feat(stacks): add support for stack deploy (#1280)

api/http/handler/dockerhub.go

@@ -22,7 +22,7 @@ type DockerHubHandler struct {
 	DockerHubService portainer.DockerHubService
 }
 
-// NewDockerHubHandler returns a new instance of NewDockerHubHandler.
+// NewDockerHubHandler returns a new instance of DockerHubHandler.
 func NewDockerHubHandler(bouncer *security.RequestBouncer) *DockerHubHandler {
 	h := &DockerHubHandler{
 		Router: mux.NewRouter(),

api/http/handler/handler.go

@@ -20,6 +20,7 @@ type Handler struct {
 	RegistryHandler       *RegistryHandler
 	DockerHubHandler      *DockerHubHandler
 	ResourceHandler       *ResourceHandler
+	StackHandler          *StackHandler
 	StatusHandler         *StatusHandler
 	SettingsHandler       *SettingsHandler
 	TemplatesHandler      *TemplatesHandler
@@ -49,6 +50,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case strings.HasPrefix(r.URL.Path, "/api/endpoints"):
 		if strings.Contains(r.URL.Path, "/docker") {
 			http.StripPrefix("/api/endpoints", h.DockerHandler).ServeHTTP(w, r)
+		} else if strings.Contains(r.URL.Path, "/stacks") {
+			http.StripPrefix("/api/endpoints", h.StackHandler).ServeHTTP(w, r)
 		} else {
 			http.StripPrefix("/api", h.EndpointHandler).ServeHTTP(w, r)
 		}

api/http/handler/resource_control.go

@@ -82,6 +82,8 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 		resourceControlType = portainer.NetworkResourceControl
 	case "secret":
 		resourceControlType = portainer.SecretResourceControl
+	case "stack":
+		resourceControlType = portainer.StackResourceControl
 	default:
 		httperror.WriteErrorResponse(w, portainer.ErrInvalidResourceControlType, http.StatusBadRequest, handler.Logger)
 		return

api/http/handler/stack.go

@@ -0,0 +1,609 @@
+package handler
+
+import (
+	"encoding/json"
+	"path"
+	"strconv"
+	"strings"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/file"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/gorilla/mux"
+)
+
+// StackHandler represents an HTTP API handler for managing Stack.
+type StackHandler struct {
+	*mux.Router
+	Logger                 *log.Logger
+	FileService            portainer.FileService
+	GitService             portainer.GitService
+	StackService           portainer.StackService
+	EndpointService        portainer.EndpointService
+	ResourceControlService portainer.ResourceControlService
+	StackManager           portainer.StackManager
+}
+
+// NewStackHandler returns a new instance of StackHandler.
+func NewStackHandler(bouncer *security.RequestBouncer) *StackHandler {
+	h := &StackHandler{
+		Router: mux.NewRouter(),
+		Logger: log.New(os.Stderr, "", log.LstdFlags),
+	}
+	h.Handle("/{endpointId}/stacks",
+		bouncer.AuthenticatedAccess(http.HandlerFunc(h.handlePostStacks))).Methods(http.MethodPost)
+	h.Handle("/{endpointId}/stacks",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStacks))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStack))).Methods(http.MethodGet)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleDeleteStack))).Methods(http.MethodDelete)
+	h.Handle("/{endpointId}/stacks/{id}",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handlePutStack))).Methods(http.MethodPut)
+	h.Handle("/{endpointId}/stacks/{id}/stackfile",
+		bouncer.RestrictedAccess(http.HandlerFunc(h.handleGetStackFile))).Methods(http.MethodGet)
+	return h
+}
+
+type (
+	postStacksRequest struct {
+		Name             string `valid:"required"`
+		SwarmID          string `valid:"required"`
+		StackFileContent string `valid:""`
+		GitRepository    string `valid:""`
+		PathInRepository string `valid:""`
+	}
+	postStacksResponse struct {
+		ID string `json:"Id"`
+	}
+	getStackFileResponse struct {
+		StackFileContent string `json:"StackFileContent"`
+	}
+	putStackRequest struct {
+		StackFileContent string `valid:"required"`
+	}
+)
+
+// handlePostStacks handles POST requests on /:endpointId/stacks?method=<method>
+func (handler *StackHandler) handlePostStacks(w http.ResponseWriter, r *http.Request) {
+	method := r.FormValue("method")
+	if method == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidQueryFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if method == "string" {
+		handler.handlePostStacksStringMethod(w, r)
+	} else if method == "repository" {
+		handler.handlePostStacksRepositoryMethod(w, r)
+	} else if method == "file" {
+		handler.handlePostStacksFileMethod(w, r)
+	} else {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+}
+
+func (handler *StackHandler) handlePostStacksStringMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFileContent := req.StackFileContent
+	if stackFileContent == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := req.SwarmID
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: file.ComposeFileDefaultName,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromString(string(stack.ID), stackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackManager.Deploy(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksRepositoryMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req postStacksRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackName := req.Name
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := req.SwarmID
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.GitRepository == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	if req.PathInRepository == "" {
+		req.PathInRepository = file.ComposeFileDefaultName
+	}
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: req.PathInRepository,
+	}
+
+	projectPath := handler.FileService.GetStackProjectPath(string(stack.ID))
+	stack.ProjectPath = projectPath
+
+	// Ensure projectPath is empty
+	err = handler.FileService.RemoveDirectory(projectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.GitService.CloneRepository(req.GitRepository, projectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackManager.Deploy(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+func (handler *StackHandler) handlePostStacksFileMethod(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackName := r.FormValue("Name")
+	if stackName == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	swarmID := r.FormValue("SwarmID")
+	if swarmID == "" {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	stackFile, _, err := r.FormFile("file")
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	defer stackFile.Close()
+
+	stacks, err := handler.StackService.Stacks()
+	if err != nil && err != portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	for _, stack := range stacks {
+		if strings.EqualFold(stack.Name, stackName) {
+			httperror.WriteErrorResponse(w, portainer.ErrStackAlreadyExists, http.StatusConflict, handler.Logger)
+			return
+		}
+	}
+
+	stack := &portainer.Stack{
+		ID:         portainer.StackID(stackName + "_" + swarmID),
+		Name:       stackName,
+		SwarmID:    swarmID,
+		EntryPoint: file.ComposeFileDefaultName,
+	}
+
+	projectPath, err := handler.FileService.StoreStackFileFromReader(string(stack.ID), stackFile)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+	stack.ProjectPath = projectPath
+
+	err = handler.StackService.CreateStack(stack)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackManager.Deploy(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &postStacksResponse{ID: string(stack.ID)}, handler.Logger)
+}
+
+// handleGetStacks handles GET requests on /:endpointId/stacks?swarmId=<swarmId>
+func (handler *StackHandler) handleGetStacks(w http.ResponseWriter, r *http.Request) {
+	swarmID := r.FormValue("swarmId")
+
+	vars := mux.Vars(r)
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	id, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+	endpointID := portainer.EndpointID(id)
+
+	_, err = handler.EndpointService.Endpoint(endpointID)
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var stacks []portainer.Stack
+	if swarmID == "" {
+		stacks, err = handler.StackService.Stacks()
+	} else {
+		stacks, err = handler.StackService.StacksBySwarmID(swarmID)
+	}
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControls, err := handler.ResourceControlService.ResourceControls()
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	filteredStacks := proxy.FilterStacks(stacks, resourceControls, securityContext.IsAdmin,
+		securityContext.UserID, securityContext.UserMemberships)
+
+	encodeJSON(w, filteredStacks, handler.Logger)
+}
+
+// handleGetStack handles GET requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleGetStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	resourceControl, err := handler.ResourceControlService.ResourceControlByResourceID(stack.Name)
+	if err != nil && err != portainer.ErrResourceControlNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	extendedStack := proxy.ExtendedStack{*stack, portainer.ResourceControl{}}
+	if resourceControl != nil {
+		if securityContext.IsAdmin || proxy.CanAccessStack(stack, resourceControl, securityContext.UserID, securityContext.UserMemberships) {
+			extendedStack.ResourceControl = *resourceControl
+		} else {
+			httperror.WriteErrorResponse(w, portainer.ErrResourceAccessDenied, http.StatusForbidden, handler.Logger)
+			return
+		}
+	}
+
+	encodeJSON(w, extendedStack, handler.Logger)
+}
+
+// handlePutStack handles PUT requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handlePutStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	var req putStackRequest
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = govalidator.ValidateStruct(req)
+	if err != nil {
+		httperror.WriteErrorResponse(w, ErrInvalidRequestFormat, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.FileService.StoreStackFileFromString(string(stack.ID), req.StackFileContent)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackManager.Deploy(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}
+
+// handleGetStackFile handles GET requests on /:endpointId/stacks/:id/stackfile
+func (handler *StackHandler) handleGetStackFile(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	_, err = handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	encodeJSON(w, &getStackFileResponse{StackFileContent: stackFileContent}, handler.Logger)
+}
+
+// handleDeleteStack handles DELETE requests on /:endpointId/stacks/:id
+func (handler *StackHandler) handleDeleteStack(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	stackID := vars["id"]
+
+	endpointID, err := strconv.Atoi(vars["endpointId"])
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
+		return
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	stack, err := handler.StackService.Stack(portainer.StackID(stackID))
+	if err == portainer.ErrStackNotFound {
+		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
+		return
+	} else if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackManager.Remove(stack, endpoint)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.StackService.DeleteStack(portainer.StackID(stackID))
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+
+	err = handler.FileService.RemoveDirectory(stack.ProjectPath)
+	if err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
+		return
+	}
+}

api/http/handler/upload.go

@@ -30,7 +30,7 @@ func NewUploadHandler(bouncer *security.RequestBouncer) *UploadHandler {
 	return h
 }
 
-// handlePostUploadTLS handles POST requests on /upload/tls/{certificate:(?:ca|cert|key)}?folder=folder
+// handlePostUploadTLS handles POST requests on /upload/tls/{certificate:(?:ca|cert|key)}?folder=<folder>
 func (handler *UploadHandler) handlePostUploadTLS(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	certificate := vars["certificate"]

api/http/handler/websocket.go

@@ -69,7 +69,7 @@ func (handler *WebSocketHandler) webSocketDockerExec(ws *websocket.Conn) {
 		host = endpointURL.Path
 	}
 
-	// Should not be managed here
+	// TODO: Should not be managed here
 	var tlsConfig *tls.Config
 	if endpoint.TLSConfig.TLS {
 		tlsConfig, err = crypto.CreateTLSConfiguration(&endpoint.TLSConfig)

api/http/proxy/access_control.go

@@ -2,6 +2,83 @@ package proxy
 
 import "github.com/portainer/portainer"
 
+type (
+	// ExtendedStack represents a stack combined with its associated access control
+	ExtendedStack struct {
+		portainer.Stack
+		ResourceControl portainer.ResourceControl `json:"ResourceControl"`
+	}
+)
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// It will retrieve an identifier from the labels object. If an identifier exists, it will check for
+// an existing resource control associated to it.
+// Returns a decorated object and authorized access (true) when a resource control is found and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found.
+// Returns the original object and denied access (false) when a resource control is found and the user cannot access the resource.
+func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		return applyResourceAccessControl(resourceObject, resourceIdentifier, context)
+	}
+	return resourceObject, true
+}
+
+// applyResourceAccessControl returns an optionally decorated object as the first return value and the
+// access level for the user (granted or denied) as the second return value.
+// Returns a decorated object and authorized access (true) when a resource control is found to the specified resource
+// identifier and the user can access the resource.
+// Returns the original object and authorized access (true) when no resource control is found for the specified
+// resource identifier.
+// Returns the original object and denied access (false) when a resource control is associated to the resource
+// and the user cannot access the resource.
+func applyResourceAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	context *restrictedOperationContext) (map[string]interface{}, bool) {
+
+	authorizedAccess := true
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, context.resourceControls)
+	if resourceControl != nil {
+		if context.isAdmin || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
+			resourceObject = decorateObject(resourceObject, resourceControl)
+		} else {
+			authorizedAccess = false
+		}
+	}
+
+	return resourceObject, authorizedAccess
+}
+
+// decorateResourceWithAccessControlFromLabel will retrieve an identifier from the labels object. If an identifier exists,
+// it will check for an existing resource control associated to it. If a resource control is found, the resource object will be
+// decorated. If no identifier can be found in the labels or no resource control is associated to the identifier, the resource
+// object will not be changed.
+func decorateResourceWithAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	if labelsObject != nil && labelsObject[labelIdentifier] != nil {
+		resourceIdentifier := labelsObject[labelIdentifier].(string)
+		resourceObject = decorateResourceWithAccessControl(resourceObject, resourceIdentifier, resourceControls)
+	}
+
+	return resourceObject
+}
+
+// decorateResourceWithAccessControl will check if a resource control is associated to the specified resource identifier.
+// If a resource control is found, the resource object will be decorated, otherwise it will not be changed.
+func decorateResourceWithAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
+	resourceControls []portainer.ResourceControl) map[string]interface{} {
+
+	resourceControl := getResourceControlByResourceID(resourceIdentifier, resourceControls)
+	if resourceControl != nil {
+		return decorateObject(resourceObject, resourceControl)
+	}
+	return resourceObject
+}
+
 func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
 	for _, authorizedUserAccess := range resourceControl.UserAccesses {
 		if userID == authorizedUserAccess.UserID {
@@ -19,3 +96,63 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 
 	return false
 }
+
+func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
+	metadata := make(map[string]interface{})
+	metadata["ResourceControl"] = resourceControl
+	object["Portainer"] = metadata
+	return object
+}
+
+func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}
+
+// CanAccessStack checks if a user can access a stack
+func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceControl, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	if canUserAccessResource(userID, userTeamIDs, resourceControl) {
+		return true
+	}
+
+	return false
+}
+
+// FilterStacks filters stacks based on user role and resource controls.
+func FilterStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl, isAdmin bool,
+	userID portainer.UserID, memberships []portainer.TeamMembership) []ExtendedStack {
+
+	filteredStacks := make([]ExtendedStack, 0)
+
+	userTeamIDs := make([]portainer.TeamID, 0)
+	for _, membership := range memberships {
+		userTeamIDs = append(userTeamIDs, membership.TeamID)
+	}
+
+	for _, stack := range stacks {
+		extendedStack := ExtendedStack{stack, portainer.ResourceControl{}}
+		resourceControl := getResourceControlByResourceID(stack.Name, resourceControls)
+		if resourceControl == nil {
+			filteredStacks = append(filteredStacks, extendedStack)
+		} else if resourceControl != nil && (isAdmin || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
+			extendedStack.ResourceControl = *resourceControl
+			filteredStacks = append(filteredStacks, extendedStack)
+		}
+	}
+
+	return filteredStacks
+}

api/http/proxy/containers.go

@@ -11,6 +11,7 @@ const (
 	ErrDockerContainerIdentifierNotFound = portainer.Error("Docker container identifier not found")
 	containerIdentifier                  = "Id"
 	containerLabelForServiceIdentifier   = "com.docker.swarm.service.id"
+	containerLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // containerListOperation extracts the response as a JSON object, loop through the containers array
@@ -27,8 +28,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 	if executor.operationContext.isAdmin {
 		responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterContainerList(responseArray, executor.operationContext.resourceControls,
-			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+		responseArray, err = filterContainerList(responseArray, executor.operationContext)
 	}
 	if err != nil {
 		return err
@@ -58,30 +58,22 @@ func containerInspectOperation(request *http.Request, response *http.Response, e
 	if responseObject[containerIdentifier] == nil {
 		return ErrDockerContainerIdentifierNotFound
 	}
-	containerID := responseObject[containerIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(containerID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-			executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	containerID := responseObject[containerIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, containerID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
-	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
-		if resourceControl != nil {
-			if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-				executor.operationContext.userTeamIDs, resourceControl) {
-				responseObject = decorateObject(responseObject, resourceControl)
-			} else {
-				return rewriteAccessDeniedResponse(response)
-			}
-		}
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForServiceIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
@@ -106,3 +98,96 @@ func extractContainerLabelsFromContainerListObject(responseObject map[string]int
 	containerLabelsObject := extractJSONField(responseObject, "Labels")
 	return containerLabelsObject
 }
+
+// decorateContainerList loops through all containers and decorates any container with an existing resource control.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject = decorateResourceWithAccessControl(containerObject, containerID, resourceControls)
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, resourceControls)
+		containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, resourceControls)
+
+		decoratedContainerData = append(decoratedContainerData, containerObject)
+	}
+
+	return decoratedContainerData, nil
+}
+
+// filterContainerList loops through all containers and filters public containers (no associated resource control)
+// as well as authorized containers (access granted to the user based on existing resource control).
+// Authorized containers are decorated during the process.
+// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func filterContainerList(containerData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		containerObject, access := applyResourceAccessControl(containerObject, containerID, context)
+		if access {
+			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+			containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, context)
+			if access {
+				containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForStackIdentifier, context)
+				if access {
+					filteredContainerData = append(filteredContainerData, containerObject)
+				}
+			}
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
+// any labels in the labels black list.
+func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		if containerLabels != nil {
+			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
+				filteredContainerData = append(filteredContainerData, containerObject)
+			}
+		} else {
+			filteredContainerData = append(filteredContainerData, containerObject)
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
+	for key, value := range containerLabels {
+		labelName := key
+		labelValue := value.(string)
+
+		for _, blackListedLabel := range labelBlackList {
+			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
+				return true
+			}
+		}
+	}
+
+	return false
+}

api/http/proxy/decorator.go

@@ -1,138 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// decorateVolumeList loops through all volumes and will decorate any volume with an existing resource control.
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl != nil {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-		}
-		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
-	}
-
-	return decoratedVolumeData, nil
-}
-
-// decorateContainerList loops through all containers and will decorate any container with an existing resource control.
-// Check is based on the container ID and optional Swarm service ID.
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl != nil {
-			containerObject = decorateObject(containerObject, resourceControl)
-		}
-
-		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-		if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-			serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-			resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-			if resourceControl != nil {
-				containerObject = decorateObject(containerObject, resourceControl)
-			}
-		}
-
-		decoratedContainerData = append(decoratedContainerData, containerObject)
-	}
-
-	return decoratedContainerData, nil
-}
-
-// decorateServiceList loops through all services and will decorate any service with an existing resource control.
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl != nil {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-		}
-		decoratedServiceData = append(decoratedServiceData, serviceObject)
-	}
-
-	return decoratedServiceData, nil
-}
-
-// decorateNetworkList loops through all networks and will decorate any network with an existing resource control.
-// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
-func decorateNetworkList(networkData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedNetworkData := make([]interface{}, 0)
-
-	for _, network := range networkData {
-
-		networkObject := network.(map[string]interface{})
-		if networkObject[networkIdentifier] == nil {
-			return nil, ErrDockerNetworkIdentifierNotFound
-		}
-
-		networkID := networkObject[networkIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(networkID, resourceControls)
-		if resourceControl != nil {
-			networkObject = decorateObject(networkObject, resourceControl)
-		}
-
-		decoratedNetworkData = append(decoratedNetworkData, networkObject)
-	}
-
-	return decoratedNetworkData, nil
-}
-
-// decorateSecretList loops through all secrets and will decorate any secret with an existing resource control.
-// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
-func decorateSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
-	decoratedSecretData := make([]interface{}, 0)
-
-	for _, secret := range secretData {
-
-		secretObject := secret.(map[string]interface{})
-		if secretObject[secretIdentifier] == nil {
-			return nil, ErrDockerSecretIdentifierNotFound
-		}
-
-		secretID := secretObject[secretIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(secretID, resourceControls)
-		if resourceControl != nil {
-			secretObject = decorateObject(secretObject, resourceControl)
-		}
-
-		decoratedSecretData = append(decoratedSecretData, secretObject)
-	}
-
-	return decoratedSecretData, nil
-}
-
-func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
-	return object
-}

api/http/proxy/factory.go

@@ -1,6 +1,7 @@
 package proxy
 
 import (
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -56,3 +57,15 @@ func (factory *proxyFactory) createReverseProxy(u *url.URL) *httputil.ReversePro
 	proxy.Transport = transport
 	return proxy
 }
+
+func newSocketTransport(socketPath string) *http.Transport {
+	return &http.Transport{
+		Dial: func(proto, addr string) (conn net.Conn, err error) {
+			return net.Dial("unix", socketPath)
+		},
+	}
+}
+
+func newHTTPTransport() *http.Transport {
+	return &http.Transport{}
+}

api/http/proxy/filter.go

@@ -1,185 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-// filterVolumeList loops through all volumes, filters volumes without any resource control (public resources) or with
-// any resource control giving access to the user (these volumes will be decorated).
-// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
-func filterVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredVolumeData := make([]interface{}, 0)
-
-	for _, volume := range volumeData {
-		volumeObject := volume.(map[string]interface{})
-		if volumeObject[volumeIdentifier] == nil {
-			return nil, ErrDockerVolumeIdentifierNotFound
-		}
-
-		volumeID := volumeObject[volumeIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
-		if resourceControl == nil {
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			volumeObject = decorateObject(volumeObject, resourceControl)
-			filteredVolumeData = append(filteredVolumeData, volumeObject)
-		}
-	}
-
-	return filteredVolumeData, nil
-}
-
-// filterContainerList loops through all containers, filters containers without any resource control (public resources) or with
-// any resource control giving access to the user (check on container ID and optional Swarm service ID, these containers will be decorated).
-// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
-func filterContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-		containerObject := container.(map[string]interface{})
-		if containerObject[containerIdentifier] == nil {
-			return nil, ErrDockerContainerIdentifierNotFound
-		}
-
-		containerID := containerObject[containerIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
-		if resourceControl == nil {
-			// check if container is part of a Swarm service
-			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-			if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
-				serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-				serviceResourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-				if serviceResourceControl == nil {
-					filteredContainerData = append(filteredContainerData, containerObject)
-				} else if serviceResourceControl != nil && canUserAccessResource(userID, userTeamIDs, serviceResourceControl) {
-					containerObject = decorateObject(containerObject, serviceResourceControl)
-					filteredContainerData = append(filteredContainerData, containerObject)
-				}
-			} else {
-				filteredContainerData = append(filteredContainerData, containerObject)
-			}
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			containerObject = decorateObject(containerObject, resourceControl)
-			filteredContainerData = append(filteredContainerData, containerObject)
-		}
-	}
-
-	return filteredContainerData, nil
-}
-
-// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
-// any labels in the labels black list.
-func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
-	filteredContainerData := make([]interface{}, 0)
-
-	for _, container := range containerData {
-		containerObject := container.(map[string]interface{})
-
-		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
-		if containerLabels != nil {
-			if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
-				filteredContainerData = append(filteredContainerData, containerObject)
-			}
-		} else {
-			filteredContainerData = append(filteredContainerData, containerObject)
-		}
-	}
-
-	return filteredContainerData, nil
-}
-
-// filterServiceList loops through all services, filters services without any resource control (public resources) or with
-// any resource control giving access to the user (these services will be decorated).
-// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-func filterServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredServiceData := make([]interface{}, 0)
-
-	for _, service := range serviceData {
-		serviceObject := service.(map[string]interface{})
-		if serviceObject[serviceIdentifier] == nil {
-			return nil, ErrDockerServiceIdentifierNotFound
-		}
-
-		serviceID := serviceObject[serviceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl == nil {
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			serviceObject = decorateObject(serviceObject, resourceControl)
-			filteredServiceData = append(filteredServiceData, serviceObject)
-		}
-	}
-
-	return filteredServiceData, nil
-}
-
-// filterNetworkList loops through all networks, filters networks without any resource control (public resources) or with
-// any resource control giving access to the user (these networks will be decorated).
-// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
-func filterNetworkList(networkData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredNetworkData := make([]interface{}, 0)
-
-	for _, network := range networkData {
-		networkObject := network.(map[string]interface{})
-		if networkObject[networkIdentifier] == nil {
-			return nil, ErrDockerNetworkIdentifierNotFound
-		}
-
-		networkID := networkObject[networkIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(networkID, resourceControls)
-		if resourceControl == nil {
-			filteredNetworkData = append(filteredNetworkData, networkObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			networkObject = decorateObject(networkObject, resourceControl)
-			filteredNetworkData = append(filteredNetworkData, networkObject)
-		}
-	}
-
-	return filteredNetworkData, nil
-}
-
-// filterSecretList loops through all secrets, filters secrets without any resource control (public resources) or with
-// any resource control giving access to the user (these secrets will be decorated).
-// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
-func filterSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredSecretData := make([]interface{}, 0)
-
-	for _, secret := range secretData {
-		secretObject := secret.(map[string]interface{})
-		if secretObject[secretIdentifier] == nil {
-			return nil, ErrDockerSecretIdentifierNotFound
-		}
-
-		secretID := secretObject[secretIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(secretID, resourceControls)
-		if resourceControl == nil {
-			filteredSecretData = append(filteredSecretData, secretObject)
-		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
-			secretObject = decorateObject(secretObject, resourceControl)
-			filteredSecretData = append(filteredSecretData, secretObject)
-		}
-	}
-
-	return filteredSecretData, nil
-}
-
-// filterTaskList loops through all tasks, filters tasks without any resource control (public resources) or with
-// any resource control giving access to the user based on the associated service identifier.
-// Task object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
-func filterTaskList(taskData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
-	filteredTaskData := make([]interface{}, 0)
-
-	for _, task := range taskData {
-		taskObject := task.(map[string]interface{})
-		if taskObject[taskServiceIdentifier] == nil {
-			return nil, ErrDockerTaskServiceIdentifierNotFound
-		}
-
-		serviceID := taskObject[taskServiceIdentifier].(string)
-
-		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
-		if resourceControl == nil || (resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl)) {
-			filteredTaskData = append(filteredTaskData, taskObject)
-		}
-	}
-
-	return filteredTaskData, nil
-}

api/http/proxy/networks.go

@@ -10,6 +10,7 @@ const (
 	// ErrDockerNetworkIdentifierNotFound defines an error raised when Portainer is unable to find a network identifier
 	ErrDockerNetworkIdentifierNotFound = portainer.Error("Docker network identifier not found")
 	networkIdentifier                  = "Id"
+	networkLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // networkListOperation extracts the response as a JSON object, loop through the networks array
@@ -26,8 +27,7 @@ func networkListOperation(request *http.Request, response *http.Response, execut
 	if executor.operationContext.isAdmin {
 		responseArray, err = decorateNetworkList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterNetworkList(responseArray, executor.operationContext.resourceControls,
-			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+		responseArray, err = filterNetworkList(responseArray, executor.operationContext)
 	}
 	if err != nil {
 		return err
@@ -50,17 +50,85 @@ func networkInspectOperation(request *http.Request, response *http.Response, exe
 	if responseObject[networkIdentifier] == nil {
 		return ErrDockerNetworkIdentifierNotFound
 	}
-	networkID := responseObject[networkIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(networkID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-			executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	networkID := responseObject[networkIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, networkID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	networkLabels := extractNetworkLabelsFromNetworkInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(networkLabels, responseObject, networkLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
 }
+
+// extractNetworkLabelsFromNetworkInspectObject retrieve the Labels of the network if present.
+// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
+func extractNetworkLabelsFromNetworkInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractNetworkLabelsFromNetworkListObject retrieve the Labels of the network if present.
+// Network schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func extractNetworkLabelsFromNetworkListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateNetworkList loops through all networks and decorates any network with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func decorateNetworkList(networkData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject = decorateResourceWithAccessControl(networkObject, networkID, resourceControls)
+
+		networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+		networkObject = decorateResourceWithAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, resourceControls)
+
+		decoratedNetworkData = append(decoratedNetworkData, networkObject)
+	}
+
+	return decoratedNetworkData, nil
+}
+
+// filterNetworkList loops through all networks and filters public networks (no associated resource control)
+// as well as authorized networks (access granted to the user based on existing resource control).
+// Authorized networks are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Network object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
+func filterNetworkList(networkData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredNetworkData := make([]interface{}, 0)
+
+	for _, network := range networkData {
+		networkObject := network.(map[string]interface{})
+		if networkObject[networkIdentifier] == nil {
+			return nil, ErrDockerNetworkIdentifierNotFound
+		}
+
+		networkID := networkObject[networkIdentifier].(string)
+		networkObject, access := applyResourceAccessControl(networkObject, networkID, context)
+		if access {
+			networkLabels := extractNetworkLabelsFromNetworkListObject(networkObject)
+			networkObject, access = applyResourceAccessControlFromLabel(networkLabels, networkObject, networkLabelForStackIdentifier, context)
+			if access {
+				filteredNetworkData = append(filteredNetworkData, networkObject)
+			}
+		}
+	}
+
+	return filteredNetworkData, nil
+}

api/http/proxy/secrets.go

@@ -27,8 +27,7 @@ func secretListOperation(request *http.Request, response *http.Response, executo
 	if executor.operationContext.isAdmin {
 		responseArray, err = decorateSecretList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterSecretList(responseArray, executor.operationContext.resourceControls,
-			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+		responseArray, err = filterSecretList(responseArray, executor.operationContext)
 	}
 	if err != nil {
 		return err
@@ -51,17 +50,58 @@ func secretInspectOperation(request *http.Request, response *http.Response, exec
 	if responseObject[secretIdentifier] == nil {
 		return ErrDockerSecretIdentifierNotFound
 	}
-	secretID := responseObject[secretIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(secretID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
-			executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	secretID := responseObject[secretIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, secretID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
 }
+
+// decorateSecretList loops through all secrets and decorates any secret with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func decorateSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject = decorateResourceWithAccessControl(secretObject, secretID, resourceControls)
+
+		decoratedSecretData = append(decoratedSecretData, secretObject)
+	}
+
+	return decoratedSecretData, nil
+}
+
+// filterSecretList loops through all secrets and filters public secrets (no associated resource control)
+// as well as authorized secrets (access granted to the user based on existing resource control).
+// Authorized secrets are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func filterSecretList(secretData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		secretObject, access := applyResourceAccessControl(secretObject, secretID, context)
+		if access {
+			filteredSecretData = append(filteredSecretData, secretObject)
+		}
+	}
+
+	return filteredSecretData, nil
+}

api/http/proxy/service.go

@@ -1,64 +0,0 @@
-package proxy
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer"
-)
-
-const (
-	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
-	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
-	serviceIdentifier                  = "ID"
-)
-
-// serviceListOperation extracts the response as a JSON array, loop through the service array
-// decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
-	var err error
-	// ServiceList response is a JSON array
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
-	responseArray, err := getResponseAsJSONArray(response)
-	if err != nil {
-		return err
-	}
-
-	if executor.operationContext.isAdmin {
-		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
-	} else {
-		responseArray, err = filterServiceList(responseArray, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
-	}
-	if err != nil {
-		return err
-	}
-
-	return rewriteResponse(response, responseArray, http.StatusOK)
-}
-
-// serviceInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the service based on resource control and either rewrite an access denied response
-// or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
-	// ServiceInspect response is a JSON object
-	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
-	responseObject, err := getResponseAsJSONOBject(response)
-	if err != nil {
-		return err
-	}
-
-	if responseObject[serviceIdentifier] == nil {
-		return ErrDockerServiceIdentifierNotFound
-	}
-	serviceID := responseObject[serviceIdentifier].(string)
-
-	resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
-	}
-
-	return rewriteResponse(response, responseObject, http.StatusOK)
-}

api/http/proxy/services.go

@@ -0,0 +1,142 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
+	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
+	serviceIdentifier                  = "ID"
+	serviceLabelForStackIdentifier     = "com.docker.stack.namespace"
+)
+
+// serviceListOperation extracts the response as a JSON array, loop through the service array
+// decorate and/or filter the services based on resource controls before rewriting the response
+func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	var err error
+	// ServiceList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterServiceList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// serviceInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the service based on resource control and either rewrite an access denied response
+// or a decorated service.
+func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	// ServiceInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[serviceIdentifier] == nil {
+		return ErrDockerServiceIdentifierNotFound
+	}
+
+	serviceID := responseObject[serviceIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+func extractServiceLabelsFromServiceInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// extractServiceLabelsFromServiceListObject retrieve the Labels of the service if present.
+// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func extractServiceLabelsFromServiceListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.Labels
+	serviceSpecObject := extractJSONField(responseObject, "Spec")
+	if serviceSpecObject != nil {
+		return extractJSONField(serviceSpecObject, "Labels")
+	}
+	return nil
+}
+
+// decorateServiceList loops through all services and decorates any service with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject = decorateResourceWithAccessControl(serviceObject, serviceID, resourceControls)
+
+		serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+		serviceObject = decorateResourceWithAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, resourceControls)
+
+		decoratedServiceData = append(decoratedServiceData, serviceObject)
+	}
+
+	return decoratedServiceData, nil
+}
+
+// filterServiceList loops through all services and filters public services (no associated resource control)
+// as well as authorized services (access granted to the user based on existing resource control).
+// Authorized services are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func filterServiceList(serviceData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)
+		if access {
+			serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
+			serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)
+			if access {
+				filteredServiceData = append(filteredServiceData, serviceObject)
+			}
+		}
+	}
+
+	return filteredServiceData, nil
+}

api/http/proxy/tasks.go

@@ -10,6 +10,7 @@ const (
 	// ErrDockerTaskServiceIdentifierNotFound defines an error raised when Portainer is unable to find the service identifier associated to a task
 	ErrDockerTaskServiceIdentifierNotFound = portainer.Error("Docker task service identifier not found")
 	taskServiceIdentifier                  = "ServiceID"
+	taskLabelForStackIdentifier            = "com.docker.stack.namespace"
 )
 
 // taskListOperation extracts the response as a JSON object, loop through the tasks array
@@ -25,8 +26,7 @@ func taskListOperation(request *http.Request, response *http.Response, executor
 	}
 
 	if !executor.operationContext.isAdmin {
-		responseArray, err = filterTaskList(responseArray, executor.operationContext.resourceControls,
-			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+		responseArray, err = filterTaskList(responseArray, executor.operationContext)
 		if err != nil {
 			return err
 		}
@@ -34,3 +34,45 @@ func taskListOperation(request *http.Request, response *http.Response, executor
 
 	return rewriteResponse(response, responseArray, http.StatusOK)
 }
+
+// extractTaskLabelsFromTaskListObject retrieve the Labels of the task if present.
+// Task schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+func extractTaskLabelsFromTaskListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Spec.ContainerSpec.Labels
+	taskSpecObject := extractJSONField(responseObject, "Spec")
+	if taskSpecObject != nil {
+		containerSpecObject := extractJSONField(taskSpecObject, "ContainerSpec")
+		if containerSpecObject != nil {
+			return extractJSONField(containerSpecObject, "Labels")
+		}
+	}
+	return nil
+}
+
+// filterTaskList loops through all tasks and filters public tasks (no associated resource control)
+// as well as authorized tasks (access granted to the user based on existing resource control).
+// Resource controls checks are based on: service identifier, stack identifier (from label).
+// Task object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/TaskList
+// any resource control giving access to the user based on the associated service identifier.
+func filterTaskList(taskData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredTaskData := make([]interface{}, 0)
+
+	for _, task := range taskData {
+		taskObject := task.(map[string]interface{})
+		if taskObject[taskServiceIdentifier] == nil {
+			return nil, ErrDockerTaskServiceIdentifierNotFound
+		}
+
+		serviceID := taskObject[taskServiceIdentifier].(string)
+		taskObject, access := applyResourceAccessControl(taskObject, serviceID, context)
+		if access {
+			taskLabels := extractTaskLabelsFromTaskListObject(taskObject)
+			taskObject, access = applyResourceAccessControlFromLabel(taskLabels, taskObject, taskLabelForStackIdentifier, context)
+			if access {
+				filteredTaskData = append(filteredTaskData, taskObject)
+			}
+		}
+	}
+
+	return filteredTaskData, nil
+}

api/http/proxy/transport.go

@@ -1,7 +1,6 @@
 package proxy
 
 import (
-	"net"
 	"net/http"
 	"path"
 	"strings"
@@ -30,18 +29,6 @@ type (
 	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
 )
 
-func newSocketTransport(socketPath string) *http.Transport {
-	return &http.Transport{
-		Dial: func(proto, addr string) (conn net.Conn, err error) {
-			return net.Dial("unix", socketPath)
-		},
-	}
-}
-
-func newHTTPTransport() *http.Transport {
-	return &http.Transport{}
-}
-
 func (p *proxyTransport) RoundTrip(request *http.Request) (*http.Response, error) {
 	return p.proxyDockerRequest(request)
 }
@@ -202,7 +189,13 @@ func (p *proxyTransport) proxyNodeRequest(request *http.Request) (*http.Response
 }
 
 func (p *proxyTransport) proxySwarmRequest(request *http.Request) (*http.Response, error) {
-	return p.administratorOperation(request)
+	switch requestPath := request.URL.Path; requestPath {
+	case "/swarm":
+		return p.executeDockerRequest(request)
+	default:
+		// assume /swarm/{action}
+		return p.administratorOperation(request)
+	}
 }
 
 func (p *proxyTransport) proxyTaskRequest(request *http.Request) (*http.Response, error) {

api/http/proxy/utils.go

@@ -1,32 +0,0 @@
-package proxy
-
-import "github.com/portainer/portainer"
-
-func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
-	for _, resourceControl := range resourceControls {
-		if resourceID == resourceControl.ResourceID {
-			return &resourceControl
-		}
-		for _, subResourceID := range resourceControl.SubResourceIDs {
-			if resourceID == subResourceID {
-				return &resourceControl
-			}
-		}
-	}
-	return nil
-}
-
-func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
-	for key, value := range containerLabels {
-		labelName := key
-		labelValue := value.(string)
-
-		for _, blackListedLabel := range labelBlackList {
-			if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
-				return true
-			}
-		}
-	}
-
-	return false
-}

api/http/proxy/volumes.go

@@ -10,6 +10,7 @@ const (
 	// ErrDockerVolumeIdentifierNotFound defines an error raised when Portainer is unable to find a volume identifier
 	ErrDockerVolumeIdentifierNotFound = portainer.Error("Docker volume identifier not found")
 	volumeIdentifier                  = "Name"
+	volumeLabelForStackIdentifier     = "com.docker.stack.namespace"
 )
 
 // volumeListOperation extracts the response as a JSON object, loop through the volume array
@@ -31,7 +32,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 		if executor.operationContext.isAdmin {
 			volumeData, err = decorateVolumeList(volumeData, executor.operationContext.resourceControls)
 		} else {
-			volumeData, err = filterVolumeList(volumeData, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
+			volumeData, err = filterVolumeList(volumeData, executor.operationContext)
 		}
 		if err != nil {
 			return err
@@ -45,7 +46,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 }
 
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
-// has access to the volume based on resource control and either rewrite an access denied response
+// has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
 func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
@@ -58,16 +59,85 @@ func volumeInspectOperation(request *http.Request, response *http.Response, exec
 	if responseObject[volumeIdentifier] == nil {
 		return ErrDockerVolumeIdentifierNotFound
 	}
-	volumeID := responseObject[volumeIdentifier].(string)
 
-	resourceControl := getResourceControlByResourceID(volumeID, executor.operationContext.resourceControls)
-	if resourceControl != nil {
-		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
-			responseObject = decorateObject(responseObject, resourceControl)
-		} else {
-			return rewriteAccessDeniedResponse(response)
-		}
+	volumeID := responseObject[volumeIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, volumeID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	volumeLabels := extractVolumeLabelsFromVolumeInspectObject(responseObject)
+	responseObject, access = applyResourceAccessControlFromLabel(volumeLabels, responseObject, volumeLabelForStackIdentifier, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
 	}
 
 	return rewriteResponse(response, responseObject, http.StatusOK)
 }
+
+// extractVolumeLabelsFromVolumeInspectObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+func extractVolumeLabelsFromVolumeInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// extractVolumeLabelsFromVolumeListObject retrieve the Labels of the volume if present.
+// Volume schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func extractVolumeLabelsFromVolumeListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	return extractJSONField(responseObject, "Labels")
+}
+
+// decorateVolumeList loops through all volumes and decorates any volume with an existing resource control.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject = decorateResourceWithAccessControl(volumeObject, volumeID, resourceControls)
+
+		volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+		volumeObject = decorateResourceWithAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, resourceControls)
+
+		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
+	}
+
+	return decoratedVolumeData, nil
+}
+
+// filterVolumeList loops through all volumes and filters public volumes (no associated resource control)
+// as well as authorized volumes (access granted to the user based on existing resource control).
+// Authorized volumes are decorated during the process.
+// Resource controls checks are based on: resource identifier, stack identifier (from label).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func filterVolumeList(volumeData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		volumeObject, access := applyResourceAccessControl(volumeObject, volumeID, context)
+		if access {
+			volumeLabels := extractVolumeLabelsFromVolumeListObject(volumeObject)
+			volumeObject, access = applyResourceAccessControlFromLabel(volumeLabels, volumeObject, volumeLabelForStackIdentifier, context)
+			if access {
+				filteredVolumeData = append(filteredVolumeData, volumeObject)
+			}
+		}
+	}
+
+	return filteredVolumeData, nil
+}

api/http/server.go

@@ -27,7 +27,10 @@ type Server struct {
 	FileService            portainer.FileService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
+	StackService           portainer.StackService
+	StackManager           portainer.StackManager
 	LDAPService            portainer.LDAPService
+	GitService             portainer.GitService
 	Handler                *handler.Handler
 	SSL                    bool
 	SSLCert                string
@@ -39,6 +42,7 @@ func (server *Server) Start() error {
 	requestBouncer := security.NewRequestBouncer(server.JWTService, server.TeamMembershipService, server.AuthDisabled)
 	proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService)
 
+	var fileHandler = handler.NewFileHandler(server.AssetsPath)
 	var authHandler = handler.NewAuthHandler(requestBouncer, server.AuthDisabled)
 	authHandler.UserService = server.UserService
 	authHandler.CryptoService = server.CryptoService
@@ -82,7 +86,13 @@ func (server *Server) Start() error {
 	resourceHandler.ResourceControlService = server.ResourceControlService
 	var uploadHandler = handler.NewUploadHandler(requestBouncer)
 	uploadHandler.FileService = server.FileService
-	var fileHandler = handler.NewFileHandler(server.AssetsPath)
+	var stackHandler = handler.NewStackHandler(requestBouncer)
+	stackHandler.FileService = server.FileService
+	stackHandler.StackService = server.StackService
+	stackHandler.EndpointService = server.EndpointService
+	stackHandler.ResourceControlService = server.ResourceControlService
+	stackHandler.StackManager = server.StackManager
+	stackHandler.GitService = server.GitService
 
 	server.Handler = &handler.Handler{
 		AuthHandler:           authHandler,
@@ -95,6 +105,7 @@ func (server *Server) Start() error {
 		ResourceHandler:       resourceHandler,
 		SettingsHandler:       settingsHandler,
 		StatusHandler:         statusHandler,
+		StackHandler:          stackHandler,
 		TemplatesHandler:      templatesHandler,
 		DockerHandler:         dockerHandler,
 		WebSocketHandler:      websocketHandler,