeyPath)
+		if err != nil {
+			log.Fatalf("Unable to create TLS configuration: %s", err)
+			return
+		}
+	}
+
+	if err := hijack(host, endpoint.Scheme, "POST", "/exec/"+execID+"/start", tlsConfig, true, ws, ws, ws, nil, nil); err != nil {
+		log.Fatalf("error during hijack: %s", err)
+		return
+	}
+}
+
+type execConfig struct {
+	Tty    bool
+	Detach bool
+}
+
+// hijack allows to upgrade an HTTP connection to a TCP connection
+// It redirects IO streams for stdin, stdout and stderr to a websocket
+func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
+	execConfig := &execConfig{
+		Tty:    true,
+		Detach: false,
+	}
+
+	buf, err := json.Marshal(execConfig)
+	if err != nil {
+		return fmt.Errorf("error marshaling exec config: %s", err)
+	}
+
+	rdr := bytes.NewReader(buf)
+
+	req, err := http.NewRequest(method, path, rdr)
+	if err != nil {
+		return fmt.Errorf("error during hijack request: %s", err)
+	}
+
+	req.Header.Set("User-Agent", "Docker-Client")
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Connection", "Upgrade")
+	req.Header.Set("Upgrade", "tcp")
+	req.Host = addr
+
+	var (
+		dial    net.Conn
+		dialErr error
+	)
+
+	if tlsConfig == nil {
+		dial, dialErr = net.Dial(scheme, addr)
+	} else {
+		dial, dialErr = tls.Dial(scheme, addr, tlsConfig)
+	}
+
+	if dialErr != nil {
+		return dialErr
+	}
+
+	// When we set up a TCP connection for hijack, there could be long periods
+	// of inactivity (a long running command with no output) that in certain
+	// network setups may cause ECONNTIMEOUT, leaving the client in an unknown
+	// state. Setting TCP KeepAlive on the socket connection will prohibit
+	// ECONNTIMEOUT unless the socket connection truly is broken
+	if tcpConn, ok := dial.(*net.TCPConn); ok {
+		tcpConn.SetKeepAlive(true)
+		tcpConn.SetKeepAlivePeriod(30 * time.Second)
+	}
+	if err != nil {
+		return err
+	}
+	clientconn := httputil.NewClientConn(dial, nil)
+	defer clientconn.Close()
+
+	// Server hijacks the connection, error 'connection closed' expected
+	clientconn.Do(req)
+
+	rwc, br := clientconn.Hijack()
+	defer rwc.Close()
+
+	if started != nil {
+		started <- rwc
+	}
+
+	var receiveStdout chan error
+
+	if stdout != nil || stderr != nil {
+		go func() (err error) {
+			if setRawTerminal && stdout != nil {
+				_, err = io.Copy(stdout, br)
+			}
+			return err
+		}()
+	}
+
+	go func() error {
+		if in != nil {
+			io.Copy(rwc, in)
+		}
+
+		if conn, ok := rwc.(interface {
+			CloseWrite() error
+		}); ok {
+			if err := conn.CloseWrite(); err != nil {
+			}
+		}
+		return nil
+	}()
+
+	if stdout != nil || stderr != nil {
+		if err := <-receiveStdout; err != nil {
+			return err
+		}
+	}
+	go func() {
+		for {
+			fmt.Println(br)
+		}
+	}()
+
+	return nil
+}