feat(agent): add agent support (#1828)

api/bolt/migrate_dbversion9.go

@@ -0,0 +1,20 @@
+package bolt
+
+import "github.com/portainer/portainer"
+
+func (m *Migrator) updateEndpointsToVersion10() error {
+	legacyEndpoints, err := m.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range legacyEndpoints {
+		endpoint.Type = portainer.DockerEnvironment
+		err = m.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

api/bolt/migrator.go

@@ -104,6 +104,14 @@ func (m *Migrator) Migrate() error {
 		}
 	}
 
+	// https://github.com/portainer/portainer/issues/461
+	if m.CurrentDBVersion < 10 {
+		err := m.updateEndpointsToVersion10()
+		if err != nil {
+			return err
+		}
+	}
+
 	err := m.VersionService.StoreDBVersion(portainer.DBVersion)
 	if err != nil {
 		return err

api/cli/cli.go

@@ -38,6 +38,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
 		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
 		TLSVerify:         kingpin.Flag("tlsverify", "TLS support").Default(defaultTLSVerify).Bool(),
+		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
 		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
 		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
 		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),

api/cli/defaults.go

@@ -9,6 +9,7 @@ const (
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
 	defaultTLSVerify       = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "/certs/ca.pem"
 	defaultTLSCertPath     = "/certs/cert.pem"
 	defaultTLSKeyPath      = "/certs/key.pem"

api/cli/defaults_windows.go

@@ -7,6 +7,7 @@ const (
 	defaultNoAuth          = "false"
 	defaultNoAnalytics     = "false"
 	defaultTLSVerify       = "false"
+	defaultTLSSkipVerify   = "false"
 	defaultTLSCACertPath   = "C:\\certs\\ca.pem"
 	defaultTLSCertPath     = "C:\\certs\\cert.pem"
 	defaultTLSKeyPath      = "C:\\certs\\key.pem"

api/cmd/portainer/main.go

@@ -10,6 +10,7 @@ import (
 	"github.com/portainer/portainer/filesystem"
 	"github.com/portainer/portainer/git"
 	"github.com/portainer/portainer/http"
+	"github.com/portainer/portainer/http/client"
 	"github.com/portainer/portainer/jwt"
 	"github.com/portainer/portainer/ldap"
 
@@ -61,8 +62,8 @@ func initStore(dataStorePath string) *bolt.Store {
 	return store
 }
 
-func initStackManager(assetsPath string) portainer.StackManager {
-	return exec.NewStackManager(assetsPath)
+func initStackManager(assetsPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (portainer.StackManager, error) {
+	return exec.NewStackManager(assetsPath, signatureService, fileService)
 }
 
 func initJWTService(authenticationEnabled bool) portainer.JWTService {
@@ -76,6 +77,10 @@ func initJWTService(authenticationEnabled bool) portainer.JWTService {
 	return nil
 }
 
+func initDigitalSignatureService() portainer.DigitalSignatureService {
+	return &crypto.ECDSAService{}
+}
+
 func initCryptoService() portainer.CryptoService {
 	return &crypto.Service{}
 }
@@ -173,6 +178,35 @@ func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService
 	return &endpoints[0]
 }
 
+func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := fileService.LoadKeyPair()
+	if err != nil {
+		return err
+	}
+	return signatureService.ParseKeyPair(private, public)
+}
+
+func generateAndStoreKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	private, public, err := signatureService.GenerateKeyPair()
+	if err != nil {
+		return err
+	}
+	privateHeader, publicHeader := signatureService.PEMHeaders()
+	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
+}
+
+func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
+	existingKeyPair, err := fileService.KeyPairFilesExist()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if existingKeyPair {
+		return loadAndParseKeyPair(fileService, signatureService)
+	}
+	return generateAndStoreKeyPair(fileService, signatureService)
+}
+
 func main() {
 	flags := initCLI()
 
@@ -181,19 +215,29 @@ func main() {
 	store := initStore(*flags.Data)
 	defer store.Close()
 
-	stackManager := initStackManager(*flags.Assets)
-
 	jwtService := initJWTService(!*flags.NoAuth)
 
 	cryptoService := initCryptoService()
 
+	digitalSignatureService := initDigitalSignatureService()
+
 	ldapService := initLDAPService()
 
 	gitService := initGitService()
 
 	authorizeEndpointMgmt := initEndpointWatcher(store.EndpointService, *flags.ExternalEndpoints, *flags.SyncInterval)
 
-	err := initSettings(store.SettingsService, flags)
+	err := initKeyPair(fileService, digitalSignatureService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	stackManager, err := initStackManager(*flags.Assets, digitalSignatureService, fileService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initSettings(store.SettingsService, flags)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -214,9 +258,10 @@ func main() {
 			endpoint := &portainer.Endpoint{
 				Name: "primary",
 				URL:  *flags.Endpoint,
+				Type: portainer.DockerEnvironment,
 				TLSConfig: portainer.TLSConfiguration{
 					TLS:           *flags.TLSVerify,
-					TLSSkipVerify: false,
+					TLSSkipVerify: *flags.TLSSkipVerify,
 					TLSCACertPath: *flags.TLSCacert,
 					TLSCertPath:   *flags.TLSCert,
 					TLSKeyPath:    *flags.TLSKey,
@@ -225,6 +270,16 @@ func main() {
 				AuthorizedTeams: []portainer.TeamID{},
 				Extensions:      []portainer.EndpointExtension{},
 			}
+
+			agentOnDockerEnvironment, err := client.ExecutePingOperationFromEndpoint(endpoint)
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			if agentOnDockerEnvironment {
+				endpoint.Type = portainer.AgentOnDockerEnvironment
+			}
+
 			err = store.EndpointService.CreateEndpoint(endpoint)
 			if err != nil {
 				log.Fatal(err)
@@ -292,6 +347,7 @@ func main() {
 		FileService:            fileService,
 		LDAPService:            ldapService,
 		GitService:             gitService,
+		SignatureService:       digitalSignatureService,
 		SSL:                    *flags.SSL,
 		SSLCert:                *flags.SSLCert,
 		SSLKey:                 *flags.SSLKey,

api/crypto/ecdsa.go

@@ -0,0 +1,125 @@
+package crypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"math/big"
+)
+
+const (
+	// PrivateKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the private key.
+	PrivateKeyPemHeader = "EC PRIVATE KEY"
+	// PublicKeyPemHeader represents the header that is appended to the PEM file when
+	// storing the public key.
+	PublicKeyPemHeader = "ECDSA PUBLIC KEY"
+)
+
+// ECDSAService is a service used to create digital signatures when communicating with
+// an agent based environment. It will automatically generates a key pair using ECDSA or
+// can also reuse an existing ECDSA key pair.
+type ECDSAService struct {
+	privateKey    *ecdsa.PrivateKey
+	publicKey     *ecdsa.PublicKey
+	encodedPubKey string
+}
+
+// EncodedPublicKey returns the encoded version of the public that can be used
+// to be shared with other services. It's the hexadecimal encoding of the public key
+// content.
+func (service *ECDSAService) EncodedPublicKey() string {
+	return service.encodedPubKey
+}
+
+// PEMHeaders returns the ECDSA PEM headers.
+func (service *ECDSAService) PEMHeaders() (string, string) {
+	return PrivateKeyPemHeader, PublicKeyPemHeader
+}
+
+// ParseKeyPair parses existing private/public key pair content and associate
+// the parsed keys to the service.
+func (service *ECDSAService) ParseKeyPair(private, public []byte) error {
+	privateKey, err := x509.ParseECPrivateKey(private)
+	if err != nil {
+		return err
+	}
+
+	service.privateKey = privateKey
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	publicKey, err := x509.ParsePKIXPublicKey(public)
+	if err != nil {
+		return err
+	}
+
+	service.publicKey = publicKey.(*ecdsa.PublicKey)
+
+	return nil
+}
+
+// GenerateKeyPair will create a new key pair using ECDSA.
+func (service *ECDSAService) GenerateKeyPair() ([]byte, []byte, error) {
+	pubkeyCurve := elliptic.P256()
+
+	privatekey, err := ecdsa.GenerateKey(pubkeyCurve, rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	service.privateKey = privatekey
+	service.publicKey = &privatekey.PublicKey
+
+	private, err := x509.MarshalECPrivateKey(service.privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(service.publicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	encodedKey := hex.EncodeToString(public)
+	service.encodedPubKey = encodedKey
+
+	return private, public, nil
+}
+
+// Sign creates a signature from a message.
+// It automatically hash the message using MD5 and creates a signature from
+// that hash.
+// It then encodes the generated signature in base64.
+func (service *ECDSAService) Sign(message string) (string, error) {
+	digest := md5.New()
+	digest.Write([]byte(message))
+	hash := digest.Sum(nil)
+
+	r := big.NewInt(0)
+	s := big.NewInt(0)
+
+	r, s, err := ecdsa.Sign(rand.Reader, service.privateKey, hash)
+	if err != nil {
+		return "", err
+	}
+
+	keyBytes := service.privateKey.Params().BitSize / 8
+
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	signature := append(rBytesPadded, sBytesPadded...)
+
+	return base64.RawStdEncoding.EncodeToString(signature), nil
+}

api/crypto/tls.go

@@ -33,7 +33,7 @@ func CreateTLSConfig(caCert, cert, key []byte, skipClientVerification, skipServe
 func CreateTLSConfiguration(config *portainer.TLSConfiguration) (*tls.Config, error) {
 	TLSConfig := &tls.Config{}
 
-	if config.TLSCertPath != "" && config.TLSKeyPath != "" {
+	if config.TLS && config.TLSCertPath != "" && config.TLSKeyPath != "" {
 		cert, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath)
 		if err != nil {
 			return nil, err
@@ -42,7 +42,7 @@ func CreateTLSConfiguration(config *portainer.TLSConfiguration) (*tls.Config, er
 		TLSConfig.Certificates = []tls.Certificate{cert}
 	}
 
-	if !config.TLSSkipVerify {
+	if config.TLS && !config.TLSSkipVerify {
 		caCert, err := ioutil.ReadFile(config.TLSCACertPath)
 		if err != nil {
 			return nil, err

api/exec/stack_manager.go

@@ -12,14 +12,34 @@ import (
 
 // StackManager represents a service for managing stacks.
 type StackManager struct {
-	binaryPath string
+	binaryPath       string
+	signatureService portainer.DigitalSignatureService
+	fileService      portainer.FileService
+}
+
+type dockerCLIConfiguration struct {
+	HTTPHeaders struct {
+		ManagerOperationHeader string `json:"X-PortainerAgent-ManagerOperation"`
+		SignatureHeader        string `json:"X-PortainerAgent-Signature"`
+		PublicKey              string `json:"X-PortainerAgent-PublicKey"`
+	} `json:"HttpHeaders"`
 }
 
 // NewStackManager initializes a new StackManager service.
-func NewStackManager(binaryPath string) *StackManager {
-	return &StackManager{
-		binaryPath: binaryPath,
+// It also updates the configuration of the Docker CLI binary.
+func NewStackManager(binaryPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService) (*StackManager, error) {
+	manager := &StackManager{
+		binaryPath:       binaryPath,
+		signatureService: signatureService,
+		fileService:      fileService,
 	}
+
+	err := manager.updateDockerCLIConfiguration(binaryPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return manager, nil
 }
 
 // Login executes the docker login command against a list of registries (including DockerHub).
@@ -99,9 +119,12 @@ func prepareDockerCommandAndArgs(binaryPath string, endpoint *portainer.Endpoint
 	}
 
 	args := make([]string, 0)
+	args = append(args, "--config", binaryPath)
 	args = append(args, "-H", endpoint.URL)
 
-	if endpoint.TLSConfig.TLS {
+	if !endpoint.TLSConfig.TLS && endpoint.TLSConfig.TLSSkipVerify {
+		args = append(args, "--tls")
+	} else if endpoint.TLSConfig.TLS {
 		args = append(args, "--tls")
 
 		if !endpoint.TLSConfig.TLSSkipVerify {
@@ -115,3 +138,22 @@ func prepareDockerCommandAndArgs(binaryPath string, endpoint *portainer.Endpoint
 
 	return command, args
 }
+
+func (manager *StackManager) updateDockerCLIConfiguration(binaryPath string) error {
+	config := dockerCLIConfiguration{}
+	config.HTTPHeaders.ManagerOperationHeader = "1"
+
+	signature, err := manager.signatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
+	}
+	config.HTTPHeaders.SignatureHeader = signature
+	config.HTTPHeaders.PublicKey = manager.signatureService.EncodedPublicKey()
+
+	err = manager.fileService.WriteJSONToFile(path.Join(binaryPath, "config.json"), config)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

api/filesystem/filesystem.go

@@ -2,6 +2,8 @@ package filesystem
 
 import (
 	"bytes"
+	"encoding/json"
+	"encoding/pem"
 	"io/ioutil"
 
 	"github.com/portainer/portainer"
@@ -26,6 +28,10 @@ const (
 	ComposeStorePath = "compose"
 	// ComposeFileDefaultName represents the default name of a compose file.
 	ComposeFileDefaultName = "docker-compose.yml"
+	// PrivateKeyFile represents the name on disk of the file containing the private key.
+	PrivateKeyFile = "portainer.key"
+	// PublicKeyFile represents the name on disk of the file containing the public key.
+	PublicKeyFile = "portainer.pub"
 )
 
 // Service represents a service for managing files and directories.
@@ -198,6 +204,69 @@ func (service *Service) GetFileContent(filePath string) (string, error) {
 	return string(content), nil
 }
 
+// WriteJSONToFile writes JSON to the specified file.
+func (service *Service) WriteJSONToFile(path string, content interface{}) error {
+	jsonContent, err := json.Marshal(content)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(path, jsonContent, 0644)
+}
+
+// KeyPairFilesExist checks for the existence of the key files.
+func (service *Service) KeyPairFilesExist() (bool, error) {
+	privateKeyPath := path.Join(service.dataStorePath, PrivateKeyFile)
+	exists, err := fileExists(privateKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	publicKeyPath := path.Join(service.dataStorePath, PublicKeyFile)
+	exists, err = fileExists(publicKeyPath)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// StoreKeyPair store the specified keys content as PEM files on disk.
+func (service *Service) StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error {
+	err := service.createPEMFileInStore(private, privatePEMHeader, PrivateKeyFile)
+	if err != nil {
+		return err
+	}
+
+	err = service.createPEMFileInStore(public, publicPEMHeader, PublicKeyFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadKeyPair retrieve the content of both key files on disk.
+func (service *Service) LoadKeyPair() ([]byte, []byte, error) {
+	privateKey, err := service.getContentFromPEMFile(PrivateKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	publicKey, err := service.getContentFromPEMFile(PublicKeyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return privateKey, publicKey, nil
+}
+
 // createDirectoryInStore creates a new directory in the file store
 func (service *Service) createDirectoryInStore(name string) error {
 	path := path.Join(service.fileStorePath, name)
@@ -221,3 +290,43 @@ func (service *Service) createFileInStore(filePath string, r io.Reader) error {
 
 	return nil
 }
+
+func (service *Service) createPEMFileInStore(content []byte, fileType, filePath string) error {
+	path := path.Join(service.fileStorePath, filePath)
+	block := &pem.Block{Type: fileType, Bytes: content}
+
+	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	err = pem.Encode(out, block)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
+	path := path.Join(service.fileStorePath, filePath)
+
+	fileContent, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(fileContent)
+	return block.Bytes, nil
+}
+
+func fileExists(filePath string) (bool, error) {
+	if _, err := os.Stat(filePath); err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}

api/http/client/client.go

@@ -0,0 +1,77 @@
+package client
+
+import (
+	"crypto/tls"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+)
+
+// ExecutePingOperationFromEndpoint will send a SystemPing operation HTTP request to a Docker environment
+// using the specified endpoint configuration. It is used exclusively when
+// specifying an endpoint from the CLI via the -H flag.
+func ExecutePingOperationFromEndpoint(endpoint *portainer.Endpoint) (bool, error) {
+	if strings.HasPrefix(endpoint.URL, "unix://") {
+		return false, nil
+	}
+
+	transport := &http.Transport{}
+
+	scheme := "http"
+
+	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return false, err
+		}
+		scheme = "https"
+		transport.TLSClientConfig = tlsConfig
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(endpoint.URL, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
+// using the specified host and optional TLS configuration.
+func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+	transport := &http.Transport{}
+
+	scheme := "http"
+	if tlsConfig != nil {
+		transport.TLSClientConfig = tlsConfig
+		scheme = "https"
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+func pingOperation(client *http.Client, target string) (bool, error) {
+	pingOperationURL := target + "/_ping"
+
+	response, err := client.Get(pingOperationURL)
+	if err != nil {
+		return false, err
+	}
+
+	agentOnDockerEnvironment := false
+	if response.Header.Get(portainer.PortainerAgentHeader) != "" {
+		agentOnDockerEnvironment = true
+	}
+
+	return agentOnDockerEnvironment, nil
+}

api/http/handler/endpoint.go

@@ -2,12 +2,11 @@ package handler
 
 import (
 	"bytes"
-	"crypto/tls"
 	"strings"
-	"time"
 
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/http/client"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
@@ -63,10 +62,6 @@ func NewEndpointHandler(bouncer *security.RequestBouncer, authorizeEndpointManag
 }
 
 type (
-	postEndpointsResponse struct {
-		ID int `json:"Id"`
-	}
-
 	putEndpointAccessRequest struct {
 		AuthorizedUsers []int `valid:"-"`
 		AuthorizedTeams []int `valid:"-"`
@@ -125,44 +120,26 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 	encodeJSON(w, filteredEndpoints, handler.Logger)
 }
 
-func sendPingRequest(host string, tlsConfig *tls.Config) error {
-	transport := &http.Transport{}
-
-	scheme := "http"
-	if tlsConfig != nil {
-		transport.TLSClientConfig = tlsConfig
-		scheme = "https"
-	}
-
-	client := &http.Client{
-		Timeout:   time.Second * 3,
-		Transport: transport,
-	}
-
-	pingOperationURL := strings.Replace(host, "tcp://", scheme+"://", 1) + "/_ping"
-	_, err := client.Get(pingOperationURL)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
-
 	tlsConfig, err := crypto.CreateTLSConfig(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
 	if err != nil {
 		return nil, err
 	}
 
-	err = sendPingRequest(payload.url, tlsConfig)
+	agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, tlsConfig)
 	if err != nil {
 		return nil, err
 	}
 
+	endpointType := portainer.DockerEnvironment
+	if agentOnDockerEnvironment {
+		endpointType = portainer.AgentOnDockerEnvironment
+	}
+
 	endpoint := &portainer.Endpoint{
 		Name:      payload.name,
 		URL:       payload.url,
+		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.groupID),
 		PublicURL: payload.publicURL,
 		TLSConfig: portainer.TLSConfiguration{
@@ -224,17 +201,22 @@ func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPa
 }
 
 func (handler *EndpointHandler) createUnsecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	endpointType := portainer.DockerEnvironment
 
 	if !strings.HasPrefix(payload.url, "unix://") {
-		err := sendPingRequest(payload.url, nil)
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, nil)
 		if err != nil {
 			return nil, err
 		}
+		if agentOnDockerEnvironment {
+			endpointType = portainer.AgentOnDockerEnvironment
+		}
 	}
 
 	endpoint := &portainer.Endpoint{
 		Name:      payload.name,
 		URL:       payload.url,
+		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.groupID),
 		PublicURL: payload.publicURL,
 		TLSConfig: portainer.TLSConfiguration{
@@ -331,7 +313,7 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht
 		return
 	}
 
-	encodeJSON(w, &postEndpointsResponse{ID: int(endpoint.ID)}, handler.Logger)
+	encodeJSON(w, &endpoint, handler.Logger)
 }
 
 // handleGetEndpoint handles GET requests on /endpoints/:id

api/http/handler/websocket.go

@@ -1,11 +1,11 @@
 package handler
 
 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io"
 	"log"
 	"net"
 	"net/http"
@@ -16,119 +16,135 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/gorilla/websocket"
+	"github.com/koding/websocketproxy"
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
-	"golang.org/x/net/websocket"
+	httperror "github.com/portainer/portainer/http/error"
 )
 
-// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
-type WebSocketHandler struct {
-	*mux.Router
-	Logger          *log.Logger
-	EndpointService portainer.EndpointService
-}
+type (
+	// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
+	WebSocketHandler struct {
+		*mux.Router
+		Logger             *log.Logger
+		EndpointService    portainer.EndpointService
+		SignatureService   portainer.DigitalSignatureService
+		connectionUpgrader websocket.Upgrader
+	}
+
+	webSocketExecRequestParams struct {
+		execID   string
+		nodeName string
+		endpoint *portainer.Endpoint
+	}
+
+	execStartOperationPayload struct {
+		Tty    bool
+		Detach bool
+	}
+)
 
 // NewWebSocketHandler returns a new instance of WebSocketHandler.
 func NewWebSocketHandler() *WebSocketHandler {
 	h := &WebSocketHandler{
-		Router: mux.NewRouter(),
-		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Router:             mux.NewRouter(),
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+		connectionUpgrader: websocket.Upgrader{},
 	}
-	h.Handle("/websocket/exec", websocket.Handler(h.webSocketDockerExec))
+	h.HandleFunc("/websocket/exec", h.handleWebsocketExec).Methods(http.MethodGet)
 	return h
 }
 
-func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
-	qry := ws.Request().URL.Query()
-	execID := qry.Get("id")
-	edpID := qry.Get("endpointId")
-
-	parsedID, err := strconv.Atoi(edpID)
-	if err != nil {
-		log.Printf("Unable to parse endpoint ID: %s", err)
+// handleWebsocketExec handles GET requests on /websocket/exec?id=<execID>&endpointId=<endpointID>&nodeName=<nodeName>
+// If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
+// If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
+// an ExecStart operation HTTP request will be created and hijacked.
+func (handler *WebSocketHandler) handleWebsocketExec(w http.ResponseWriter, r *http.Request) {
+	paramExecID := r.FormValue("id")
+	paramEndpointID := r.FormValue("endpointId")
+	if paramExecID == "" || paramEndpointID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointID := portainer.EndpointID(parsedID)
-	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	endpointID, err := strconv.Atoi(paramEndpointID)
 	if err != nil {
-		log.Printf("Unable to retrieve endpoint: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointURL, err := url.Parse(endpoint.URL)
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
-		log.Printf("Unable to parse endpoint URL: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	var host string
-	if endpointURL.Scheme == "tcp" {
-		host = endpointURL.Host
-	} else if endpointURL.Scheme == "unix" {
-		host = endpointURL.Path
+	params := &webSocketExecRequestParams{
+		endpoint: endpoint,
+		execID:   paramExecID,
+		nodeName: r.FormValue("nodeName"),
 	}
 
-	// TODO: Should not be managed here
-	var tlsConfig *tls.Config
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err = crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
-		if err != nil {
-			log.Fatalf("Unable to create TLS configuration: %s", err)
-			return
+	err = handler.handleRequest(w, r, params)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *WebSocketHandler) handleRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	if params.nodeName != "" {
+		return handler.proxyWebsocketRequest(w, r, params)
+	}
+
+	websocketConn, err := handler.connectionUpgrader.Upgrade(w, r, nil)
+	if err != nil {
+		return err
+	}
+	defer websocketConn.Close()
+
+	return hijackExecStartOperation(websocketConn, params.endpoint, params.execID)
+}
+
+func (handler *WebSocketHandler) proxyWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	agentURL, err := url.Parse(params.endpoint.URL)
+	if err != nil {
+		return err
+	}
+
+	agentURL.Scheme = "ws"
+	proxy := websocketproxy.NewProxy(agentURL)
+
+	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
+		agentURL.Scheme = "wss"
+		proxy.Dialer = &websocket.Dialer{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
+			},
 		}
 	}
 
-	if err := hijack(host, endpointURL.Scheme, "POST", "/exec/"+execID+"/start", tlsConfig, true, ws, ws, ws, nil, nil); err != nil {
-		log.Fatalf("error during hijack: %s", err)
-		return
+	signature, err := handler.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
 	}
+
+	proxy.Director = func(incoming *http.Request, out http.Header) {
+		out.Set(portainer.PortainerAgentSignatureHeader, signature)
+		out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
+	}
+
+	r.Header.Del("Origin")
+	proxy.ServeHTTP(w, r)
+
+	return nil
 }
 
-type execConfig struct {
-	Tty    bool
-	Detach bool
-}
-
-// hijack allows to upgrade an HTTP connection to a TCP connection
-// It redirects IO streams for stdin, stdout and stderr to a websocket
-func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
-	execConfig := &execConfig{
-		Tty:    true,
-		Detach: false,
-	}
-
-	buf, err := json.Marshal(execConfig)
+func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, execID string) error {
+	dial, err := createDial(endpoint)
 	if err != nil {
-		return fmt.Errorf("error marshaling exec config: %s", err)
-	}
-
-	rdr := bytes.NewReader(buf)
-
-	req, err := http.NewRequest(method, path, rdr)
-	if err != nil {
-		return fmt.Errorf("error during hijack request: %s", err)
-	}
-
-	req.Header.Set("User-Agent", "Docker-Client")
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Connection", "Upgrade")
-	req.Header.Set("Upgrade", "tcp")
-	req.Host = addr
-
-	var (
-		dial    net.Conn
-		dialErr error
-	)
-
-	if tlsConfig == nil {
-		dial, dialErr = net.Dial(scheme, addr)
-	} else {
-		dial, dialErr = tls.Dial(scheme, addr, tlsConfig)
-	}
-
-	if dialErr != nil {
-		return dialErr
+		return err
 	}
 
 	// When we set up a TCP connection for hijack, there could be long periods
@@ -140,57 +156,128 @@ func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerm
 		tcpConn.SetKeepAlive(true)
 		tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}
+
+	httpConn := httputil.NewClientConn(dial, nil)
+	defer httpConn.Close()
+
+	execStartRequest, err := createExecStartRequest(execID)
 	if err != nil {
 		return err
 	}
-	clientconn := httputil.NewClientConn(dial, nil)
-	defer clientconn.Close()
 
-	// Server hijacks the connection, error 'connection closed' expected
-	clientconn.Do(req)
-
-	rwc, br := clientconn.Hijack()
-	defer rwc.Close()
-
-	if started != nil {
-		started <- rwc
+	err = hijackRequest(websocketConn, httpConn, execStartRequest)
+	if err != nil {
+		return err
 	}
 
-	var receiveStdout chan error
-
-	if stdout != nil || stderr != nil {
-		go func() (err error) {
-			if setRawTerminal && stdout != nil {
-				_, err = io.Copy(stdout, br)
-			}
-			return err
-		}()
-	}
-
-	go func() error {
-		if in != nil {
-			io.Copy(rwc, in)
-		}
-
-		if conn, ok := rwc.(interface {
-			CloseWrite() error
-		}); ok {
-			if err := conn.CloseWrite(); err != nil {
-			}
-		}
-		return nil
-	}()
-
-	if stdout != nil || stderr != nil {
-		if err := <-receiveStdout; err != nil {
-			return err
-		}
-	}
-	go func() {
-		for {
-			fmt.Println(br)
-		}
-	}()
-
 	return nil
 }
+
+func createDial(endpoint *portainer.Endpoint) (net.Conn, error) {
+	url, err := url.Parse(endpoint.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	var host string
+	if url.Scheme == "tcp" {
+		host = url.Host
+	} else if url.Scheme == "unix" {
+		host = url.Path
+	}
+
+	if endpoint.TLSConfig.TLS {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return nil, err
+		}
+		return tls.Dial(url.Scheme, host, tlsConfig)
+	}
+
+	return net.Dial(url.Scheme, host)
+}
+
+func createExecStartRequest(execID string) (*http.Request, error) {
+	execStartOperationPayload := &execStartOperationPayload{
+		Tty:    true,
+		Detach: false,
+	}
+
+	encodedBody := bytes.NewBuffer(nil)
+	err := json.NewEncoder(encodedBody).Encode(execStartOperationPayload)
+	if err != nil {
+		return nil, err
+	}
+
+	request, err := http.NewRequest("POST", "/exec/"+execID+"/start", encodedBody)
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("Connection", "Upgrade")
+	request.Header.Set("Upgrade", "tcp")
+
+	return request, nil
+}
+
+func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn, request *http.Request) error {
+	// Server hijacks the connection, error 'connection closed' expected
+	resp, err := httpConn.Do(request)
+	if err != httputil.ErrPersistEOF {
+		if err != nil {
+			return err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			resp.Body.Close()
+			return fmt.Errorf("unable to upgrade to tcp, received %d", resp.StatusCode)
+		}
+	}
+
+	tcpConn, brw := httpConn.Hijack()
+	defer tcpConn.Close()
+
+	errorChan := make(chan error, 1)
+	go streamFromTCPConnToWebsocketConn(websocketConn, brw, errorChan)
+	go streamFromWebsocketConnToTCPConn(websocketConn, tcpConn, errorChan)
+
+	err = <-errorChan
+	if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
+		return err
+	}
+
+	return nil
+}
+
+func streamFromWebsocketConnToTCPConn(websocketConn *websocket.Conn, tcpConn net.Conn, errorChan chan error) {
+	for {
+		_, in, err := websocketConn.ReadMessage()
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		_, err = tcpConn.Write(in)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}
+
+func streamFromTCPConnToWebsocketConn(websocketConn *websocket.Conn, br *bufio.Reader, errorChan chan error) {
+	for {
+		out := make([]byte, 1024)
+		_, err := br.Read(out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		err = websocketConn.WriteMessage(websocket.TextMessage, out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}

api/http/proxy/access_control.go

@@ -98,9 +98,12 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 }
 
 func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
+	if object["Portainer"] == nil {
+		object["Portainer"] = make(map[string]interface{})
+	}
+
+	portainerMetadata := object["Portainer"].(map[string]interface{})
+	portainerMetadata["ResourceControl"] = resourceControl
 	return object
 }
 

api/http/proxy/configs.go

@@ -14,7 +14,7 @@ const (
 
 // configListOperation extracts the response as a JSON object, loop through the configs array
 // decorate and/or filter the configs based on resource controls before rewriting the response
-func configListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// ConfigList response is a JSON array
@@ -39,7 +39,7 @@ func configListOperation(request *http.Request, response *http.Response, executo
 // configInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated config.
-func configInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ConfigInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/containers.go

@@ -16,7 +16,7 @@ const (
 
 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@@ -47,7 +47,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/factory.go

@@ -17,6 +17,7 @@ type proxyFactory struct {
 	SettingsService        portainer.SettingsService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
+	SignatureService       portainer.DigitalSignatureService
 }
 
 func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
@@ -24,10 +25,11 @@ func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
 	return newSingleHostReverseProxyWithHostHeader(u)
 }
 
-func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
-	proxy := factory.createDockerReverseProxy(u)
-	config, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+
+	proxy := factory.createDockerReverseProxy(u, enableSignature)
+	config, err := crypto.CreateTLSConfiguration(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -36,14 +38,15 @@ func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer
 	return proxy, nil
 }
 
-func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL, enableSignature bool) http.Handler {
 	u.Scheme = "http"
-	return factory.createDockerReverseProxy(u)
+	return factory.createDockerReverseProxy(u, enableSignature)
 }
 
 func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	proxy := &socketProxy{}
 	transport := &proxyTransport{
+		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@@ -55,9 +58,10 @@ func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	return proxy
 }
 
-func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.ReverseProxy {
+func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, enableSignature bool) *httputil.ReverseProxy {
 	proxy := newSingleHostReverseProxyWithHostHeader(u)
 	transport := &proxyTransport{
+		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@@ -65,6 +69,11 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.Reve
 		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        &http.Transport{},
 	}
+
+	if enableSignature {
+		transport.SignatureService = factory.SignatureService
+	}
+
 	proxy.Transport = transport
 	return proxy
 }

api/http/proxy/manager.go

@@ -9,24 +9,37 @@ import (
 	"github.com/portainer/portainer"
 )
 
-// Manager represents a service used to manage Docker proxies.
-type Manager struct {
-	proxyFactory     *proxyFactory
-	proxies          cmap.ConcurrentMap
-	extensionProxies cmap.ConcurrentMap
-}
+type (
+	// Manager represents a service used to manage Docker proxies.
+	Manager struct {
+		proxyFactory     *proxyFactory
+		proxies          cmap.ConcurrentMap
+		extensionProxies cmap.ConcurrentMap
+	}
+
+	// ManagerParams represents the required parameters to create a new Manager instance.
+	ManagerParams struct {
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SignatureService       portainer.DigitalSignatureService
+	}
+)
 
 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService, registryService portainer.RegistryService, dockerHubService portainer.DockerHubService) *Manager {
+func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
 		proxies:          cmap.New(),
 		extensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
-			ResourceControlService: resourceControlService,
-			TeamMembershipService:  teamMembershipService,
-			SettingsService:        settingsService,
-			RegistryService:        registryService,
-			DockerHubService:       dockerHubService,
+			ResourceControlService: parameters.ResourceControlService,
+			TeamMembershipService:  parameters.TeamMembershipService,
+			SettingsService:        parameters.SettingsService,
+			RegistryService:        parameters.RegistryService,
+			DockerHubService:       parameters.DockerHubService,
+			SignatureService:       parameters.SignatureService,
 		},
 	}
 }
@@ -41,14 +54,19 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 		return nil, err
 	}
 
+	enableSignature := false
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		enableSignature = true
+	}
+
 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLSConfig.TLS {
-			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, endpoint)
+		if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL)
+			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
 		}
 	} else {
 		// Assume unix:// scheme

api/http/proxy/networks.go

@@ -15,7 +15,7 @@ const (
 
 // networkListOperation extracts the response as a JSON object, loop through the networks array
 // decorate and/or filter the networks based on resource controls before rewriting the response
-func networkListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// NetworkList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
@@ -39,7 +39,7 @@ func networkListOperation(request *http.Request, response *http.Response, execut
 // networkInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the network based on resource control and either rewrite an access denied response
 // or a decorated network.
-func networkInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// NetworkInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/secrets.go

@@ -14,7 +14,7 @@ const (
 
 // secretListOperation extracts the response as a JSON object, loop through the secrets array
 // decorate and/or filter the secrets based on resource controls before rewriting the response
-func secretListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// SecretList response is a JSON array
@@ -39,7 +39,7 @@ func secretListOperation(request *http.Request, response *http.Response, executo
 // secretInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated secret.
-func secretInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// SecretInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/services.go

@@ -15,7 +15,7 @@ const (
 
 // serviceListOperation extracts the response as a JSON array, loop through the service array
 // decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ServiceList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
@@ -39,7 +39,7 @@ func serviceListOperation(request *http.Request, response *http.Response, execut
 // serviceInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the service based on resource control and either rewrite an access denied response
 // or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ServiceInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/tasks.go

@@ -15,7 +15,7 @@ const (
 
 // taskListOperation extracts the response as a JSON object, loop through the tasks array
 // and filter the tasks based on resource controls before rewriting the response
-func taskListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func taskListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// TaskList response is a JSON array

api/http/proxy/transport.go

@@ -17,11 +17,13 @@ var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
 type (
 	proxyTransport struct {
 		dockerTransport        *http.Transport
+		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
 		RegistryService        portainer.RegistryService
 		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
+		SignatureService       portainer.DigitalSignatureService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@@ -45,7 +47,7 @@ type (
 		operationContext *restrictedOperationContext
 		labelBlackList   []portainer.Pair
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
+	restrictedOperationRequest func(*http.Response, *operationExecutor) error
 	operationRequest           func(*http.Request) error
 )
 
@@ -61,6 +63,16 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 	path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
 	request.URL.Path = path
 
+	if p.enableSignature {
+		signature, err := p.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+		if err != nil {
+			return nil, err
+		}
+
+		request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
+		request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
+	}
+
 	switch {
 	case strings.HasPrefix(path, "/configs"):
 		return p.proxyConfigRequest(request)
@@ -392,7 +404,7 @@ func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request,
 		return response, err
 	}
 
-	err = operation(request, response, executor)
+	err = operation(response, executor)
 	return response, err
 }
 

api/http/proxy/volumes.go

@@ -15,7 +15,7 @@ const (
 
 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@@ -48,7 +48,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/server.go

@@ -34,6 +34,7 @@ type Server struct {
 	StackManager           portainer.StackManager
 	LDAPService            portainer.LDAPService
 	GitService             portainer.GitService
+	SignatureService       portainer.DigitalSignatureService
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@@ -43,7 +44,15 @@ type Server struct {
 // Start starts the HTTP server
 func (server *Server) Start() error {
 	requestBouncer := security.NewRequestBouncer(server.JWTService, server.UserService, server.TeamMembershipService, server.AuthDisabled)
-	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService, server.RegistryService, server.DockerHubService)
+	proxyManagerParameters := &proxy.ManagerParams{
+		ResourceControlService: server.ResourceControlService,
+		TeamMembershipService:  server.TeamMembershipService,
+		SettingsService:        server.SettingsService,
+		RegistryService:        server.RegistryService,
+		DockerHubService:       server.DockerHubService,
+		SignatureService:       server.SignatureService,
+	}
+	proxyManager := proxy.NewManager(proxyManagerParameters)
 
 	var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public"))
 	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
@@ -78,6 +87,7 @@ func (server *Server) Start() error {
 	dockerHandler.ProxyManager = proxyManager
 	var websocketHandler = handler.NewWebSocketHandler()
 	websocketHandler.EndpointService = server.EndpointService
+	websocketHandler.SignatureService = server.SignatureService
 	var endpointHandler = handler.NewEndpointHandler(requestBouncer, server.EndpointManagement)
 	endpointHandler.EndpointService = server.EndpointService
 	endpointHandler.EndpointGroupService = server.EndpointGroupService

api/portainer.go

@@ -24,6 +24,7 @@ type (
 		NoAnalytics       *bool
 		Templates         *string
 		TLSVerify         *bool
+		TLSSkipVerify     *bool
 		TLSCacert         *string
 		TLSCert           *string
 		TLSKey            *string
@@ -168,11 +169,15 @@ type (
 	// EndpointID represents an endpoint identifier.
 	EndpointID int
 
+	// EndpointType represents the type of an endpoint.
+	EndpointType int
+
 	// Endpoint represents a Docker endpoint with all the info required
 	// to connect to it.
 	Endpoint struct {
 		ID              EndpointID          `json:"Id"`
 		Name            string              `json:"Name"`
+		Type            EndpointType        `json:"Type"`
 		URL             string              `json:"URL"`
 		GroupID         EndpointGroupID     `json:"GroupId"`
 		PublicURL       string              `json:"PublicURL"`
@@ -378,6 +383,15 @@ type (
 		CompareHashAndData(hash string, data string) error
 	}
 
+	// DigitalSignatureService represents a service to manage digital signatures.
+	DigitalSignatureService interface {
+		ParseKeyPair(private, public []byte) error
+		GenerateKeyPair() ([]byte, []byte, error)
+		EncodedPublicKey() string
+		PEMHeaders() (string, string)
+		Sign(message string) (string, error)
+	}
+
 	// JWTService represents a service for managing JWT tokens.
 	JWTService interface {
 		GenerateToken(data *TokenData) (string, error)
@@ -395,6 +409,10 @@ type (
 		GetStackProjectPath(stackIdentifier string) string
 		StoreStackFileFromString(stackIdentifier, fileName, stackFileContent string) (string, error)
 		StoreStackFileFromReader(stackIdentifier, fileName string, r io.Reader) (string, error)
+		KeyPairFilesExist() (bool, error)
+		StoreKeyPair(private, public []byte, privatePEMHeader, publicPEMHeader string) error
+		LoadKeyPair() ([]byte, []byte, error)
+		WriteJSONToFile(path string, content interface{}) error
 	}
 
 	// GitService represents a service for managing Git.
@@ -427,9 +445,20 @@ const (
 	// APIVersion is the version number of the Portainer API.
 	APIVersion = "1.16.5"
 	// DBVersion is the version number of the Portainer database.
-	DBVersion = 9
+	DBVersion = 10
 	// DefaultTemplatesURL represents the default URL for the templates definitions.
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/master/templates.json"
+	// PortainerAgentHeader represents the name of the header available in any agent response
+	PortainerAgentHeader = "Portainer-Agent"
+	// PortainerAgentTargetHeader represent the name of the header containing the target node name.
+	PortainerAgentTargetHeader = "X-PortainerAgent-Target"
+	// PortainerAgentSignatureHeader represent the name of the header containing the digital signature
+	PortainerAgentSignatureHeader = "X-PortainerAgent-Signature"
+	// PortainerAgentPublicKeyHeader represent the name of the header containing the public key
+	PortainerAgentPublicKeyHeader = "X-PortainerAgent-PublicKey"
+	// PortainerAgentSignatureMessage represents the message used to create a digital signature
+	// to be used when communicating with an agent
+	PortainerAgentSignatureMessage = "Portainer-App"
 )
 
 const (
@@ -494,3 +523,11 @@ const (
 	// StoridgeEndpointExtension represents the Storidge extension
 	StoridgeEndpointExtension
 )
+
+const (
+	_ EndpointType = iota
+	// DockerEnvironment represents an endpoint connected to a Docker environment
+	DockerEnvironment
+	// AgentOnDockerEnvironment represents an endpoint connected to a Portainer agent deployed on a Docker environment
+	AgentOnDockerEnvironment
+)

api/swagger.yaml

@@ -238,7 +238,7 @@ paths:
         200:
           description: "Success"
           schema:
-            $ref: "#/definitions/EndpointCreateResponse"
+            $ref: "#/definitions/Endpoint"
         400:
           description: "Invalid request"
           schema: