feat(agent): add agent support (#1828)

api/http/client/client.go

@@ -0,0 +1,77 @@
+package client
+
+import (
+	"crypto/tls"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+)
+
+// ExecutePingOperationFromEndpoint will send a SystemPing operation HTTP request to a Docker environment
+// using the specified endpoint configuration. It is used exclusively when
+// specifying an endpoint from the CLI via the -H flag.
+func ExecutePingOperationFromEndpoint(endpoint *portainer.Endpoint) (bool, error) {
+	if strings.HasPrefix(endpoint.URL, "unix://") {
+		return false, nil
+	}
+
+	transport := &http.Transport{}
+
+	scheme := "http"
+
+	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return false, err
+		}
+		scheme = "https"
+		transport.TLSClientConfig = tlsConfig
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(endpoint.URL, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+// ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment
+// using the specified host and optional TLS configuration.
+func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+	transport := &http.Transport{}
+
+	scheme := "http"
+	if tlsConfig != nil {
+		transport.TLSClientConfig = tlsConfig
+		scheme = "https"
+	}
+
+	client := &http.Client{
+		Timeout:   time.Second * 3,
+		Transport: transport,
+	}
+
+	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+	return pingOperation(client, target)
+}
+
+func pingOperation(client *http.Client, target string) (bool, error) {
+	pingOperationURL := target + "/_ping"
+
+	response, err := client.Get(pingOperationURL)
+	if err != nil {
+		return false, err
+	}
+
+	agentOnDockerEnvironment := false
+	if response.Header.Get(portainer.PortainerAgentHeader) != "" {
+		agentOnDockerEnvironment = true
+	}
+
+	return agentOnDockerEnvironment, nil
+}

api/http/handler/endpoint.go

@@ -2,12 +2,11 @@ package handler
 
 import (
 	"bytes"
-	"crypto/tls"
 	"strings"
-	"time"
 
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
+	"github.com/portainer/portainer/http/client"
 	httperror "github.com/portainer/portainer/http/error"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
@@ -63,10 +62,6 @@ func NewEndpointHandler(bouncer *security.RequestBouncer, authorizeEndpointManag
 }
 
 type (
-	postEndpointsResponse struct {
-		ID int `json:"Id"`
-	}
-
 	putEndpointAccessRequest struct {
 		AuthorizedUsers []int `valid:"-"`
 		AuthorizedTeams []int `valid:"-"`
@@ -125,44 +120,26 @@ func (handler *EndpointHandler) handleGetEndpoints(w http.ResponseWriter, r *htt
 	encodeJSON(w, filteredEndpoints, handler.Logger)
 }
 
-func sendPingRequest(host string, tlsConfig *tls.Config) error {
-	transport := &http.Transport{}
-
-	scheme := "http"
-	if tlsConfig != nil {
-		transport.TLSClientConfig = tlsConfig
-		scheme = "https"
-	}
-
-	client := &http.Client{
-		Timeout:   time.Second * 3,
-		Transport: transport,
-	}
-
-	pingOperationURL := strings.Replace(host, "tcp://", scheme+"://", 1) + "/_ping"
-	_, err := client.Get(pingOperationURL)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
-
 	tlsConfig, err := crypto.CreateTLSConfig(payload.caCert, payload.cert, payload.key, payload.skipTLSClientVerification, payload.skipTLSServerVerification)
 	if err != nil {
 		return nil, err
 	}
 
-	err = sendPingRequest(payload.url, tlsConfig)
+	agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, tlsConfig)
 	if err != nil {
 		return nil, err
 	}
 
+	endpointType := portainer.DockerEnvironment
+	if agentOnDockerEnvironment {
+		endpointType = portainer.AgentOnDockerEnvironment
+	}
+
 	endpoint := &portainer.Endpoint{
 		Name:      payload.name,
 		URL:       payload.url,
+		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.groupID),
 		PublicURL: payload.publicURL,
 		TLSConfig: portainer.TLSConfiguration{
@@ -224,17 +201,22 @@ func (handler *EndpointHandler) createTLSSecuredEndpoint(payload *postEndpointPa
 }
 
 func (handler *EndpointHandler) createUnsecuredEndpoint(payload *postEndpointPayload) (*portainer.Endpoint, error) {
+	endpointType := portainer.DockerEnvironment
 
 	if !strings.HasPrefix(payload.url, "unix://") {
-		err := sendPingRequest(payload.url, nil)
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.url, nil)
 		if err != nil {
 			return nil, err
 		}
+		if agentOnDockerEnvironment {
+			endpointType = portainer.AgentOnDockerEnvironment
+		}
 	}
 
 	endpoint := &portainer.Endpoint{
 		Name:      payload.name,
 		URL:       payload.url,
+		Type:      endpointType,
 		GroupID:   portainer.EndpointGroupID(payload.groupID),
 		PublicURL: payload.publicURL,
 		TLSConfig: portainer.TLSConfiguration{
@@ -331,7 +313,7 @@ func (handler *EndpointHandler) handlePostEndpoints(w http.ResponseWriter, r *ht
 		return
 	}
 
-	encodeJSON(w, &postEndpointsResponse{ID: int(endpoint.ID)}, handler.Logger)
+	encodeJSON(w, &endpoint, handler.Logger)
 }
 
 // handleGetEndpoint handles GET requests on /endpoints/:id

api/http/handler/websocket.go

@@ -1,11 +1,11 @@
 package handler
 
 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io"
 	"log"
 	"net"
 	"net/http"
@@ -16,119 +16,135 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/gorilla/websocket"
+	"github.com/koding/websocketproxy"
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/crypto"
-	"golang.org/x/net/websocket"
+	httperror "github.com/portainer/portainer/http/error"
 )
 
-// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
-type WebSocketHandler struct {
-	*mux.Router
-	Logger          *log.Logger
-	EndpointService portainer.EndpointService
-}
+type (
+	// WebSocketHandler represents an HTTP API handler for proxying requests to a web socket.
+	WebSocketHandler struct {
+		*mux.Router
+		Logger             *log.Logger
+		EndpointService    portainer.EndpointService
+		SignatureService   portainer.DigitalSignatureService
+		connectionUpgrader websocket.Upgrader
+	}
+
+	webSocketExecRequestParams struct {
+		execID   string
+		nodeName string
+		endpoint *portainer.Endpoint
+	}
+
+	execStartOperationPayload struct {
+		Tty    bool
+		Detach bool
+	}
+)
 
 // NewWebSocketHandler returns a new instance of WebSocketHandler.
 func NewWebSocketHandler() *WebSocketHandler {
 	h := &WebSocketHandler{
-		Router: mux.NewRouter(),
-		Logger: log.New(os.Stderr, "", log.LstdFlags),
+		Router:             mux.NewRouter(),
+		Logger:             log.New(os.Stderr, "", log.LstdFlags),
+		connectionUpgrader: websocket.Upgrader{},
 	}
-	h.Handle("/websocket/exec", websocket.Handler(h.webSocketDockerExec))
+	h.HandleFunc("/websocket/exec", h.handleWebsocketExec).Methods(http.MethodGet)
 	return h
 }
 
-func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
-	qry := ws.Request().URL.Query()
-	execID := qry.Get("id")
-	edpID := qry.Get("endpointId")
-
-	parsedID, err := strconv.Atoi(edpID)
-	if err != nil {
-		log.Printf("Unable to parse endpoint ID: %s", err)
+// handleWebsocketExec handles GET requests on /websocket/exec?id=<execID>&endpointId=<endpointID>&nodeName=<nodeName>
+// If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
+// If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
+// an ExecStart operation HTTP request will be created and hijacked.
+func (handler *WebSocketHandler) handleWebsocketExec(w http.ResponseWriter, r *http.Request) {
+	paramExecID := r.FormValue("id")
+	paramEndpointID := r.FormValue("endpointId")
+	if paramExecID == "" || paramEndpointID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointID := portainer.EndpointID(parsedID)
-	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	endpointID, err := strconv.Atoi(paramEndpointID)
 	if err != nil {
-		log.Printf("Unable to retrieve endpoint: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
 		return
 	}
 
-	endpointURL, err := url.Parse(endpoint.URL)
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
-		log.Printf("Unable to parse endpoint URL: %s", err)
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
 		return
 	}
 
-	var host string
-	if endpointURL.Scheme == "tcp" {
-		host = endpointURL.Host
-	} else if endpointURL.Scheme == "unix" {
-		host = endpointURL.Path
+	params := &webSocketExecRequestParams{
+		endpoint: endpoint,
+		execID:   paramExecID,
+		nodeName: r.FormValue("nodeName"),
 	}
 
-	// TODO: Should not be managed here
-	var tlsConfig *tls.Config
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err = crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
-		if err != nil {
-			log.Fatalf("Unable to create TLS configuration: %s", err)
-			return
+	err = handler.handleRequest(w, r, params)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+func (handler *WebSocketHandler) handleRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	if params.nodeName != "" {
+		return handler.proxyWebsocketRequest(w, r, params)
+	}
+
+	websocketConn, err := handler.connectionUpgrader.Upgrade(w, r, nil)
+	if err != nil {
+		return err
+	}
+	defer websocketConn.Close()
+
+	return hijackExecStartOperation(websocketConn, params.endpoint, params.execID)
+}
+
+func (handler *WebSocketHandler) proxyWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketExecRequestParams) error {
+	agentURL, err := url.Parse(params.endpoint.URL)
+	if err != nil {
+		return err
+	}
+
+	agentURL.Scheme = "ws"
+	proxy := websocketproxy.NewProxy(agentURL)
+
+	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
+		agentURL.Scheme = "wss"
+		proxy.Dialer = &websocket.Dialer{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
+			},
 		}
 	}
 
-	if err := hijack(host, endpointURL.Scheme, "POST", "/exec/"+execID+"/start", tlsConfig, true, ws, ws, ws, nil, nil); err != nil {
-		log.Fatalf("error during hijack: %s", err)
-		return
+	signature, err := handler.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+	if err != nil {
+		return err
 	}
+
+	proxy.Director = func(incoming *http.Request, out http.Header) {
+		out.Set(portainer.PortainerAgentSignatureHeader, signature)
+		out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
+	}
+
+	r.Header.Del("Origin")
+	proxy.ServeHTTP(w, r)
+
+	return nil
 }
 
-type execConfig struct {
-	Tty    bool
-	Detach bool
-}
-
-// hijack allows to upgrade an HTTP connection to a TCP connection
-// It redirects IO streams for stdin, stdout and stderr to a websocket
-func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerminal bool, in io.ReadCloser, stdout, stderr io.Writer, started chan io.Closer, data interface{}) error {
-	execConfig := &execConfig{
-		Tty:    true,
-		Detach: false,
-	}
-
-	buf, err := json.Marshal(execConfig)
+func hijackExecStartOperation(websocketConn *websocket.Conn, endpoint *portainer.Endpoint, execID string) error {
+	dial, err := createDial(endpoint)
 	if err != nil {
-		return fmt.Errorf("error marshaling exec config: %s", err)
-	}
-
-	rdr := bytes.NewReader(buf)
-
-	req, err := http.NewRequest(method, path, rdr)
-	if err != nil {
-		return fmt.Errorf("error during hijack request: %s", err)
-	}
-
-	req.Header.Set("User-Agent", "Docker-Client")
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Connection", "Upgrade")
-	req.Header.Set("Upgrade", "tcp")
-	req.Host = addr
-
-	var (
-		dial    net.Conn
-		dialErr error
-	)
-
-	if tlsConfig == nil {
-		dial, dialErr = net.Dial(scheme, addr)
-	} else {
-		dial, dialErr = tls.Dial(scheme, addr, tlsConfig)
-	}
-
-	if dialErr != nil {
-		return dialErr
+		return err
 	}
 
 	// When we set up a TCP connection for hijack, there could be long periods
@@ -140,57 +156,128 @@ func hijack(addr, scheme, method, path string, tlsConfig *tls.Config, setRawTerm
 		tcpConn.SetKeepAlive(true)
 		tcpConn.SetKeepAlivePeriod(30 * time.Second)
 	}
+
+	httpConn := httputil.NewClientConn(dial, nil)
+	defer httpConn.Close()
+
+	execStartRequest, err := createExecStartRequest(execID)
 	if err != nil {
 		return err
 	}
-	clientconn := httputil.NewClientConn(dial, nil)
-	defer clientconn.Close()
 
-	// Server hijacks the connection, error 'connection closed' expected
-	clientconn.Do(req)
-
-	rwc, br := clientconn.Hijack()
-	defer rwc.Close()
-
-	if started != nil {
-		started <- rwc
+	err = hijackRequest(websocketConn, httpConn, execStartRequest)
+	if err != nil {
+		return err
 	}
 
-	var receiveStdout chan error
-
-	if stdout != nil || stderr != nil {
-		go func() (err error) {
-			if setRawTerminal && stdout != nil {
-				_, err = io.Copy(stdout, br)
-			}
-			return err
-		}()
-	}
-
-	go func() error {
-		if in != nil {
-			io.Copy(rwc, in)
-		}
-
-		if conn, ok := rwc.(interface {
-			CloseWrite() error
-		}); ok {
-			if err := conn.CloseWrite(); err != nil {
-			}
-		}
-		return nil
-	}()
-
-	if stdout != nil || stderr != nil {
-		if err := <-receiveStdout; err != nil {
-			return err
-		}
-	}
-	go func() {
-		for {
-			fmt.Println(br)
-		}
-	}()
-
 	return nil
 }
+
+func createDial(endpoint *portainer.Endpoint) (net.Conn, error) {
+	url, err := url.Parse(endpoint.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	var host string
+	if url.Scheme == "tcp" {
+		host = url.Host
+	} else if url.Scheme == "unix" {
+		host = url.Path
+	}
+
+	if endpoint.TLSConfig.TLS {
+		tlsConfig, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+		if err != nil {
+			return nil, err
+		}
+		return tls.Dial(url.Scheme, host, tlsConfig)
+	}
+
+	return net.Dial(url.Scheme, host)
+}
+
+func createExecStartRequest(execID string) (*http.Request, error) {
+	execStartOperationPayload := &execStartOperationPayload{
+		Tty:    true,
+		Detach: false,
+	}
+
+	encodedBody := bytes.NewBuffer(nil)
+	err := json.NewEncoder(encodedBody).Encode(execStartOperationPayload)
+	if err != nil {
+		return nil, err
+	}
+
+	request, err := http.NewRequest("POST", "/exec/"+execID+"/start", encodedBody)
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("Connection", "Upgrade")
+	request.Header.Set("Upgrade", "tcp")
+
+	return request, nil
+}
+
+func hijackRequest(websocketConn *websocket.Conn, httpConn *httputil.ClientConn, request *http.Request) error {
+	// Server hijacks the connection, error 'connection closed' expected
+	resp, err := httpConn.Do(request)
+	if err != httputil.ErrPersistEOF {
+		if err != nil {
+			return err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			resp.Body.Close()
+			return fmt.Errorf("unable to upgrade to tcp, received %d", resp.StatusCode)
+		}
+	}
+
+	tcpConn, brw := httpConn.Hijack()
+	defer tcpConn.Close()
+
+	errorChan := make(chan error, 1)
+	go streamFromTCPConnToWebsocketConn(websocketConn, brw, errorChan)
+	go streamFromWebsocketConnToTCPConn(websocketConn, tcpConn, errorChan)
+
+	err = <-errorChan
+	if websocket.IsUnexpectedCloseError(err, websocket.CloseGoingAway, websocket.CloseNoStatusReceived) {
+		return err
+	}
+
+	return nil
+}
+
+func streamFromWebsocketConnToTCPConn(websocketConn *websocket.Conn, tcpConn net.Conn, errorChan chan error) {
+	for {
+		_, in, err := websocketConn.ReadMessage()
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		_, err = tcpConn.Write(in)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}
+
+func streamFromTCPConnToWebsocketConn(websocketConn *websocket.Conn, br *bufio.Reader, errorChan chan error) {
+	for {
+		out := make([]byte, 1024)
+		_, err := br.Read(out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+
+		err = websocketConn.WriteMessage(websocket.TextMessage, out)
+		if err != nil {
+			errorChan <- err
+			break
+		}
+	}
+}

api/http/proxy/access_control.go

@@ -98,9 +98,12 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 }
 
 func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
+	if object["Portainer"] == nil {
+		object["Portainer"] = make(map[string]interface{})
+	}
+
+	portainerMetadata := object["Portainer"].(map[string]interface{})
+	portainerMetadata["ResourceControl"] = resourceControl
 	return object
 }
 

api/http/proxy/configs.go

@@ -14,7 +14,7 @@ const (
 
 // configListOperation extracts the response as a JSON object, loop through the configs array
 // decorate and/or filter the configs based on resource controls before rewriting the response
-func configListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// ConfigList response is a JSON array
@@ -39,7 +39,7 @@ func configListOperation(request *http.Request, response *http.Response, executo
 // configInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated config.
-func configInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ConfigInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/containers.go

@@ -16,7 +16,7 @@ const (
 
 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@@ -47,7 +47,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/factory.go

@@ -17,6 +17,7 @@ type proxyFactory struct {
 	SettingsService        portainer.SettingsService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
+	SignatureService       portainer.DigitalSignatureService
 }
 
 func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
@@ -24,10 +25,11 @@ func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
 	return newSingleHostReverseProxyWithHostHeader(u)
 }
 
-func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
-	proxy := factory.createDockerReverseProxy(u)
-	config, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+
+	proxy := factory.createDockerReverseProxy(u, enableSignature)
+	config, err := crypto.CreateTLSConfiguration(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -36,14 +38,15 @@ func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer
 	return proxy, nil
 }
 
-func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL, enableSignature bool) http.Handler {
 	u.Scheme = "http"
-	return factory.createDockerReverseProxy(u)
+	return factory.createDockerReverseProxy(u, enableSignature)
 }
 
 func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	proxy := &socketProxy{}
 	transport := &proxyTransport{
+		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@@ -55,9 +58,10 @@ func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	return proxy
 }
 
-func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.ReverseProxy {
+func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, enableSignature bool) *httputil.ReverseProxy {
 	proxy := newSingleHostReverseProxyWithHostHeader(u)
 	transport := &proxyTransport{
+		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@@ -65,6 +69,11 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.Reve
 		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        &http.Transport{},
 	}
+
+	if enableSignature {
+		transport.SignatureService = factory.SignatureService
+	}
+
 	proxy.Transport = transport
 	return proxy
 }

api/http/proxy/manager.go

@@ -9,24 +9,37 @@ import (
 	"github.com/portainer/portainer"
 )
 
-// Manager represents a service used to manage Docker proxies.
-type Manager struct {
-	proxyFactory     *proxyFactory
-	proxies          cmap.ConcurrentMap
-	extensionProxies cmap.ConcurrentMap
-}
+type (
+	// Manager represents a service used to manage Docker proxies.
+	Manager struct {
+		proxyFactory     *proxyFactory
+		proxies          cmap.ConcurrentMap
+		extensionProxies cmap.ConcurrentMap
+	}
+
+	// ManagerParams represents the required parameters to create a new Manager instance.
+	ManagerParams struct {
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SignatureService       portainer.DigitalSignatureService
+	}
+)
 
 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService, registryService portainer.RegistryService, dockerHubService portainer.DockerHubService) *Manager {
+func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
 		proxies:          cmap.New(),
 		extensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
-			ResourceControlService: resourceControlService,
-			TeamMembershipService:  teamMembershipService,
-			SettingsService:        settingsService,
-			RegistryService:        registryService,
-			DockerHubService:       dockerHubService,
+			ResourceControlService: parameters.ResourceControlService,
+			TeamMembershipService:  parameters.TeamMembershipService,
+			SettingsService:        parameters.SettingsService,
+			RegistryService:        parameters.RegistryService,
+			DockerHubService:       parameters.DockerHubService,
+			SignatureService:       parameters.SignatureService,
 		},
 	}
 }
@@ -41,14 +54,19 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 		return nil, err
 	}
 
+	enableSignature := false
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		enableSignature = true
+	}
+
 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLSConfig.TLS {
-			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, endpoint)
+		if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL)
+			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
 		}
 	} else {
 		// Assume unix:// scheme

api/http/proxy/networks.go

@@ -15,7 +15,7 @@ const (
 
 // networkListOperation extracts the response as a JSON object, loop through the networks array
 // decorate and/or filter the networks based on resource controls before rewriting the response
-func networkListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// NetworkList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
@@ -39,7 +39,7 @@ func networkListOperation(request *http.Request, response *http.Response, execut
 // networkInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the network based on resource control and either rewrite an access denied response
 // or a decorated network.
-func networkInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// NetworkInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/secrets.go

@@ -14,7 +14,7 @@ const (
 
 // secretListOperation extracts the response as a JSON object, loop through the secrets array
 // decorate and/or filter the secrets based on resource controls before rewriting the response
-func secretListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// SecretList response is a JSON array
@@ -39,7 +39,7 @@ func secretListOperation(request *http.Request, response *http.Response, executo
 // secretInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated secret.
-func secretInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// SecretInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/services.go

@@ -15,7 +15,7 @@ const (
 
 // serviceListOperation extracts the response as a JSON array, loop through the service array
 // decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ServiceList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
@@ -39,7 +39,7 @@ func serviceListOperation(request *http.Request, response *http.Response, execut
 // serviceInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the service based on resource control and either rewrite an access denied response
 // or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ServiceInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/proxy/tasks.go

@@ -15,7 +15,7 @@ const (
 
 // taskListOperation extracts the response as a JSON object, loop through the tasks array
 // and filter the tasks based on resource controls before rewriting the response
-func taskListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func taskListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 
 	// TaskList response is a JSON array

api/http/proxy/transport.go

@@ -17,11 +17,13 @@ var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
 type (
 	proxyTransport struct {
 		dockerTransport        *http.Transport
+		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
 		RegistryService        portainer.RegistryService
 		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
+		SignatureService       portainer.DigitalSignatureService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@@ -45,7 +47,7 @@ type (
 		operationContext *restrictedOperationContext
 		labelBlackList   []portainer.Pair
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
+	restrictedOperationRequest func(*http.Response, *operationExecutor) error
 	operationRequest           func(*http.Request) error
 )
 
@@ -61,6 +63,16 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 	path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
 	request.URL.Path = path
 
+	if p.enableSignature {
+		signature, err := p.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+		if err != nil {
+			return nil, err
+		}
+
+		request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
+		request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
+	}
+
 	switch {
 	case strings.HasPrefix(path, "/configs"):
 		return p.proxyConfigRequest(request)
@@ -392,7 +404,7 @@ func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request,
 		return response, err
 	}
 
-	err = operation(request, response, executor)
+	err = operation(response, executor)
 	return response, err
 }
 

api/http/proxy/volumes.go

@@ -15,7 +15,7 @@ const (
 
 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@@ -48,7 +48,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)

api/http/server.go

@@ -34,6 +34,7 @@ type Server struct {
 	StackManager           portainer.StackManager
 	LDAPService            portainer.LDAPService
 	GitService             portainer.GitService
+	SignatureService       portainer.DigitalSignatureService
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@@ -43,7 +44,15 @@ type Server struct {
 // Start starts the HTTP server
 func (server *Server) Start() error {
 	requestBouncer := security.NewRequestBouncer(server.JWTService, server.UserService, server.TeamMembershipService, server.AuthDisabled)
-	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService, server.RegistryService, server.DockerHubService)
+	proxyManagerParameters := &proxy.ManagerParams{
+		ResourceControlService: server.ResourceControlService,
+		TeamMembershipService:  server.TeamMembershipService,
+		SettingsService:        server.SettingsService,
+		RegistryService:        server.RegistryService,
+		DockerHubService:       server.DockerHubService,
+		SignatureService:       server.SignatureService,
+	}
+	proxyManager := proxy.NewManager(proxyManagerParameters)
 
 	var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public"))
 	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
@@ -78,6 +87,7 @@ func (server *Server) Start() error {
 	dockerHandler.ProxyManager = proxyManager
 	var websocketHandler = handler.NewWebSocketHandler()
 	websocketHandler.EndpointService = server.EndpointService
+	websocketHandler.SignatureService = server.SignatureService
 	var endpointHandler = handler.NewEndpointHandler(requestBouncer, server.EndpointManagement)
 	endpointHandler.EndpointService = server.EndpointService
 	endpointHandler.EndpointGroupService = server.EndpointGroupService