refactor(portainer): introduce internal package (#3924)

* refactor(auth): move auth helpers to internal package

* refactor(edge-compute): move edge helpers to internal package

* refactor(tags): move tags helper to internal package

* style(portainer): sort imports

api/internal/authorization/access_control.go

@@ -0,0 +1,156 @@
+package authorization
+
+import "github.com/portainer/portainer/api"
+
+// NewPrivateResourceControl will create a new private resource control associated to the resource specified by the
+// identifier and type parameters. It automatically assigns it to the user specified by the userID parameter.
+func NewPrivateResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, userID portainer.UserID) *portainer.ResourceControl {
+	return &portainer.ResourceControl{
+		Type:           resourceType,
+		ResourceID:     resourceIdentifier,
+		SubResourceIDs: []string{},
+		UserAccesses: []portainer.UserResourceAccess{
+			{
+				UserID:      userID,
+				AccessLevel: portainer.ReadWriteAccessLevel,
+			},
+		},
+		TeamAccesses:       []portainer.TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             false,
+		System:             false,
+	}
+}
+
+// NewSystemResourceControl will create a new public resource control with the System flag set to true.
+// These kind of resource control are not persisted and are created on the fly by the Portainer API.
+func NewSystemResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType) *portainer.ResourceControl {
+	return &portainer.ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       []portainer.UserResourceAccess{},
+		TeamAccesses:       []portainer.TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             true,
+		System:             true,
+	}
+}
+
+// NewPublicResourceControl will create a new public resource control.
+func NewPublicResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType) *portainer.ResourceControl {
+	return &portainer.ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       []portainer.UserResourceAccess{},
+		TeamAccesses:       []portainer.TeamResourceAccess{},
+		AdministratorsOnly: false,
+		Public:             true,
+		System:             false,
+	}
+}
+
+// NewRestrictedResourceControl will create a new resource control with user and team accesses restrictions.
+func NewRestrictedResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, userIDs []portainer.UserID, teamIDs []portainer.TeamID) *portainer.ResourceControl {
+	userAccesses := make([]portainer.UserResourceAccess, 0)
+	teamAccesses := make([]portainer.TeamResourceAccess, 0)
+
+	for _, id := range userIDs {
+		access := portainer.UserResourceAccess{
+			UserID:      id,
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+
+		userAccesses = append(userAccesses, access)
+	}
+
+	for _, id := range teamIDs {
+		access := portainer.TeamResourceAccess{
+			TeamID:      id,
+			AccessLevel: portainer.ReadWriteAccessLevel,
+		}
+
+		teamAccesses = append(teamAccesses, access)
+	}
+
+	return &portainer.ResourceControl{
+		Type:               resourceType,
+		ResourceID:         resourceIdentifier,
+		SubResourceIDs:     []string{},
+		UserAccesses:       userAccesses,
+		TeamAccesses:       teamAccesses,
+		AdministratorsOnly: false,
+		Public:             false,
+		System:             false,
+	}
+}
+
+// DecorateStacks will iterate through a list of stacks, check for an associated resource control for each
+// stack and decorate the stack element if a resource control is found.
+func DecorateStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl) []portainer.Stack {
+	for idx, stack := range stacks {
+
+		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, portainer.StackResourceControl, resourceControls)
+		if resourceControl != nil {
+			stacks[idx].ResourceControl = resourceControl
+		}
+	}
+
+	return stacks
+}
+
+// FilterAuthorizedStacks returns a list of decorated stacks filtered through resource control access checks.
+func FilterAuthorizedStacks(stacks []portainer.Stack, user *portainer.User, userTeamIDs []portainer.TeamID, rbacEnabled bool) []portainer.Stack {
+	authorizedStacks := make([]portainer.Stack, 0)
+
+	for _, stack := range stacks {
+		_, ok := user.EndpointAuthorizations[stack.EndpointID][portainer.EndpointResourcesAccess]
+		if rbacEnabled && ok {
+			authorizedStacks = append(authorizedStacks, stack)
+			continue
+		}
+
+		if stack.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, stack.ResourceControl) {
+			authorizedStacks = append(authorizedStacks, stack)
+		}
+	}
+
+	return authorizedStacks
+}
+
+// UserCanAccessResource will valide that a user has permissions defined in the specified resource control
+// based on its identifier and the team(s) he is part of.
+func UserCanAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
+	for _, authorizedUserAccess := range resourceControl.UserAccesses {
+		if userID == authorizedUserAccess.UserID {
+			return true
+		}
+	}
+
+	for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
+		for _, userTeamID := range userTeamIDs {
+			if userTeamID == authorizedTeamAccess.TeamID {
+				return true
+			}
+		}
+	}
+
+	return resourceControl.Public
+}
+
+// GetResourceControlByResourceIDAndType retrieves the first matching resource control in a set of resource controls
+// based on the specified id and resource type parameters.
+func GetResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID && resourceType == resourceControl.Type {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}

api/internal/authorization/authorizations.go

@@ -0,0 +1,776 @@
+package authorization
+
+import "github.com/portainer/portainer/api"
+
+// Service represents a service used to
+// update authorizations associated to a user or team.
+type Service struct {
+	dataStore portainer.DataStore
+}
+
+// NewService returns a point to a new Service instance.
+func NewService(dataStore portainer.DataStore) *Service {
+	return &Service{
+		dataStore: dataStore,
+	}
+}
+
+// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
+// associated to the endpoint administrator role.
+func DefaultEndpointAuthorizationsForEndpointAdministratorRole() portainer.Authorizations {
+	return map[portainer.Authorization]bool{
+		portainer.OperationDockerContainerArchiveInfo:         true,
+		portainer.OperationDockerContainerList:                true,
+		portainer.OperationDockerContainerExport:              true,
+		portainer.OperationDockerContainerChanges:             true,
+		portainer.OperationDockerContainerInspect:             true,
+		portainer.OperationDockerContainerTop:                 true,
+		portainer.OperationDockerContainerLogs:                true,
+		portainer.OperationDockerContainerStats:               true,
+		portainer.OperationDockerContainerAttachWebsocket:     true,
+		portainer.OperationDockerContainerArchive:             true,
+		portainer.OperationDockerContainerCreate:              true,
+		portainer.OperationDockerContainerPrune:               true,
+		portainer.OperationDockerContainerKill:                true,
+		portainer.OperationDockerContainerPause:               true,
+		portainer.OperationDockerContainerUnpause:             true,
+		portainer.OperationDockerContainerRestart:             true,
+		portainer.OperationDockerContainerStart:               true,
+		portainer.OperationDockerContainerStop:                true,
+		portainer.OperationDockerContainerWait:                true,
+		portainer.OperationDockerContainerResize:              true,
+		portainer.OperationDockerContainerAttach:              true,
+		portainer.OperationDockerContainerExec:                true,
+		portainer.OperationDockerContainerRename:              true,
+		portainer.OperationDockerContainerUpdate:              true,
+		portainer.OperationDockerContainerPutContainerArchive: true,
+		portainer.OperationDockerContainerDelete:              true,
+		portainer.OperationDockerImageList:                    true,
+		portainer.OperationDockerImageSearch:                  true,
+		portainer.OperationDockerImageGetAll:                  true,
+		portainer.OperationDockerImageGet:                     true,
+		portainer.OperationDockerImageHistory:                 true,
+		portainer.OperationDockerImageInspect:                 true,
+		portainer.OperationDockerImageLoad:                    true,
+		portainer.OperationDockerImageCreate:                  true,
+		portainer.OperationDockerImagePrune:                   true,
+		portainer.OperationDockerImagePush:                    true,
+		portainer.OperationDockerImageTag:                     true,
+		portainer.OperationDockerImageDelete:                  true,
+		portainer.OperationDockerImageCommit:                  true,
+		portainer.OperationDockerImageBuild:                   true,
+		portainer.OperationDockerNetworkList:                  true,
+		portainer.OperationDockerNetworkInspect:               true,
+		portainer.OperationDockerNetworkCreate:                true,
+		portainer.OperationDockerNetworkConnect:               true,
+		portainer.OperationDockerNetworkDisconnect:            true,
+		portainer.OperationDockerNetworkPrune:                 true,
+		portainer.OperationDockerNetworkDelete:                true,
+		portainer.OperationDockerVolumeList:                   true,
+		portainer.OperationDockerVolumeInspect:                true,
+		portainer.OperationDockerVolumeCreate:                 true,
+		portainer.OperationDockerVolumePrune:                  true,
+		portainer.OperationDockerVolumeDelete:                 true,
+		portainer.OperationDockerExecInspect:                  true,
+		portainer.OperationDockerExecStart:                    true,
+		portainer.OperationDockerExecResize:                   true,
+		portainer.OperationDockerSwarmInspect:                 true,
+		portainer.OperationDockerSwarmUnlockKey:               true,
+		portainer.OperationDockerSwarmInit:                    true,
+		portainer.OperationDockerSwarmJoin:                    true,
+		portainer.OperationDockerSwarmLeave:                   true,
+		portainer.OperationDockerSwarmUpdate:                  true,
+		portainer.OperationDockerSwarmUnlock:                  true,
+		portainer.OperationDockerNodeList:                     true,
+		portainer.OperationDockerNodeInspect:                  true,
+		portainer.OperationDockerNodeUpdate:                   true,
+		portainer.OperationDockerNodeDelete:                   true,
+		portainer.OperationDockerServiceList:                  true,
+		portainer.OperationDockerServiceInspect:               true,
+		portainer.OperationDockerServiceLogs:                  true,
+		portainer.OperationDockerServiceCreate:                true,
+		portainer.OperationDockerServiceUpdate:                true,
+		portainer.OperationDockerServiceDelete:                true,
+		portainer.OperationDockerSecretList:                   true,
+		portainer.OperationDockerSecretInspect:                true,
+		portainer.OperationDockerSecretCreate:                 true,
+		portainer.OperationDockerSecretUpdate:                 true,
+		portainer.OperationDockerSecretDelete:                 true,
+		portainer.OperationDockerConfigList:                   true,
+		portainer.OperationDockerConfigInspect:                true,
+		portainer.OperationDockerConfigCreate:                 true,
+		portainer.OperationDockerConfigUpdate:                 true,
+		portainer.OperationDockerConfigDelete:                 true,
+		portainer.OperationDockerTaskList:                     true,
+		portainer.OperationDockerTaskInspect:                  true,
+		portainer.OperationDockerTaskLogs:                     true,
+		portainer.OperationDockerPluginList:                   true,
+		portainer.OperationDockerPluginPrivileges:             true,
+		portainer.OperationDockerPluginInspect:                true,
+		portainer.OperationDockerPluginPull:                   true,
+		portainer.OperationDockerPluginCreate:                 true,
+		portainer.OperationDockerPluginEnable:                 true,
+		portainer.OperationDockerPluginDisable:                true,
+		portainer.OperationDockerPluginPush:                   true,
+		portainer.OperationDockerPluginUpgrade:                true,
+		portainer.OperationDockerPluginSet:                    true,
+		portainer.OperationDockerPluginDelete:                 true,
+		portainer.OperationDockerSessionStart:                 true,
+		portainer.OperationDockerDistributionInspect:          true,
+		portainer.OperationDockerBuildPrune:                   true,
+		portainer.OperationDockerBuildCancel:                  true,
+		portainer.OperationDockerPing:                         true,
+		portainer.OperationDockerInfo:                         true,
+		portainer.OperationDockerVersion:                      true,
+		portainer.OperationDockerEvents:                       true,
+		portainer.OperationDockerSystem:                       true,
+		portainer.OperationDockerUndefined:                    true,
+		portainer.OperationDockerAgentPing:                    true,
+		portainer.OperationDockerAgentList:                    true,
+		portainer.OperationDockerAgentHostInfo:                true,
+		portainer.OperationDockerAgentBrowseDelete:            true,
+		portainer.OperationDockerAgentBrowseGet:               true,
+		portainer.OperationDockerAgentBrowseList:              true,
+		portainer.OperationDockerAgentBrowsePut:               true,
+		portainer.OperationDockerAgentBrowseRename:            true,
+		portainer.OperationDockerAgentUndefined:               true,
+		portainer.OperationPortainerResourceControlCreate:     true,
+		portainer.OperationPortainerResourceControlUpdate:     true,
+		portainer.OperationPortainerStackList:                 true,
+		portainer.OperationPortainerStackInspect:              true,
+		portainer.OperationPortainerStackFile:                 true,
+		portainer.OperationPortainerStackCreate:               true,
+		portainer.OperationPortainerStackMigrate:              true,
+		portainer.OperationPortainerStackUpdate:               true,
+		portainer.OperationPortainerStackDelete:               true,
+		portainer.OperationPortainerWebsocketExec:             true,
+		portainer.OperationPortainerWebhookList:               true,
+		portainer.OperationPortainerWebhookCreate:             true,
+		portainer.OperationPortainerWebhookDelete:             true,
+		portainer.OperationIntegrationStoridgeAdmin:           true,
+		portainer.EndpointResourcesAccess:                     true,
+	}
+}
+
+// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
+// associated to the helpdesk role.
+func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) portainer.Authorizations {
+	authorizations := map[portainer.Authorization]bool{
+		portainer.OperationDockerContainerArchiveInfo: true,
+		portainer.OperationDockerContainerList:        true,
+		portainer.OperationDockerContainerChanges:     true,
+		portainer.OperationDockerContainerInspect:     true,
+		portainer.OperationDockerContainerTop:         true,
+		portainer.OperationDockerContainerLogs:        true,
+		portainer.OperationDockerContainerStats:       true,
+		portainer.OperationDockerImageList:            true,
+		portainer.OperationDockerImageSearch:          true,
+		portainer.OperationDockerImageGetAll:          true,
+		portainer.OperationDockerImageGet:             true,
+		portainer.OperationDockerImageHistory:         true,
+		portainer.OperationDockerImageInspect:         true,
+		portainer.OperationDockerNetworkList:          true,
+		portainer.OperationDockerNetworkInspect:       true,
+		portainer.OperationDockerVolumeList:           true,
+		portainer.OperationDockerVolumeInspect:        true,
+		portainer.OperationDockerSwarmInspect:         true,
+		portainer.OperationDockerNodeList:             true,
+		portainer.OperationDockerNodeInspect:          true,
+		portainer.OperationDockerServiceList:          true,
+		portainer.OperationDockerServiceInspect:       true,
+		portainer.OperationDockerServiceLogs:          true,
+		portainer.OperationDockerSecretList:           true,
+		portainer.OperationDockerSecretInspect:        true,
+		portainer.OperationDockerConfigList:           true,
+		portainer.OperationDockerConfigInspect:        true,
+		portainer.OperationDockerTaskList:             true,
+		portainer.OperationDockerTaskInspect:          true,
+		portainer.OperationDockerTaskLogs:             true,
+		portainer.OperationDockerPluginList:           true,
+		portainer.OperationDockerDistributionInspect:  true,
+		portainer.OperationDockerPing:                 true,
+		portainer.OperationDockerInfo:                 true,
+		portainer.OperationDockerVersion:              true,
+		portainer.OperationDockerEvents:               true,
+		portainer.OperationDockerSystem:               true,
+		portainer.OperationDockerAgentPing:            true,
+		portainer.OperationDockerAgentList:            true,
+		portainer.OperationDockerAgentHostInfo:        true,
+		portainer.OperationPortainerStackList:         true,
+		portainer.OperationPortainerStackInspect:      true,
+		portainer.OperationPortainerStackFile:         true,
+		portainer.OperationPortainerWebhookList:       true,
+		portainer.EndpointResourcesAccess:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[portainer.OperationDockerAgentBrowseGet] = true
+		authorizations[portainer.OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
+// associated to the standard user role.
+func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) portainer.Authorizations {
+	authorizations := map[portainer.Authorization]bool{
+		portainer.OperationDockerContainerArchiveInfo:         true,
+		portainer.OperationDockerContainerList:                true,
+		portainer.OperationDockerContainerExport:              true,
+		portainer.OperationDockerContainerChanges:             true,
+		portainer.OperationDockerContainerInspect:             true,
+		portainer.OperationDockerContainerTop:                 true,
+		portainer.OperationDockerContainerLogs:                true,
+		portainer.OperationDockerContainerStats:               true,
+		portainer.OperationDockerContainerAttachWebsocket:     true,
+		portainer.OperationDockerContainerArchive:             true,
+		portainer.OperationDockerContainerCreate:              true,
+		portainer.OperationDockerContainerKill:                true,
+		portainer.OperationDockerContainerPause:               true,
+		portainer.OperationDockerContainerUnpause:             true,
+		portainer.OperationDockerContainerRestart:             true,
+		portainer.OperationDockerContainerStart:               true,
+		portainer.OperationDockerContainerStop:                true,
+		portainer.OperationDockerContainerWait:                true,
+		portainer.OperationDockerContainerResize:              true,
+		portainer.OperationDockerContainerAttach:              true,
+		portainer.OperationDockerContainerExec:                true,
+		portainer.OperationDockerContainerRename:              true,
+		portainer.OperationDockerContainerUpdate:              true,
+		portainer.OperationDockerContainerPutContainerArchive: true,
+		portainer.OperationDockerContainerDelete:              true,
+		portainer.OperationDockerImageList:                    true,
+		portainer.OperationDockerImageSearch:                  true,
+		portainer.OperationDockerImageGetAll:                  true,
+		portainer.OperationDockerImageGet:                     true,
+		portainer.OperationDockerImageHistory:                 true,
+		portainer.OperationDockerImageInspect:                 true,
+		portainer.OperationDockerImageLoad:                    true,
+		portainer.OperationDockerImageCreate:                  true,
+		portainer.OperationDockerImagePush:                    true,
+		portainer.OperationDockerImageTag:                     true,
+		portainer.OperationDockerImageDelete:                  true,
+		portainer.OperationDockerImageCommit:                  true,
+		portainer.OperationDockerImageBuild:                   true,
+		portainer.OperationDockerNetworkList:                  true,
+		portainer.OperationDockerNetworkInspect:               true,
+		portainer.OperationDockerNetworkCreate:                true,
+		portainer.OperationDockerNetworkConnect:               true,
+		portainer.OperationDockerNetworkDisconnect:            true,
+		portainer.OperationDockerNetworkDelete:                true,
+		portainer.OperationDockerVolumeList:                   true,
+		portainer.OperationDockerVolumeInspect:                true,
+		portainer.OperationDockerVolumeCreate:                 true,
+		portainer.OperationDockerVolumeDelete:                 true,
+		portainer.OperationDockerExecInspect:                  true,
+		portainer.OperationDockerExecStart:                    true,
+		portainer.OperationDockerExecResize:                   true,
+		portainer.OperationDockerSwarmInspect:                 true,
+		portainer.OperationDockerSwarmUnlockKey:               true,
+		portainer.OperationDockerSwarmInit:                    true,
+		portainer.OperationDockerSwarmJoin:                    true,
+		portainer.OperationDockerSwarmLeave:                   true,
+		portainer.OperationDockerSwarmUpdate:                  true,
+		portainer.OperationDockerSwarmUnlock:                  true,
+		portainer.OperationDockerNodeList:                     true,
+		portainer.OperationDockerNodeInspect:                  true,
+		portainer.OperationDockerNodeUpdate:                   true,
+		portainer.OperationDockerNodeDelete:                   true,
+		portainer.OperationDockerServiceList:                  true,
+		portainer.OperationDockerServiceInspect:               true,
+		portainer.OperationDockerServiceLogs:                  true,
+		portainer.OperationDockerServiceCreate:                true,
+		portainer.OperationDockerServiceUpdate:                true,
+		portainer.OperationDockerServiceDelete:                true,
+		portainer.OperationDockerSecretList:                   true,
+		portainer.OperationDockerSecretInspect:                true,
+		portainer.OperationDockerSecretCreate:                 true,
+		portainer.OperationDockerSecretUpdate:                 true,
+		portainer.OperationDockerSecretDelete:                 true,
+		portainer.OperationDockerConfigList:                   true,
+		portainer.OperationDockerConfigInspect:                true,
+		portainer.OperationDockerConfigCreate:                 true,
+		portainer.OperationDockerConfigUpdate:                 true,
+		portainer.OperationDockerConfigDelete:                 true,
+		portainer.OperationDockerTaskList:                     true,
+		portainer.OperationDockerTaskInspect:                  true,
+		portainer.OperationDockerTaskLogs:                     true,
+		portainer.OperationDockerPluginList:                   true,
+		portainer.OperationDockerPluginPrivileges:             true,
+		portainer.OperationDockerPluginInspect:                true,
+		portainer.OperationDockerPluginPull:                   true,
+		portainer.OperationDockerPluginCreate:                 true,
+		portainer.OperationDockerPluginEnable:                 true,
+		portainer.OperationDockerPluginDisable:                true,
+		portainer.OperationDockerPluginPush:                   true,
+		portainer.OperationDockerPluginUpgrade:                true,
+		portainer.OperationDockerPluginSet:                    true,
+		portainer.OperationDockerPluginDelete:                 true,
+		portainer.OperationDockerSessionStart:                 true,
+		portainer.OperationDockerDistributionInspect:          true,
+		portainer.OperationDockerBuildPrune:                   true,
+		portainer.OperationDockerBuildCancel:                  true,
+		portainer.OperationDockerPing:                         true,
+		portainer.OperationDockerInfo:                         true,
+		portainer.OperationDockerVersion:                      true,
+		portainer.OperationDockerEvents:                       true,
+		portainer.OperationDockerSystem:                       true,
+		portainer.OperationDockerUndefined:                    true,
+		portainer.OperationDockerAgentPing:                    true,
+		portainer.OperationDockerAgentList:                    true,
+		portainer.OperationDockerAgentHostInfo:                true,
+		portainer.OperationDockerAgentUndefined:               true,
+		portainer.OperationPortainerResourceControlUpdate:     true,
+		portainer.OperationPortainerStackList:                 true,
+		portainer.OperationPortainerStackInspect:              true,
+		portainer.OperationPortainerStackFile:                 true,
+		portainer.OperationPortainerStackCreate:               true,
+		portainer.OperationPortainerStackMigrate:              true,
+		portainer.OperationPortainerStackUpdate:               true,
+		portainer.OperationPortainerStackDelete:               true,
+		portainer.OperationPortainerWebsocketExec:             true,
+		portainer.OperationPortainerWebhookList:               true,
+		portainer.OperationPortainerWebhookCreate:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[portainer.OperationDockerAgentBrowseGet] = true
+		authorizations[portainer.OperationDockerAgentBrowseList] = true
+		authorizations[portainer.OperationDockerAgentBrowseDelete] = true
+		authorizations[portainer.OperationDockerAgentBrowsePut] = true
+		authorizations[portainer.OperationDockerAgentBrowseRename] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
+// associated to the readonly user role.
+func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) portainer.Authorizations {
+	authorizations := map[portainer.Authorization]bool{
+		portainer.OperationDockerContainerArchiveInfo: true,
+		portainer.OperationDockerContainerList:        true,
+		portainer.OperationDockerContainerChanges:     true,
+		portainer.OperationDockerContainerInspect:     true,
+		portainer.OperationDockerContainerTop:         true,
+		portainer.OperationDockerContainerLogs:        true,
+		portainer.OperationDockerContainerStats:       true,
+		portainer.OperationDockerImageList:            true,
+		portainer.OperationDockerImageSearch:          true,
+		portainer.OperationDockerImageGetAll:          true,
+		portainer.OperationDockerImageGet:             true,
+		portainer.OperationDockerImageHistory:         true,
+		portainer.OperationDockerImageInspect:         true,
+		portainer.OperationDockerNetworkList:          true,
+		portainer.OperationDockerNetworkInspect:       true,
+		portainer.OperationDockerVolumeList:           true,
+		portainer.OperationDockerVolumeInspect:        true,
+		portainer.OperationDockerSwarmInspect:         true,
+		portainer.OperationDockerNodeList:             true,
+		portainer.OperationDockerNodeInspect:          true,
+		portainer.OperationDockerServiceList:          true,
+		portainer.OperationDockerServiceInspect:       true,
+		portainer.OperationDockerServiceLogs:          true,
+		portainer.OperationDockerSecretList:           true,
+		portainer.OperationDockerSecretInspect:        true,
+		portainer.OperationDockerConfigList:           true,
+		portainer.OperationDockerConfigInspect:        true,
+		portainer.OperationDockerTaskList:             true,
+		portainer.OperationDockerTaskInspect:          true,
+		portainer.OperationDockerTaskLogs:             true,
+		portainer.OperationDockerPluginList:           true,
+		portainer.OperationDockerDistributionInspect:  true,
+		portainer.OperationDockerPing:                 true,
+		portainer.OperationDockerInfo:                 true,
+		portainer.OperationDockerVersion:              true,
+		portainer.OperationDockerEvents:               true,
+		portainer.OperationDockerSystem:               true,
+		portainer.OperationDockerAgentPing:            true,
+		portainer.OperationDockerAgentList:            true,
+		portainer.OperationDockerAgentHostInfo:        true,
+		portainer.OperationPortainerStackList:         true,
+		portainer.OperationPortainerStackInspect:      true,
+		portainer.OperationPortainerStackFile:         true,
+		portainer.OperationPortainerWebhookList:       true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[portainer.OperationDockerAgentBrowseGet] = true
+		authorizations[portainer.OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
+func DefaultPortainerAuthorizations() portainer.Authorizations {
+	return map[portainer.Authorization]bool{
+		portainer.OperationPortainerDockerHubInspect:        true,
+		portainer.OperationPortainerEndpointGroupList:       true,
+		portainer.OperationPortainerEndpointList:            true,
+		portainer.OperationPortainerEndpointInspect:         true,
+		portainer.OperationPortainerEndpointExtensionAdd:    true,
+		portainer.OperationPortainerEndpointExtensionRemove: true,
+		portainer.OperationPortainerExtensionList:           true,
+		portainer.OperationPortainerMOTD:                    true,
+		portainer.OperationPortainerRegistryList:            true,
+		portainer.OperationPortainerRegistryInspect:         true,
+		portainer.OperationPortainerTeamList:                true,
+		portainer.OperationPortainerTemplateList:            true,
+		portainer.OperationPortainerTemplateInspect:         true,
+		portainer.OperationPortainerUserList:                true,
+		portainer.OperationPortainerUserInspect:             true,
+		portainer.OperationPortainerUserMemberships:         true,
+	}
+}
+
+// UpdateVolumeBrowsingAuthorizations will update all the volume browsing authorizations for each role (except endpoint administrator)
+// based on the specified removeAuthorizations parameter. If removeAuthorizations is set to true, all
+// the authorizations will be dropped for the each role. If removeAuthorizations is set to false, the authorizations
+// will be reset based for each role.
+func (service Service) UpdateVolumeBrowsingAuthorizations(remove bool) error {
+	roles, err := service.dataStore.Role().Roles()
+	if err != nil {
+		return err
+	}
+
+	for _, role := range roles {
+		// all roles except endpoint administrator
+		if role.ID != portainer.RoleID(1) {
+			updateRoleVolumeBrowsingAuthorizations(&role, remove)
+
+			err := service.dataStore.Role().UpdateRole(role.ID, &role)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func updateRoleVolumeBrowsingAuthorizations(role *portainer.Role, removeAuthorizations bool) {
+	if !removeAuthorizations {
+		delete(role.Authorizations, portainer.OperationDockerAgentBrowseDelete)
+		delete(role.Authorizations, portainer.OperationDockerAgentBrowseGet)
+		delete(role.Authorizations, portainer.OperationDockerAgentBrowseList)
+		delete(role.Authorizations, portainer.OperationDockerAgentBrowsePut)
+		delete(role.Authorizations, portainer.OperationDockerAgentBrowseRename)
+		return
+	}
+
+	role.Authorizations[portainer.OperationDockerAgentBrowseGet] = true
+	role.Authorizations[portainer.OperationDockerAgentBrowseList] = true
+
+	// Standard-user
+	if role.ID == portainer.RoleID(3) {
+		role.Authorizations[portainer.OperationDockerAgentBrowseDelete] = true
+		role.Authorizations[portainer.OperationDockerAgentBrowsePut] = true
+		role.Authorizations[portainer.OperationDockerAgentBrowseRename] = true
+	}
+}
+
+// RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
+func (service *Service) RemoveTeamAccessPolicies(teamID portainer.TeamID) error {
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyTeamID := range endpoint.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpoint.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyTeamID := range endpointGroup.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpointGroup.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.dataStore.Registry().Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyTeamID := range registry.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(registry.TeamAccessPolicies, policyTeamID)
+
+				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return service.UpdateUsersAuthorizations()
+}
+
+// RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
+func (service *Service) RemoveUserAccessPolicies(userID portainer.UserID) error {
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyUserID := range endpoint.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpoint.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyUserID := range endpointGroup.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpointGroup.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.dataStore.Registry().Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyUserID := range registry.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(registry.UserAccessPolicies, policyUserID)
+
+				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
+func (service *Service) UpdateUsersAuthorizations() error {
+	users, err := service.dataStore.User().Users()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		err := service.updateUserAuthorizations(user.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (service *Service) updateUserAuthorizations(userID portainer.UserID) error {
+	user, err := service.dataStore.User().User(userID)
+	if err != nil {
+		return err
+	}
+
+	endpointAuthorizations, err := service.getAuthorizations(user)
+	if err != nil {
+		return err
+	}
+
+	user.EndpointAuthorizations = endpointAuthorizations
+
+	return service.dataStore.User().UpdateUser(userID, user)
+}
+
+func (service *Service) getAuthorizations(user *portainer.User) (portainer.EndpointAuthorizations, error) {
+	endpointAuthorizations := portainer.EndpointAuthorizations{}
+	if user.Role == portainer.AdministratorRole {
+		return endpointAuthorizations, nil
+	}
+
+	userMemberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	roles, err := service.dataStore.Role().Roles()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointAuthorizations = getUserEndpointAuthorizations(user, endpoints, endpointGroups, roles, userMemberships)
+
+	return endpointAuthorizations, nil
+}
+
+func getUserEndpointAuthorizations(user *portainer.User, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, roles []portainer.Role, userMemberships []portainer.TeamMembership) portainer.EndpointAuthorizations {
+	endpointAuthorizations := make(portainer.EndpointAuthorizations)
+
+	groupUserAccessPolicies := map[portainer.EndpointGroupID]portainer.UserAccessPolicies{}
+	groupTeamAccessPolicies := map[portainer.EndpointGroupID]portainer.TeamAccessPolicies{}
+	for _, endpointGroup := range endpointGroups {
+		groupUserAccessPolicies[endpointGroup.ID] = endpointGroup.UserAccessPolicies
+		groupTeamAccessPolicies[endpointGroup.ID] = endpointGroup.TeamAccessPolicies
+	}
+
+	for _, endpoint := range endpoints {
+		authorizations := getAuthorizationsFromUserEndpointPolicy(user, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromUserEndpointGroupPolicy(user, &endpoint, roles, groupUserAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointPolicies(userMemberships, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, &endpoint, roles, groupTeamAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+		}
+	}
+
+	return endpointAuthorizations
+}
+
+func getAuthorizationsFromUserEndpointPolicy(user *portainer.User, endpoint *portainer.Endpoint, roles []portainer.Role) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	policy, ok := endpoint.UserAccessPolicies[user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromUserEndpointGroupPolicy(user *portainer.User, endpoint *portainer.Endpoint, roles []portainer.Role, groupAccessPolicies map[portainer.EndpointGroupID]portainer.UserAccessPolicies) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	policy, ok := groupAccessPolicies[endpoint.GroupID][user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointPolicies(memberships []portainer.TeamMembership, endpoint *portainer.Endpoint, roles []portainer.Role) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := endpoint.TeamAccessPolicies[membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []portainer.TeamMembership, endpoint *portainer.Endpoint, roles []portainer.Role, groupAccessPolicies map[portainer.EndpointGroupID]portainer.TeamAccessPolicies) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := groupAccessPolicies[endpoint.GroupID][membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromRoles(roleIdentifiers []portainer.RoleID, roles []portainer.Role) portainer.Authorizations {
+	var associatedRoles []portainer.Role
+
+	for _, id := range roleIdentifiers {
+		for _, role := range roles {
+			if role.ID == id {
+				associatedRoles = append(associatedRoles, role)
+				break
+			}
+		}
+	}
+
+	var authorizations portainer.Authorizations
+	highestPriority := 0
+	for _, role := range associatedRoles {
+		if role.Priority > highestPriority {
+			highestPriority = role.Priority
+			authorizations = role.Authorizations
+		}
+	}
+
+	return authorizations
+}

api/internal/edge/edgegroup.go

@@ -0,0 +1,59 @@
+package edge
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/tag"
+)
+
+// EdgeGroupRelatedEndpoints returns a list of endpoints related to this Edge group
+func EdgeGroupRelatedEndpoints(edgeGroup *portainer.EdgeGroup, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup) []portainer.EndpointID {
+	if !edgeGroup.Dynamic {
+		return edgeGroup.Endpoints
+	}
+
+	endpointIDs := []portainer.EndpointID{}
+	for _, endpoint := range endpoints {
+		if endpoint.Type != portainer.EdgeAgentEnvironment {
+			continue
+		}
+
+		var endpointGroup portainer.EndpointGroup
+		for _, group := range endpointGroups {
+			if endpoint.GroupID == group.ID {
+				endpointGroup = group
+				break
+			}
+		}
+
+		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
+			endpointIDs = append(endpointIDs, endpoint.ID)
+		}
+	}
+
+	return endpointIDs
+}
+
+// edgeGroupRelatedToEndpoint returns true is edgeGroup is associated with endpoint
+func edgeGroupRelatedToEndpoint(edgeGroup *portainer.EdgeGroup, endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup) bool {
+	if !edgeGroup.Dynamic {
+		for _, endpointID := range edgeGroup.Endpoints {
+			if endpoint.ID == endpointID {
+				return true
+			}
+		}
+		return false
+	}
+
+	endpointTags := tag.Set(endpoint.TagIDs)
+	if endpointGroup.TagIDs != nil {
+		endpointTags = tag.Union(endpointTags, tag.Set(endpointGroup.TagIDs))
+	}
+	edgeGroupTags := tag.Set(edgeGroup.TagIDs)
+
+	if edgeGroup.PartialMatch {
+		intersection := tag.Intersection(endpointTags, edgeGroupTags)
+		return len(intersection) != 0
+	}
+
+	return tag.Contains(edgeGroupTags, endpointTags)
+}

api/internal/edge/edgestack.go

@@ -0,0 +1,30 @@
+package edge
+
+import (
+	"errors"
+	"github.com/portainer/portainer/api"
+)
+
+// EdgeStackRelatedEndpoints returns a list of endpoints related to this Edge stack
+func EdgeStackRelatedEndpoints(edgeGroupIDs []portainer.EdgeGroupID, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, edgeGroups []portainer.EdgeGroup) ([]portainer.EndpointID, error) {
+	edgeStackEndpoints := []portainer.EndpointID{}
+
+	for _, edgeGroupID := range edgeGroupIDs {
+		var edgeGroup *portainer.EdgeGroup
+
+		for _, group := range edgeGroups {
+			if group.ID == edgeGroupID {
+				edgeGroup = &group
+				break
+			}
+		}
+
+		if edgeGroup == nil {
+			return nil, errors.New("Edge group was not found")
+		}
+
+		edgeStackEndpoints = append(edgeStackEndpoints, EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)...)
+	}
+
+	return edgeStackEndpoints, nil
+}

api/internal/edge/endpoint.go

@@ -0,0 +1,27 @@
+package edge
+
+import "github.com/portainer/portainer/api"
+
+// EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Endpoint
+func EndpointRelatedEdgeStacks(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) []portainer.EdgeStackID {
+	relatedEdgeGroupsSet := map[portainer.EdgeGroupID]bool{}
+
+	for _, edgeGroup := range edgeGroups {
+		if edgeGroupRelatedToEndpoint(&edgeGroup, endpoint, endpointGroup) {
+			relatedEdgeGroupsSet[edgeGroup.ID] = true
+		}
+	}
+
+	relatedEdgeStacks := []portainer.EdgeStackID{}
+	for _, edgeStack := range edgeStacks {
+		for _, edgeGroupID := range edgeStack.EdgeGroups {
+			if relatedEdgeGroupsSet[edgeGroupID] {
+				relatedEdgeStacks = append(relatedEdgeStacks, edgeStack.ID)
+				break
+			}
+		}
+	}
+
+	return relatedEdgeStacks
+
+}

api/internal/tag/tag.go

@@ -0,0 +1,73 @@
+package tag
+
+import "github.com/portainer/portainer/api"
+
+type tagSet map[portainer.TagID]bool
+
+// Set converts an array of ids to a set
+func Set(tagIDs []portainer.TagID) tagSet {
+	set := map[portainer.TagID]bool{}
+	for _, tagID := range tagIDs {
+		set[tagID] = true
+	}
+	return set
+}
+
+// Intersection returns a set intersection of the provided sets
+func Intersection(sets ...tagSet) tagSet {
+	intersection := tagSet{}
+	if len(sets) == 0 {
+		return intersection
+	}
+	setA := sets[0]
+	for tag := range setA {
+		inAll := true
+		for _, setB := range sets {
+			if !setB[tag] {
+				inAll = false
+				break
+			}
+		}
+
+		if inAll {
+			intersection[tag] = true
+		}
+	}
+
+	return intersection
+}
+
+// Union returns a set union of provided sets
+func Union(sets ...tagSet) tagSet {
+	union := tagSet{}
+	for _, set := range sets {
+		for tag := range set {
+			union[tag] = true
+		}
+	}
+	return union
+}
+
+// Contains return true if setA contains setB
+func Contains(setA tagSet, setB tagSet) bool {
+	containedTags := 0
+	for tag := range setB {
+		if setA[tag] {
+			containedTags++
+		}
+	}
+	return containedTags == len(setA)
+}
+
+// Difference returns the set difference tagsA - tagsB
+func Difference(setA tagSet, setB tagSet) tagSet {
+	set := tagSet{}
+
+	for tag := range setA {
+		if !setB[tag] {
+			set[tag] = true
+		}
+	}
+
+	return set
+}